Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Possible Computer Hijack

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Possible Computer Hijack

Unread postby bjrod314 » April 15th, 2009, 12:54 am

Hi, I have been having an issue with being redirected to random sites when clicking on a search link.. I downloaded malwarebyte removal software but when I try to run it nothing opens up.. Im running windows vista professional sp1.. Please help me...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:33 AM, on 4/15/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\BJ\AppData\Local\CyberDefender Internet Security\AntiSpyware\cdase021.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Users\BJ\AppData\LocalLow\CyberDefender\cdmyidd.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Users\BJ\AppData\LocalLow\CyberDefender\cdmyidd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\RunOnce: [Wrapper] runonce
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RMTray.exe /H
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Users\BJ\AppData\Local\CyberDefender Internet Security\AntiSpyware\cdase021.exe" /minimize
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resour ... cctrl2.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll (file missing)
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10342 bytes
bjrod314
Regular Member
 
Posts: 16
Joined: April 15th, 2009, 12:30 am
Advertisement
Register to Remove

Re: Possible Computer Hijack

Unread postby MWR 3 day Mod » April 26th, 2009, 11:58 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Possible Computer Hijack

Unread postby jmw3 » April 27th, 2009, 12:40 pm

Hello & Welcome to Malware Removal
Apologies for the late reply. As you can appreciate the forum is quite busy.
Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is posted is checked on the Post a reply page.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Thanks

Is there any reason you ran HijackThis from Safe Mode?

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds
  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after two logs will appear, DDS.txt & Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Gmer
Download GMER Rootkit Scanner from here.
  • Right click the .exe file & choose Run as Administrator to run the tool. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


To post in next reply:
Contents of DDS log
Contents of Attach.txt log
Contents of Gmer log
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Possible Computer Hijack

Unread postby bjrod314 » April 27th, 2009, 8:25 pm

Hi,

I posted everything as attachments.. When I ran the Gmer scan a box popped up notifying me that there was rootkit activity but it didnt ask me to scan, it just gave me the option to say ok as if I understood what they were telling me... I'm pretty new to all this so I am actually not sure why I ran the initial HiJack This log in safe mode... I just thought it was best to do it that way at that particular moment.. Thanks again..

BJ
You do not have the required permissions to view the files attached to this post.
bjrod314
Regular Member
 
Posts: 16
Joined: April 15th, 2009, 12:30 am

Re: Possible Computer Hijack

Unread postby jmw3 » April 27th, 2009, 9:55 pm

Hi

If I could ask you not to post the logs as attachments. Just copy/paste the contents into your posts. If the logs are to large split them up over a couple of posts.
Thanks


ATF Cleaner
Download ATF Cleaner here by Atribune.
    Double-click ATF-Cleaner.exe to run the program
    Under Main choose: Select All
    Click the Empty Selected button
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
Click Exit on the Main menu to close the program.

Combofix
Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

**IMPORTANT !!! Rename ComboFix.exe to Commy.exe BEFORE saving to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Right click on Commy.exe then choose Run as Administrator to run the tool & follow the prompts
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
Contents of Combofix log
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Possible Computer Hijack

Unread postby bjrod314 » April 27th, 2009, 10:14 pm

Sry bout that.. Here is the DDS log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by BJ at 20:04:32.47 on Mon 04/27/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2814.1731 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\BJ\Downloads\dds(2).scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cnnb
uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cnnb
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.5.0.135\IPSBHO.DLL
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\2.0"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resour ... cctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.5.0.135\CoIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\bj\appdata\roaming\mozilla\firefox\profiles\uyafla1s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-4-15 310320]
R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2009-3-12 54656]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-4-15 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-4-15 482352]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090420.001\IDSvix86.sys [2009-4-26 292912]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-12 101936]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-9 43040]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\nis\1005000.087\symndisv.sys [2009-4-15 39984]

=============== Created Last 30 ================

2009-04-18 16:38 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-04-18 16:38 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-04-18 16:38 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-04-18 16:38 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-04-18 16:38 <DIR> --d----- c:\users\bj\appdata\roaming\PC Tools
2009-04-18 16:38 <DIR> --d----- c:\program files\Spyware Doctor
2009-04-18 16:36 <DIR> --d----- c:\users\bj\appdata\roaming\GetRightToGo
2009-04-15 19:08 376,832 a------- c:\windows\system32\winhttp.dll
2009-04-15 19:08 562,176 a------- c:\windows\system32\msdtcprx.dll
2009-04-15 19:08 38,912 a------- c:\windows\system32\xolehlp.dll
2009-04-15 19:08 3,600,880 a------- c:\windows\system32\ntkrnlpa.exe
2009-04-15 19:08 3,548,656 a------- c:\windows\system32\ntoskrnl.exe
2009-04-15 19:08 551,424 a------- c:\windows\system32\rpcss.dll
2009-04-15 00:20 <DIR> --d----- c:\program files\Trend Micro
2009-04-12 20:52 <DIR> --d----- c:\programdata\SITEguard
2009-04-12 20:52 <DIR> --d----- c:\progra~2\SITEguard
2009-04-12 20:17 192,952,328 a------- c:\windows\MEMORY.DMP
2009-04-12 17:13 <DIR> --d--r-- c:\program files\Norton Support
2009-04-12 17:01 25,136 a----r-- c:\windows\system32\drivers\SymIMV.sys
2009-04-12 17:01 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-12 17:01 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-12 17:01 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-04-12 17:01 <DIR> --d----- c:\program files\Symantec
2009-04-12 17:01 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-04-12 17:00 <DIR> --d----- c:\windows\system32\drivers\NIS
2009-04-12 17:00 <DIR> --d----- c:\program files\Norton Internet Security
2009-04-12 16:59 <DIR> --d----- c:\program files\NortonInstaller
2009-04-12 16:48 61,436,856 a------- C:\NIS09EN.exe
2009-04-12 16:29 <DIR> --d----- c:\windows\LMIBF49.tmp
2009-04-12 13:14 <DIR> --d----- c:\program files\STOPzilla!
2009-04-12 13:14 <DIR> --d----- c:\programdata\STOPzilla!
2009-04-12 13:14 <DIR> --d----- c:\program files\common files\iS3
2009-04-12 13:14 <DIR> --d----- c:\progra~2\STOPzilla!
2009-04-03 13:50 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2009-04-03 13:30 <DIR> --d----- c:\program files\HTC Touch Pro User Guide
2009-04-03 13:27 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2009-03-31 14:57 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-03-31 14:56 294,912 a----r-- c:\windows\system32\SZBase5.dll
2009-03-31 14:55 540,672 a----r-- c:\windows\system32\SZComp5.dll

==================== Find3M ====================

2009-04-16 23:23 86,016 a------- c:\windows\inf\infstrng.dat
2009-04-16 23:23 86,016 a------- c:\windows\inf\infstor.dat
2009-04-16 23:23 51,200 a------- c:\windows\inf\infpub.dat
2009-04-12 20:13 66,946 a------- c:\programdata\nvModes.dat
2009-04-12 20:13 66,946 a------- c:\progra~2\nvModes.dat
2009-03-27 10:56 126,976 a----r-- c:\windows\system32\IS3HTUI5.dll
2009-03-27 10:55 393,216 a----r-- c:\windows\system32\IS3DBA5.dll
2009-03-27 10:55 372,736 a----r-- c:\windows\system32\IS3UI5.dll
2009-03-27 10:55 61,440 a----r-- c:\windows\system32\IS3Hks5.dll
2009-03-27 10:54 23,040 a----r-- c:\windows\system32\IS3XDat5.dll
2009-03-27 10:54 221,184 a----r-- c:\windows\system32\IS3Win325.dll
2009-03-27 10:54 94,208 a----r-- c:\windows\system32\IS3Inet5.dll
2009-03-27 10:53 90,112 a----r-- c:\windows\system32\IS3Svc5.dll
2009-03-27 10:50 716,800 a----r-- c:\windows\system32\IS3Base5.dll
2009-03-16 23:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 23:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 23:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-12 12:18 54,656 a----r-- c:\windows\system32\drivers\SZKG.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 17:12 21,256 a------- c:\windows\help\oem\scripts\HPScript.exe
2009-03-05 20:23 0 a--shr-- c:\windows\system32\drivers\103C_HP_cNB_G60 Notebook PC_Y5335KV_0U_Q2CE905826L_E508165-001_4A_I303C_SWistron_V08.48_F.34_T081223_WV3-1_L409_M2814_J250_7AMD_8F31_92.10_#090204_N168C001C;10DE0760_(ZY538UA#ABA)_XMOBILE_CN10_Z_2F.34_G10DE0845.MRK
2009-03-05 12:29 16,648 a------- c:\windows\help\oem\scripts\HC_ProtectSmartPatch.exe
2009-03-03 00:40 827,392 a------- c:\windows\system32\wininet.dll
2009-03-03 00:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-03 00:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 00:37 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-03 00:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-03 00:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-03 00:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-02 23:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-02 22:38 17,408 a------- c:\windows\system32\iashost.exe
2009-03-02 22:28 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-02-13 04:49 72,704 a------- c:\windows\system32\secur32.dll
2009-02-13 04:49 1,255,936 a------- c:\windows\system32\lsasrv.dll
2009-02-08 23:10 2,033,152 a------- c:\windows\system32\win32k.sys
2009-02-05 00:11 1,053,232 a------- c:\windows\system32\MFC71u.dll
2009-02-05 00:11 505,392 a------- c:\windows\system32\msvcp71.dll
2009-02-05 00:11 353,840 a------- c:\windows\system32\msvcr71.dll
2009-02-05 00:11 1,066,544 a------- c:\windows\system32\MFC71.dll
2009-02-04 05:45 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-01-30 18:24 14,600 a------- c:\windows\help\oem\scripts\HC_InstallHPHC.exe
2008-10-25 19:12 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 20:06:47.44 ===============
bjrod314
Regular Member
 
