Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

Possible Computer Hijack

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

Re: Possible Computer Hijack

Unread postby bjrod314 » April 30th, 2009, 10:17 am

Computer is running a lot better.. not redirected anymore with search engines.. Here are the scan results and logs:

Thanks again.. BJ

Combo Fix:

ComboFix 09-04-28.02 - BJ 04/29/2009 21:44.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2814.1317 [GMT -4:00]
Running from: c:\users\BJ\Desktop\CBF.exe
Command switches used :: c:\users\BJ\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\LimeWire
c:\program files\LimeWire\lib\additional_resources.jar
c:\program files\LimeWire\lib\aopalliance.jar
c:\program files\LimeWire\lib\AppFramework.jar
c:\program files\LimeWire\lib\base64-2.2.2.jar
c:\program files\LimeWire\lib\clink.jar
c:\program files\LimeWire\lib\commons-codec-1.3.jar
c:\program files\LimeWire\lib\commons-logging.jar
c:\program files\LimeWire\lib\commons-math-1.2.jar
c:\program files\LimeWire\lib\daap.jar
c:\program files\LimeWire\lib\dnsjava-2.0.6.jar
c:\program files\LimeWire\lib\EventBus-1.2b.jar
c:\program files\LimeWire\lib\gettext-commons.jar
c:\program files\LimeWire\lib\glazedlists-1.7.0_java15.jar
c:\program files\LimeWire\lib\guice-assistedinject-snapshot.jar
c:\program files\LimeWire\lib\guice-snapshot.jar
c:\program files\LimeWire\lib\hsqldb.jar
c:\program files\LimeWire\lib\httpclient-4.0-beta1.jar
c:\program files\LimeWire\lib\httpcore-4.0-beta2.jar
c:\program files\LimeWire\lib\httpcore-nio-4.0-beta2.jar
c:\program files\LimeWire\lib\icu4j.jar
c:\program files\LimeWire\lib\iTunes-0.0.1.jar
c:\program files\LimeWire\lib\jacob-1.14.1.jar
c:\program files\LimeWire\lib\jaudiotagger.jar
c:\program files\LimeWire\lib\jcip-annotations.jar
c:\program files\LimeWire\lib\jcraft.jar
c:\program files\LimeWire\lib\jdic.dll
c:\program files\LimeWire\lib\jdic.jar
c:\program files\LimeWire\lib\jdic_stub.jar
c:\program files\LimeWire\lib\jflac.jar
c:\program files\LimeWire\lib\jl.jar
c:\program files\LimeWire\lib\jmdns.jar
c:\program files\LimeWire\lib\jna.jar
c:\program files\LimeWire\lib\jogg.jar
c:\program files\LimeWire\lib\jorbis.jar
c:\program files\LimeWire\lib\jxlayer.jar
c:\program files\LimeWire\lib\LimeWire.jar
c:\program files\LimeWire\lib\log4j.jar
c:\program files\LimeWire\lib\messages.jar
c:\program files\LimeWire\lib\miglayout.jar
c:\program files\LimeWire\lib\mozdom4java.jar
c:\program files\LimeWire\lib\MozillaGlue-1.9.jar
c:\program files\LimeWire\lib\MozillaInterfaces-1.9.jar
c:\program files\LimeWire\lib\mozswing.jar
c:\program files\LimeWire\lib\mp3spi.jar
c:\program files\LimeWire\lib\onion-common.jar
c:\program files\LimeWire\lib\onion-fec.jar
c:\program files\LimeWire\lib\smack.jar
c:\program files\LimeWire\lib\smackx-debug.jar
c:\program files\LimeWire\lib\smackx.jar
c:\program files\LimeWire\lib\swing-worker-1.1.jar
c:\program files\LimeWire\lib\swingx-0.9.4.jar
c:\program files\LimeWire\lib\SystemUtilities.dll
c:\program files\LimeWire\lib\tritonus.jar
c:\program files\LimeWire\lib\vorbisspi.jar
c:\program files\LimeWire\LimeWire.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-29 06:09 . 2009-04-29 06:32 -------- d-----w C:\Commy
2009-04-28 12:52 . 2009-04-29 21:56 -------- d-----w C:\ComboFix
2009-04-18 20:38 . 2008-06-02 19:19 29576 ----a-w c:\windows\system32\drivers\kcom.sys
2009-04-18 20:38 . 2009-04-18 20:56 40840 ----a-w c:\windows\system32\drivers\ikfilesec.sys
2009-04-18 20:38 . 2009-04-18 20:56 81288 ----a-w c:\windows\system32\drivers\iksyssec.sys
2009-04-18 20:38 . 2009-04-18 20:56 66952 ----a-w c:\windows\system32\drivers\iksysflt.sys
2009-04-18 20:38 . 2009-04-18 20:38 -------- d-----w c:\users\BJ\AppData\Roaming\PC Tools
2009-04-18 20:38 . 2009-04-29 21:53 -------- d-----w c:\program files\Spyware Doctor
2009-04-18 20:36 . 2009-04-18 20:38 -------- d-----w c:\users\BJ\AppData\Roaming\GetRightToGo
2009-04-15 23:08 . 2008-12-06 04:42 376832 ----a-w c:\windows\system32\winhttp.dll
2009-04-15 23:08 . 2008-06-06 03:27 562176 ----a-w c:\windows\system32\msdtcprx.dll
2009-04-15 23:08 . 2008-06-06 03:27 38912 ----a-w c:\windows\system32\xolehlp.dll
2009-04-15 23:08 . 2009-03-03 04:37 3600880 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-04-15 23:08 . 2009-03-03 04:37 3548656 ----a-w c:\windows\system32\ntoskrnl.exe
2009-04-15 23:08 . 2009-03-03 04:39 551424 ----a-w c:\windows\system32\rpcss.dll
2009-04-15 04:20 . 2009-04-15 04:20 -------- d-----w c:\program files\Trend Micro
2009-04-15 03:11 . 2009-04-15 03:56 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-13 00:52 . 2009-04-13 00:52 -------- d-----w c:\programdata\SITEguard
2009-04-13 00:52 . 2009-04-13 00:52 -------- d-----w c:\users\All Users\SITEguard
2009-04-12 21:13 . 2009-04-12 21:14 -------- d-----r c:\program files\Norton Support
2009-04-12 21:01 . 2009-03-12 08:42 25136 ----a-r c:\windows\system32\drivers\SymIMV.sys
2009-04-12 21:01 . 2009-04-15 23:18 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-12 21:01 . 2009-04-12 21:06 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-12 21:01 . 2009-04-15 23:18 -------- d-----w c:\program files\Symantec
2009-04-12 21:00 . 2009-04-17 03:56 -------- d-----w c:\windows\system32\drivers\NIS
2009-04-12 21:00 . 2009-04-12 21:00 -------- d-----w c:\program files\Norton Internet Security
2009-04-12 20:59 . 2009-04-12 20:59 -------- d-----w c:\program files\NortonInstaller
2009-04-12 20:48 . 2008-09-19 18:02 61436856 ----a-w C:\NIS09EN.exe
2009-04-12 20:29 . 2009-04-12 20:47 -------- d-----w c:\windows\LMIBF49.tmp
2009-04-12 17:14 . 2009-04-29 21:45 -------- d-----w c:\program files\STOPzilla!
2009-04-12 17:14 . 2009-04-29 21:45 -------- d-----w c:\programdata\STOPzilla!
2009-04-12 17:14 . 2009-04-29 21:45 -------- d-----w c:\users\All Users\STOPzilla!
2009-04-03 17:30 . 2009-04-03 17:30 -------- d-----w c:\program files\HTC Touch Pro User Guide

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 21:52 . 2008-10-26 00:13 -------- d-----w c:\program files\Java
2009-04-17 03:53 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-17 03:23 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstrng.dat
2009-04-17 03:23 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat
2009-04-17 03:23 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-04-15 23:18 . 2009-04-12 21:01 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-04-15 23:18 . 2009-04-12 21:01 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-13 01:44 . 2009-03-06 00:30 75264 ----a-w c:\users\BJ\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-13 00:13 . 2009-03-07 17:07 66946 ----a-w c:\users\All Users\nvModes.dat
2009-04-13 00:13 . 2009-03-07 17:07 66946 ----a-w c:\programdata\nvModes.dat
2009-04-03 17:50 . 2009-04-03 17:50 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2009-04-03 17:27 . 2009-04-03 17:27 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2009-03-17 03:38 . 2009-04-15 23:07 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-15 23:07 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 23:07 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-09 09:19 . 2009-03-08 01:29 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 21:12 . 2008-08-22 00:03 21256 ----a-w c:\windows\Help\OEM\scripts\HPScript.exe
2009-03-06 00:48 . 2009-03-06 00:48 -------- d-----w c:\program files\MSXML 4.0
2009-03-06 00:32 . 2008-10-26 00:17 -------- d-----w c:\program files\SMINST
2009-03-06 00:25 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Sidebar
2009-03-06 00:23 . 2009-03-06 00:23 0 --sha-r c:\windows\system32\drivers\103C_HP_cNB_G60 Notebook PC_Y5335KV_0U_Q2CE905826L_E508165-001_4A_I303C_SWistron_V08.48_F.34_T081223_WV3-1_L409_M2814_J250_7AMD_8F31_92.10_#090204_N168C001C;10DE0760_(ZY538UA#ABA)_XMOBILE_CN10_Z_2F.34_G10DE0845.MRK
2009-03-05 16:29 . 2009-03-15 20:33 16648 ----a-w c:\windows\Help\OEM\scripts\HC_ProtectSmartPatch.exe
2009-03-03 04:40 . 2009-04-15 23:07 827392 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:39 . 2009-04-15 23:07 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-15 23:07 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-15 23:07 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:37 . 2009-04-15 23:07 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-15 23:07 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-15 23:07 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-15 23:07 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-15 23:07 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-03 02:28 . 2009-04-15 23:07 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-02-13 08:49 . 2009-04-15 23:07 72704 ----a-w c:\windows\system32\secur32.dll
2009-02-13 08:49 . 2009-04-15 23:07 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 03:10 . 2009-03-11 23:24 2033152 ----a-w c:\windows\system32\win32k.sys
2009-02-05 04:11 . 2008-10-26 00:00 1053232 ----a-w c:\windows\system32\MFC71u.dll
2009-02-05 04:11 . 2008-08-06 22:29 353840 ----a-w c:\windows\system32\msvcr71.dll
2009-02-05 04:11 . 2008-08-06 22:27 505392 ----a-w c:\windows\system32\msvcp71.dll
2009-02-05 04:11 . 2008-10-26 00:00 1066544 ----a-w c:\windows\system32\MFC71.dll
2009-02-04 09:45 . 2009-02-05 03:34 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-01-30 22:24 . 2009-03-15 20:33 14600 ----a-w c:\windows\Help\OEM\scripts\HC_InstallHPHC.exe
2008-01-21 02:43 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2008-10-25 23:12 . 2008-10-25 22:59 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-04-29_06.29.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-29 06:39 . 2009-04-11 06:28 51712 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\wrpint.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 83968 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\wmiutils.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 30208 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\wbemprox.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 35328 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\mspatcha.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 22016 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\CbsMsg.dll
+ 2008-01-21 01:58 . 2009-04-30 01:56 38184 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-04-30 01:56 85634 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-06 00:22 . 2009-04-30 01:54 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-06 00:22 . 2009-04-29 06:18 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-06 00:22 . 2009-04-29 06:18 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-06 00:22 . 2009-04-30 01:54 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-06 00:22 . 2009-04-30 01:54 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-03-06 00:22 . 2009-04-29 06:18 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-03-06 00:36 . 2009-04-10 19:23 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-03-06 00:36 . 2009-04-29 21:31 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-06 00:36 . 2009-04-10 19:23 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-06 00:36 . 2009-04-29 21:31 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-06 00:36 . 2009-04-10 19:23 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-06 00:36 . 2009-04-29 21:31 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-04-21 02:38 . 2009-04-30 01:52 1748 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-03-06 00:24 . 2009-04-29 21:32 8484 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1719491328-3051507964-394884036-1000_UserData.bin
- 2009-04-29 06:18 . 2009-04-29 06:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-04-30 01:54 . 2009-04-30 01:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-04-30 01:54 . 2009-04-30 01:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-04-29 06:18 . 2009-04-29 06:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-04-29 06:39 . 2009-04-11 06:28 182784 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\xmllite.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 218624 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\wdscore.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 744448 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\wbemcore.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 357888 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\wbemcomn.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 116736 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\smipi.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 139264 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\SmiInstaller.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 705536 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\smiengine.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 126464 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\rescinst.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 265728 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\repdrvfs.dll
+ 2009-04-29 06:39 . 2009-04-11 06:27 119296 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\poqexec.exe
+ 2009-04-29 06:39 . 2009-04-11 06:27 130560 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\PkgMgr.exe
+ 2009-04-29 06:39 . 2009-04-11 06:28 146432 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\OEMHelpIns.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 305152 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\msdelta.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 102400 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\mofinstall.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 189440 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\mofd.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 222720 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\locdrv.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 100352 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\helpcins.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 614912 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\fastprox.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 265728 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\esscli.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 247808 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\drvstore.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 100352 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\DrUpdate.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 258048 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\dpx.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 243712 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\CntrtextInstaller.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 271360 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\cmitrust.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 119808 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\cmiadapter.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 535040 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\CbsCore.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 199168 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\apss.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 222208 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\apircl.dll
+ 2006-11-02 10:33 . 2009-04-29 21:35 595684 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-04-29 06:24 595684 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-04-29 21:35 101350 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-04-29 06:24 101350 c:\windows\System32\perfc009.dat
+ 2009-03-06 03:27 . 2009-04-30 01:52 273256 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-03-06 03:27 . 2009-04-29 06:16 273256 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-04-29 06:39 . 2009-04-11 06:28 1835520 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\wcp.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 2032640 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\cmiv2.dll
+ 2009-04-29 06:39 . 2009-04-11 06:28 1744384 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\apds.dll
+ 2006-11-02 10:22 . 2009-04-29 07:04 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2006-11-02 10:22 . 2009-04-17 04:38 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2008-06-06 17:27 . 2009-04-29 06:39 72047196 c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-11 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-11 92704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-04-18 1168264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{116E4D05-1782-4CEC-B486-8C0E36EF5903}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1FF9B5FA-F576-4093-AFC7-0A218C7D27C9}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4902CBA3-3773-4B14-B6C8-7E215919B83C}"= c:\program files\CyberLink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{D8ADE57F-0ABD-4DD0-A895-E7372A9F5E89}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{196F88C8-34DF-4B52-A22C-94619EE7745E}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1005000.087\SYMEFA.SYS [2009-03-12 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1005000.087\BHDrvx86.sys [2009-03-12 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1005000.087\ccHPx86.sys [2009-04-15 482352]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090420.001\IDSvix86.sys [2009-01-29 292912]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [2009-03-12 115560]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-04-12 101936]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\NIS\1005000.087\SYMNDISV.SYS [2009-03-12 39984]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\HPCeeScheduleForBJ.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-25 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cnnb
FF - ProfilePath - c:\users\BJ\AppData\Roaming\Mozilla\Firefox\Profiles\uyafla1s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 21:56
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Shockwave Flash Object"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
@SACL=

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
@SACL=

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
@SACL=

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash9f.ocx"
"ThreadingModel"="Apartment"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@SACL=
@="0"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@SACL=
@="ShockwaveFlash.ShockwaveFlash.9"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
@SACL=

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@SACL=
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash9f.ocx, 1"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@SACL=
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@SACL=
@="1.0"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@SACL=
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Macromedia Flash Factory Object"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
@SACL=

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash9f.ocx"
"ThreadingModel"="Apartment"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@SACL=
@="FlashFactory.FlashFactory.1"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
@SACL=

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@SACL=
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash9f.ocx, 1"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@SACL=
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@SACL=
@="1.0"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@SACL=
@="FlashFactory.FlashFactory"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
@Denied: (A 2) (Everyone)
@SACL=
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9f.exe,-101"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
@SACL=
"Enabled"=dword:00000001

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
@SACL=
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9f.exe"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_USERS\SOFTWARE\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
@Denied: (A 2) (Everyone)
@SACL=
@="IFlashBroker"

[HKEY_USERS\SOFTWARE\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
@SACL=
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_USERS\SOFTWARE\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@SACL=
@="Shockwave Flash"

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@SACL=
@=""

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@SACL=
@="FlashBroker"

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet006\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\wlanext.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\rundll32.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-04-30 22:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-30 02:01
ComboFix2.txt 2009-04-29 06:32

Pre-Run: 193,703,006,208 bytes free
Post-Run: 193,056,800,768 bytes free

449 --- E O F --- 2009-04-29 07:00



Gmer log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-04-30 10:10:17
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

SSDT 87D663D0 ZwAlertResumeThread
SSDT 87D64828 ZwAlertThread
SSDT 88713590 ZwAllocateVirtualMemory
SSDT 87B4CB90 ZwAlpcConnectPort
SSDT 88748A08 ZwAssignProcessToJobObject
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateKey [0x8EB797A6]
SSDT 88747728 ZwCreateMutant
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0x8EB76794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0x8EB76F1E]
SSDT 88748788 ZwCreateSymbolicLinkObject
SSDT 8870B460 ZwCreateThread
SSDT 88748AC8 ZwDebugActiveProcess
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteKey [0x8EB7A1F0]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteValueKey [0x8EB7A42A]
SSDT 887136E8 ZwDuplicateObject
SSDT 88713230 ZwFreeVirtualMemory
SSDT 88709490 ZwImpersonateAnonymousToken
SSDT 8870C050 ZwImpersonateThread
SSDT 87BC32B8 ZwLoadDriver
SSDT 88713150 ZwMapViewOfSection
SSDT 88707330 ZwOpenEvent
SSDT 887138C8 ZwOpenProcess
SSDT 88192C88 ZwOpenProcessToken
SSDT 88748C90 ZwOpenSection
SSDT 887137B8 ZwOpenThread
SSDT 88748938 ZwProtectVirtualMemory
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwRenameKey [0x8EB7B12A]
SSDT 87CD59B0 ZwResumeThread
SSDT 8808C990 ZwSetContextThread
SSDT 88740F40 ZwSetInformationProcess
SSDT 88748B88 ZwSetSystemInformation
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwSetValueKey [0x8EB7A83C]
SSDT 88748F50 ZwSuspendProcess
SSDT 87D4F118 ZwSuspendThread
SSDT 87F88308 ZwTerminateProcess
SSDT 88418D98 ZwTerminateThread
SSDT 87CED9E0 ZwUnmapViewOfSection
SSDT 887133C0 ZwWriteVirtualMemory
SSDT 88748858 ZwCreateThreadEx
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateUserProcess [0x8EB776B6]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----


KasperskyScan results:

KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, April 30, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, April 29, 2009 23:15:23
Records in database: 2101635
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 132512
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:45:55


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\gxvxcnecxtfmkiqnusfiyscxvcnpwscyuuitc.dll.vir Infected: Trojan.Win32.Agent2.hoq 1

The selected area was scanned.
bjrod314
Regular Member
 
Posts: 16
Joined: April 15th, 2009, 12:30 am
Top
Advertisement
Register to Remove

Re: Possible Computer Hijack

Unread postby jmw3 » April 30th, 2009, 1:26 pm

OTMoveIt3
Download OTMoveIt3.exe by OldTimer and save it to your desktop.
  • Right click on OTMoveIt3.exe, choose Run as Administrator to run it
  • Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved
Note: Do not type it out to minimize the risk of typo error
Code: Select all
:Files
c:\windows\LMIBF49.tmp
c:\program files\STOPzilla!
c:\programdata\STOPzilla!
c:\users\All Users\STOPzilla!
:Commands
[Purity]
[EmptyTemp]
[Reboot]

  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
A log will be produced at C:\_OTMoveIt\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
Top

Re: Possible Computer Hijack

Unread postby bjrod314 » April 30th, 2009, 11:48 pm

Here is the OTMoveIt3.exe log:

BJ


========== FILES ==========
c:\windows\LMIBF49.tmp moved successfully.
c:\program files\STOPzilla! moved successfully.
c:\programdata\STOPzilla!\Quarantine moved successfully.
c:\programdata\STOPzilla! moved successfully.
File/Folder c:\users\All Users\STOPzilla! not found.
========== COMMANDS ==========
File delete failed. C:\Users\BJ\AppData\Local\Temp\etilqs_Id6kvckhRhEtqLqJshFd scheduled to be deleted on reboot.
File delete failed. C:\Users\BJ\AppData\Local\Temp\JETC6E.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\BJ\AppData\Local\Temp\MainFrame.Log.txt scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Windows\temp\JET9BC1.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
File delete failed. C:\Users\BJ\AppData\Local\Mozilla\Firefox\Profiles\uyafla1s.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Users\BJ\AppData\Local\Mozilla\Firefox\Profiles\uyafla1s.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Users\BJ\AppData\Local\Mozilla\Firefox\Profiles\uyafla1s.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Users\BJ\AppData\Local\Mozilla\Firefox\Profiles\uyafla1s.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Users\BJ\AppData\Local\Mozilla\Firefox\Profiles\uyafla1s.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04302009_234015

Files moved on Reboot...
File C:\Users\BJ\AppData\Local\Temp\etilqs_Id6kvckhRhEtqLqJshFd not found!
File C:\Users\BJ\AppData\Local\Temp\JETC6E.tmp not found!
C:\Users\BJ\AppData\Local\Temp\MainFrame.Log.txt moved successfully.
File C:\Windows\temp\JET9BC1.tmp not found!
C:\Users\BJ\AppData\Local\Mozilla\Firefox\Profiles\uyafla1s.default\Cache\_CACHE_001_ moved successfully.
C:\Users\BJ\AppData\Local\Mozilla\Firefox\Profiles\uyafla1s.default\Cache\_CACHE_002_ moved successfully.
C:\Users\BJ\AppData\Local\Mozilla\Firefox\Profiles\uyafla1s.default\Cache\_CACHE_003_ moved successfully.
C:\Users\BJ\AppData\Local\Mozilla\Firefox\Profiles\uyafla1s.default\Cache\_CACHE_MAP_ moved successfully.
C:\Users\BJ\AppData\Local\Mozilla\Firefox\Profiles\uyafla1s.default\urlclassifier3.sqlite moved successfully.
bjrod314
Regular Member
 
Posts: 16
Joined: April 15th, 2009, 12:30 am
Top

Re: Possible Computer Hijack

Unread postby jmw3 » May 1st, 2009, 8:39 pm

Hi
Apologies for the late reply. I've been having phone line & ISP issues of late leading to intermittent internet access.

Clean Up
Now we need to clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove Combofix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /u
  • Double-click OTMoveIt3.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it yourself
You can also uninstall HijackThis by clicking Start>Control Panel> Programs and Features, right click on HijackThis 2.0.2 & choose uninstall/change
You can delete the following:
DDS
Any logs saved to your desktop
You can either delete or keep ATF-Cleaner. It's a handy tool for cleaning out temporary folders.

How's the computer running? Any problems?
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
Top

Re: Possible Computer Hijack

Unread postby bjrod314 » May 2nd, 2009, 1:16 am

Finished the whole clean up process.. Computer seems to be running great.. Thanks so much!!! Was just wondering should I still use Norton? Its actually been popping up stating there is a low security tracking cookie it wants to remove.. But everything seems to be running fantastic....

BJ
bjrod314
Regular Member
 
Posts: 16
Joined: April 15th, 2009, 12:30 am
Top

Re: Possible Computer Hijack

Unread postby jmw3 » May 2nd, 2009, 1:43 am

bjrod314 wrote:Finished the whole clean up process.. Computer seems to be running great.. Thanks so much!!! Was just wondering should I still use Norton? Its actually been popping up stating there is a low security tracking cookie it wants to remove.. But everything seems to be running fantastic....
Excellent... good to hear.
With regard to Norton - well it's a known resource hog & personally I wouldn't use it. If you want to remove it , here are some free alternatives. All are good but my personal choice would be Avira Antivir:
1) Antivir PersonalEdition Classic- Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.


All Clean
Congratulations, good work, your system is now clean. Now that your system is safe we would like you to keep it that way.
Take the time to follow these recommendations & it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can download it here & find a tutorial here.

SpywareBlaster
Download and install Javacools SpywareBlaster from here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlueTack's HOSTS Manager here, using Internet Explorer (Firefox won't work):
  • Double click the Installer on your desktop and let it Install the Hosts Manager
  • After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
  • When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools,
  • Click Disable DNS Service. This is important
  • In the Left Pane, click Download
  • It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Install WinPatrol
Download it here
You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

If there are any other questions then feel free to ask or in future do not hesitate to contact us here at The Malware Removal Forums
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
Top

Re: Possible Computer Hijack

Unread postby bjrod314 » May 3rd, 2009, 2:29 pm

Downloaded and installed everything in your list.. Computer is running great again!!! Thanks so very much!! I really don't know what I would have done without your assistance... i will definitely make a contribution to your site... And I will now hopefully never have any similar issues.. Thanks a million!!!

BJ
bjrod314
Regular Member
 
Posts: 16
Joined: April 15th, 2009, 12:30 am
Top

Re: Possible Computer Hijack

Unread postby bjrod314 » May 3rd, 2009, 2:33 pm

1 last thing.. In regards to the Hosts Manager.. After the download and install, when i hit the replace button and then the Save, A message popped up indicating that access was denied and it could not be saved... I tried a few more times with the same result.. Is that common???

BJ
bjrod314
Regular Member
 
Posts: 16
Joined: April 15th, 2009, 12:30 am
Top

Re: Possible Computer Hijack

Unread postby bjrod314 » May 3rd, 2009, 2:35 pm

Disregard that last post.. It saved upon exiting.. Thanks so much again!!!

BJ
bjrod314
Regular Member
 
Posts: 16
Joined: April 15th, 2009, 12:30 am
Top

Re: Possible Computer Hijack

Unread postby jmw3 » May 3rd, 2009, 5:10 pm

OK... no worries

Good luck & safe surfing :)
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
Top

Re: Possible Computer Hijack

Unread postby Gary R » May 4th, 2009, 10:13 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Gary R
Administrator
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Top
Advertisement
Register to Remove
Previous
Topic locked
  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 432 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index