Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Browser Hijacked, Touchpad Disabled, HELP!

Re: Browser Hijacked, Touchpad Disabled, HELP!

Post by askey127 » February 7th, 2010, 9:15 am

In case you cannot access the Adobe FTP site, Adobe Reader has to be installed this way:
You should download and install the newest version of Adobe Reader for reading PDF files, due to the vulnerabilities in earlier versions.
All versions numbered lower than 9.3 are vulnerable.
  • Go HERE, UNCHECK any Free Add-Ons and click Download to install the latest version of Adobe Acrobat Reader.
  • After it completes the installation, close the Download Manager.
askey127, Admin/Teacher

Re: Browser Hijacked, Touchpad Disabled, HELP!

Post by suitelady28 » February 10th, 2010, 2:34 am

ComboFix 10-02-09.03 - Nikki Hester 02/09/2010 23:56:07.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.260 [GMT -5:00]
Running from: c:\documents and settings\Nikki Hester\Desktop\lady.exe
Command switches used :: c:\documents and settings\Nikki Hester\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\fogigar.dll"
"c:\windows\system32\spool\prtprocs\w32x86\68.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\spool\prtprocs\w32x86\68.tmp

Infected copy of c:\windows\system32\kernel32.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\kernel32.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-10 to 2010-02-10 )))))))))))))))))))))))))))))))
.

2010-02-06 23:19 . 2010-02-06 23:19 -------- d-----w- c:\program files\ESET
2010-02-06 22:53 . 2010-02-06 22:53 -------- d-----w- c:\program files\CCleaner
2010-02-06 17:28 . 2009-08-21 17:50 15360 ----a-w- c:\windows\system32\drivers\nnrnstdi.sys
2010-02-06 17:28 . 2009-08-21 17:44 9088 ----a-w- c:\windows\system32\drivers\km_filter.sys
2010-02-06 17:27 . 2009-08-21 17:50 24192 ----a-w- c:\windows\system32\drivers\nielprt.sys
2010-02-06 17:27 . 2009-08-21 17:51 9088 ----a-w- c:\windows\system32\drivers\nielgfx.sys
2010-02-06 17:22 . 2010-02-06 17:22 -------- d-----w- c:\program files\NetRatingsNetSight
2010-02-05 03:25 . 2010-02-05 03:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-02-05 02:59 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-05 02:59 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-05 01:19 . 2010-02-05 01:19 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-05 01:17 . 2010-02-05 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-05 01:17 . 2010-02-05 01:17 -------- d-----w- c:\program files\NOS
2010-02-04 03:25 . 2010-02-04 03:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-04 03:20 . 2010-02-04 03:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-04 03:19 . 2010-02-04 03:20 -------- d-----w- c:\program files\Google
2010-01-30 21:24 . 2010-01-30 21:25 -------- d-----w- C:\rsit
2010-01-30 17:49 . 2010-02-02 20:38 0 ----a-w- c:\windows\Akomeroqaxacod.bin
2010-01-30 17:49 . 2010-02-02 20:38 120 ----a-w- c:\windows\Amufanunev.dat
2010-01-21 00:40 . 2010-01-21 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-21 00:39 . 2010-01-21 00:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-21 00:39 . 2010-01-21 00:39 -------- d-----w- c:\documents and settings\Nikki Hester\Application Data\SUPERAntiSpyware.com
2010-01-19 03:19 . 2010-01-19 03:19 -------- d-----w- c:\documents and settings\Nikki Hester\Local Settings\Application Data\Mozilla
2010-01-18 16:54 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-01-17 20:05 . 2010-01-17 20:05 -------- d-----w- c:\program files\Trend Micro
2010-01-16 06:12 . 2008-04-13 18:57 14336 ------w- c:\windows\system32\drivers\asyncmac.sys
2010-01-15 19:11 . 2010-01-15 19:11 -------- d-----w- c:\documents and settings\Nikki Hester\Application Data\FoxyTunes
2010-01-15 19:11 . 2010-01-15 19:11 -------- d-----w- c:\program files\FoxyTunes
2010-01-15 06:14 . 2010-01-15 06:14 -------- d-----w- c:\documents and settings\Nikki Hester\Local Settings\Application Data\Yahoo
2010-01-15 06:12 . 2010-01-15 06:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-01-13 23:06 . 2010-01-13 23:06 -------- d-----w- c:\program files\Common Files\xing shared
2010-01-11 23:21 . 2010-01-22 02:45 -------- d-----w- c:\documents and settings\Nikki Hester\Local Settings\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 03:30 . 2008-10-22 05:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-05 01:30 . 2005-10-18 04:39 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-05 01:17 . 2010-02-05 01:17 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-01 08:50 . 2004-08-04 03:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-30 20:00 . 2005-10-18 05:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-30 19:54 . 2005-10-07 00:09 -------- d-----w- c:\program files\Java
2010-01-30 19:54 . 2005-10-07 00:09 -------- d-----w- c:\program files\Common Files\Java
2010-01-30 19:27 . 2008-04-19 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-30 19:27 . 2005-10-18 05:16 -------- d-----w- c:\program files\Lavasoft
2010-01-27 03:00 . 2010-01-27 03:00 348160 ----a-w- c:\documents and settings\Nikki Hester\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1cde8872-n\msvcr71.dll
2010-01-27 03:00 . 2010-01-27 03:00 503808 ----a-w- c:\documents and settings\Nikki Hester\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1cde8872-n\msvcp71.dll
2010-01-27 03:00 . 2010-01-27 03:00 499712 ----a-w- c:\documents and settings\Nikki Hester\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1cde8872-n\jmc.dll
2010-01-27 03:00 . 2010-01-27 03:00 61440 ----a-w- c:\documents and settings\Nikki Hester\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6a1d2174-n\decora-sse.dll
2010-01-27 03:00 . 2010-01-27 03:00 12800 ----a-w- c:\documents and settings\Nikki Hester\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6a1d2174-n\decora-d3d.dll
2010-01-22 01:42 . 2005-10-24 14:03 48096 ----a-w- c:\documents and settings\Nikki Hester\Application Data\wklnhst.dat
2010-01-21 00:41 . 2010-01-21 00:41 52224 ----a-w- c:\documents and settings\Nikki Hester\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-21 00:41 . 2010-01-21 00:41 117760 ----a-w- c:\documents and settings\Nikki Hester\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-20 23:54 . 2006-03-31 18:11 -------- d-----w- c:\program files\McAfee
2010-01-18 16:55 . 2010-01-18 16:55 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-01-15 06:15 . 2007-08-04 04:33 -------- d-----w- c:\documents and settings\Nikki Hester\Application Data\Yahoo!
2010-01-15 06:11 . 2005-10-19 00:49 -------- d-----w- c:\program files\Yahoo!
2010-01-15 06:07 . 2007-08-04 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-01-13 23:08 . 2005-10-07 00:26 -------- d-----w- c:\program files\Common Files\Real
2010-01-13 22:55 . 2010-01-13 22:55 402952 ----a-w- c:\documents and settings\Nikki Hester\Application Data\Real\RealPlayer\setup\AU_setup11.exe
2010-01-11 00:42 . 2009-05-17 20:15 -------- d-----w- c:\documents and settings\Nikki Hester\Application Data\ZoomBrowser EX
2010-01-11 00:08 . 2007-07-18 01:48 -------- d-----w- c:\program files\Common Files\Apple
2010-01-10 08:10 . 2009-10-01 03:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-01-10 06:16 . 2010-01-10 06:11 -------- d-----w- c:\program files\DivX
2010-01-10 06:13 . 2010-01-10 06:11 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-01-10 04:46 . 2010-01-10 04:42 -------- d-----w- c:\program files\QuickTime
2009-12-21 19:14 . 2004-08-11 22:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 22:14 . 2009-02-18 19:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-13 02:43 . 2009-12-13 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SpinTop Games
2009-12-13 02:42 . 2009-12-13 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayTime
2009-11-21 15:51 . 2004-08-11 22:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 11:08 . 2010-02-05 01:21 38784 ----a-w- c:\documents and settings\Nikki Hester\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-14 00:49 . 2010-01-10 06:15 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-11-14 00:49 . 2010-01-10 06:15 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-11-14 00:49 . 2010-01-10 06:15 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-11-14 00:49 . 2010-01-10 06:15 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-11-14 00:49 . 2010-01-10 06:15 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-11-14 00:49 . 2010-01-10 06:15 129784 ------w- c:\windows\system32\pxafs.dll
2009-11-14 00:47 . 2009-11-14 00:47 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2008-10-21 03:16 . 2008-10-21 03:16 16624 ----a-w- c:\program files\Common Files\byzuwa.com
2008-10-21 03:16 . 2008-10-21 03:16 15370 ----a-w- c:\program files\Common Files\ymunagu.lib
2005-10-18 05:02 . 2007-02-20 02:42 774144 ----a-w- c:\program files\RngInterstitial.dll
2009-08-21 17:52 . 2010-02-06 17:28 180224 ----a-w- c:\program files\mozilla firefox\components\nsgkff31_meter1.dll
2004-08-04 10:00 . 2006-01-12 19:42 73728 --sha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-04 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-15 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-15 126976]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-13 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"NielsenOnline"="c:\program files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2009-10-30 47456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe"
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" /startup
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe"
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"Dell QuickSet"=c:\program files\Dell\QuickSet\quickset.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\PokerStars.NET\\PokerStarsUpdate.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys [2/6/2010 12:27 PM 24192]
R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [2/6/2010 12:28 PM 15360]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [2/6/2010 12:28 PM 9088]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 10:20 PM 135664]
S3 0879oo;0879oo;\??\c:\windows\system32\drivers\0879oo.sys --> c:\windows\system32\drivers\0879oo.sys [?]
S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys [2/6/2010 12:27 PM 9088]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 03:20]

2010-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 03:20]

2010-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-01 16:22]

2010-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-01 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.my.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
Trusted Zone: //rhap-app-4-0.real.com/
Trusted Zone: //rhapapp.real.com/
Trusted Zone: yahoo.com\my
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://clubgames.pogo.com/online2/pogop ... uncher.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://www.gamehouse.com/realarcade-web ... player.cab
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://clubgames.pogo.com/online2/pogop ... uncher.cab
FF - ProfilePath - c:\documents and settings\Nikki Hester\Application Data\Mozilla\Firefox\Profiles\nmz0nzaa.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-10 00:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\documents and settings\Nikki Hester\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\Nikki Hester\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(2540)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\SiteAdvisor\McSACore.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\fxssvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-02-10 00:43:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-10 05:43
ComboFix2.txt 2010-02-04 18:36
ComboFix3.txt 2010-02-04 04:26
ComboFix4.txt 2010-02-03 01:50

Pre-Run: 48,562,601,984 bytes free
Post-Run: 48,651,751,424 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,3,4,5,6
- - End Of File - - ED7F0350FD72A9EFD10297D65FAFA0E7





Malwarebytes' Anti-Malware 1.44
Database version: 3718
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/10/2010 1:34:02 AM
mbam-log-2010-02-10 (01-34-02).txt

Scan type: Quick Scan
Objects scanned: 136348
Time elapsed: 16 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
suitelady28, Active Member

Re: Browser Hijacked, Touchpad Disabled, HELP!

Post by askey127 » February 10th, 2010, 9:46 am

suitelady28,
You are doing well. This is a difficult infection, which tries all kinds of tricks to prevent removal, but we are getting it.
A little repair, and double check:
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000000
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    (image: CFScript.txt being dragged onto ComboFix.exe)
  • Now drag and drop the CFScript.txt icon onto combofix.exe as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
-----------------------------------------------
Run Eset NOD32 Online AntiVirus
http://www.eset.eu/online-scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable or Exit your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile will be created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please paste the contents of this file in your post.

So we are looking for the contents of C:\Combofix.txt and the log from the ESET scan.
askey127
askey127, Admin/Teacher
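The two log findings that askey127's CFScript targets, the Security Center "DisableMonitoring" values set to 1 under the McAfee keys, are easy to miss in a ComboFix log of this size, and so are the service entries whose driver file ComboFix could not find (Lbd.sys and 0879oo.sys, printed with a trailing "--> path [?]"). The following Python is an added example, not part of this thread and not ComboFix's own tooling: it parses the Reg Loading Points and service lines of a log in the shape posted above, flags disabled monitoring and a disabled XP firewall, lists service entries with missing image files, and emits the same "Registry::" block askey127 posted. The sample log text is constructed from lines in this thread, and all function names are this example's own.

```python
"""Triage the security-relevant lines of a ComboFix log (added example, not ComboFix tooling)."""
import re

# Constructed sample: a handful of lines in the shape ComboFix prints, abridged
# from the log posted in this thread. Not a real file taken from the machine.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys [2/6/2010 12:27 PM 24192]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 0879oo;0879oo;\??\c:\windows\system32\drivers\0879oo.sys --> c:\windows\system32\drivers\0879oo.sys [?]
"""

REG_KEY_RE = re.compile(r"^\[(.+)\]\s*$")             # [HKEY_...] section header
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "Name"=value
# Service/driver line: "<start> <name>;<display>;<image> --> <image> [?]".
# The trailing "--> path [?]" is how ComboFix marks an image file it could not find.
MISSING_SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+-->\s+(.*?)\s+\[\?\]\s*$")


def parse_reg_values(log_text):
    """Return (key, value_name, raw_value) triples from the REGEDIT4-style section."""
    values, current_key = [], None
    for line in log_text.splitlines():
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = REG_VALUE_RE.match(line)
        if m and current_key is not None:
            values.append((current_key, m.group(1), m.group(2).strip()))
    return values


def reg_int(raw_value):
    """Decode 'dword:00000001' or ComboFix's '0 (0x0)' form into an int; None if not numeric."""
    m = re.match(r"dword:([0-9a-fA-F]{1,8})", raw_value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", raw_value)
    return int(m.group(1)) if m else None


def find_disabled_security(values):
    """(key, name) pairs where Security Center monitoring is off or the XP firewall is disabled."""
    findings = []
    for key, name, raw in values:
        n = reg_int(raw)
        if name.lower() == "disablemonitoring" and n == 1:
            findings.append((key, name))
        elif name.lower() == "enablefirewall" and n == 0:
            findings.append((key, name))
    return findings


def find_missing_service_files(log_text):
    """(start type, service name, missing path) for services whose image file was not found."""
    return [(m.group(1), m.group(2), m.group(5))
            for m in map(MISSING_SERVICE_RE.match, log_text.splitlines()) if m]


def build_cfscript(findings):
    """Emit a ComboFix 'Registry::' block that resets the flagged DisableMonitoring values to 0.

    Only the full HKEY_LOCAL_MACHINE Security Center keys are scripted, exactly as in the
    thread. EnableFirewall is reported but not scripted: ComboFix prints that key in its
    '~' shorthand, and whether the XP firewall should be on depends on which firewall
    (here McAfee's) is meant to be active.
    """
    lines = ["Registry::"]
    for key, name in findings:
        if name.lower() == "disablemonitoring":
            lines += [f"[{key}]", f'"{name}"=dword:00000000', ""]
    return "\n".join(lines)


def triage(log_text):
    """Bundle the three checks for one log."""
    disabled = find_disabled_security(parse_reg_values(log_text))
    return {"disabled": disabled,
            "missing_service_files": find_missing_service_files(log_text),
            "cfscript": build_cfscript(disabled)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, name in result["disabled"]:
        print(f"DISABLED  {name} under {key}")
    for start, name, path in result["missing_service_files"]:
        print(f"MISSING   {start} {name}: {path}")
    print(result["cfscript"])
```

Run it against a saved C:\ComboFix.txt by reading the file into triage() instead of SAMPLE_LOG. A service entry with a missing image file is not by itself malicious (Lbd.sys belongs to Lavasoft Ad-Aware, which the log shows installed), but a randomly named one such as 0879oo.sys with no file on disk is the kind of leftover that ComboFix's log is meant to surface for the helper.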

Re: Browser Hijacked, Touchpad Disabled, HELP!

Post by suitelady28 » February 11th, 2010, 12:38 am

ComboFix 10-02-10.04 - Nikki Hester 02/10/2010 21:01:03.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.267 [GMT -5:00]
Running from: c:\documents and settings\Nikki Hester\Desktop\ComboFix.exe.exe
Command switches used :: c:\documents and settings\Nikki Hester\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-01-11 to 2010-02-11 )))))))))))))))))))))))))))))))
.

2010-02-10 20:20 . 2010-02-10 20:20 -------- d-----w- c:\windows\LastGood
2010-02-06 23:19 . 2010-02-06 23:19 -------- d-----w- c:\program files\ESET
2010-02-06 22:53 . 2010-02-06 22:53 -------- d-----w- c:\program files\CCleaner
2010-02-06 17:28 . 2009-08-21 17:50 15360 ----a-w- c:\windows\system32\drivers\nnrnstdi.sys
2010-02-06 17:28 . 2009-08-21 17:44 9088 ----a-w- c:\windows\system32\drivers\km_filter.sys
2010-02-06 17:27 . 2009-08-21 17:50 24192 ----a-w- c:\windows\system32\drivers\nielprt.sys
2010-02-06 17:27 . 2009-08-21 17:51 9088 ----a-w- c:\windows\system32\drivers\nielgfx.sys
2010-02-06 17:22 . 2010-02-06 17:22 -------- d-----w- c:\program files\NetRatingsNetSight
2010-02-05 03:25 . 2010-02-05 03:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-02-05 02:59 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-05 02:59 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-05 01:19 . 2010-02-05 01:19 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-05 01:17 . 2010-02-05 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-05 01:17 . 2010-02-05 01:17 -------- d-----w- c:\program files\NOS
2010-02-04 03:25 . 2010-02-04 03:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-04 03:20 . 2010-02-04 03:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-04 03:19 . 2010-02-04 03:20 -------- d-----w- c:\program files\Google
2010-01-30 21:24 . 2010-01-30 21:25 -------- d-----w- C:\rsit
2010-01-30 17:49 . 2010-02-02 20:38 0 ----a-w- c:\windows\Akomeroqaxacod.bin
2010-01-30 17:49 . 2010-02-02 20:38 120 ----a-w- c:\windows\Amufanunev.dat
2010-01-21 00:40 . 2010-01-21 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-21 00:39 . 2010-01-21 00:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-21 00:39 . 2010-01-21 00:39 -------- d-----w- c:\documents and settings\Nikki Hester\Application Data\SUPERAntiSpyware.com
2010-01-19 03:19 . 2010-01-19 03:19 -------- d-----w- c:\documents and settings\Nikki Hester\Local Settings\Application Data\Mozilla
2010-01-18 16:54 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-01-17 20:05 . 2010-01-17 20:05 -------- d-----w- c:\program files\Trend Micro
2010-01-16 06:12 . 2008-04-13 18:57 14336 ------w- c:\windows\system32\drivers\asyncmac.sys
2010-01-15 19:11 . 2010-01-15 19:11 -------- d-----w- c:\documents and settings\Nikki Hester\Application Data\FoxyTunes
2010-01-15 19:11 . 2010-01-15 19:11 -------- d-----w- c:\program files\FoxyTunes
2010-01-15 06:14 . 2010-01-15 06:14 -------- d-----w- c:\documents and settings\Nikki Hester\Local Settings\Application Data\Yahoo
2010-01-15 06:12 . 2010-01-15 06:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-01-13 23:06 . 2010-01-13 23:06 -------- d-----w- c:\program files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 03:30 . 2008-10-22 05:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-05 01:30 . 2005-10-18 04:39 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-05 01:17 . 2010-02-05 01:17 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-01 08:50 . 2004-08-04 03:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-30 20:00 . 2005-10-18 05:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-30 19:54 . 2005-10-07 00:09 -------- d-----w- c:\program files\Java
2010-01-30 19:54 . 2005-10-07 00:09 -------- d-----w- c:\program files\Common Files\Java
2010-01-30 19:27 . 2008-04-19 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-30 19:27 . 2005-10-18 05:16 -------- d-----w- c:\program files\Lavasoft
2010-01-27 03:00 . 2010-01-27 03:00 348160 ----a-w- c:\documents and settings\Nikki Hester\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1cde8872-n\msvcr71.dll
2010-01-27 03:00 . 2010-01-27 03:00 503808 ----a-w- c:\documents and settings\Nikki Hester\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1cde8872-n\msvcp71.dll
2010-01-27 03:00 . 2010-01-27 03:00 499712 ----a-w- c:\documents and settings\Nikki Hester\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1cde8872-n\jmc.dll
2010-01-27 03:00 . 2010-01-27 03:00 61440 ----a-w- c:\documents and settings\Nikki Hester\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6a1d2174-n\decora-sse.dll
2010-01-27 03:00 . 2010-01-27 03:00 12800 ----a-w- c:\documents and settings\Nikki Hester\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6a1d2174-n\decora-d3d.dll
2010-01-22 01:42 . 2005-10-24 14:03 48096 ----a-w- c:\documents and settings\Nikki Hester\Application Data\wklnhst.dat
2010-01-21 00:41 . 2010-01-21 00:41 52224 ----a-w- c:\documents and settings\Nikki Hester\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-21 00:41 . 2010-01-21 00:41 117760 ----a-w- c:\documents and settings\Nikki Hester\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-20 23:54 . 2006-03-31 18:11 -------- d-----w- c:\program files\McAfee
2010-01-18 16:55 . 2010-01-18 16:55 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-01-15 06:15 . 2007-08-04 04:33 -------- d-----w- c:\documents and settings\Nikki Hester\Application Data\Yahoo!
2010-01-15 06:11 . 2005-10-19 00:49 -------- d-----w- c:\program files\Yahoo!
2010-01-15 06:07 . 2007-08-04 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-01-13 23:08 . 2005-10-07 00:26 -------- d-----w- c:\program files\Common Files\Real
2010-01-13 22:55 . 2010-01-13 22:55 402952 ----a-w- c:\documents and settings\Nikki Hester\Application Data\Real\RealPlayer\setup\AU_setup11.exe
2010-01-11 00:42 . 2009-05-17 20:15 -------- d-----w- c:\documents and settings\Nikki Hester\Application Data\ZoomBrowser EX
2010-01-11 00:08 . 2007-07-18 01:48 -------- d-----w- c:\program files\Common Files\Apple
2010-01-10 08:10 . 2009-10-01 03:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-01-10 06:16 . 2010-01-10 06:11 -------- d-----w- c:\program files\DivX
2010-01-10 06:13 . 2010-01-10 06:11 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-01-10 04:46 . 2010-01-10 04:42 -------- d-----w- c:\program files\QuickTime
2009-12-21 19:14 . 2004-08-11 22:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 22:14 . 2009-02-18 19:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-13 02:43 . 2009-12-13 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SpinTop Games
2009-12-13 02:42 . 2009-12-13 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayTime
2009-11-21 15:51 . 2004-08-11 22:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 11:08 . 2010-02-05 01:21 38784 ----a-w- c:\documents and settings\Nikki Hester\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-14 00:49 . 2010-01-10 06:15 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-11-14 00:49 . 2010-01-10 06:15 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-11-14 00:49 . 2010-01-10 06:15 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-11-14 00:49 . 2010-01-10 06:15 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-11-14 00:49 . 2010-01-10 06:15 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-11-14 00:49 . 2010-01-10 06:15 129784 ------w- c:\windows\system32\pxafs.dll
2009-11-14 00:47 . 2009-11-14 00:47 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2008-10-21 03:16 . 2008-10-21 03:16 16624 ----a-w- c:\program files\Common Files\byzuwa.com
2008-10-21 03:16 . 2008-10-21 03:16 15370 ----a-w- c:\program files\Common Files\ymunagu.lib
2005-10-18 05:02 . 2007-02-20 02:42 774144 ----a-w- c:\program files\RngInterstitial.dll
2009-08-21 17:52 . 2010-02-06 17:28 180224 ----a-w- c:\program files\mozilla firefox\components\nsgkff31_meter1.dll
2004-08-04 10:00 . 2006-01-12 19:42 73728 --sha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-02-04_04.17.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-10 06:04 . 2010-02-10 06:04 16384 c:\windows\Temp\Perflib_Perfdata_45c.dat
+ 2010-02-04 04:27 . 2010-02-10 22:20 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-10-13 03:13 . 2010-02-10 22:20 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-10-13 03:13 . 2010-02-04 00:52 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-02-10 17:17 . 2010-02-10 22:20 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-02-05 01:22 . 2010-02-05 01:22 24576 c:\windows\Installer\9ae8418.msi
+ 2010-02-05 01:20 . 2010-02-05 01:20 27648 c:\windows\Installer\9ae8413.msi
+ 2010-02-06 17:28 . 2009-08-21 17:51 9088 c:\windows\system32\ReinstallBackups\0015\DriverFiles\nielgfx.sys
- 2009-04-28 18:09 . 2008-12-16 17:44 1112288 c:\windows\system32\WdfCoInstaller01007.dll
+ 2009-04-28 18:09 . 2008-12-16 18:44 1112288 c:\windows\system32\WdfCoInstaller01007.dll
+ 2010-02-05 01:32 . 2010-02-05 01:32 3940352 c:\windows\Installer\9ae841d.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-04 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-15 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-15 126976]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-13 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"NielsenOnline"="c:\program files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2009-10-30 47456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe"
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" /startup
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe"
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"Dell QuickSet"=c:\program files\Dell\QuickSet\quickset.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\PokerStars.NET\\PokerStarsUpdate.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys [2/6/2010 12:27 PM 24192]
R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [2/6/2010 12:28 PM 15360]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/30/2009 10:18 PM 93320]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/30/2009 5:19 PM 24652]
R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [2/6/2010 12:28 PM 9088]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 10:20 PM 135664]
S3 0879oo;0879oo;\??\c:\windows\system32\drivers\0879oo.sys --> c:\windows\system32\drivers\0879oo.sys [?]
S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys [2/6/2010 12:27 PM 9088]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 03:20]

2010-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 03:20]

2010-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-01 16:22]

2010-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-01 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.my.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
Trusted Zone: //rhap-app-4-0.real.com/
Trusted Zone: //rhapapp.real.com/
Trusted Zone: yahoo.com\my
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://clubgames.pogo.com/online2/pogop ... uncher.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://www.gamehouse.com/realarcade-web ... player.cab
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://clubgames.pogo.com/online2/pogop ... uncher.cab
FF - ProfilePath - c:\documents and settings\Nikki Hester\Application Data\Mozilla\Firefox\Profiles\nmz0nzaa.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-10 21:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\documents and settings\Nikki Hester\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\Nikki Hester\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2010-02-10 21:22:51
ComboFix-quarantined-files.txt 2010-02-11 02:22
ComboFix2.txt 2010-02-10 05:43
ComboFix3.txt 2010-02-04 18:36
ComboFix4.txt 2010-02-04 04:26
ComboFix5.txt 2010-02-11 01:58

Pre-Run: 49,739,919,360 bytes free
Post-Run: 49,805,729,792 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,3,4,5,6
- - End Of File - - EA4C0B6F0F64DC9FEC5F51D7A96F5C70





ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=7467cc83ce0f3a4196b99625eb1e6257
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-07 01:03:52
# local_time=2010-02-06 08:03:52 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 1657540 1657540 0 0
# compatibility_mode=5121 16776869 100 96 5929076 17507784 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=84400
# found=15
# cleaned=0
# scan_time=5573
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.SJ virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP18\A0009681.dll a variant of Win32/Losfondup.A trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP20\A0011718.dll a variant of Win32/Losfondup.A trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0003113.dll a variant of Win32/Kryptik.CBR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0003114.dll a variant of Win32/Kryptik.CBR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0003115.dll a variant of Win32/Kryptik.CBR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0005108.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0005111.dll a variant of Win32/Kryptik.CBR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0005112.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0005113.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0005114.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0005115.dll a variant of Win32/Kryptik.CBR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0005116.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\WINDOWS\system32\fogigar.dll a variant of Win32/Losfondup.A trojan 00000000000000000000000000000000 I
C:\WINDOWS\system32\spool\prtprocs\w32x86\68.tmp a variant of Win32/Kryptik.BQU trojan 00000000000000000000000000000000 I
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=7467cc83ce0f3a4196b99625eb1e6257
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-11 04:30:17
# local_time=2010-02-10 11:30:17 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 2015701 2015701 0 0
# compatibility_mode=5121 16776869 100 96 6287237 17865945 0 0
# compatibility_mode=8192 67108863 100 0 276051 276051 0 0
# scanned=82185
# found=2
# cleaned=0
# scan_time=5402
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.SJ virus 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\68.tmp.vir a variant of Win32/Kryptik.BQU trojan 00000000000000000000000000000000 I
suitelady28
Active Member
 
Posts: 9
Joined: January 24th, 2010, 2:31 pm
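
The ESET listings above mix three kinds of hit: files already renamed into ComboFix's quarantine (C:\Qoobox\Quarantine\...\*.vir), copies inside System Restore snapshots (System Volume Information\_restore...), and files still live on the system (fogigar.dll and 68.tmp in the first scan). Only the last group needs removal; the other two are inert unless restored. The Python below is an added example, not part of the thread or of ESET's tooling: it parses the "# key=value" header and result lines in the format posted above and sorts every detection into those buckets. The sample log is an excerpt of the first scan with the "# found=" value reduced to match the five lines kept.

```python
"""Triage an ESET Online Scanner result list by where each detection lives.

Added example, not the forum's or ESET's own code. It parses the posted log
format and separates live files from quarantine and restore-point copies.
"""
import re
from collections import defaultdict

# One result line: <path> <detection name> <32-hex hash> <flag>.
# The path may contain spaces ("System Volume Information"), so the detection
# name is recognised by its "Family/Name" token rather than by column position.
RESULT_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+.*?)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$"
)

# Excerpt of the first scan posted above; '# found=' adjusted to the 5 lines kept
# (the real log reported 15). Everything else is verbatim.
SAMPLE_LOG = """\
# version=7
# end=finished
# remove_checked=false
# found=5
# cleaned=0
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\drivers\\atapi.sys.vir Win32/Olmarik.SJ virus 00000000000000000000000000000000 I
C:\\System Volume Information\\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP18\\A0009681.dll a variant of Win32/Losfondup.A trojan 00000000000000000000000000000000 I
C:\\System Volume Information\\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP5\\A0005108.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\\WINDOWS\\system32\\fogigar.dll a variant of Win32/Losfondup.A trojan 00000000000000000000000000000000 I
C:\\WINDOWS\\system32\\spool\\prtprocs\\w32x86\\68.tmp a variant of Win32/Kryptik.BQU trojan 00000000000000000000000000000000 I
"""


def parse_header(text):
    """Return the '# key=value' lines as a dict (values kept as strings)."""
    header = {}
    for line in text.splitlines():
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
    return header


def parse_results(text):
    """Return one dict (path, detection, hash, flag) per detection line."""
    results = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = RESULT_RE.match(line)
        if m:
            results.append(m.groupdict())
    return results


def classify(path):
    """Bucket a detection by location.

    quarantine    - under ComboFix's C:\\Qoobox\\Quarantine (renamed .vir, inert)
    restore_point - a System Restore snapshot copy, only dangerous if restored
    live          - anything else: a file the running system can still load
    """
    lowered = path.lower()
    if lowered.startswith("c:\\qoobox\\quarantine\\"):
        return "quarantine"
    if "\\system volume information\\_restore" in lowered:
        return "restore_point"
    return "live"


def triage(text):
    """Parse a scan log and return buckets plus two sanity flags.

    'consistent' is False when the number of parsed result lines differs from
    the scanner's own '# found=' count (a line was truncated or reformatted
    when pasted). 'detect_only' is True when the scan was run without cleaning,
    i.e. every listed file is still in place.
    """
    header = parse_header(text)
    results = parse_results(text)
    buckets = defaultdict(list)
    for r in results:
        buckets[classify(r["path"])].append(r["path"])
    found = int(header.get("found", len(results)))
    return {
        "buckets": dict(buckets),
        "live": buckets.get("live", []),
        "consistent": found == len(results),
        "detect_only": header.get("cleaned") == "0"
        and header.get("remove_checked") == "false",
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for bucket, paths in sorted(report["buckets"].items()):
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
    print("still needs removal:", report["live"])
```

Run against the second scan posted above, the "live" list is empty and both hits sit in quarantine, which is the state askey127 reads as clean.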

Re: Browser Hijacked, Touchpad Disabled, HELP!

Unread postby askey127 » February 11th, 2010, 7:22 am

suitelady28,
Good work. It appears that your system is clean.
A couple of tidying-up operations, followed by a few suggestions for your safety going forward:
-----------------------------------------------------------
Click START then RUN
Type Combofix /uninstall in the Run box and click OK. Note the space between Combofix and /uninstall.
When shown the disclaimer, Select "2"
-----------------------------------------------------------
Start Internet Explorer and click on Tools, Internet Options.
Click on the Security tab. Click on Trusted Sites and the Sites button
Highlight all the Yahoo.com and real.com entries and choose Remove.
(Don't ever allow anything except Microsoft or your Internet Provider into the Trusted Zone.)
-----------------------------------------------------------
You can use SuperAntiSpyware and scan with it if you wish, but don't ever use its BOOTSAFE utility. It could render your machine unbootable.
If you decide on the paid version of Malwarebytes Anti-Malware, it runs continuously, so you would need to shut off or Uninstall SuperAntiSpyware.
You can only safely run one anti-spyware application at a time, in addition to McAfee AntiVirus.
-----------------------------------------------------------
Check the Security center in Control Panel and make sure it shows Firewall ON, Antivirus ON, Automatic Updates ON.
-----------------------------------------------------------
Replace the Current HOSTS File with MVPs
Download HostsXpert and unzip (extract) it to your computer, somewhere where you can find it.
  • Double click on HostsXpert.exe to launch the program. Give whatever Permissions are required.
  • In the bottom half of the left pane, click on File Handling
  • If the first button at the top is labeled Make Writeable?, click on it so the label changes to Make Read Only
  • Click third button from the bottom, labeled Download. A couple new buttons will appear at the top.
  • Click on the top button labeled MVPs Hosts and choose Replace
  • When asked to verify if you want to Replace present Hosts file, click OK.
  • When it finishes, click on File Handling again.
  • Click the button at the top labeled Make Read Only, so the label changes to Make Writeable?
  • Hit the X in the upper right corner to exit HostsXpert
If you have a separate third party firewall, or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.
-----------------------------------------------------------
Install WinPatrol - Download and Install the Free WinPatrol, and view Instructions here: http://www.winpatrol.com/winpatrol.html
- WinPatrol is an active program that drops a "Scotty Dog" icon into the system tray (right click to check/change status), allows you to monitor/edit startups, services, Browser helpers, and prompts for permission if any program tries to change your system.

Good Luck !
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
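
The HOSTS replacement step above swaps in the MVPs list wholesale, which also hides what a hijacked HOSTS file was doing. A quick audit of the existing file (on Windows XP it is C:\WINDOWS\system32\drivers\etc\hosts) shows the two patterns worth knowing about before overwriting: a real hostname mapped to a routable address (a redirect) and a security vendor or update host mapped to loopback or 0.0.0.0 (a block that keeps antivirus and Windows Update from reaching home). The Python below is an added example, not code from the thread, HostsXpert or the MVPs project; the sample HOSTS text and the list of protected domains are constructed for illustration, and the redirect address 198.51.100.7 is a documentation-range IP, not a real site.

```python
"""Audit a Windows HOSTS file for hijacked (redirecting or blocking) entries.

Added example, not from the thread, HostsXpert or the MVPs project. Mapping an
ad or tracking host to 0.0.0.0 / 127.0.0.1, which is what the MVPs list does,
is treated as normal; everything else is reported.
"""
import ipaddress

# Illustrative list (an assumption for this example) of domains that malware
# commonly blocks so updates and cleanup tools cannot phone home.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com",
    "mcafee.com", "malwarebytes.org", "superantispyware.com",
    "eset.com", "trendmicro.com", "lavasoft.com",
)

# Constructed sample: the stock XP localhost line, two MVPs-style blocks,
# two blocked security hosts and one redirected real site.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ads.example.net            # MVPs-style block: normal
0.0.0.0  tracker.example.org  stats.example.org
127.0.0.1  www.mcafee.com           # blocks the AV vendor: hijack
127.0.0.1  update.microsoft.com     # blocks Windows Update: hijack
198.51.100.7  www.google.com        # redirects a real site: hijack
::1  localhost
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            yield parts[0], name.lower(), n


def is_protected(hostname):
    """True when the host is, or is under, one of the protected domains."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in PROTECTED_SUFFIXES)


def is_sink(ip):
    """True for 0.0.0.0, 127.x.x.x and ::1: the addresses a blocklist uses.

    Raises ValueError for text that is not an IP address at all.
    """
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text):
    """Return a list of (kind, hostname, ip, line_no) findings.

    kind is 'redirect' (routable address), 'block' (protected host sent to
    a sink) or 'malformed' (first column is not an IP address).
    """
    findings = []
    for ip, name, n in parse_hosts(text):
        try:
            sink = is_sink(ip)
        except ValueError:
            findings.append(("malformed", name, ip, n))
            continue
        if name in ("localhost", "localhost.localdomain") and sink:
            continue  # the stock entry every HOSTS file carries
        if not sink:
            findings.append(("redirect", name, ip, n))
        elif is_protected(name):
            findings.append(("block", name, ip, n))
    return findings


if __name__ == "__main__":
    for kind, name, ip, n in audit_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {kind:9s} {name} -> {ip}")
```

To audit a real file, pass the contents of the system HOSTS file to audit_hosts instead of SAMPLE_HOSTS; an empty result means the file only blocks, and only blocks hosts that are not on the protected list.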

Re: Browser Hijacked, Touchpad Disabled, HELP!

Unread postby NonSuch » February 15th, 2010, 1:27 am

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California