Posts: 16
Joined: April 15th, 2009, 12:30 am

Re: Possible Computer Hijack

Unread postby bjrod314 » April 27th, 2009, 10:17 pm

Here is the Attach log:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 2/4/2009 10:28:16 PM
System Uptime: 4/27/2009 12:35:22 PM (8 hours ago)

Motherboard: Wistron | | 303C
Processor: AMD Turion Dual-Core RM-72 | Socket A | 1050/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 222 GiB total, 183.722 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 1.818 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP7: 3/5/2009 7:24:36 PM - First_User_Boot
RP8: 3/5/2009 7:34:33 PM - Windows Update
RP9: 3/5/2009 7:47:56 PM - Windows Update
RP10: 3/7/2009 8:28:10 PM - Installed Java(TM) 6 Update 11
RP11: 3/7/2009 8:29:49 PM - Installed Java Runtime Environment
RP12: 3/12/2009 5:09:30 PM - Windows Update
RP13: 3/23/2009 6:41:40 PM - First restore point
RP14: 4/3/2009 1:18:35 PM - Windows Update
RP15: 4/3/2009 1:32:14 PM - Device Driver Package Install: Microsoft Corporation Network adapters
RP16: 4/3/2009 1:41:05 PM - Device Driver Package Install: Microsoft Corporation Network adapters
RP17: 4/3/2009 1:42:22 PM - Device Driver Package Install: Microsoft Corporation Mobile devices
RP18: 4/3/2009 1:43:00 PM - Device Driver Package Install: Microsoft Corporation Portable Devices
RP19: 4/3/2009 1:44:04 PM - Device Driver Package Install: Microsoft Corporation Bluetooth Radios
RP20: 4/3/2009 1:46:59 PM - Windows Update
RP21: 4/3/2009 1:50:09 PM - Installed Windows Mobile Device Center

==== Installed Programs ======================

Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9
Adobe Shockwave Player
Atheros Driver Installation Program
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Compatibility Pack for the 2007 Office system
Conexant HD Audio
CyberLink DVD Suite
CyberLink YouCam
ESU for Microsoft Vista
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Customer Experience Enhancements
HP Doc Viewer
HP DVD Play 3.7
HP Help and Support
HP Quick Launch Buttons 6.40 H2
HP Total Care Advisor
HP Update
HP User Guides 0118
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPNetworkAssistant
HPTCSSetup
HTC Touch Pro™ User Guide
Java(TM) 6 Update 13
Java(TM) 6 Update 7
Juno Preloader
LabelPrint
LightScribe System Software 1.14.17.1
Microsoft .NET Framework 3.5 SP1
Microsoft Live Search Toolbar
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.0.8)
MSXML 4.0 SP2 (KB954430)
muvee Reveal
My HP Games
NetWaiting
NetZero Preloader
Norton Internet Security
NVIDIA Drivers
Power2Go
PowerDirector
Realtek USB 2.0 Card Reader
SPORE Creature Creator Trial Edition
Spyware Doctor 6.0
STOPzilla
Synaptics Pointing Device Driver
Update for Office 2007 (KB934528)
Windows Live OneCare safety scanner
Windows Media Player Firefox Plugin
Windows Mobile Device Center
Windows Mobile Device Center Driver Update

==== Event Viewer Messages From Past Week ========

4/26/2009 12:53:37 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.103 for the Network Card with network address 00242B708495 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
4/26/2009 12:51:37 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
4/24/2009 3:56:44 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {A47979D2-C419-11D9-A5B4-001185AD2B89} to the user BJ-PC\BJ SID (S-1-5-21-1719491328-3051507964-394884036-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
4/24/2009 3:16:36 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 00242B708495 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
4/23/2009 6:38:29 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 00242B708495 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
4/22/2009 11:01:05 PM, Error: EventLog [6008] - The previous system shutdown at 11:55:01 PM on 4/20/2009 was unexpected.
4/20/2009 10:42:17 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the hpqwmiex service to connect.
4/20/2009 10:42:17 PM, Error: Service Control Manager [7000] - The hpqwmiex service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/20/2009 10:42:17 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service hpqwmiex with arguments "" in order to run the server: {F5539356-2F02-40D4-999E-FA61F45FE12E}
4/20/2009 10:42:00 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the STOPzilla Service service to connect.
4/20/2009 10:42:00 PM, Error: Service Control Manager [7000] - The STOPzilla Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/20/2009 10:42:00 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
4/20/2009 10:38:44 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Modules Installer service to connect.
4/20/2009 10:38:44 PM, Error: Service Control Manager [7000] - The Windows Modules Installer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/20/2009 10:38:35 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service TrustedInstaller with arguments "" in order to run the server: {752073A1-23F2-4396-85F0-8FDB879ED0ED}

==== End Of File ===========================


Here is the Gmer log:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-27 20:16:27
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

SSDT 887C1CE8 ZwAlertResumeThread
SSDT 87BA2CD8 ZwAlertThread
SSDT 88686188 ZwAllocateVirtualMemory
SSDT 87A9BBC8 ZwAlpcConnectPort
SSDT 8868B048 ZwAssignProcessToJobObject
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateKey [0x8F0367A6]
SSDT 886BCBC0 ZwCreateMutant
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0x8F033794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0x8F033F1E]
SSDT 886799B8 ZwCreateSymbolicLinkObject
SSDT 88641BE8 ZwCreateThread
SSDT 88689050 ZwDebugActiveProcess
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteKey [0x8F0371F0]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteValueKey [0x8F03742A]
SSDT 88686460 ZwDuplicateObject
SSDT 88687268 ZwFreeVirtualMemory
SSDT 887CB048 ZwImpersonateAnonymousToken
SSDT 8871A6B0 ZwImpersonateThread
SSDT 87A2E358 ZwLoadDriver
SSDT 88687088 ZwMapViewOfSection
SSDT 8864E048 ZwOpenEvent
SSDT 88686840 ZwOpenProcess
SSDT 87B7AF00 ZwOpenProcessToken
SSDT 885E3330 ZwOpenSection
SSDT 88686670 ZwOpenThread
SSDT 88677C80 ZwProtectVirtualMemory
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwRenameKey [0x8F03812A]
SSDT 87B42110 ZwResumeThread
SSDT 879AE398 ZwSetContextThread
SSDT 88688C70 ZwSetInformationProcess
SSDT 88687050 ZwSetSystemInformation
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwSetValueKey [0x8F03783C]
SSDT 8864F048 ZwSuspendProcess
SSDT 87B94238 ZwSuspendThread
SSDT 87A0A3A8 ZwTerminateProcess
SSDT 88154CF8 ZwTerminateThread
SSDT 87F4B450 ZwUnmapViewOfSection
SSDT 88687978 ZwWriteVirtualMemory
SSDT 886785D0 ZwCreateThreadEx
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateUserProcess [0x8F0346B6]

Code 87A01420 ZwEnumerateKey
Code 879F92F0 ZwFlushInstructionCache
Code 879F22BD IofCallDriver
Code 879BC2BE IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\gxvxcnecxtfmkiqnusfiyscxvcnpwscyuuitc.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [4564] 0x10000000

---- EOF - GMER 1.0.15 ----
bjrod314
Regular Member
 
Posts: 16
Joined: April 15th, 2009, 12:30 am

Re: Possible Computer Hijack

Unread postby bjrod314 » April 27th, 2009, 10:36 pm

I have a quick question before I do anything with combofix.exe, you stated to rename file as commy.exe, and when I click on the link to get combofix it doesnt allow me to rename it, it just asks if I want to save it??? Am I completely missing something here.. Didn't want to run anything until I was 100% sure I was doing it correctly... Thanks...

