Hijacked Browser?


Re: Hijacked Browser?

Post by Dlweis » September 1st, 2009, 7:51 pm

Found my VISTA OS disk and booted from it.
I got as far as the "REN system system.old" step; after I hit the Enter key I got
"System cannot find file Specified"

Thanks

Dennis
Dlweis
Regular Member
 
Posts: 15
Joined: August 24th, 2009, 9:06 pm

Re: Hijacked Browser?

Post by Dakeyras » September 2nd, 2009, 6:24 am

Hi Dennis :)

This does not bode well I'm afraid; the error you have informed me about reaffirms for me that a significant part of the registry is either corrupted and/or missing.

I will have a think about this and carry out some further research on your behalf.

In the meantime I advise you begin to create backups of any files/folders you do not wish to lose to a form of removable storage media. Also please check if any System Restore points and/or System Backups are available and let me know please, thank you.
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Hijacked Browser?

Post by Dlweis » September 2nd, 2009, 7:52 pm

I checked for system restore points via "systempropertiesprotection" and there are none.

:( Dennis
Dlweis
Regular Member
 
Posts: 15
Joined: August 24th, 2009, 9:06 pm

Re: Hijacked Browser?

Post by Dlweis » September 2nd, 2009, 8:38 pm

My Norton anti-virus program detected a "Backdoor.Tidserv" virus and fixed it. I went to the internet and tried my browser, and so far it hasn't taken me to any unwanted sites when I tried several web links. I don't know if this has anything to do with my current problems or not.

Dennis
Dlweis
Regular Member
 
Posts: 15
Joined: August 24th, 2009, 9:06 pm

Re: Hijacked Browser?

Post by Dakeyras » September 2nd, 2009, 9:06 pm

Thank you for the update. :)

What you have mentioned does sound like rootkit characteristics; most strange that the F-Secure Blacklight scan did not pick this up, as it should have if it is the variant I think it is.

Do continue and/or create any backups you do need.

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Please include the C:\ComboFix.txt in your next reply for further review.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper


When completed the above, please post back the following in the order asked for:

  • How is your computer performing now? Any other symptoms and/or problems encountered?
  • ComboFix Log.
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Hijacked Browser?

Post by Dlweis » September 2nd, 2009, 9:51 pm

My links are currently working :P Below is requested log:

ComboFix 09-09-02.02 - DENNIS 09/02/2009 21:34.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.2110 [GMT -4:00]
Running from: c:\users\DENNIS.Dennis-PC\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *disabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2176694402-3255639231-4089149711-1001
c:\$recycle.bin\S-1-5-21-2176694402-3255639231-4089149711-500
c:\windows\system32\drivers\kbiwkmlpufxcie.sys
c:\windows\system32\kbiwkmnxfqopxk.dll
c:\windows\system32\kbiwkmpcxipevj.dll
c:\windows\system32\kbiwkmsefyupyb.dat
c:\windows\system32\kbiwkmvcchixgo.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kbiwkmiuepwsvo
-------\Service_kbiwkmiuepwsvo


((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-09-03 01:37 . 2009-09-03 01:39 -------- d-----w- c:\users\DENNIS.Dennis-PC\AppData\Local\temp
2009-09-03 01:37 . 2009-09-03 01:37 -------- d-----w- c:\users\Pam\AppData\Local\temp
2009-09-03 01:37 . 2009-09-03 01:37 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2009-09-01 21:10 . 2009-09-01 21:11 -------- d-----w- c:\program files\ERUNT
2009-08-31 20:56 . 2009-08-31 20:56 1137360 ----a-w- C:\fsbl.exe
2009-08-30 02:00 . 2009-08-31 20:49 -------- d-----w- C:\rsit
2009-08-28 17:34 . 2009-08-28 17:34 -------- d-----w- c:\users\Pam\AppData\Roaming\Malwarebytes
2009-08-27 07:01 . 2009-06-22 10:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-26 08:59 . 2009-06-05 12:34 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-26 08:59 . 2009-06-05 10:08 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-25 00:31 . 2009-08-25 00:31 -------- d-----w- c:\users\DENNIS.Dennis-PC\AppData\Roaming\Malwarebytes
2009-08-25 00:31 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-25 00:31 . 2009-08-25 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-25 00:31 . 2009-08-25 00:31 -------- d-----w- c:\programdata\Malwarebytes
2009-08-25 00:31 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-25 00:24 . 2009-08-25 00:24 -------- d-----w- c:\program files\Trend Micro
2009-08-24 23:59 . 2001-10-04 04:14 184320 ----a-w- c:\windows\system32\wzcsvc.dll
2009-08-24 22:19 . 2009-08-24 22:39 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-24 19:16 . 2009-08-24 19:16 -------- d-----w- c:\users\DENNIS.Dennis-PC\AppData\Local\Apple
2009-08-20 15:10 . 2009-08-20 15:10 -------- d-----w- c:\users\DENNIS.Dennis-PC\AppData\Local\Roxio
2009-08-19 23:43 . 2009-08-19 23:43 -------- d-----w- c:\users\Pam\AppData\Local\Mozilla
2009-08-19 23:21 . 2009-08-19 23:21 -------- d-----w- c:\users\DENNIS.Dennis-PC\AppData\Local\Mozilla
2009-08-19 21:37 . 2009-08-23 17:05 -------- d-----w- c:\users\DENNIS.Dennis-PC\AppData\Local\Adobe
2009-08-19 21:12 . 2009-08-19 21:12 -------- d-----w- C:\3f48cbb0d3a0979353f8153d3f9e7c59
2009-08-19 00:44 . 2009-08-19 00:44 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-19 00:43 . 2009-08-19 20:28 -------- d-----w- c:\program files\Common Files\Real
2009-08-18 02:25 . 2009-08-18 02:25 -------- d-----w- c:\users\DENNIS.Dennis-PC\AppData\Local\Google
2009-08-18 02:24 . 2009-08-18 02:24 121408 ----a-w- c:\users\DENNIS.Dennis-PC\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-18 02:24 . 2009-08-18 02:24 -------- d-----w- c:\users\DENNIS.Dennis-PC\AppData\Roaming\Logitech
2009-08-18 02:24 . 2009-08-18 02:24 -------- d-----w- c:\users\DENNIS.Dennis-PC\AppData\Roaming\Symantec
2009-08-13 07:03 . 2009-08-13 07:03 -------- d-sh--w- c:\windows\system32\%APPDATA%
2009-08-12 20:39 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-12 20:39 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-12 20:39 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-12 20:38 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-12 20:38 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-12 20:38 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-12 20:38 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-12 20:38 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 01:38 . 2007-09-19 21:47 12 ----a-w- c:\windows\bthservsdp.dat
2009-08-24 23:30 . 2008-12-20 16:03 -------- d-----w- c:\programdata\NOS
2009-08-24 23:30 . 2008-12-20 16:03 -------- d-----w- c:\program files\NOS
2009-08-19 21:08 . 2007-09-12 11:00 -------- d-----w- c:\program files\Google
2009-08-19 20:25 . 2008-10-19 16:59 -------- d-----w- c:\programdata\Viewpoint
2009-08-18 02:23 . 2009-08-18 02:23 -------- d--h--w- c:\users\DENNIS.Dennis-PC\AppData\Roaming\GTek
2009-08-13 07:09 . 2007-10-06 20:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-13 07:03 . 2009-04-26 01:59 -------- d-----w- c:\programdata\Microsoft Help
2009-08-13 07:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-25 15:26 . 2007-09-20 13:58 121408 ----a-w- c:\users\Pam\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-24 21:42 . 2007-09-12 11:00 -------- d-----w- c:\program files\Microsoft Works
2009-07-21 21:52 . 2009-07-29 17:32 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 17:32 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 17:32 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 17:32 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-12 03:14 . 2009-05-31 02:58 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-06-15 15:24 . 2009-07-15 11:51 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-07-15 11:51 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-07-15 11:51 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-07-15 11:51 289792 ----a-w- c:\windows\system32\atmfd.dll
2007-09-12 18:17 . 2007-09-12 18:14 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 182744]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-19 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-19 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-19 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-12 101136]

c:\users\DENNIS.Dennis-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-9-12 50688]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2007-9-12 679936]
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2009-3-14 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E90BD9E8-554B-464C-8855-54EE7D0B5CCD}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{A83B2E21-158F-491A-B229-A094B88D3B43}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{2B53E217-F70C-4344-BBE2-FD974D1F4009}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel(R) Remoting Service
"{D2034F35-245F-456D-A8C2-7234814E7D4D}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel(R) Remoting Service
"{9CAC8998-58BA-4695-8742-5B030101E14A}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel(R) Viiv(TM) Media Server
"{6B3CE1FB-CEAC-4856-B177-FDB38BBBB95F}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel(R) Viiv(TM) Media Server
"{D501C735-1D02-4306-8F54-C312EBF01B14}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel(R) Viiv(TM) Media Server Discovery
"{5FDC8D13-8447-43C5-A03B-20C45D361FAC}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel(R) Viiv(TM) Media Server UPnP Discovery
"{1E16118B-8C28-4BBA-A779-DD087AC6E66B}"= Disabled:UDP:c:\program files\Adobe\Photoshop Elements 4.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{427DE92B-67BA-4F68-8518-E493411B3CED}"= Disabled:TCP:c:\program files\Adobe\Photoshop Elements 4.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{C201E276-1402-4943-82EB-183CEF2B8EDB}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{689227DF-50ED-4DD9-A54B-D363E68A66C4}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{5C5426A5-7869-4AF0-A308-B34CE106C303}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{22737F3C-6EDE-4111-9CE9-DF6DE1FC5831}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{3423008D-17EE-4017-A86A-91DB29AB2AB8}"= UDP:c:\program files\TurboTax\Premier 2007\32bit\ttax.exe:TurboTax
"{8EC38D51-CE96-4AE5-BDDB-0074A50E9D1B}"= TCP:c:\program files\TurboTax\Premier 2007\32bit\ttax.exe:TurboTax
"{673DB804-1271-477D-855C-2EE96D92B982}"= UDP:c:\program files\TurboTax\Premier 2007\32bit\updatemgr.exe:TurboTax Update Manager
"{2057C8DE-F41A-4945-9B91-501B725719CD}"= TCP:c:\program files\TurboTax\Premier 2007\32bit\updatemgr.exe:TurboTax Update Manager
"{C0BA0E41-9A75-4D00-91BE-27537843B818}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{91759461-424C-45CE-BE72-FE819D0E0E86}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{83BD1BFD-D28E-4648-A2D1-AF245719392F}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7F4BCBE4-20CE-4F16-9F29-255ABCB714A8}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090826.001\IDSvix86.sys [9/1/2009 5:17 PM 272432]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [10/29/2006 10:03 AM 208896]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/8/2008 5:34 PM 149352]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\System32\drivers\nmsgopro.sys [9/27/2006 5:37 PM 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\System32\drivers\nmsunidr.sys [10/19/2006 4:49 PM 7424]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2/26/2008 12:10 PM 1153368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 8:35 PM 102448]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2/19/2009 12:31 PM 41008]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [5/29/2007 4:55 PM 23888]
S3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [9/12/2007 6:43 AM 5504]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Dennis.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/200 ... ader55.cab
FF - ProfilePath - c:\users\DENNIS.Dennis-PC\AppData\Roaming\Mozilla\Firefox\Profiles\oq9mcakd.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3552)
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\System32\stacsv.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
.
**************************************************************************
.
Completion time: 2009-09-03 21:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-03 01:42

Pre-Run: 179,407,151,104 bytes free
Post-Run: 179,233,095,680 bytes free

231 --- E O F --- 2009-08-28 01:13
Dlweis
Regular Member
 
Posts: 15
Joined: August 24th, 2009, 9:06 pm
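The log above is the kind of artefact a helper reads by eye: five files under system32 and a Legacy_/Service_ pair that all share the same random-looking stem (kbiwkm*), plus a Security Center and firewall policy dump. As an added triage helper (my own code, not part of the thread, of ComboFix or of MalwareRemoval.com), the block below splits a ComboFix-style log into its ((( ... ))) sections, clusters deleted system32 files and removed services by a shared name prefix, and counts the posture lines a reviewer would want to eyeball. The prefix-clustering heuristic and the 6-character/3-member thresholds are my assumptions, not a ComboFix rule; the sample lines are copied from the log above with one constructed decoy driver added so the filter has something to reject.

```python
"""Added triage helper (not part of the thread or of ComboFix): parse a
ComboFix-style log into its ((( ... ))) sections, then cluster deleted
system32 files and removed services that share a name prefix, the way the
kbiwkm* driver/DLL/.dat/service set in the log above does."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")
FILE_RE = re.compile(
    r"^c:\\windows\\system32\\(?:drivers\\)?([a-z0-9]+)\.(?:sys|dll|dat|exe)$", re.I)
SERVICE_RE = re.compile(r"^-+\\(?:Legacy|Service)_([a-z0-9]+)$", re.I)
POSTURE_RE = {
    # Windows Firewall public profile switched off in the policy dump
    "firewall_public_profile_off": re.compile(r'"EnableFirewall"=\s*0\b'),
    # Security Center told to stop monitoring AV/firewall state. Third-party
    # suites such as Norton commonly set this so Security Center defers to
    # them, so it is a "look at it", not a "malware" finding.
    "security_center_monitoring_off": re.compile(r'"DisableMonitoring"=dword:00000001'),
}


def split_sections(text):
    """Map section title -> non-empty lines; text before any header is 'header'."""
    sections, current = defaultdict(list), "header"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line and line != ".":
            sections[current].append(line)
    return sections


def prefix_clusters(sections, prefix_len=6, min_members=3):
    """Group deleted system32 files and removed services by their first
    prefix_len characters (assumed thresholds); a cluster of min_members or
    more is treated as one dropper's file set."""
    clusters = defaultdict(set)
    for line in sections.get("Other Deletions", []):
        m = FILE_RE.match(line)
        if m:
            clusters[m.group(1)[:prefix_len].lower()].add(line)
    for line in sections.get("Drivers/Services", []):
        m = SERVICE_RE.match(line)
        if m:
            clusters[m.group(1)[:prefix_len].lower()].add(line)
    return {p: sorted(v) for p, v in clusters.items() if len(v) >= min_members}


def posture_findings(text):
    """Count how often each posture pattern occurs anywhere in the log."""
    return {name: len(rx.findall(text)) for name, rx in POSTURE_RE.items()}


def triage(text):
    sections = split_sections(text)
    return {"clusters": prefix_clusters(sections), "posture": posture_findings(text)}


# Constructed sample: lines copied from the log above plus one decoy driver
# (decoy01.sys) that has no sibling files, so it must not form a cluster.
SAMPLE_LOG = r"""
((((((((((( Other Deletions )))))))))))
.
c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\windows\system32\drivers\kbiwkmlpufxcie.sys
c:\windows\system32\kbiwkmnxfqopxk.dll
c:\windows\system32\kbiwkmpcxipevj.dll
c:\windows\system32\kbiwkmsefyupyb.dat
c:\windows\system32\kbiwkmvcchixgo.dat
c:\windows\system32\drivers\decoy01.sys
.
((((((((((( Drivers/Services )))))))))))
.
-------\Legacy_kbiwkmiuepwsvo
-------\Service_kbiwkmiuepwsvo
.
((((((((((( Reg Loading Points )))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for prefix, members in result["clusters"].items():
        print(f"{prefix}*: {len(members)} related artefacts")
        for member in members:
            print("   ", member)
    print(result["posture"])
```

Run stand-alone it reports one cluster, kbiwkm*, with seven members (five files plus the Legacy_/Service_ pair) and ignores the decoy and the recycle-bin entries; the posture counts come out as one disabled public firewall profile and three DisableMonitoring keys, which in this log are consistent with Norton Internet Security being the registered suite.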

Re: Hijacked Browser?

Post by Dakeyras » September 3rd, 2009, 8:24 am

Hi :)

A marked improvement indeed! :thumbup:

Custom ComboFix-Script:

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
    [-HKEY_CLASSES_ROOT\CLSID\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BHR"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WindowsWelcomeCenter"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
    [-HKEY_CLASSES_ROOT\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D4323BF2-006A-4440-A2F5-27E3E7AB25F8}]
    [-HKEY_CLASSES_ROOT\CLSID\{D4323BF2-006A-4440-A2F5-27E3E7AB25F8}]
    
    ADS::
    C:\ProgramData\TEMP:DFC5A2B2
    C:\ProgramData\TEMP:D1B5B4F1
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Malwarebytes Anti-Malware:

  • Launch the application, Check for Updates >> Perform a Quick Scan
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

When completed the above, please post back the following:

  • Let me know how your computer is running. Any problems encountered and/or further symptoms?
  • ComboFix Log.
  • Malwarebytes Anti-Malware Log.
  • ESET Log.
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
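A CFScript like the one in the post above is a small declarative format: `[-KEY]` deletes a whole registry key, a bare `[KEY]` selects a key so that following `"Name"=-` lines delete single values, and each `ADS::` line names a file plus an NTFS alternate data stream. Because ComboFix executes it with full privileges and no confirmation, a practitioner wants to see the exact action list before dragging the file onto ComboFix.exe. The parser below is an added example (my code, not ComboFix's, not from the thread); it handles only the two directives visible above, the strict error on anything else is my choice, and whether ComboFix itself accepts other spellings or edge cases is an assumption I have not verified. The sample input is the script from the post, reproduced verbatim, and the pairing check codifies what the helper did by hand: every CLSID removed from HKEY_CLASSES_ROOT\CLSID should have its BHO or Distribution Units registration removed too, and vice versa.

```python
"""Added example (mine, not ComboFix's code): turn a ComboFix CFScript of the
shape posted above into explicit actions for review. Only the Registry:: and
ADS:: directives seen in the thread are handled; ComboFix's own parser may
accept more and may treat edge cases differently (assumption)."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    kind: str          # delete_key | delete_value | delete_stream
    target: str        # registry key path, or file path for a stream
    name: str = ""     # value name, or stream name


KEY_RE = re.compile(r"^\[(-?)(HK[A-Z_]+\\.+)\]$")   # [-KEY] deletes, [KEY] selects
VALUE_DEL_RE = re.compile(r'^"(.+?)"=-$')            # "Name"=- deletes one value
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_cfscript(text):
    """Return the ordered list of Actions the script asks for, or raise
    ValueError on a line this parser does not understand."""
    actions, section, current_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                 # Registry:: / ADS:: header
            section, current_key = line[:-2], None
            continue
        if section == "Registry":
            m = KEY_RE.match(line)
            if m:
                minus, key = m.groups()
                if minus:
                    actions.append(Action("delete_key", key))
                    current_key = None           # a deleted key cannot be selected
                else:
                    current_key = key
                continue
            m = VALUE_DEL_RE.match(line)
            if m and current_key:
                actions.append(Action("delete_value", current_key, m.group(1)))
                continue
            raise ValueError(f"unrecognised Registry:: line: {line}")
        if section == "ADS":
            path, sep, stream = line.rpartition(":")   # file:stream, drive colon kept in path
            if not sep or not path or "\\" in stream:
                raise ValueError(f"not a file:stream pair: {line}")
            actions.append(Action("delete_stream", path, stream))
            continue
        raise ValueError(f"line outside a known section: {line}")
    return actions


def unpaired_clsids(actions):
    """CLSIDs deleted from HKEY_CLASSES_ROOT\\CLSID without a matching deletion
    of their BHO / Distribution Units registration, or vice versa."""
    seen = {}
    for a in actions:
        if a.kind != "delete_key":
            continue
        m = CLSID_RE.search(a.target)
        if m:
            side = "clsid" if a.target.upper().startswith("HKEY_CLASSES_ROOT\\CLSID") else "registration"
            seen.setdefault(m.group(0).upper(), set()).add(side)
    return sorted(c for c, sides in seen.items() if len(sides) < 2)


def summarize(actions):
    """Count actions by kind, e.g. {'delete_key': 8, ...}."""
    return dict(Counter(a.kind for a in actions))


# The script from the post above, reproduced as the sample input.
SAMPLE_SCRIPT = r"""
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
[-HKEY_CLASSES_ROOT\CLSID\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BHR"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
[-HKEY_CLASSES_ROOT\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D4323BF2-006A-4440-A2F5-27E3E7AB25F8}]
[-HKEY_CLASSES_ROOT\CLSID\{D4323BF2-006A-4440-A2F5-27E3E7AB25F8}]

ADS::
C:\ProgramData\TEMP:DFC5A2B2
C:\ProgramData\TEMP:D1B5B4F1
"""

if __name__ == "__main__":
    acts = parse_cfscript(SAMPLE_SCRIPT)
    for a in acts:
        print(f"{a.kind:14} {a.target}" + (f"  ->  {a.name}" if a.name else ""))
    print(summarize(acts), "unpaired CLSIDs:", unpaired_clsids(acts))
```

For the script above this yields twelve actions (eight key deletions, two value deletions, two stream deletions) and no unpaired CLSIDs, which is the shape a reviewer expects for a BHO/ActiveX clean-up: each CLSID's HKCR registration and its load point go together.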

Re: Hijacked Browser?

Post by Dlweis » September 3rd, 2009, 10:25 pm

Here are the 3 log files:

ComboFix 09-09-02.02 - DENNIS 09/03/2009 20:42.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.1926 [GMT -4:00]
Running from: c:\users\DENNIS.Dennis-PC\Desktop\ComboFix.exe
Command switches used :: c:\users\DENNIS.Dennis-PC\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *disabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
.

2009-09-04 00:45 . 2009-09-04 00:45 -------- d-----w- c:\users\DENNIS.Dennis-PC\AppData\Local\temp
2009-09-04 00:45 . 2009-09-04 00:45 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-04 00:45 . 2009-09-04 00:45 -------- d-----w- c:\users\Pam\AppData\Local\temp
2009-09-04 00:45 . 2009-09-04 00:45 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2009-09-04 00:45 . 2009-09-04 00:45 -------- d-----w- c:\users\Dennis\AppData\Local\temp
2009-09-04 00:45 . 2009-09-04 00:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-02 20:35 . 2009-08-28 12:39 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-02 20:35 . 2009-08-28 10:15 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-01 21:10 . 2009-09-01 21:11 -------- d-----w- c:\program files\ERUNT
2009-08-31 20:56 . 2009-08-31 20:56 1137360 ----a-w- C:\fsbl.exe
2009-08-30 02:00 . 2009-08-31 20:49 -------- d-----w- C:\rsit
2009-08-28 17:34 . 2009-08-28 17:34 -------- d-----w- c:\users\Pam\AppData\Roaming\Malwarebytes
2009-08-27 07:01 . 2009-06-22 10:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-25 00:31 . 2009-08-25 00:31 -------- d-----w- c:\users\DENNIS.Dennis-PC\AppData\Roaming\Malwarebytes
2009-08-25 00:31 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-25 00:31 . 2009-08-25 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-25 00:31 . 2009-08-25 00:31 -------- d-----w- c:\programdata\Malwarebytes
2009-08-25 00:31 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-25 00:24 . 2009-08-25 00:24 -------- d-----w- c:\program files\Trend Micro
2009-08-24 23:59 . 2001-10-04 04:14 184320 ----a-w- c:\windows\system32\wzcsvc.dll
2009-08-24 22:19 . 2009-08-24 22:39 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-24 19:16 . 2009-08-24 19:16 -------- d-----w- c:\users\DENNIS.Dennis-PC\AppData\Local\Apple
2009-08-20 15:10 . 2009-08-20 15:10 -------- d-----w- c:\users\DENNIS.Dennis-PC\AppData\Local\Roxio
2009-08-19 23:43 . 2009-08-19 23:43 -------- d-----w- c:\users\Pam\AppData\Local\Mozilla
2009-08-19 23:21 . 2009-08-19 23:21 -------- d-----w- c:\users\DENNIS.Dennis-PC\AppData\Local\Mozilla
2009-08-19 21:37 . 2009-08-23 17:05 -------- d-----w- c:\users\DENNIS.Dennis-PC\AppData\Local\Adobe
2009-08-19 21:12 . 2009-08-19 21:12 -------- d-----w- C:\3f48cbb0d3a0979353f8153d3f9e7c59
2009-08-19 00:44 . 2009-08-19 00:44 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-19 00:43 . 2009-08-19 20:28 -------- d-----w- c:\program files\Common Files\Real
2009-08-18 02:25 . 2009-08-18 02:25 -------- d-----w- c:\users\DENNIS.Dennis-PC\AppData\Local\Google
2009-08-18 02:24 . 2009-08-18 02:24 121408 ----a-w- c:\users\DENNIS.Dennis-PC\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-18 02:24 . 2009-08-18 02:24 -------- d-----w- c:\users\DENNIS.Dennis-PC\AppData\Roaming\Logitech
2009-08-18 02:24 . 2009-08-18 02:24 -------- d-----w- c:\users\DENNIS.Dennis-PC\AppData\Roaming\Symantec
2009-08-13 07:03 . 2009-08-13 07:03 -------- d-sh--w- c:\windows\system32\%APPDATA%
2009-08-12 20:39 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-12 20:39 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-12 20:39 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-12 20:38 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-12 20:38 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-12 20:38 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-12 20:38 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-12 20:38 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 22:00 . 2008-12-20 16:03 -------- d-----w- c:\programdata\NOS
2009-09-03 22:00 . 2008-12-20 16:03 -------- d-----w- c:\program files\NOS
2009-09-03 21:57 . 2007-09-19 21:47 12 ----a-w- c:\windows\bthservsdp.dat
2009-08-19 21:08 . 2007-09-12 11:00 -------- d-----w- c:\program files\Google
2009-08-19 20:25 . 2008-10-19 16:59 -------- d-----w- c:\programdata\Viewpoint
2009-08-18 02:23 . 2009-08-18 02:23 -------- d--h--w- c:\users\DENNIS.Dennis-PC\AppData\Roaming\GTek
2009-08-13 07:09 . 2007-10-06 20:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-13 07:03 . 2009-04-26 01:59 -------- d-----w- c:\programdata\Microsoft Help
2009-08-13 07:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-25 15:26 . 2007-09-20 13:58 121408 ----a-w- c:\users\Pam\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-24 21:42 . 2007-09-12 11:00 -------- d-----w- c:\program files\Microsoft Works
2009-07-21 21:52 . 2009-07-29 17:32 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 17:32 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 17:32 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 17:32 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-12 03:14 . 2009-05-31 02:58 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-06-15 15:24 . 2009-07-15 11:51 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-07-15 11:51 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-07-15 11:51 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-07-15 11:51 289792 ----a-w- c:\windows\system32\atmfd.dll
2007-09-12 18:17 . 2007-09-12 18:14 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-09-03_01.39.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-02 20:35 . 2009-08-29 00:19 28672 c:\windows\winsxs\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.22213_none_846a2103770ca798\Apphlpdm.dll
+ 2009-09-02 20:35 . 2009-08-29 00:14 28672 c:\windows\winsxs\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.18101_none_83e953905de8b92f\Apphlpdm.dll
+ 2009-09-02 20:35 . 2009-08-28 12:24 28672 c:\windows\winsxs\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.22509_none_829480c379d8ce8d\Apphlpdm.dll
+ 2009-09-02 20:35 . 2009-08-28 12:39 28672 c:\windows\winsxs\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.18320_none_81ec3fa060d3856f\Apphlpdm.dll
+ 2009-09-02 20:35 . 2009-08-29 03:32 28672 c:\windows\winsxs\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.21117_none_80a147d97cbc5cfa\Apphlpdm.dll
+ 2009-09-02 20:35 . 2009-08-29 03:40 28672 c:\windows\winsxs\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.16917_none_8017d2ec639e89ee\Apphlpdm.dll
+ 2007-09-12 11:07 . 2009-09-03 22:01 41518 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2007-09-12 11:07 . 2009-09-03 00:23 41518 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-09-03 22:01 80328 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-04-28 14:44 . 2009-09-03 02:04 88589 c:\windows\System32\Macromed\Flash\uninstall_activeX.exe
+ 2007-09-19 21:44 . 2009-09-04 00:37 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-09-19 21:44 . 2009-09-03 01:33 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-09-19 21:44 . 2009-09-03 01:33 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-09-19 21:44 . 2009-09-04 00:37 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-09-19 21:44 . 2009-09-04 00:37 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-09-19 21:44 . 2009-09-03 01:33 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-09-02 20:35 . 2009-08-29 00:24 2560 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6002.22213_none_0e8a7f670895bd4d\AcRes.dll
+ 2009-09-02 20:35 . 2009-08-28 10:09 2560 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.22509_none_0cb4df270b61e442\AcRes.dll
+ 2009-09-02 20:35 . 2009-08-28 23:11 2560 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.21117_none_0ac1a63d0e4572af\AcRes.dll
+ 2009-09-02 20:35 . 2009-08-28 23:15 2560 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.16917_none_0a38314ff5279fa3\AcRes.dll
+ 2007-10-08 16:28 . 2009-09-03 21:57 2464 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-08-19 21:10 . 2009-09-03 01:40 3562 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2176694402-3255639231-4089149711-1003_UserData.bin
+ 2007-09-26 12:45 . 2009-09-03 22:01 7250 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2176694402-3255639231-4089149711-1002_UserData.bin
+ 2009-09-03 21:58 . 2009-09-03 21:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-09-03 21:58 . 2009-09-03 21:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-09-02 20:35 . 2009-08-29 02:46 173056 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.22213_none_0e8e808f089222a9\AcXtrnal.dll
+ 2009-09-02 20:35 . 2009-08-29 02:46 542720 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.22213_none_0e8e808f089222a9\AcLayers.dll
+ 2009-09-02 20:35 . 2009-08-29 02:30 173056 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.18101_none_0e0db31bef6e3440\AcXtrnal.dll
+ 2009-09-02 20:35 . 2009-08-29 02:30 542720 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.18101_none_0e0db31bef6e3440\AcLayers.dll
+ 2009-09-02 20:35 . 2009-08-28 12:24 173056 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.22509_none_0cb8e04f0b5e499e\AcXtrnal.dll
+ 2009-09-02 20:35 . 2009-08-28 12:24 541696 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.22509_none_0cb8e04f0b5e499e\AcLayers.dll
+ 2009-09-02 20:35 . 2009-08-28 12:39 173056 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.18320_none_0c109f2bf2590080\AcXtrnal.dll
+ 2009-09-02 20:35 . 2009-08-28 12:38 541696 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.18320_none_0c109f2bf2590080\AcLayers.dll
+ 2009-09-02 20:35 . 2009-08-29 03:31 173056 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.21117_none_0ac5a7650e41d80b\AcXtrnal.dll
+ 2009-09-02 20:35 . 2009-08-29 03:31 537600 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.21117_none_0ac5a7650e41d80b\AcLayers.dll
+ 2009-09-02 20:35 . 2009-08-29 03:40 173056 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.16917_none_0a3c3277f52404ff\AcXtrnal.dll
+ 2009-09-02 20:35 . 2009-08-29 03:40 537600 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.16917_none_0a3c3277f52404ff\AcLayers.dll
+ 2009-09-02 20:35 . 2009-08-29 02:46 458752 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6002.22213_none_0e8d804508930952\AcSpecfc.dll
+ 2009-09-02 20:35 . 2009-08-29 02:30 458752 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6002.18101_none_0e0cb2d1ef6f1ae9\AcSpecfc.dll
+ 2009-09-02 20:35 . 2009-08-28 12:24 459776 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6001.22509_none_0cb7e0050b5f3047\AcSpecfc.dll
+ 2009-09-02 20:35 . 2009-08-28 12:38 459776 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6001.18320_none_0c0f9ee1f259e729\AcSpecfc.dll
+ 2009-09-02 20:35 . 2009-08-29 03:31 450560 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6000.21117_none_0ac4a71b0e42beb4\AcSpecfc.dll
+ 2009-09-02 20:35 . 2009-08-29 03:40 449024 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6000.16917_none_0a3b322df524eba8\AcSpecfc.dll
+ 2008-09-25 10:04 . 2009-09-04 00:22 346612 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 10:33 . 2009-09-03 22:03 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-09-03 00:26 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-09-03 00:26 101144 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-09-03 22:03 101144 c:\windows\System32\perfc009.dat
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\System32\Macromed\Flash\FlashUtil10c.exe
- 2009-07-25 15:26 . 2009-09-03 01:33 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-25 15:26 . 2009-09-04 00:37 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-09-02 20:35 . 2009-08-28 12:39 173056 c:\windows\AppPatch\AcXtrnal.dll
- 2009-08-26 08:59 . 2009-06-05 12:34 173056 c:\windows\AppPatch\AcXtrnal.dll
- 2009-08-26 08:59 . 2009-06-05 12:33 459776 c:\windows\AppPatch\AcSpecfc.dll
+ 2009-09-02 20:35 . 2009-08-28 12:38 459776 c:\windows\AppPatch\AcSpecfc.dll
- 2009-08-26 08:59 . 2009-06-05 12:33 541696 c:\windows\AppPatch\AcLayers.dll
+ 2009-09-02 20:35 . 2009-08-28 12:38 541696 c:\windows\AppPatch\AcLayers.dll
+ 2009-09-02 20:35 . 2009-08-29 00:34 4240384 c:\windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.22213_none_4468964bd78652fb\GameUXLegacyGDFs.dll
+ 2009-09-02 20:35 . 2009-08-29 02:47 1696256 c:\windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.22213_none_4468964bd78652fb\gameux.dll
+ 2009-09-02 20:35 . 2009-08-29 00:27 4240384 c:\windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.18101_none_43e7c8d8be626492\GameUXLegacyGDFs.dll
+ 2009-09-02 20:35 . 2009-08-28 10:19 4240384 c:\windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22509_none_4292f60bda5279f0\GameUXLegacyGDFs.dll
+ 2009-09-02 20:35 . 2009-08-28 12:25 1695744 c:\windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22509_none_4292f60bda5279f0\gameux.dll
+ 2009-09-02 20:35 . 2009-08-28 10:15 4240384 c:\windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18320_none_41eab4e8c14d30d2\GameUXLegacyGDFs.dll
+ 2009-09-02 20:35 . 2009-08-28 23:26 4247552 c:\windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.21117_none_409fbd21dd36085d\GameUXLegacyGDFs.dll
+ 2009-09-02 20:35 . 2009-08-29 03:33 1686528 c:\windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.21117_none_409fbd21dd36085d\gameux.dll
+ 2009-09-02 20:35 . 2009-08-28 23:31 4247552 c:\windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16917_none_40164834c4183551\GameUXLegacyGDFs.dll
+ 2009-09-02 20:35 . 2009-08-29 03:41 1686528 c:\windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16917_none_40164834c4183551\gameux.dll
+ 2009-09-02 20:35 . 2009-08-29 02:46 2159616 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.22213_none_0e8c7ffb0893effb\AcGenral.dll
+ 2009-09-02 20:35 . 2009-08-29 02:30 2159616 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.18101_none_0e0bb287ef700192\AcGenral.dll
+ 2009-09-02 20:35 . 2009-08-28 12:24 2157056 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6001.22509_none_0cb6dfbb0b6016f0\AcGenral.dll
+ 2009-09-02 20:35 . 2009-08-28 12:38 2153984 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6001.18320_none_0c0e9e97f25acdd2\AcGenral.dll
+ 2009-09-02 20:35 . 2009-08-29 03:31 2144768 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6000.21117_none_0ac3a6d10e43a55d\AcGenral.dll
+ 2009-09-02 20:35 . 2009-08-29 03:40 2143744 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6000.16917_none_0a3a31e3f525d251\AcGenral.dll
- 2006-11-02 10:22 . 2009-09-03 00:16 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2006-11-02 10:22 . 2009-09-03 21:57 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-09-02 20:35 . 2009-08-28 12:38 2153984 c:\windows\AppPatch\AcGenral.dll
- 2009-08-26 08:59 . 2009-06-05 12:33 2153984 c:\windows\AppPatch\AcGenral.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 182744]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-19 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-19 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-19 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-12 101136]

c:\users\DENNIS.Dennis-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-9-12 50688]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2007-9-12 679936]
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2009-3-14 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E90BD9E8-554B-464C-8855-54EE7D0B5CCD}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{A83B2E21-158F-491A-B229-A094B88D3B43}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{2B53E217-F70C-4344-BBE2-FD974D1F4009}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel(R) Remoting Service
"{D2034F35-245F-456D-A8C2-7234814E7D4D}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel(R) Remoting Service
"{9CAC8998-58BA-4695-8742-5B030101E14A}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel(R) Viiv(TM) Media Server
"{6B3CE1FB-CEAC-4856-B177-FDB38BBBB95F}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel(R) Viiv(TM) Media Server
"{D501C735-1D02-4306-8F54-C312EBF01B14}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel(R) Viiv(TM) Media Server Discovery
"{5FDC8D13-8447-43C5-A03B-20C45D361FAC}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel(R) Viiv(TM) Media Server UPnP Discovery
"{1E16118B-8C28-4BBA-A779-DD087AC6E66B}"= Disabled:UDP:c:\program files\Adobe\Photoshop Elements 4.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{427DE92B-67BA-4F68-8518-E493411B3CED}"= Disabled:TCP:c:\program files\Adobe\Photoshop Elements 4.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{C201E276-1402-4943-82EB-183CEF2B8EDB}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{689227DF-50ED-4DD9-A54B-D363E68A66C4}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{5C5426A5-7869-4AF0-A308-B34CE106C303}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{22737F3C-6EDE-4111-9CE9-DF6DE1FC5831}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{3423008D-17EE-4017-A86A-91DB29AB2AB8}"= UDP:c:\program files\TurboTax\Premier 2007\32bit\ttax.exe:TurboTax
"{8EC38D51-CE96-4AE5-BDDB-0074A50E9D1B}"= TCP:c:\program files\TurboTax\Premier 2007\32bit\ttax.exe:TurboTax
"{673DB804-1271-477D-855C-2EE96D92B982}"= UDP:c:\program files\TurboTax\Premier 2007\32bit\updatemgr.exe:TurboTax Update Manager
"{2057C8DE-F41A-4945-9B91-501B725719CD}"= TCP:c:\program files\TurboTax\Premier 2007\32bit\updatemgr.exe:TurboTax Update Manager
"{C0BA0E41-9A75-4D00-91BE-27537843B818}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{91759461-424C-45CE-BE72-FE819D0E0E86}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{83BD1BFD-D28E-4648-A2D1-AF245719392F}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7F4BCBE4-20CE-4F16-9F29-255ABCB714A8}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090826.001\IDSvix86.sys [9/1/2009 5:17 PM 272432]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [10/29/2006 10:03 AM 208896]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/8/2008 5:34 PM 149352]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\System32\drivers\nmsgopro.sys [9/27/2006 5:37 PM 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\System32\drivers\nmsunidr.sys [10/19/2006 4:49 PM 7424]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2/26/2008 12:10 PM 1153368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 8:35 PM 102448]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2/19/2009 12:31 PM 41008]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [5/29/2007 4:55 PM 23888]
S3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [9/12/2007 6:43 AM 5504]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-03 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Dennis.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/200 ... ader55.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\users\DENNIS.Dennis-PC\AppData\Roaming\Mozilla\Firefox\Profiles\oq9mcakd.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 20:45
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5500)
c:\program files\SetPoint\lgscroll.dll
.
Completion time: 2009-09-04 20:47
ComboFix-quarantined-files.txt 2009-09-04 00:47
ComboFix2.txt 2009-09-03 01:42

Pre-Run: 173,948,203,008 bytes free
Post-Run: 173,829,464,064 bytes free

305 --- E O F --- 2009-09-03 19:30



Malwarebytes' Anti-Malware 1.40
Database version: 2738
Windows 6.0.6001 Service Pack 1

9/3/2009 8:54:59 PM
mbam-log-2009-09-03 (20-54-59).txt

Scan type: Quick Scan
Objects scanned: 106304
Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




SETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=aa4fda0f1da3a0488f00dcf15fdf4dd7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-09-04 02:20:18
# local_time=2009-09-03 10:20:18 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=3586 62 60 14 582366336949909
# compatibility_mode=5889 61 66 100 513024995544547
# scanned=153827
# found=0
# cleaned=0
# scan_time=2700
Dlweis
Regular Member
 
Posts: 15
Joined: August 24th, 2009, 9:06 pm

Re: Hijacked Browser?

Unread postby Dakeyras » September 4th, 2009, 5:25 am

Hi :)

Any other issues remaining?
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Hijacked Browser?

Unread postby Dlweis » September 4th, 2009, 8:23 am

;) Not Yet!

Thanks so much for your help


Dennis
Dlweis
Regular Member
 
Posts: 15
Joined: August 24th, 2009, 9:06 pm

Re: Hijacked Browser?

Unread postby Dakeyras » September 4th, 2009, 1:38 pm

Hi :)

Congratulations your computer now appears to be malware free!

Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

Importance of Regular System Maintenance:

I advise you to read both of the below listed topics, as this will go a long way to keeping your computer performing well.

Help! My computer is slow!

So is this:

What to do if your Computer is running slowly

Uninstall ComboFix:

  • Click on Start(Vista orb) >> Run...(or press the Windows key and R together)
  • Now type in Combofix /u and click OK.
  • Note the space between the X and the U, it needs to be there.

Clean up with OTL:

  • Right-click OTL and select 'Run as administrator' to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.

The above process should clean up and remove the vast majority of scanners used and logs created etc.

Any left over merely delete yourself and empty the Recycle Bin.

Now some advice for on-line safety:

Malwarebyte's Anti-Malware:

This is an excellent application and I advise you keep this installed. Check for updates and run a scan once a week.

Other installed security software:

Your presently installed combination security application, Norton Internet Security, automatically checks for updates and downloads/installs them with every system reboot and/or periodically if the machine is left running, providing an internet connection is active.

I advise you also run a complete scan with this also once per week.

Erunt:

Emergency Recovery Utility NT: I advise you keep this installed as a means to keep a complete backup of your registry and restore it when needed.

Personally, I would create a new backup once per week, as this along with System Restore may prove to be invaluable if something unforeseen occurs!

Keep your system updated:

Microsoft releases patches for Windows and other products regularly:

  • Click on Start(Vista Orb) >> All Programs >> Windows Update.
  • In the navigation pane, click Check for updates.
  • After Windows Update has finished checking for updates, click View available updates.
  • Click to select the check box for any found, then click Install.
  • When completed Reboot(restart) your computer if not prompted to do so.

Be careful when opening attachments and downloading files:

  • Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
  • Never open emails from unknown senders.
  • Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
  • Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Stop malicious scripts:

Windows by default allows scripts (which are VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Make your Internet Explorer safer:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid Peer to Peer software:

P2P may be a great way to get lots of seemingly free software, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice: avoid these types of software applications.

Hosts File:

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

A custom Hosts file will replace your current Hosts file with one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:


Only use one of the above!

Finally, an educational source:

To learn more about how to protect yourself while on the internet read this article by Tony Klein:

So how did I get infected in the first place?

Some consider this article outdated; personally I still think it bears relevance, and the author is well respected in the Anti-Malware community and by myself also!

Any questions, feel free to ask. If not stay safe!
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
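The "phone book" analogy in the post above, worked through as an added example (not code from the forum post or from any of the tools named in it): the script parses a Windows-style Hosts file the way the resolver reads it, shows how a blocking entry sends a hostname to 127.0.0.1 or 0.0.0.0, and separates those blocking entries from entries that point a name at a real address, which is the pattern to check for when a Hosts file may have been tampered with. The Hosts content, the `.invalid` hostnames and the 203.0.113.7 address are all constructed for this example.

```python
"""Parse and audit a Windows-style Hosts file (added example, not from the post)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: the default localhost lines, two blocking entries of the
# kind a downloaded blocking Hosts file contains, and one entry that points a
# (made-up) vendor hostname at a routable address instead of loopback.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# blocking entries (advert / known-bad hosts)
127.0.0.1  ads.example-adnetwork.invalid
0.0.0.0    tracker.example-spyware.invalid   # also blocked
# a tampered-looking entry: a security vendor name pointed elsewhere
203.0.113.7   update.example-antivirus.invalid
"""

# Addresses that make an entry a "block" rather than a redirect.
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs in file order; comments and blank lines are dropped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)          # skip lines whose first field is not an address
        except ValueError:
            continue
        for name in names:                    # one line may map several names to one address
            entries.append((ip, name.lower()))
    return entries


def resolve(entries: List[Tuple[str, str]], hostname: str) -> Optional[str]:
    """Mimic the resolver's Hosts lookup: the first matching name wins."""
    hostname = hostname.lower()
    for ip, name in entries:
        if name == hostname:
            return ip
    return None


def audit(entries: List[Tuple[str, str]]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split entries into blocked names and names redirected to a real address.

    Blocked names are the expected content of a blocking Hosts file; redirects
    deserve a look, since they can silently send traffic for a legitimate
    hostname to an address chosen by whoever edited the file.
    """
    blocked: List[str] = []
    redirects: List[Tuple[str, str]] = []
    for ip, name in entries:
        if name == "localhost" and ip in LOOPBACK_OR_NULL:
            continue                          # the standard default lines
        if ip in LOOPBACK_OR_NULL:
            blocked.append(name)
        else:
            redirects.append((name, ip))
    return blocked, redirects


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("ads.example-adnetwork.invalid ->", resolve(hosts, "ads.example-adnetwork.invalid"))
    blocked, redirects = audit(hosts)
    print("blocked names:", blocked)
    print("redirected to real addresses:", redirects)
```

On a Windows machine the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; the functions above take the file text, so `parse_hosts(open(path).read())` is all that changes.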

Re: Hijacked Browser?

Unread postby Gary R » September 6th, 2009, 12:06 pm

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire