HiJackThis Logs.

Re: HiJackThis Logs.

Post by askey127 » August 24th, 2010, 6:20 am

Bezzy2829
I would like to try running Gmer again.
------------------------------------------------
Download and Run Rkill
Please download Rkill from one of the following links and save to your Desktop:
One, Two, Three or Four
  • Double click on Rkill. (Right-click and "Run as administrator" in Vista/Win7).
  • A command window will open, then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.
Note: If your security software warns about Rkill, please ignore and allow the download to continue. If you cannot get one of the downloads to work for you, try one of the other links.
If you cannot get Rkill to run without being stopped, don't proceed further, and post back to tell me about it.
-------------------------------------------------
Please run GMER Rootkit Scanner from your desktop
  • Right-click the .exe file and choose Run as Administrator. If asked to allow the gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.

askey127

Re: HiJackThis Logs.

Post by Bezzy2829 » August 24th, 2010, 8:34 am

Computer crashed again

Re: HiJackThis Logs.

Post by askey127 » August 24th, 2010, 9:51 am

Did Rkill open a window and then close it again?
Did it only crash on Gmer?

Re: HiJackThis Logs.

Post by Bezzy2829 » August 24th, 2010, 9:59 am

Only crashed on Gmer

Re: HiJackThis Logs.

Post by askey127 » August 24th, 2010, 11:38 am

Bezzy,
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software BEFORE running ComboFix.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE NORTON ANTIVIRUS
    Please navigate to the system tray in the bottom right-hand corner and look for the Norton icon.
    • right-click it -> choose "Disable Auto-Protect."
    • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
    • click "Ok."
    • a popup will warn that protection will now be disabled.
    Norton Antivirus Guard is now disabled.
  • Now start ComboFix (zzz.exe): right-click it and choose "Run as administrator".
  • OK any disclaimers and start the Scan.
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Post the log in your next reply, and then re-enable your protection software.
A copy of the log will be located here if you need it -> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

askey127

Re: HiJackThis Logs.

Post by Bezzy2829 » August 24th, 2010, 7:05 pm

Just to let you know, and this is probably a bit late: when I click a link it always has this website: http://www.ohtgnoenriga.com/search.php?q
just before it sends me to a random site.

Re: HiJackThis Logs.

Post by Bezzy2829 » August 24th, 2010, 7:08 pm

And also, when I right-click Norton it has:
'Open Norton Protection Center'
'Change Notification Options'

Re: HiJackThis Logs.

Post by askey127 » August 25th, 2010, 5:19 am

If you click "Open Norton Protection Center", you should be able to stop (disable) the Norton protection.
That's what you need to do immediately before scanning with Combofix (zzz.exe)

Re: HiJackThis Logs.

Post by Bezzy2829 » August 25th, 2010, 10:15 am


Re: HiJackThis Logs.

Post by askey127 » August 25th, 2010, 11:46 am

Any chance of a screenshot of the other tab? "Norton Internet Security"

Re: HiJackThis Logs.

Post by Bezzy2829 » August 25th, 2010, 3:00 pm


Re: HiJackThis Logs.

Post by askey127 » August 25th, 2010, 5:02 pm

Click the Settings bar, and see if you can turn it off.
....amid probable warnings, "no protections", etc.
Then run ComboFix (zzz.exe).

Re: HiJackThis Logs.

Post by Bezzy2829 » August 26th, 2010, 8:27 am

ComboFix 10-08-25.01 - Kieran 26/08/2010 13:02:25.1.3 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3070.2030 [GMT 1:00]
Running from: c:\users\Kieran\Desktop\zzz.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\UNWISE.EXE
c:\users\Kieran\AppData\Roaming\cglogs.dat
c:\windows\system32\PCLECoInst.dll

c:\windows\system32\wininit.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-07-26 to 2010-08-26 )))))))))))))))))))))))))))))))
.

2010-08-26 12:09 . 2010-08-26 12:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-25 15:46 . 2010-05-07 09:39 196608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll
2010-08-25 15:44 . 2010-08-25 15:44 -------- d-----w- c:\programdata\Eastman Kodak Company
2010-08-25 15:44 . 2010-08-25 15:44 -------- d-----w- c:\users\Kieran\AppData\Local\Eastman_Kodak_Company
2010-08-25 15:44 . 2010-08-25 15:44 -------- d-----w- c:\users\Kieran\AppData\Local\Microsoft Corporation
2010-08-25 15:40 . 2010-08-25 15:40 -------- d-----w- c:\program files\Kodak
2010-08-25 15:40 . 2010-08-25 15:40 -------- d-----w- c:\program files\Bonjour
2010-08-25 15:37 . 2010-08-25 15:44 -------- d-----w- c:\users\Kieran\AppData\Local\Eastman Kodak Company
2010-08-25 15:36 . 2010-08-26 12:20 -------- d-----w- c:\programdata\Kodak
2010-08-25 15:33 . 2010-08-25 15:42 -------- d-----w- c:\windows\system32\kodak
2010-08-23 22:01 . 2010-08-23 22:01 -------- d-----w- c:\users\Kieran\AppData\Roaming\SYSTEMAX Software Development
2010-08-23 22:01 . 2010-08-23 22:01 -------- d-----w- c:\programdata\SYSTEMAX Software Development
2010-08-23 21:57 . 2010-08-23 21:57 -------- d-----w- c:\users\Kieran\AppData\Local\Zame
2010-08-23 21:45 . 2010-08-23 21:45 -------- d-----w- C:\_OTL
2010-08-21 23:14 . 2010-08-21 23:14 552 ----a-w- c:\users\Kieran\AppData\Local\d3d8caps.dat
2010-08-21 22:38 . 2010-08-21 22:38 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-21 22:32 . 2010-08-21 22:32 -------- d-----w- c:\program files\Common Files\Java
2010-08-21 22:31 . 2010-08-21 22:31 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-21 02:57 . 2010-08-21 02:57 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-08-17 10:35 . 2010-08-17 10:35 -------- d-----w- c:\program files\Trend Micro
2010-08-15 15:36 . 2010-08-15 15:36 -------- d-----w- c:\program files\IWONGEI
2010-08-15 03:11 . 2010-08-15 03:11 -------- d-----w- C:\Perfect World Entertainment
2010-08-15 03:09 . 2010-08-15 03:01 258352 ----a-w- c:\windows\system32\unicows.dll
2010-08-15 01:41 . 2010-08-15 03:09 -------- d-----w- c:\users\Kieran\AppData\Roaming\GetRightToGo
2010-08-14 01:09 . 2010-08-14 01:29 -------- d-----w- c:\users\Kieran\AppData\Roaming\IGN_DLM
2010-08-14 01:09 . 2010-08-14 01:09 -------- d-----w- c:\program files\Download Manager
2010-08-13 23:28 . 2010-08-13 23:28 -------- d-----w- c:\program files\Activision
2010-08-11 14:36 . 2010-06-11 15:31 274432 ----a-w- c:\windows\system32\schannel.dll
2010-08-11 14:36 . 2010-06-21 13:18 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-08-11 14:36 . 2010-06-18 16:43 36352 ----a-w- c:\windows\system32\rtutils.dll
2010-08-11 14:36 . 2010-06-08 17:00 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-11 14:36 . 2010-06-08 17:00 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-11 14:36 . 2010-06-11 15:30 1257472 ----a-w- c:\windows\system32\msxml3.dll
2010-08-11 14:36 . 2010-06-18 14:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-11 14:36 . 2010-06-18 14:43 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-11 14:36 . 2010-06-16 15:59 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-11 07:53 . 2010-08-11 07:53 -------- d-----w- c:\windows\system32\Adobe
2010-08-09 15:27 . 2010-08-09 15:27 -------- d-----w- c:\users\Kieran\AppData\Local\Sony Ericsson
2010-08-09 15:04 . 2010-08-09 15:04 57344 --sha-r- c:\windows\system32\bootstr2.dll
2010-08-09 14:22 . 2010-08-09 14:22 -------- d-----w- c:\programdata\Sony Corporation
2010-08-09 14:22 . 2010-08-09 14:22 -------- d-----w- c:\program files\Sony
2010-08-09 14:21 . 2010-08-09 14:22 -------- d-----w- c:\program files\QuickTime
2010-08-09 14:21 . 2010-08-09 14:21 -------- d-----w- c:\programdata\Apple Computer
2010-08-09 14:20 . 2010-08-09 14:20 -------- d-----w- c:\program files\Common Files\Apple
2010-08-09 14:19 . 2010-08-09 14:19 -------- d-----w- c:\users\Kieran\AppData\Local\Apple
2010-08-09 14:19 . 2010-08-09 14:19 -------- d-----w- c:\program files\Apple Software Update
2010-08-09 14:19 . 2010-08-09 14:19 -------- d-----w- c:\programdata\Apple
2010-08-09 14:17 . 2010-08-09 14:18 -------- d-----w- c:\users\Kieran\AppData\Roaming\Sony Setup
2010-08-09 14:17 . 2010-08-09 14:17 -------- d-----w- c:\users\Kieran\AppData\Roaming\Sony
2010-08-09 14:17 . 2010-08-09 14:17 -------- d-----w- c:\program files\Sony Setup
2010-08-09 14:12 . 2010-08-09 14:12 -------- d-----w- c:\users\Kieran\AppData\Roaming\Tibia
2010-08-09 13:51 . 2010-08-09 13:51 -------- d-----w- c:\program files\Tibia
2010-08-08 20:35 . 2010-08-08 20:35 21840 ----a-w- c:\windows\system32\SIntfNT.dll
2010-08-08 20:35 . 2010-08-08 20:35 17212 ----a-w- c:\windows\system32\SIntf32.dll
2010-08-08 20:35 . 2010-08-08 20:35 12067 ----a-w- c:\windows\system32\SIntf16.dll
2010-08-08 20:35 . 2010-08-08 20:35 -------- d-----w- c:\program files\directx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-26 12:22 . 2010-07-18 18:33 -------- d-----w- c:\program files\Steam
2010-08-26 12:21 . 2010-07-18 13:57 35757 ----a-w- c:\programdata\nvModes.dat
2010-08-25 15:03 . 2008-08-06 00:34 -------- d-----w- c:\programdata\Microsoft Help
2010-08-24 22:58 . 2010-07-18 18:33 -------- d-----w- c:\program files\Common Files\Steam
2010-08-24 13:06 . 2010-07-18 18:35 -------- d-----w- c:\users\Kieran\AppData\Roaming\Xfire
2010-08-21 23:14 . 2010-07-18 13:36 680 ----a-w- c:\users\Kieran\AppData\Local\d3d9caps.dat
2010-08-21 02:58 . 2010-07-24 23:29 -------- d-----w- c:\users\Kieran\AppData\Roaming\Command & Conquer 3 Tiberium Wars
2010-08-21 02:29 . 2010-07-18 18:35 -------- d-----w- c:\users\Kieran\AppData\Roaming\GameTracker
2010-08-20 23:44 . 2010-07-18 18:42 224960 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-08-20 23:39 . 2010-07-18 18:42 137944 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-08-14 22:26 . 2010-07-18 18:42 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-08-13 23:51 . 2010-07-18 18:42 22328 ----a-w- c:\users\Kieran\AppData\Roaming\PnkBstrK.sys
2010-08-13 23:51 . 2010-07-18 18:42 22328 ----a-w- c:\users\Kieran\AppData\Roaming\PnkBstrK.sys
2010-08-13 23:50 . 2008-08-06 00:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-12 16:49 . 2008-08-06 00:24 -------- d-----w- c:\program files\Microsoft Works
2010-08-12 16:46 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-09 15:27 . 2010-08-09 13:55 -------- d-----w- c:\program files\Sony Ericsson
2010-08-09 14:19 . 2010-08-09 14:18 33850672 ----a-w- c:\users\Kieran\AppData\Roaming\Sony Setup\9234765D-29DF-48d0-93FB-284B7B6009B9\QuickTimeInstaller.exe
2010-08-09 13:55 . 2010-08-09 13:55 -------- d-----w- c:\programdata\Sony Ericsson
2010-08-08 20:31 . 2010-07-18 14:15 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-26 10:45 . 2010-07-26 10:45 -------- d-----w- c:\users\Kieran\AppData\Roaming\dvdcss
2010-07-26 10:45 . 2010-07-26 10:45 -------- d-----w- c:\users\Kieran\AppData\Roaming\ImTOO
2010-07-26 10:44 . 2010-07-26 10:44 -------- d-----w- c:\program files\ImTOO
2010-07-26 10:22 . 2010-07-26 10:22 -------- d-----w- c:\program files\Java
2010-07-24 23:29 . 2010-07-24 23:29 -------- d--h--r- c:\users\Kieran\AppData\Roaming\SecuROM
2010-07-24 22:59 . 2010-07-24 22:59 -------- d-----w- c:\program files\Electronic Arts
2010-07-22 07:25 . 2008-08-06 00:30 -------- d-----w- c:\programdata\Symantec
2010-07-21 19:08 . 2010-07-21 15:28 -------- d-----w- c:\users\Kieran\AppData\Roaming\FinalMediaPlayer
2010-07-21 19:07 . 2008-08-06 00:31 -------- d-----w- c:\program files\Norton Internet Security
2010-07-21 15:28 . 2010-07-21 15:28 -------- d-----w- c:\program files\FinalMediaPlayer
2010-07-21 15:27 . 2010-07-21 15:27 -------- d-----w- c:\program files\Free Offers from Freeze.com
2010-07-20 18:55 . 2010-07-20 18:55 -------- d-----w- c:\program files\BreakPoint Software
2010-07-20 18:11 . 2010-07-20 18:11 -------- d-----w- c:\program files\Noel Danjou
2010-07-20 18:09 . 2010-07-20 18:09 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-07-20 17:59 . 2010-07-20 16:15 -------- d-----w- c:\program files\Windows Live Safety Center
2010-07-20 07:08 . 2010-07-18 13:42 80544 ----a-w- c:\users\Kieran\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-19 21:41 . 2010-07-19 21:40 -------- d-----w- c:\programdata\Pinnacle
2010-07-19 21:41 . 2010-07-19 17:43 -------- d-----w- c:\program files\Pinnacle
2010-07-19 17:44 . 2010-07-19 17:44 29926 ----a-r- c:\users\Kieran\AppData\Roaming\Microsoft\Installer\{9870C7AE-7C6A-478D-9A75-35827382220F}\ARPPRODUCTICON.exe
2010-07-18 22:35 . 2010-07-18 22:35 -------- d-----w- c:\users\Kieran\AppData\Roaming\Datel
2010-07-18 22:35 . 2010-07-18 22:35 -------- d-----w- c:\program files\Datel
2010-07-18 22:04 . 2010-07-18 22:04 -------- d-----w- c:\users\Kieran\AppData\Roaming\GameTuts
2010-07-18 21:53 . 2010-07-18 21:53 49152 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-07-18 21:53 . 2010-07-18 21:53 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-07-18 21:53 . 2010-07-18 21:53 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-07-18 21:53 . 2010-07-18 21:53 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-07-18 21:53 . 2010-07-18 21:53 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-07-18 21:53 . 2010-07-18 21:53 40960 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-07-18 21:53 . 2010-07-18 21:53 308808 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-07-18 21:53 . 2010-07-18 21:53 14848 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-07-18 21:53 . 2010-07-18 21:53 341600 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-07-18 21:53 . 2010-07-18 21:52 -------- d-----w- c:\program files\Common Files\Real
2010-07-18 21:53 . 2010-07-18 21:52 -------- d-----w- c:\program files\Real
2010-07-18 21:53 . 2010-07-18 21:53 -------- d-----w- c:\program files\Common Files\xing shared
2010-07-18 21:51 . 2010-07-18 21:51 -------- d-----w- c:\users\Kieran\AppData\Roaming\OxelonMC
2010-07-18 21:51 . 2010-07-18 21:51 -------- d-----w- c:\program files\OxelonMedia
2010-07-18 20:32 . 2010-07-18 20:32 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-07-18 20:02 . 2008-08-06 00:36 -------- d-----w- c:\program files\Microsoft.NET
2010-07-18 19:46 . 2010-07-18 19:46 -------- d-----w- c:\program files\MSXML 4.0
2010-07-18 18:44 . 2010-07-18 18:35 -------- d-----w- c:\programdata\Xfire
2010-07-18 18:42 . 2010-07-18 18:42 794408 ----a-w- c:\windows\system32\pbsvc.exe
2010-07-18 18:42 . 2010-07-18 18:42 -------- d-----w- c:\program files\EA Sports
2010-07-18 18:37 . 2010-07-18 18:36 -------- d-----w- c:\program files\GameTracker
2010-07-18 18:35 . 2010-07-18 18:35 -------- d-----w- c:\program files\XfireXO
2010-07-18 18:35 . 2010-07-18 18:35 -------- d-----w- c:\program files\Conduit
2010-07-18 18:35 . 2010-07-18 18:35 -------- d-----w- c:\program files\Xfire
2010-07-18 14:34 . 2010-07-18 14:34 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-07-18 14:28 . 2010-07-18 14:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-07-18 14:15 . 2010-07-18 14:11 -------- d-----w- c:\program files\Windows Live
2010-07-18 14:15 . 2010-07-18 14:15 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-07-18 14:14 . 2010-07-18 14:14 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-07-18 14:12 . 2010-07-18 14:12 -------- d-----w- c:\program files\Microsoft
2010-07-18 14:12 . 2010-07-18 14:12 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-07-18 14:07 . 2008-08-06 00:26 -------- d-----w- c:\program files\Google
2010-07-18 14:06 . 2010-07-18 14:06 -------- d-----w- c:\program files\Common Files\Windows Live
2010-07-18 14:05 . 2010-07-18 14:05 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbC208.tmp.exe
2010-07-18 13:57 . 2008-08-06 00:30 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-18 13:57 . 2008-08-06 00:13 -------- d-----w- c:\programdata\NVIDIA
2010-07-18 13:52 . 2008-08-06 00:30 -------- d-----w- c:\program files\Symantec
2010-07-18 13:52 . 2008-08-06 00:30 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-07-18 13:52 . 2008-08-06 00:30 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-07-18 13:52 . 2008-08-06 00:30 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-07-18 13:43 . 2010-07-18 13:43 -------- d-----w- c:\program files\NVIDIA Corporation
2010-07-18 13:42 . 2010-07-18 13:42 -------- d-----w- c:\users\Kieran\AppData\Roaming\Symantec
2010-07-09 19:00 . 2010-07-09 19:00 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-06-26 06:05 . 2010-08-11 14:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-11 14:37 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-11 14:37 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-11 14:37 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-11 01:08 . 2010-07-18 18:35 52224 ------w- c:\users\Kieran\AppData\Roaming\Mozilla\Firefox\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
2010-06-11 01:08 . 2010-07-18 18:35 101376 ------w- c:\users\Kieran\AppData\Roaming\Mozilla\Firefox\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\RadioWMPCore.dll
2010-06-01 17:37 . 2010-07-20 18:13 221568 ------w- c:\windows\system32\MpSigStub.exe
2009-03-31 21:47 . 2008-08-06 00:34 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2010-08-08 18:26 . 2008-08-06 00:41 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-11-28 19:31 . 2008-08-06 00:23 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-11-28 19:31 . 2008-08-06 00:23 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-11-28 19:31 . 2008-08-06 00:23 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2007-11-28 19:31 . 2008-08-06 00:23 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2007-11-28 19:31 . 2008-08-06 00:23 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-06 09:03 . 2008-08-06 08:54 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2010-06-13 18:10 2734688 ----a-w- c:\program files\XfireXO\tbXfir.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmpcSys"="c:\program files\Packard Bell\SetUpMyPC\SmpSys.exe" [2008-02-04 1038136]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-18 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"Steam"="c:\program files\steam\steam.exe" [2010-08-23 1242448]
"Sony Ericsson PC Companion"="c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe" [2009-12-08 774144]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-05-07 6139904]
"CarboniteSetupLite"="c:\program files\Packard Bell\Carbonite\CarboniteSetupLitePBPreInstaller.exe" [2008-04-07 306112]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-08 30192]
"toolbar_eula_launcher"="c:\program files\Packard Bell\GOOGLE_EULA\EULALauncher.exe" [2007-02-20 28672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-07-18 202256]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-10-16 202312]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Conime"="c:\windows\system32\conime.exe" [2008-01-21 69120]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-05-07 1638400]