BJ
bjrod314
Regular Member
 
Posts: 16
Joined: April 15th, 2009, 12:30 am

Re: Possible Computer Hijack

Unread postby jmw3 » April 28th, 2009, 2:02 am

Hi
When asked, "Do you want save this file?", click Save, then in the File Name box type Commy.exe & save to your desktop. Then run the tool following instructions previous posted.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Possible Computer Hijack

Unread postby bjrod314 » April 28th, 2009, 8:04 pm

Hi,

I have tried a million ways to save it and it never gives me the option to rename the file. As soon as I click on save it just automatically starts to download... And it gives it just saves it as combofix. exe and if I try again it will save it as combofix2.exe and so on... XP used to give me that option when I saved files but with Vista its not allowing me to... Sorry for the delay, I would have done it sooner but I want to make sure I do it exactly as you say to...

BJ
bjrod314
Regular Member
 
Posts: 16
Joined: April 15th, 2009, 12:30 am

Re: Possible Computer Hijack

Unread postby jmw3 » April 29th, 2009, 1:29 am

Are you using Firefox to download? If so download Combofix to your desktop then right click on it & choose Rename & rename it to commy.exe. Sorry I was assuming you were using Internet Explorer to download.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Possible Computer Hijack

Unread postby bjrod314 » April 29th, 2009, 2:46 am

I was finally able to get it to work.. Thanks again for the explanation.. Here is the Combofix log:

ComboFix 09-04-28.02 - BJ 04/29/2009 2:20.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2814.2045 [GMT -4:00]
Running from: c:\users\BJ\Desktop\Commy.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gxvxctefpuoetsxxebxxjhgptbobwmxoymqqp.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcnecxtfmkiqnusfiyscxvcnpwscyuuitc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS
-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-28 12:52 . 2009-04-28 23:44 -------- d-----w C:\ComboFix
2009-04-18 20:38 . 2008-06-02 19:19 29576 ----a-w c:\windows\system32\drivers\kcom.sys
2009-04-18 20:38 . 2009-04-18 20:56 40840 ----a-w c:\windows\system32\drivers\ikfilesec.sys
2009-04-18 20:38 . 2009-04-18 20:56 81288 ----a-w c:\windows\system32\drivers\iksyssec.sys
2009-04-18 20:38 . 2009-04-18 20:56 66952 ----a-w c:\windows\system32\drivers\iksysflt.sys
2009-04-18 20:38 . 2009-04-18 20:38 -------- d-----w c:\users\BJ\AppData\Roaming\PC Tools
2009-04-18 20:38 . 2009-04-28 12:43 -------- d-----w c:\program files\Spyware Doctor
2009-04-18 20:36 . 2009-04-18 20:38 -------- d-----w c:\users\BJ\AppData\Roaming\GetRightToGo
2009-04-15 23:08 . 2008-12-06 04:42 376832 ----a-w c:\windows\system32\winhttp.dll
2009-04-15 23:08 . 2008-06-06 03:27 562176 ----a-w c:\windows\system32\msdtcprx.dll
2009-04-15 23:08 . 2008-06-06 03:27 38912 ----a-w c:\windows\system32\xolehlp.dll
2009-04-15 23:08 . 2009-03-03 04:37 3600880 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-04-15 23:08 . 2009-03-03 04:37 3548656 ----a-w c:\windows\system32\ntoskrnl.exe
2009-04-15 23:08 . 2009-03-03 04:39 551424 ----a-w c:\windows\system32\rpcss.dll
2009-04-15 04:20 . 2009-04-15 04:20 -------- d-----w c:\program files\Trend Micro
2009-04-15 03:11 . 2009-04-15 03:56 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-13 00:52 . 2009-04-13 00:52 -------- d-----w c:\programdata\SITEguard
2009-04-13 00:52 . 2009-04-13 00:52 -------- d-----w c:\users\All Users\SITEguard
2009-04-12 21:13 . 2009-04-12 21:14 -------- d-----r c:\program files\Norton Support
2009-04-12 21:01 . 2009-03-12 08:42 25136 ----a-r c:\windows\system32\drivers\SymIMV.sys
2009-04-12 21:01 . 2009-04-15 23:18 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-12 21:01 . 2009-04-12 21:06 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-12 21:01 . 2009-04-15 23:18 -------- d-----w c:\program files\Symantec
2009-04-12 21:00 . 2009-04-17 03:56 -------- d-----w c:\windows\system32\drivers\NIS
2009-04-12 21:00 . 2009-04-12 21:00 -------- d-----w c:\program files\Norton Internet Security
2009-04-12 20:59 . 2009-04-12 20:59 -------- d-----w c:\program files\NortonInstaller
2009-04-12 20:48 . 2008-09-19 18:02 61436856 ----a-w C:\NIS09EN.exe
2009-04-12 20:29 . 2009-04-12 20:47 -------- d-----w c:\windows\LMIBF49.tmp
2009-04-12 17:14 . 2009-04-13 00:53 -------- d-----w c:\program files\STOPzilla!
2009-04-12 17:14 . 2009-04-12 17:14 -------- d-----w c:\program files\Common Files\iS3
2009-04-12 17:14 . 2009-04-13 01:42 -------- d-----w c:\programdata\STOPzilla!
2009-04-12 17:14 . 2009-04-13 01:42 -------- d-----w c:\users\All Users\STOPzilla!
2009-04-03 17:30 . 2009-04-03 17:30 -------- d-----w c:\program files\HTC Touch Pro User Guide
2009-03-31 18:57 . 2009-03-31 18:57 17408 ----a-r c:\windows\system32\SZIO5.dll
2009-03-31 18:56 . 2009-03-31 18:56 294912 ----a-r c:\windows\system32\SZBase5.dll
2009-03-31 18:55 . 2009-03-31 18:55 540672 ----a-r c:\windows\system32\SZComp5.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 03:53 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-17 03:23 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstrng.dat
2009-04-17 03:23 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat
2009-04-17 03:23 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-04-15 23:42 . 2008-10-26 00:13 -------- d-----w c:\program files\Java
2009-04-15 23:18 . 2009-04-12 21:01 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-04-15 23:18 . 2009-04-12 21:01 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-13 01:44 . 2009-03-06 00:30 75264 ----a-w c:\users\BJ\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-13 00:13 . 2009-03-07 17:07 66946 ----a-w c:\users\All Users\nvModes.dat
2009-04-13 00:13 . 2009-03-07 17:07 66946 ----a-w c:\programdata\nvModes.dat
2009-04-11 18:28 . 2009-03-07 01:27 -------- d-----w c:\program files\LimeWire
2009-04-03 17:50 . 2009-04-03 17:50 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2009-04-03 17:27 . 2009-04-03 17:27 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2009-03-27 14:56 . 2009-03-27 14:56 126976 ----a-r c:\windows\system32\IS3HTUI5.dll
2009-03-27 14:55 . 2009-03-27 14:55 393216 ----a-r c:\windows\system32\IS3DBA5.dll
2009-03-27 14:55 . 2009-03-27 14:55 372736 ----a-r c:\windows\system32\IS3UI5.dll
2009-03-27 14:55 . 2009-03-27 14:55 61440 ----a-r c:\windows\system32\IS3Hks5.dll
2009-03-27 14:54 . 2009-03-27 14:54 23040 ----a-r c:\windows\system32\IS3XDat5.dll
2009-03-27 14:54 . 2009-03-27 14:54 221184 ----a-r c:\windows\system32\IS3Win325.dll
2009-03-27 14:54 . 2009-03-27 14:54 94208 ----a-r c:\windows\system32\IS3Inet5.dll
2009-03-27 14:53 . 2009-03-27 14:53 90112 ----a-r c:\windows\system32\IS3Svc5.dll
2009-03-27 14:50 . 2009-03-27 14:50 716800 ----a-r c:\windows\system32\IS3Base5.dll
2009-03-17 03:38 . 2009-04-15 23:07 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-15 23:07 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 23:07 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-12 16:18 . 2009-03-12 16:18 54656 ----a-r c:\windows\system32\drivers\SZKG.sys
2009-03-09 09:19 . 2009-03-08 01:29 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 21:12 . 2008-08-22 00:03 21256 ----a-w c:\windows\Help\OEM\scripts\HPScript.exe
2009-03-06 00:48 . 2009-03-06 00:48 -------- d-----w c:\program files\MSXML 4.0
2009-03-06 00:32 . 2008-10-26 00:17 -------- d-----w c:\program files\SMINST
2009-03-06 00:25 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Sidebar
2009-03-06 00:23 . 2009-03-06 00:23 0 --sha-r c:\windows\system32\drivers\103C_HP_cNB_G60 Notebook PC_Y5335KV_0U_Q2CE905826L_E508165-001_4A_I303C_SWistron_V08.48_F.34_T081223_WV3-1_L409_M2814_J250_7AMD_8F31_92.10_#090204_N168C001C;10DE0760_(ZY538UA#ABA)_XMOBILE_CN10_Z_2F.34_G10DE0845.MRK
2009-03-05 16:29 . 2009-03-15 20:33 16648 ----a-w c:\windows\Help\OEM\scripts\HC_ProtectSmartPatch.exe
2009-03-03 04:40 . 2009-04-15 23:07 827392 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:39 . 2009-04-15 23:07 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-15 23:07 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-15 23:07 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:37 . 2009-04-15 23:07 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-15 23:07 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-15 23:07 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-15 23:07 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-15 23:07 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-03 02:28 . 2009-04-15 23:07 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-02-13 08:49 . 2009-04-15 23:07 72704 ----a-w c:\windows\system32\secur32.dll
2009-02-13 08:49 . 2009-04-15 23:07 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 03:10 . 2009-03-11 23:24 2033152 ----a-w c:\windows\system32\win32k.sys
2009-02-05 04:11 . 2008-10-26 00:00 1053232 ----a-w c:\windows\system32\MFC71u.dll
2009-02-05 04:11 . 2008-08-06 22:29 353840 ----a-w c:\windows\system32\msvcr71.dll
2009-02-05 04:11 . 2008-08-06 22:27 505392 ----a-w c:\windows\system32\msvcp71.dll
2009-02-05 04:11 . 2008-10-26 00:00 1066544 ----a-w c:\windows\system32\MFC71.dll
2009-02-04 09:45 . 2009-02-05 03:34 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-01-30 22:24 . 2009-03-15 20:33 14600 ----a-w c:\windows\Help\OEM\scripts\HC_InstallHPHC.exe
2008-01-21 02:43 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2008-10-25 23:12 . 2008-10-25 22:59 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-11 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-11 92704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-04-18 1168264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{116E4D05-1782-4CEC-B486-8C0E36EF5903}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1FF9B5FA-F576-4093-AFC7-0A218C7D27C9}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4902CBA3-3773-4B14-B6C8-7E215919B83C}"= c:\program files\CyberLink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{D8ADE57F-0ABD-4DD0-A895-E7372A9F5E89}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{196F88C8-34DF-4B52-A22C-94619EE7745E}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{5D8EA059-5679-4241-A851-F3EC779F9A6B}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{F35AD9EF-EB3E-4B91-B21E-EEA273853CC8}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1005000.087\SYMEFA.SYS [2009-03-12 310320]
S0 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys [2009-03-12 54656]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1005000.087\BHDrvx86.sys [2009-03-12 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1005000.087\ccHPx86.sys [2009-04-15 482352]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090420.001\IDSvix86.sys [2009-01-29 292912]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [2009-03-12 115560]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-04-12 101936]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\NIS\1005000.087\SYMNDISV.SYS [2009-03-12 39984]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\HPCeeScheduleForBJ.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-25 18:34]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cnnb
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
FF - ProfilePath - c:\users\BJ\AppData\Roaming\Mozilla\Firefox\Profiles\uyafla1s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 02:29
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\BJ\AppData\Local\Temp\gxvxc000 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Shockwave Flash Object"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
@SACL=

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
@SACL=

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
@SACL=

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash9f.ocx"
"ThreadingModel"="Apartment"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@SACL=
@="0"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@SACL=
@="ShockwaveFlash.ShockwaveFlash.9"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
@SACL=

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@SACL=
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash9f.ocx, 1"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@SACL=
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@SACL=
@="1.0"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@SACL=
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Macromedia Flash Factory Object"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
@SACL=

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash9f.ocx"
"ThreadingModel"="Apartment"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@SACL=
@="FlashFactory.FlashFactory.1"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
@SACL=

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@SACL=
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash9f.ocx, 1"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@SACL=
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@SACL=
@="1.0"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@SACL=
@="FlashFactory.FlashFactory"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
@Denied: (A 2) (Everyone)
@SACL=
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9f.exe,-101"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
@SACL=
"Enabled"=dword:00000001

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
@SACL=
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9f.exe"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_USERS\SOFTWARE\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
@Denied: (A 2) (Everyone)
@SACL=
@="IFlashBroker"

[HKEY_USERS\SOFTWARE\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
@SACL=
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_USERS\SOFTWARE\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@SACL=
@="Shockwave Flash"

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@SACL=
@=""

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@SACL=
@="FlashBroker"

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet001\Services\gxvxcserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gxvxcbuwrcwppctpauxriehysxnwpolgmietx.sys"

[HKEY_USERS\SYSTEM\ControlSet002\Services\gxvxcserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gxvxctefpuoetsxxebxxjhgptbobwmxoymqqp.sys"
"group"="file system"

[HKEY_USERS\SYSTEM\ControlSet003\Services\gxvxcserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gxvxctefpuoetsxxebxxjhgptbobwmxoymqqp.sys"
"group"="file system"

[HKEY_USERS\SYSTEM\ControlSet004\Services\gxvxcserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gxvxctefpuoetsxxebxxjhgptbobwmxoymqqp.sys"
"group"="file system"

[HKEY_USERS\SYSTEM\ControlSet005\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-04-29 2:32
ComboFix-quarantined-files.txt 2009-04-29 06:32

Pre-Run: 196,580,597,760 bytes free
Post-Run: 196,689,309,696 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
351 --- E O F --- 2009-04-17 03:34
bjrod314
Regular Member
 
Posts: 16
Joined: April 15th, 2009, 12:30 am

Re: Possible Computer Hijack

Unread postby jmw3 » April 29th, 2009, 9:51 am

Note about Stopzilla:
Stopzilla is quite a resource hog & to be honest, I wouldn't really recommend having it on your computer. It has been pushed by malware - which means, malware causes popups where it asks to install Stopzilla. This makes Stopzilla a questionable application. Your choice but personally I wouldn't touch it.

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code: Select all
Rootkit::
c:\windows\system32\drivers\gxvxcbuwrcwppctpauxriehysxnwpolgmietx.sys
c:\users\BJ\AppData\Local\Temp\gxvxc000
Folder::
c:\program files\LimeWire
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5D8EA059-5679-4241-A851-F3EC779F9A6B}"=-
"{F35AD9EF-EB3E-4B91-B21E-EEA273853CC8}"=-
RegLock::
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
[HKEY_USERS\SOFTWARE\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
[HKEY_USERS\SOFTWARE\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
[HKEY_USERS\SOFTWARE\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
[HKEY_USERS\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
[HKEY_USERS\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
[HKEY_USERS\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
[HKEY_USERS\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
RegLockDel::
[HKEY_USERS\SYSTEM\ControlSet001\Services\gxvxcserv.sys]
[HKEY_USERS\SYSTEM\ControlSet002\Services\gxvxcserv.sys]
[HKEY_USERS\SYSTEM\ControlSet003\Services\gxvxcserv.sys]
[HKEY_USERS\SYSTEM\ControlSet004\Services\gxvxcserv.sys]

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Remove Programs
Click Start > Control Panel > Programs and Features
Remove these programs by right clicking then choose Uninstall/Change

Java(TM) 6 Update 7

If some programs listed are not present, please do not panic

Kaspersky Online Scan
Right click on your favourite web browser (Internet Explorer, Firefox, etc) and select Run As Administrator to run it
Go to Kaspersky website and perform an online antivirus scan
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply
I might get you ti run Gmer again as well, following the instructions posted previously.

To post in next reply:
Combofix og
Kaspersky Scan log
Gmer log
Update on how the computer is running
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Possible Computer Hijack

Unread postby bjrod314 » April 29th, 2009, 6:03 pm

I removed Stopzilla from my pc along with the Java update, but when I dragged the notepad file into the combofix icon after it starts up a box pops up indicating that I cannot rename combofix as commy??? Am I supposed to rename the combofix again??

BJ
bjrod314
Regular Member
 
Posts: 16
Joined: April 15th, 2009, 12:30 am

Re: Possible Computer Hijack

Unread postby jmw3 » April 30th, 2009, 1:55 am

Hi
Delete the copy of Combofix you have then download it again:
Link 1
Link 2
Link 3

You shouldn't need to rename it as the main infection has been taken out. Once you have a new copy try dragging the CFScript into it.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 481 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware