Topic: [Resolved] I am in need of a specialist to help in removal of malware....

!nick!:
Here is my HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:24 PM, on 8/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svchast.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\windows\explorer.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\c.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Windows Antivirus Pro\Windows Antivirus Pro.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
F2 - REG:system.ini: UserInit=C:\windows\explorer.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: ICQSys (IE PlugIn) - {76DC0B63-1533-4ba9-8BE8-D59EB676FA02} - C:\WINDOWS\system32\dddesot.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\SpeedItUpFree\SpeedItUp.exe -MINI
O4 - HKCU\..\Run: [Monopod] C:\WINDOWS\TEMP\b.exe
O4 - HKUS\S-1-5-21-2848627006-211567192-983045226-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233090148945
O18 - Filter hijack: text/html - {4e2895f7-3052-4561-ab3e-324bbcdbc1ec} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS\svchast.exe
O23 - Service: Apple Mobile Device - Alps Electric Co., Ltd. - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc.  - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8747 bytes
« Last Edit: September 02, 2009, 09:33:59 AM by PCBruiser »

PCBruiser:
Hi,

My name is PCBruiser (or PCB for short), and I will be helping you to remove any malware on your system.  Please do not run any anti-malware, anti-virus or so-called "registry cleaners" unless I specifically tell you to do so.  Running the wrong thing at the wrong time can seriously damage your system.

Please copy and print out these instructions using Notepad so they will be readily available to you. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, please ask your question(s) before doing anything further.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan.

    If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
     If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
      • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
      • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
      • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
      • Click OK to close the message box and continue with the removal process.
      • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
      • Make sure that everything is checked, and click Remove Selected.
      • When removal is completed, a log report will open in Notepad.
      • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
      • Copy and paste the contents of that report in your next reply and exit MBAM.  Please also post a fresh HJT log.
      Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process.  Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

!nick!:
Greetings PCBruiser...

Thank you for responding! First off, I should say that I already have Malwarebytes and I did a scan. The scan came up with numerous malware called smith fraud, and fraudsmith winlogin I believe. I deleted them with no problem. Now I have a question about a possible threat or malware by the name of C.exe. I bring up Task Manager and there it is, a process... C.exe. I have done some research on it and I have come to the conclusion that it is indeed malicious software or a process linked to a certain disguised and difficult-to-remove virus. Any suggestions about that? And how would I go about removing it completely?

Here is another HJT log, as it is the most recent after the MB scan. I am sorry I do not have a Notepad copy or log of the MB scan, but like I said it did detect and I deleted. The pop-up ads and spyware are gone along with the blue screen. But I am still worried about this C.exe process, and I am wondering how to delete the pro antivirus 2009 service along with Webroot on my HJT log. Is there any concern with that, do I need to be worried? Thank you again in advance.

      -nicholas-

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 2:55:28 PM, on 8/25/2009
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v8.00 (8.00.6001.18702)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.exe
      C:\WINDOWS\svchast.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
      C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
      C:\WINDOWS\system32\taskmgr.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
      C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
      C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
      C:\WINDOWS\TEMP\c.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll
      O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
      O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
      O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
      O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
      O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\SpeedItUpFree\SpeedItUp.exe -MINI
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
      O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
      O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
      O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
      O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
      O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233090148945
      O18 - Filter hijack: text/html - {4e2895f7-3052-4561-ab3e-324bbcdbc1ec} - (no file)
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
      O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS\svchast.exe
      O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
      O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
      O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
      O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
      O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
      O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
      O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
      O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
      O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
      O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
      O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
      O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
      O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc.  - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
      O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

      --
      End of file - 7413 bytes



PCBruiser:
      Hi,

      1.  Please open the MBAM interface.  Go to the Logs tab.  Select the most recent one, then click on Open.  Copy and paste that into a post here.

      2.  Click on Start/Run and copy the following command into the run box:

      sc stop AntipyProex

      then tap <Enter>.  Then do the same thing with the following:

      sc delete AntipyProex

      3.  Download Combofix from any of the links below, and save it to your desktop.  For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

      Link 1
      Link 2
      Link 3


      **Note:  It is important that it is saved directly to your desktop**

      --------------------------------------------------------------------

      a. Close any open browsers.

      b. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

      --------------------------------------------------------------------

      Double click on combofix.exe & follow the prompts.
      When finished, it will produce a report for you.

      Note:  Do not click combofix's window with your mouse while it's running. That may cause it to stall.

      4.  Please post the following:

      a. the latest MBAM log
      b. combofix.txt
      c. a fresh HJT log
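Worked example, added by the editor and not code from anyone in this thread: a small Python triage script for HijackThis v2 logs. It applies the checks a helper applies by eye to the logs posted above (a binary launched from a temp directory, a filename one character away from a core Windows binary such as svchost.exe, a system.ini Shell= line with anything appended to Explorer.exe, a UserInit= that is not userinit.exe, and an "Unknown owner" O23 service outside Program Files or system32) and, for each flagged O23 entry, separates the display name from the service key name shown in parentheses. sc.exe keys on that short name, so `sc stop`/`sc delete` for the rogue service take `AntipPro2009_100`, which the script prints ready to paste. The sample log is a constructed excerpt of the lines posted above; the rule set, the core-binary list and the default UserInit path are the editor's assumptions for Windows XP.

```python
"""Triage a HijackThis v2 log the way a malware-removal helper reads it.

Editor's added example, not code from the thread. The rule set, the core
binary list and the default UserInit path are assumptions for Windows XP.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Core Windows binaries that rogue software likes to imitate (assumed list).
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                 "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}
# Default system.ini UserInit= value on Windows XP (assumption, lower-cased).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
# First drive-letter path on a line, up to the first executable-style extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|nfo)\b", re.I)
# O23 line layout: "O23 - Service: Display (KeyName) - Owner - Path".
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Constructed excerpt of the log posted above, with benign lines for contrast.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\svchast.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\c.exe

F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
F2 - REG:system.ini: UserInit=C:\windows\explorer.exe,
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [Monopod] C:\WINDOWS\TEMP\b.exe
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS\svchast.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""


class Finding(NamedTuple):
    line: str
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one substitution/insertion = 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename: str) -> Optional[str]:
    """Return the core binary a filename imitates (distance exactly 1), else None."""
    name = filename.lower()
    if name in CORE_BINARIES:
        return None
    for core in CORE_BINARIES:
        if edit_distance(name, core) == 1:
            return core
    return None


def service_names(o23_line: str) -> Optional[Tuple[str, str]]:
    """(display name, key name) from an O23 line; sc.exe needs the key name."""
    m = O23_RE.match(o23_line.strip())
    if not m:
        return None
    name = m.group("name")
    paren = re.match(r"^(?P<display>.+) \((?P<short>[^()]+)\)$", name)
    if paren:
        return paren.group("display"), paren.group("short")
    return name, name  # HJT omits the parentheses when both names are equal


def triage(log_text: str) -> List[Finding]:
    """Apply the name-and-location rules to every line of a HJT log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PATH_RE.search(line)
        path = m.group(0) if m else None
        if path:
            low = path.lower()
            fname = low.rsplit("\\", 1)[-1]
            if "\\temp\\" in low:
                findings.append(Finding(line, "executable launched from a temp directory"))
            core = lookalike(fname)
            if core:
                findings.append(Finding(line, f"filename {fname} imitates {core}"))
            if fname in CORE_BINARIES and "\\system32\\" not in low and fname != "explorer.exe":
                findings.append(Finding(line, f"{fname} running outside system32"))
        if line.startswith("F2 - REG:system.ini: Shell="):
            value = line.split("Shell=", 1)[1].strip()
            if value.lower() != "explorer.exe":
                findings.append(Finding(line, "Shell= hijack: extra command appended to Explorer.exe"))
        if line.startswith("F2 - REG:system.ini: UserInit="):
            value = line.split("UserInit=", 1)[1].strip().rstrip(",").lower()
            if value != DEFAULT_USERINIT:
                findings.append(Finding(line, "UserInit= is not the default userinit.exe"))
        if line.startswith("O23 - Service:") and "Unknown owner" in line and path:
            if not path.lower().startswith(("c:\\program files", "c:\\windows\\system32")):
                findings.append(Finding(line, "unknown-owner service outside Program Files/system32"))
    return findings


def flagged_service_keys(log_text: str) -> List[str]:
    """Key names (what `sc stop` / `sc delete` expect) of flagged O23 services."""
    keys: List[str] = []
    for f in triage(log_text):
        if f.line.startswith("O23 - Service:"):
            names = service_names(f.line)
            if names and names[1] not in keys:
                keys.append(names[1])
    return keys


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.reason:58} | {finding.line}")
    for key in flagged_service_keys(SAMPLE_LOG):
        print(f"sc stop {key}")
        print(f"sc delete {key}")
```

Run it as-is to triage the embedded excerpt, or swap SAMPLE_LOG for the contents of a saved hijackthis.log. These rules only see names and locations: entries such as the `dddesot.dll` BHO in system32 are not caught by them and need a hash or reputation lookup, which is why a helper asks for the full log rather than trusting one scanner's verdict.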

!nick!:
Hello,

I just ran ComboFix; everything worked, but I never received the "preparing log" screen. It logged me off and rebooted. Upon reboot and logging into Windows I now have a blank screen with just my desktop format, and the My Documents folder popped up! There is no task tray nor icons on the desktop and no ComboFix log in Notepad... What should I do now?

!nick!:
Update!

My desktop icons and toolbar are up and running, including ComboFix. Currently it is preparing a log report, but it is taking an awfully long time. I am unsure if it is still functioning correctly. There is a blinking cursor underneath "do not run any programs until ComboFix is finished". Is it still functioning correctly with the blinking cursor? I will post again with its report along with the other mentioned logs...

Thank you  -nicholas-

!nick!:
Success!! Here are the logs you asked for.

      COMBOFIX:

      ComboFix 09-08-25.01 - Owner 08/25/2009 17:36.1.1 - NTFSx86
      Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.447.161 [GMT -6:00]
      Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
      AV: Norton AntiVirus TechCenter Edition *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
      FW: Norton AntiVirus TechCenter Edition *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      c:\windows\Installer\100f58.msp
      c:\windows\Installer\11ed7753.msp
      c:\windows\Installer\125140d9.msp
      c:\windows\Installer\1273e81f.msp
      c:\windows\Installer\178de24.msp
      c:\windows\Installer\1e8460e.msp
      c:\windows\Installer\20394c6.msp
      c:\windows\Installer\2bc73cf.msp
      c:\windows\Installer\2d1a635.msp
      c:\windows\Installer\2ec041b.msp
      c:\windows\Installer\317e6ef.msp
      c:\windows\Installer\34f495e.msp
      c:\windows\Installer\4335342.msp
      c:\windows\Installer\43add6a.msp
      c:\windows\Installer\4f09384.msp
      c:\windows\Installer\6223583.msp
      c:\windows\Installer\6a7cbac.msp
      c:\windows\Installer\742f5a2.msp
      c:\windows\Installer\80672c2.msp
      c:\windows\Installer\8140860.msp
      c:\windows\Installer\a16d284.msp
      c:\windows\Installer\bd1ab8c.msp
      c:\windows\Installer\f3da2e1.msp
      c:\windows\ppp3.dat
      c:\windows\ppp4.dat
      c:\windows\setup.exe
      c:\windows\svchast.exe
      c:\windows\system32\bennuar.old
      c:\windows\system32\bincd32.dat
      c:\windows\system32\desot.exe
      c:\windows\system32\dumphive.exe
      c:\windows\system32\images
      c:\windows\system32\images\i1.gif
      c:\windows\system32\images\i2.gif
      c:\windows\system32\images\i3.gif
      c:\windows\system32\images\j1.gif
      c:\windows\system32\images\j2.gif
      c:\windows\system32\images\j3.gif
      c:\windows\system32\images\jj1.gif
      c:\windows\system32\images\jj2.gif
      c:\windows\system32\images\jj3.gif
      c:\windows\system32\images\l1.gif
      c:\windows\system32\images\l2.gif
      c:\windows\system32\images\l3.gif
      c:\windows\system32\images\pix.gif
      c:\windows\system32\images\t1.gif
      c:\windows\system32\images\t2.gif
      c:\windows\system32\images\up1.gif
      c:\windows\system32\images\up2.gif
      c:\windows\system32\images\w1.gif
      c:\windows\system32\images\w11.gif
      c:\windows\system32\images\w2.gif
      c:\windows\system32\images\w3.gif
      c:\windows\system32\images\w3.jpg
      c:\windows\system32\images\wt1.gif
      c:\windows\system32\images\wt2.gif
      c:\windows\system32\images\wt3.gif
      c:\windows\system32\msxgvmte.ini
      c:\windows\system32\Process.exe
      c:\windows\system32\sonhelp.htm
      c:\windows\system32\SrchSTS.exe
      c:\windows\system32\sysnet.dat
      c:\windows\system32\tapi.nfo
      c:\windows\system32\test.ttt
      c:\windows\system32\tmp.reg
      c:\windows\system32\wispex.html

      .
      (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      -------\Legacy_AntipPro2009_100
      -------\Service_AntipPro2009_100


      (((((((((((((((((((((((((   Files Created from 2009-07-26 to 2009-08-26  )))))))))))))))))))))))))))))))
      .

      2009-08-26 01:19 . 2009-08-26 01:37   --------   dc----w-   c:\windows\LastGood
      2009-08-25 23:36 . 2008-04-14 00:12   1033728   -c--a-w-   c:\windows\system32\userinit.exe
      2009-08-25 23:36 . 2008-04-14 00:12   1033728   -c--a-w-   c:\windows\system32\dllcache\userinit.exe
      2009-08-24 05:40 . 2009-08-24 05:40   --------   dcsh--w-   c:\windows\system32\config\systemprofile\IETldCache

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2009-08-24 21:04 . 2005-05-24 08:05   34542   -c--a-w-   c:\documents and settings\Owner\Application Data\wklnhst.dat
      2009-08-24 21:04 . 2005-05-24 08:05   34542   -c--a-w-   c:\docume~1\Owner\APPLIC~1\wklnhst.dat
      2009-08-12 22:02 . 2009-01-28 06:24   --------   dc----w-   c:\program files\SUPERAntiSpyware
      2009-08-12 21:16 . 2009-01-26 22:30   --------   dc----w-   c:\program files\Spybot - Search & Destroy
      2009-08-05 09:01 . 2004-08-14 01:04   204800   -c--a-w-   c:\windows\system32\mswebdvd.dll
      2009-08-04 18:01 . 2009-03-17 06:21   --------   dc----w-   c:\program files\SpeedItUpFree
      2009-07-17 19:01 . 2004-08-14 01:03   58880   -c--a-w-   c:\windows\system32\atl.dll
      2009-07-14 05:43 . 2004-08-14 01:04   286208   -c--a-w-   c:\windows\system32\wmpdxm.dll
      2009-07-03 17:09 . 2004-08-14 01:04   915456   -c--a-w-   c:\windows\system32\wininet.dll
      2009-06-25 08:25 . 2004-08-14 01:04   54272   -c--a-w-   c:\windows\system32\wdigest.dll
      2009-06-25 08:25 . 2004-08-14 01:04   56832   -c--a-w-   c:\windows\system32\secur32.dll
      2009-06-25 08:25 . 2004-08-14 01:04   147456   -c--a-w-   c:\windows\system32\schannel.dll
      2009-06-25 08:25 . 2004-08-14 01:04   136192   -c--a-w-   c:\windows\system32\msv1_0.dll
      2009-06-25 08:25 . 2004-08-14 01:03   730112   -c--a-w-   c:\windows\system32\lsasrv.dll
      2009-06-25 08:25 . 2004-08-14 01:03   301568   -c--a-w-   c:\windows\system32\kerberos.dll
      2009-06-24 11:18 . 2004-08-14 01:03   92928   -c--a-w-   c:\windows\system32\drivers\ksecdd.sys
      2009-06-16 14:36 . 2004-08-14 01:04   119808   -c--a-w-   c:\windows\system32\t2embed.dll
      2009-06-16 14:36 . 2004-08-14 01:03   81920   -c--a-w-   c:\windows\system32\fontsub.dll
      2009-06-12 12:31 . 2004-08-14 01:04   76288   -c--a-w-   c:\windows\system32\telnet.exe
      2009-06-10 15:19 . 2004-08-14 01:18   2066432   -c--a-w-   c:\windows\system32\mstscax.dll
      2009-06-10 14:13 . 2004-08-14 01:03   84992   -c--a-w-   c:\windows\system32\avifil32.dll
      2009-06-10 06:14 . 2004-08-14 01:04   132096   -c--a-w-   c:\windows\system32\wkssvc.dll
      2009-06-03 19:09 . 2004-08-14 01:04   1291264   -c--a-w-   c:\windows\system32\quartz.dll
      2009-06-03 09:58 . 2009-01-29 01:20   15688   -c--a-w-   c:\windows\system32\lsdelete.exe
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
      @="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
      [HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
      2008-11-13 23:04   238968   ----a-w-   c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "SpeedItUpEX"="c:\program files\SpeedItUpFree\SpeedItUp.exe" [2009-07-10 2274816]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
      "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-29 520024]
      "MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
      "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

      [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
      "NoSetActiveDesktop"= 1 (0x1)

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2008-12-22 17:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
      BootExecute   REG_MULTI_SZ      lsdelete

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
      @="Service"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
      @="Service"

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
      backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
      backup=c:\windows\pss\GStartup.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
      backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
      backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
      backup=c:\windows\pss\MyWebSearch Email Plugin.lnkCommon Startup
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antispyware
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC-Checkup
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\seekmo
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xhozutomo
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
      "DisableMonitoring"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
      "DisableMonitoring"=dword:00000001

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"= 0 (0x0)

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\Messenger\\msmsgs.exe"=
      "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
      "c:\\WINDOWS\\system32\\ftp.exe"=
      "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
      "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
      "c:\\Program Files\\iTunes\\iTunes.exe"=

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "21223:TCP"= 21223:TCP:BitComet 21223 TCP
      "21223:UDP"= 21223:UDP:BitComet 21223 UDP

      R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
      R3 I97DRIVER;I97DRIVER;

      R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
      R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
      R4 OneStepSrch Service;OneStepSrch Service;

      S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-05-01 64160]
      S0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-11-12 29808]
      S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-27 9968]
      S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-12 74480]
      S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-06-29 1029456]
      S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2008-11-13 1086840]
      S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-16 101936]


      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
      c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
      .
      Contents of the 'Scheduled Tasks' folder

      2009-08-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
      - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 09:59]

      2009-08-07 c:\windows\Tasks\HP DArC Task 2003-06-26 13:16ewlett-Packard2003-06-26 13:16p psc 2500 seriesA3652443A372B157BFD83129692C2C2475483DE7110167266.job
      - c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-06-27 00:50]

      2009-08-25 c:\windows\Tasks\Norton AntiVirus TechCenter Edition - Run Full System Scan - Owner.job
      - c:\program files\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]

      2009-06-18 c:\windows\Tasks\{980AEE74-A87D-4A14-961E-8A93A5FE695D}_B425632B1B4B4FF_Owner.job
      - c:\windows\system32\mobsync.exe [2004-08-14 00:12]

      2009-08-25 c:\windows\Tasks\{B7F5A0DA-3C8C-493C-9D82-6120885A3E3D}_B425632B1B4B4FF_Owner.job
      - c:\windows\system32\mobsync.exe [2004-08-14 00:12]

      2009-08-21 c:\windows\Tasks\{BE9A28C8-2EF2-4069-BD51-3E668A4D3285}_B425632B1B4B4FF_Owner.job
      - c:\windows\system32\mobsync.exe [2004-08-14 00:12]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://www.rr.com/
      uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
      uInternet Settings,ProxyOverride = *.local
      uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
      IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
      IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
      IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
      FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\xkkgcykb.default\
      FF - prefs.js: browser.startup.homepage - hxxp://www.rr.com/
      FF - HiddenExtension: XUL Cache: {D04996CF-46ED-423F-B612-C1DF9043AC1D} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{D04996CF-46ED-423F-B612-C1DF9043AC1D}\
      FF - HiddenExtension: XUL Cache: {C35294CC-9CFD-4A23-8BE5-B35C955FAB8D} - c:\documents and settings\Owner\Local Settings\Application Data\{C35294CC-9CFD-4A23-8BE5-B35C955FAB8D}

      ---- FIREFOX POLICIES ----
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota",      5120);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
      c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history",     true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata",    true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords",   false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads",   true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies",     true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache",       true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions",    true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history",                 true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata",                true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords",               false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads",               true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies",                 true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache",                   true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions",                true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps",             false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings",            false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs",    false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
      .

      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2009-08-25 19:37
      Windows 5.1.2600 Service Pack 3 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------

      [HKEY_USERS\S-1-5-21-2848627006-211567192-983045226-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DCD5A3AE-2FCA-B4E9-92A3-0458643E2A77}*]
      @Allowed: (Read) (RestrictedCode)
      @Allowed: (Read) (RestrictedCode)
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(1112)
      c:\program files\SUPERAntiSpyware\SASWINLO.dll
      c:\windows\system32\WININET.dll
      c:\windows\system32\Ati2evxx.dll

      - - - - - - - > 'explorer.exe'(3104)
      c:\windows\system32\WININET.dll
      c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
      c:\windows\system32\ieframe.dll
      c:\windows\system32\webcheck.dll
      c:\windows\system32\WPDShServiceObj.dll
      c:\windows\system32\PortableDeviceTypes.dll
      c:\windows\system32\PortableDeviceApi.dll
      c:\program files\Common Files\Symantec Shared\NPC\2.0\NPCEXT.dll
      c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\windows\system32\ati2evxx.exe
      c:\program files\Java\jre6\bin\jqs.exe
      c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
      c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
      c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
      c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
      c:\program files\Windows Media Player\wmpnetwk.exe
      c:\windows\system32\wbem\unsecapp.exe
      c:\windows\system32\ati2evxx.exe
      c:\progra~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
      .
      **************************************************************************
      .
      Completion time: 2009-08-26 20:12 - machine was rebooted
      ComboFix-quarantined-files.txt  2009-08-26 02:12

      Pre-Run: 21,434,597,376 bytes free
      Post-Run: 20,957,986,816 bytes free

      WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
      [boot loader]
      timeout=2
      default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
      [operating systems]
      c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
      multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

      331   --- E O F ---   2009-08-14 09:04
      =======================================================================

      MALWAREBYTES:

      Malwarebytes' Anti-Malware 1.36
      Database version: 2156
      Windows 5.1.2600 Service Pack 3

      8/25/2009 5:02:49 PM
      mbam-log-2009-08-25 (17-02-49).txt

      Scan type: Full Scan (C:\|)
      Objects scanned: 176273
      Time elapsed: 2 hour(s), 3 minute(s), 6 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 6

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\Program Files\Trend Micro\HijackThis\backups\backup-20090824-214323-164.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
      C:\System Volume Information\_restore{8C459B98-89AA-45F6-A5B9-323014416103}\RP182\A0083727.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
      C:\System Volume Information\_restore{8C459B98-89AA-45F6-A5B9-323014416103}\RP182\A0083737.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
      C:\System Volume Information\_restore{8C459B98-89AA-45F6-A5B9-323014416103}\RP182\A0084737.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
      C:\System Volume Information\_restore{8C459B98-89AA-45F6-A5B9-323014416103}\RP182\A0085737.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
      C:\System Volume Information\_restore{8C459B98-89AA-45F6-A5B9-323014416103}\RP182\A0085756.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
      =======================================================================

      HJT:

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 8:23:57 PM, on 8/25/2009
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v8.00 (8.00.6001.18702)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
      c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
      C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
      C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
      C:\WINDOWS\explorer.exe
      C:\WINDOWS\system32\notepad.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
      C:\WINDOWS\system32\taskmgr.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll
      O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
      O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
      O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
      O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
      O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
      O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
      O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
      O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
      O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233090148945
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
      O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
      O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
      O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
      O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
      O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
      O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
      O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
      O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
      O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
      O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
      O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
      O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
      O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc.  - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
      O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

      --
      End of file - 6980 bytes
      =======================================================================

Hope this helps; thank you again for the help!

      -nicholas-

      Offline PCBruiser

      • Malware Removal Mentors
      • Ambassador
      • Diamond Member
      • Posts: 8146
      Hi,

You must uninstall BitComet before we can continue. http://spywarehammer.com/simplemachinesforum/index.php?topic=110.0 If you prefer, I can do it for you.
      Don't Read?  Can't learn!

      Offline !nick!

      • Bronze Member
      • Posts: 19
Greetings!

OK, I took the liberty of removing BitComet. I believe I have no other P2P programs as far as I can see, unless you are noticing any... Thank you for the help. Do you need another HJT log? Oh well, I will do it anyway just in case. And how do I get rid of the Ati HotKey Poller service, C:\windows\system32\ati2evxx? Is that something I need?


      HJT log:


      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 2:52:24 PM, on 8/26/2009
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v8.00 (8.00.6001.18702)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\Explorer.exe
      C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
      C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      C:\WINDOWS\system32\taskmgr.exe
      C:\Program Files\Windows Media Player\WMPNSCFG.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
      C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
      C:\Program Files\VS Revo Group\Revo Uninstaller\revouninstaller.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      F2 - REG:system.ini: UserInit=C:\WINDOWS\Explorer.exe,
      O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
      O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
      O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
      O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
      O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
      O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233090148945
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
      O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
      O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
      O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
      O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
      O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
      O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
      O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
      O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
      O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
      O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
      O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
      O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

      --
      End of file - 6009 bytes

      -nicholas-

      Offline PCBruiser

      • Malware Removal Mentors
      • Ambassador
      • Diamond Member
      • Posts: 8146
      Hi,

That file is part of your video drivers. Leave it alone; without it your screen will not work.

I do not think your anti-virus, Norton, is working correctly. The malware likely damaged it. Do you like Norton, or would you rather try a different anti-virus? If so, I can remove Norton and make a recommendation for a free alternative. If not, I will provide instructions on how to fix it. I am also going to ask you to install a free firewall later, but do not do it yet because it can interfere with our fixes.

      I need you to run ComboFix again, using a different method of running it.  

      1.  Open notepad, go to the format menu, uncheck Word Wrap, and then copy/paste the text in the code box below into it:

Code:

      KILLALL::

      Folder::
      c:\program files\BitComet

      Registry::
      [-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xhozutomo]
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "21223:TCP"= -
      "21223:UDP"= -

      Driver::
      I97DRIVER
      OneStepSrch Service


      Save this to your Desktop as CFScript.txt.

      2.  Close all open browsers.

[picture: CFScript.txt being dragged onto ComboFix.exe]

      3.  Referring to the picture above, drag CFScript into ComboFix.exe

      When finished, it will produce a log for you at "C:\ComboFix.txt"

      Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.

      4.  Please post the following:

      a. combofix.txt
      b. a fresh HJT log
      Don't Read?  Can't learn!
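The Registry:: block in the script above deletes two XP firewall exceptions (21223:TCP and 21223:UDP) from the GloballyOpenPorts list, and the ComboFix output later in this thread lists the same kind of data, together with the Security Center "DisableMonitoring" keys, in REGEDIT4 layout under "Reg Loading Points". What follows is an added example of mine, not part of this thread and not ComboFix code: a small Python reader for that REGEDIT4 layout with an audit that reports enabled open-port exceptions, program exceptions living in temp or profile folders, and Security Center monitoring switched off. The export text is constructed; the port entries copy the script, the `upd.exe` program exception is invented, and the helper names (`parse_regedit4`, `decode_value`, `audit`) are mine.

```python
"""Audit a REGEDIT4-style export (the layout ComboFix prints under 'Reg
Loading Points') for firewall exceptions and disabled Security Center
monitoring.  Added example; not part of this thread and not ComboFix code."""
import re

# Constructed sample.  The key paths mirror the ones shown in this thread and
# the 21223 port entries copy the CFScript above; the Temp-folder program
# exception (upd.exe) is made up for illustration.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21223:TCP"="21223:TCP:*:Enabled:example"
"21223:UDP"="21223:UDP:*:Enabled:example"
"139:TCP"="139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"c:\\Documents and Settings\\Owner\\Local Settings\\Temp\\upd.exe"="c:\\Documents and Settings\\Owner\\Local Settings\\Temp\\upd.exe:*:Enabled:upd"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# XP firewall exception values read target:scope:Enabled|Disabled:display name;
# target is "port:protocol" or a program path (which itself contains a colon).
EXCEPTION_RE = re.compile(
    r"^(?P<target>.*):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$", re.I)
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")


def parse_regedit4(text):
    """Return {key path: {value name: raw value text}} for a REGEDIT4 export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).replace("\\\\", "\\")] = m.group(2)
    return keys


def decode_value(raw):
    """Decode the two value kinds that matter here: dword:hex and "quoted string"."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def audit(keys):
    """Group review-worthy entries by category as (key, value name, detail) tuples."""
    findings = {"monitoring_disabled": [], "open_port": [], "app_exception": []}
    for key, values in keys.items():
        k = key.lower()
        if "security center\\monitoring" in k:
            # Security suites set this too, to silence duplicate alerts, so it is
            # a prompt to confirm the installed suite really is running, not a verdict.
            if decode_value(values.get("DisableMonitoring", "dword:0")) == 1:
                findings["monitoring_disabled"].append((key, "DisableMonitoring", 1))
            continue
        if k.endswith("globallyopenports\\list"):
            kind = "open_port"
        elif k.endswith("authorizedapplications\\list"):
            kind = "app_exception"
        else:
            continue
        for name, raw in values.items():
            value = decode_value(raw)
            m = EXCEPTION_RE.match(value) if isinstance(value, str) else None
            if not m or m["state"].lower() != "enabled":
                continue  # a disabled rule opens nothing
            # Every enabled open port deserves a look on a home PC; program
            # exceptions are reported only when the program lives in a temp or
            # profile folder, where installed software normally does not.
            if kind == "open_port" or any(d in m["target"].lower() for d in SUSPECT_DIRS):
                findings[kind].append((key, name, m["name"]))
    return findings


def main():
    for category, entries in audit(parse_regedit4(SAMPLE_EXPORT)).items():
        for key, name, detail in entries:
            print(f"[{category}] {name} ({detail})\n    under {key}")


if __name__ == "__main__":
    main()
```

Run as a script it prints three kinds of finding for the sample: the top-level Security Center monitoring switch, the two enabled 21223 port exceptions, and the Temp-folder program exception; the disabled 139/TCP rule and the sessmgr.exe entry are left alone. Against a real export the same reader can be pointed at the text ComboFix printed instead of the constructed sample.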

      Offline !nick!

      • Bronze Member
      • Posts: 19
Hello,

Yes, I kind of like Norton. I paid 40 dollars for it, and frankly I want to get my money's worth out of it no matter how much it botches up; I have 97 days left on the subscription. It may seem to be not working correctly because my intrusion signatures were out of date. I did some tweaks and recently had them updated. Prior to that it had been a while since I had them updated. However, I am curious about this free anti-virus. I would be most obliged to look it over and try it out! And I am curious what fixes you could do to possibly help or allow Norton to correctly function. Can Norton and this other anti-virus run and co-exist at the same time?

I am in the process of doing the CFScript into ComboFix and running another log. I will post that and a HJT log in a short while...

      -nicholas-

      Offline !nick!

      • Bronze Member
      • Posts: 19
Hello,

Here are the updated logs you asked for. I am also curious about this free firewall as well... I guess I could certainly use one of them apart from Windows Firewall, a better and more secure one at that, lol.

      combofix log:

      ComboFix 09-08-26.05 - Owner 08/26/2009 17:14.2.1 - NTFSx86
      Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.447.193 [GMT -6:00]
      Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
      Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt..txt
      AV: Norton AntiVirus TechCenter Edition *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
      FW: Norton AntiVirus TechCenter Edition *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      c:\windows\Installer\77158f5.msi

      .
      (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      -------\Legacy_ONESTEPSRCH_SERVICE
      -------\Service_I97DRIVER
      -------\Service_OneStepSrch Service


      (((((((((((((((((((((((((   Files Created from 2009-07-26 to 2009-08-26  )))))))))))))))))))))))))))))))
      .

      2009-08-25 23:36 . 2008-04-14 00:12   1033728   -c--a-w-   c:\windows\system32\userinit.exe
      2009-08-25 23:36 . 2008-04-14 00:12   1033728   -c--a-w-   c:\windows\system32\dllcache\userinit.exe
      2009-08-24 05:40 . 2009-08-24 05:40   --------   dcsh--w-   c:\windows\system32\config\systemprofile\IETldCache

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2009-08-26 22:53 . 2008-01-31 03:14   --------   dc----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
      2009-08-26 22:14 . 2007-11-03 02:51   --------   dc----w-   c:\documents and settings\Owner\Application Data\DivX
      2009-08-26 21:26 . 2009-01-28 07:39   --------   dc----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
      2009-08-26 06:44 . 2005-05-24 08:05   34542   -c--a-w-   c:\documents and settings\Owner\Application Data\wklnhst.dat
      2009-08-25 03:03 . 2009-02-15 23:49   3942047   -c--a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
      2009-08-12 22:06 . 2009-03-13 12:40   117760   -c--a-w-   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
      2009-08-12 22:02 . 2009-01-28 06:24   --------   dc----w-   c:\program files\SUPERAntiSpyware
      2009-08-12 21:16 . 2009-01-26 22:30   --------   dc----w-   c:\program files\Spybot - Search & Destroy
      2009-08-05 09:01 . 2004-08-14 01:04   204800   -c--a-w-   c:\windows\system32\mswebdvd.dll
      2009-08-04 18:01 . 2009-03-17 06:21   --------   dc----w-   c:\program files\SpeedItUpFree
      2009-07-17 19:01 . 2004-08-14 01:03   58880   -c--a-w-   c:\windows\system32\atl.dll
      2009-07-14 05:43 . 2004-08-14 01:04   286208   -c--a-w-   c:\windows\system32\wmpdxm.dll
      2009-07-08 10:01 . 2009-06-24 10:02   25440   -c--a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
      2009-07-06 10:03 . 2009-06-24 10:02   1630560   -c--a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
      2009-07-06 10:02 . 2009-06-24 10:01   2353480   -c--a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
      2009-07-03 17:09 . 2004-08-14 01:04   915456   -c--a-w-   c:\windows\system32\wininet.dll
      2009-06-29 10:00 . 2009-06-24 10:03   314712   -c--a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
      2009-06-29 10:00 . 2009-06-24 10:02   169312   -c--a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
      2009-06-29 10:00 . 2009-06-24 10:02   348496   -c--a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
      2009-06-29 10:00 . 2009-06-24 10:02   298336   -c--a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
      2009-06-29 10:00 . 2009-06-03 09:58   84832   -c--a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
      2009-06-29 10:00 . 2009-06-03 09:58   246128   -c--a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
      2009-06-29 10:00 . 2009-06-03 09:58   40288   -c--a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
      2009-06-29 10:00 . 2009-06-24 10:02   85352   -c--a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
      2009-06-29 10:00 . 2009-06-24 10:01   664424   -c--a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
      2009-06-29 09:59 . 2009-06-24 10:01   563064   -c--a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
      2009-06-29 09:59 . 2009-06-24 10:01   566632   -c--a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
      2009-06-29 09:59 . 2009-06-24 09:59   629072   -c--a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
      2009-06-29 09:59 . 2009-06-24 09:59   520024   -c--a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
      2009-06-29 09:59 . 2009-06-24 09:59   1029456   -c--a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
      2009-06-25 08:25 . 2004-08-14 01:04   54272   -c--a-w-   c:\windows\system32\wdigest.dll
      2009-06-25 08:25 . 2004-08-14 01:04   56832   -c--a-w-   c:\windows\system32\secur32.dll
      2009-06-25 08:25 . 2004-08-14 01:04   147456   -c--a-w-   c:\windows\system32\schannel.dll
      2009-06-25 08:25 . 2004-08-14 01:04   136192   -c--a-w-   c:\windows\system32\msv1_0.dll
      2009-06-25 08:25 . 2004-08-14 01:03   730112   -c--a-w-   c:\windows\system32\lsasrv.dll
      2009-06-25 08:25 . 2004-08-14 01:03   301568   -c--a-w-   c:\windows\system32\kerberos.dll
      2009-06-24 11:18 . 2004-08-14 01:03   92928   -c--a-w-   c:\windows\system32\drivers\ksecdd.sys
      2009-06-16 14:36 . 2004-08-14 01:04   119808   -c--a-w-   c:\windows\system32\t2embed.dll
      2009-06-16 14:36 . 2004-08-14 01:03   81920   -c--a-w-   c:\windows\system32\fontsub.dll
      2009-06-12 12:31 . 2004-08-14 01:04   76288   -c--a-w-   c:\windows\system32\telnet.exe
      2009-06-10 15:19 . 2004-08-14 01:18   2066432   -c--a-w-   c:\windows\system32\mstscax.dll
      2009-06-10 14:13 . 2004-08-14 01:03   84992   -c--a-w-   c:\windows\system32\avifil32.dll
      2009-06-10 06:14 . 2004-08-14 01:04   132096   -c--a-w-   c:\windows\system32\wkssvc.dll
      2009-06-03 19:09 . 2004-08-14 01:04   1291264   -c--a-w-   c:\windows\system32\quartz.dll
      2009-06-03 09:58 . 2009-06-03 09:58   15688   -c--a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
      2009-06-03 09:58 . 2009-01-29 01:20   15688   -c--a-w-   c:\windows\system32\lsdelete.exe
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
      @="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
      [HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
      2008-11-13 23:04   238968   ----a-w-   c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
      "MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
      "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

      [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
      "NoSetActiveDesktop"= 1 (0x1)

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2008-12-22 17:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
      BootExecute   REG_MULTI_SZ      lsdelete

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
      @="Service"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
      @="Service"

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
      backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
      backup=c:\windows\pss\GStartup.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
      backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
      backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
      "Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
      "DisableMonitoring"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
      "DisableMonitoring"=dword:00000001

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\Messenger\\msmsgs.exe"=
      "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
      "c:\\WINDOWS\\system32\\ftp.exe"=
      "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
      "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
      "c:\\Program Files\\iTunes\\iTunes.exe"=

      R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/28/2009 3:55 AM 64160]
      R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/12/2008 4:02 PM 29808]
      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/15/2009 4:17 PM 9968]
      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 4:17 PM 74480]
      R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 3:34 PM 1029456]
      R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/30/2009 3:40 AM 101936]
      S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 2:55 PM 23888]
      S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 4:17 PM 7408]
      S4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [8/24/2007 11:07 PM 149352]
      S4 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [1/25/2009 8:25 PM 1086840]

      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
      c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
      .
      Contents of the 'Scheduled Tasks' folder

      2009-08-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
      - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 09:59]

      2009-08-07 c:\windows\Tasks\HP DArC Task 2003-06-26 13:16ewlett-Packard2003-06-26 13:16p psc 2500 seriesA3652443A372B157BFD83129692C2C2475483DE7110167266.job
      - c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-06-27 00:50]

      2009-08-25 c:\windows\Tasks\Norton AntiVirus TechCenter Edition - Run Full System Scan - Owner.job
      - c:\program files\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]

      2009-06-18 c:\windows\Tasks\{980AEE74-A87D-4A14-961E-8A93A5FE695D}_B425632B1B4B4FF_Owner.job
      - c:\windows\system32\mobsync.exe [2004-08-14 00:12]

      2009-08-26 c:\windows\Tasks\{B7F5A0DA-3C8C-493C-9D82-6120885A3E3D}_B425632B1B4B4FF_Owner.job
      - c:\windows\system32\mobsync.exe [2004-08-14 00:12]

      2009-08-21 c:\windows\Tasks\{BE9A28C8-2EF2-4069-BD51-3E668A4D3285}_B425632B1B4B4FF_Owner.job
      - c:\windows\system32\mobsync.exe [2004-08-14 00:12]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://www.rr.com/
      uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
      uInternet Settings,ProxyOverride = *.local
      uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
      FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xkkgcykb.default\
      FF - prefs.js: browser.startup.homepage - hxxp://www.rr.com/
      FF - HiddenExtension: XUL Cache: {D04996CF-46ED-423F-B612-C1DF9043AC1D} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{D04996CF-46ED-423F-B612-C1DF9043AC1D}\
      FF - HiddenExtension: XUL Cache: {C35294CC-9CFD-4A23-8BE5-B35C955FAB8D} - c:\documents and settings\Owner\Local Settings\Application Data\{C35294CC-9CFD-4A23-8BE5-B35C955FAB8D}

      ---- FIREFOX POLICIES ----
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota",      5120);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
      c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history",     true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata",    true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords",   false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads",   true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies",     true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache",       true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions",    true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history",                 true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata",                true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords",               false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads",               true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies",                 true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache",                   true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions",                true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps",             false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings",            false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs",    false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
      .

      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2009-08-26 17:36
      Windows 5.1.2600 Service Pack 3 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------

      [HKEY_USERS\S-1-5-21-2848627006-211567192-983045226-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DCD5A3AE-2FCA-B4E9-92A3-0458643E2A77}*]
      @Allowed: (Read) (RestrictedCode)
      @Allowed: (Read) (RestrictedCode)
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(1116)
      c:\program files\SUPERAntiSpyware\SASWINLO.dll
      c:\windows\system32\WININET.dll
      c:\windows\system32\Ati2evxx.dll

      - - - - - - - > 'explorer.exe'(1636)
      c:\windows\system32\WININET.dll
      c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
      c:\windows\system32\ieframe.dll
      c:\windows\system32\webcheck.dll
      c:\windows\system32\WPDShServiceObj.dll
      c:\windows\system32\PortableDeviceTypes.dll
      c:\windows\system32\PortableDeviceApi.dll
      c:\program files\Common Files\Symantec Shared\NPC\2.0\NPCEXT.dll
      c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\windows\system32\ati2evxx.exe
      c:\program files\Java\jre6\bin\jqs.exe
      c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
      c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
      c:\program files\Windows Media Player\wmpnetwk.exe
      c:\windows\system32\ati2evxx.exe
      c:\windows\system32\wbem\unsecapp.exe
      .
      **************************************************************************
      .
      Completion time: 2009-08-26 17:51 - machine was rebooted
      ComboFix-quarantined-files.txt  2009-08-26 23:51
      ComboFix2.txt  2009-08-26 02:12

      Pre-Run: 20,519,858,176 bytes free
      Post-Run: 20,591,841,280 bytes free

      260   --- E O F ---   2009-08-26 05:15


      HJT:

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 5:56:33 PM, on 8/26/2009
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v8.00 (8.00.6001.18702)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
      C:\WINDOWS\explorer.exe
      C:\WINDOWS\system32\notepad.exe
      C:\WINDOWS\system32\taskmgr.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
      O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
      O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
      O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
      O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233090148945
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
      O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
      O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
      O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
      O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
      O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
      O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
      O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
      O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
      O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
      O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
      O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
      O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

      --
      End of file - 5795 bytes


      -nicholas-
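The helper's next step after a fresh HJT log like the one above is a first read of the "Running processes" list and the O4, O10 and O23 lines. Below is an added example of mine, not part of this thread and not HijackThis code, that mechanises that first look: it flags images that run from temp or user-profile folders, executables sitting directly in the Windows folder, names one character away from a core system binary (a generalisation beyond anything in this particular log), services with no recorded owner, and LSPs HijackThis does not recognise. The log text is constructed in the same layout; the Ati HotKey Poller and O10 lines are copied from the log above, and both are reported as "verify" rather than as bad, because an unknown owner or unrecognised LSP on its own proves nothing (this log's own ATI driver service shows "Unknown owner"). Every other flagged entry (`example.exe`, `updater.exe`, `lsas.exe`, the `updater` Run entry, `ExampleSvc`) is invented, and the function names are mine.

```python
"""First-pass triage of a HijackThis log.  Added example: not part of this
thread and not HijackThis code; it only shows the first look a helper takes."""
import re

# Constructed log excerpt in the HijackThis v2 layout used above.  The Ati
# HotKey Poller and O10 lines are copied from the log in this thread; every
# other flagged entry (Temp-folder images, lsas.exe, 'updater', ExampleSvc)
# is made up for illustration.
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\TEMP\example.exe
C:\Documents and Settings\Owner\Local Settings\Temp\updater.exe
C:\WINDOWS\system32\lsas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [updater] C:\WINDOWS\TEMP\example.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\WINDOWS\TEMP\example.exe
"""

CORE_BINARIES = ("smss", "csrss", "winlogon", "services", "lsass", "svchost", "spoolsv", "explorer")
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")
WIN_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$")  # exe directly in C:\WINDOWS
ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - ")                     # R0/O4/O23... entry lines
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
IMAGE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.I)      # image path from a command line


def edit_distance(a, b):
    """Levenshtein distance; enough to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_path(path):
    """Reasons an image path deserves a look; an empty list means nothing odd."""
    low = path.strip().lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append("runs from a temp or user-profile folder")
    if WIN_ROOT_EXE.match(low) and stem not in ("explorer", "notepad", "regedit", "hh"):
        reasons.append("executable sits directly in the Windows folder")
    lookalikes = [c for c in CORE_BINARIES if stem != c and edit_distance(stem, c) == 1]
    if lookalikes:
        reasons.append(f"name is one character away from {lookalikes[0]}.exe")
    return reasons


def triage(log_text):
    """Walk a HijackThis log and return (where, what, reasons) triples."""
    findings, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs and not ENTRY_RE.match(line):
            reasons = classify_path(line)
            if reasons:
                findings.append(("process", line, reasons))
            continue
        in_procs = False
        m = O4_RE.match(line)
        if m:
            img = IMAGE_RE.match(m["cmd"])
            reasons = classify_path(img["path"]) if img else ["command line names no .exe image"]
            if reasons:
                findings.append((f"O4 [{m['name']}]", m["cmd"], reasons))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = classify_path(m["path"])
            if m["owner"].lower() == "unknown owner":
                # legitimate driver services show this too (the ATI one in this thread does)
                reasons.append("no publisher recorded for the service binary; verify the file")
            if reasons:
                findings.append((f"O23 {m['svc']}", m["path"], reasons))
            continue
        m = O10_RE.match(line)
        if m:
            findings.append(("O10 LSP", m["path"], ["HijackThis does not recognise this LSP; confirm it belongs to installed software"]))
    return findings


def main():
    for where, what, reasons in triage(SAMPLE_HJT):
        print(f"{where}: {what}\n    - " + "\n    - ".join(reasons))


if __name__ == "__main__":
    main()
```

Every finding is a reason to look, not a verdict: the triage deliberately reports the ATI service and the NetWare LSP line with a "verify" wording, and a clean system32 path such as svchost.exe produces no finding at all. The heuristics are the ones a helper applies by eye in this thread (where a file lives, whether its name imitates a system binary, whether anything vouches for it), written down so they can be run over any log in this layout.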


      Offline PCBruiser

      • Malware Removal Mentors
      • Ambassador
      • Diamond Member
      • Posts: 8146
      Hi,

      1.  Never use more than one anti-virus.  They will conflict and neither will work correctly.

      2.  Repair of Norton will require that you download the latest full installer for Norton from their website.  Also download this tool:

      http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

      and follow the instructions on that page to remove Norton completely.  Then reboot, and finally reinstall Norton from the fresh copy of the installer you just downloaded.  That should fix any problems with Norton not functioning correctly.

      3.  If you choose at some point not to use Norton, and want to try another anti-virus, the one I recommend is AntiVir (free) which is available here:

      http://www.free-av.com/en/download/index.html

      If you choose to use it, you must download the installer, then remove Norton using the removal tool from the previous item.  Then reboot and install AntiVir.

      4.  The free firewall I currently recommend is Online Armor from here:

      http://www.tallemu.com/free-firewall-protection-software.html

Click on Downloads on the left-hand side of the page, then use the bottom download on the next page to open.

      5.  Please post a fresh HJT log after you reinstall Norton and Online Armor.  Also tell me how your system is working now.
      Don't Read?  Can't learn!

      Offline !nick!

      • Bronze Member
      • Posts: 19
Hello,

It appears that the link you gave me for the removal tool of Norton is not working... http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

Do you have another link? And where do I get the installer download for Norton? My current product is NORTON ANTIVIRUS 2008 TECHCENTER EDITION. Another question: what is your opinion on Avast or AVG anti-virus programs? I am just curious...

      « Last Edit: August 27, 2009, 06:38:22 PM by !nick! »

      Offline PCBruiser

      • Malware Removal Mentors
      • Ambassador
      • Diamond Member
      • Posts: 8146
      Personally, I use AntiVir on all my systems. 

      http://www.free-av.com/en/download/index.html

      Avast is similar.

      Norton link was changed to:

      http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

      As to a fresh download of your version, I do not see it on the Symantec site, so you may need to contact their technical support for a download link.
      Don't Read?  Can't learn!