c:\users\Kieran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2010-7-9 3493776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~4\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-18 135664]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-08 30192]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-25 42368]
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2009-03-25 86824]
R3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s1018mdfl.sys [2009-03-25 15016]
R3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s1018mdm.sys [2009-03-25 114728]
R3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s1018mgmt.sys [2009-03-25 106208]
R3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\DRIVERS\s1018nd5.sys [2009-03-25 26024]
R3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s1018obex.sys [2009-03-25 104744]
R3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\DRIVERS\s1018unic.sys [2009-03-25 109864]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20100819.002\IDSvix86.sys [2010-06-23 281648]
S2 GS In-Game Service;GS In-Game Service;c:\program files\GameTracker\GSInGameService.exe [2010-04-14 1648480]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2010-05-17 308592]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-07-15 102448]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-08-26 c:\windows\Tasks\Final Media Player Update Checker.job
- c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2010-07-21 21:22]

2010-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-18 14:07]

2010-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-18 14:07]

2010-07-19 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Kieran.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 07:05]

2010-08-26 c:\windows\Tasks\Recovery DVD Creator-Kieran.job
- c:\program files\Packard Bell\SetupMyPc\MCDCheck.exe [2008-08-06 10:13]

2010-08-26 c:\windows\Tasks\User_Feed_Synchronization-{CDD8B57C-9F49-4B3B-8078-A97F1399FBB5}.job
- c:\windows\system32\msfeedssync.exe [2010-08-11 04:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/tri ... /wrc32.ocx
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-USB2Check - c:\windows\system32\PCLECoInst.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-26 13:21
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1443754645-2102013441-809164651-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f5,92,89,e5,37,4f,18,58,e6,e1,e8,4a,1c,93,5f,39,94,86,c8,c7,6f,b8,e0,
51,77,b4,01,94,d0,af,f4,46,b8,53,a0,ab,73,31,25,e1,46,16,fb,53,4f,b7,e5,74,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(980)
c:\program files\Xfire\xfire_toucan_43094.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\RtHDVCpl.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Steam\SteamService.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-08-26 13:26:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-26 12:26

Pre-Run: 186,687,213,568 bytes free
Post-Run: 186,796,740,608 bytes free

- - End Of File - - 5294AC608F2DCEEE435000CBAF7F7768
Bezzy2829
Regular Member
Posts: 19
Joined: August 17th, 2010, 6:30 am

Re: HiJackThis Logs.

Unread postby askey127 » August 26th, 2010, 8:59 am

Bezzy,
------------------------------------------------
Remove Programs Using Control Panel
From Start, Control Panel, click on Uninstall a program under the Programs heading.
Right click this Entry, and choose Uninstall/Change, and give permission to Continue:
Microsoft Security Essentials
Take extra care in answering questions posed by any Uninstaller.
----------------------------------------------
Run Temp File Cleaner
Right click TFC.exe on your desktop and choose "Run as Administrator"
If you have a lot of junk files to remove, it could take a while, so please be patient and let it finish.
When it's done, if it asks to Reboot, choose to do so. This will remove files that could not be removed while Windows was running.
After Restart, log back in to your usual account.

Tell me how it's running
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: HiJackThis Logs.

Unread postby Bezzy2829 » August 26th, 2010, 9:28 am

It's removed them, thanks for your patience. I know I'm a bit stupid :)
You're a legend :)
Bezzy2829
Regular Member
Posts: 19
Joined: August 17th, 2010, 6:30 am