asilb
asked on
my ie search engines have been hijacked
my ie search engines have been hijacked.....
have tried to find the source with avg, ad-aware, spybot, spyware doctor, hijack this, msft windows software removal tool....to no avail.....
googled from other computer and found out something about wdmaud.sys virus (in system 32)....went into system 32 and changed the name of it (wd....).....and then it reappeared (with a different time (same date) shortly thereafter....so it seems to have some other source that see when its been "fixed" and reasserts itself....
help......
thanks,.....
Download Malwarebytes and do a full scan of your PC.
Need more information... In what way are they hijacked? What happens? Which websites are you redirected to?
ASKER
sorry....but i forgot to mention that i did already try Malwarebytes..and it showed no viruses.....
thanks....but that didn't help.....allan....
ASKER
gets redirected to various other commercial sites.....so far no porn....although a few times avg said it was being sent to a "bad" site and stopped it.....
thanks......
Go to this registry path and check whether those commercial URLs are present:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
If they are present, delete the key values.
ASKER
itkamaraj:
could you please be more specific......not certain how you want me to proceed....how exactly do i go to that registry path?
thanks.....allan...
In your windows taskbar click START, then RUN and type "regedit" then press enter.
Navigate the registry like you would a file explorer.
ASKER
codeQuantum:
thanks......did what you said.....and found it.....
did you say to just delete it?
is it very safe to do so?
are you certain this cures the wdmaud virus?
thanks again.....allan....
ASKER
rpggamergirl:
i think you helped with this problem (and also helped me personally with computer problems before) but i think i came in in the middle of your fixing it......
could you help me out here?
thanks again......
allan.....
1) Download & Run CCleaner to wipe any related temp/junk files:
http://www.ccleaner.com/download
2) Download & run GMER (rootkit scanner) from (http://www2.gmer.net/gmer.zip)
Start GMER, select all options on the right side, after scanning is finished, click on save. Attach the log file here
3) What's the current AV installed?
4) Are you running IE7 or what?
Hi,
Thanks for the email.
wdmaud.sys was an old hijacker; MalwareBytes and/or ComboFix should take care of it unless it's a new variant.
Please run these tools and show us the logs. You would need to rename the tools before saving to your desktop if they are blocked.
1. MBAM:
http://www.malwarebytes.org/mbam.php
2. Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Here are some tips if programs are blocked:
https://www.experts-exchange.com/articles/Software/Internet_Email/Anti-Virus/CAN%27T-RUN-EXES-IN-AN-INFECTED-SYSTEM.html
There have been a few search hijackers that patched system files.... If MBAM or ComboFix won't fix the problem then we need to run a diagnostic tool to check for patched files.
ASKER
rpggamergirl:.....
here's the ComboFix log.....
thanks again.....
love and blessings.....allan....
ComboFix 09-12-09.04 - HP_Administrator 12/09/2009 15:01:29.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1416 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator.ALLAN.001\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\kb913800.exe
D:\Autorun.inf
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\DRIVERS\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-11-09 to 2009-12-09 )))))))))))))))))))))))))))))))
.
2009-12-09 17:51 . 2009-12-09 17:51 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.001\Local Settings\Application Data\Apple
2009-12-06 22:18 . 2009-12-06 22:18 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.001\Local Settings\Application Data\Threat Expert
2009-12-06 21:07 . 2009-12-06 21:07 -------- d-----w- c:\program files\Trend Micro
2009-12-06 13:07 . 2009-12-06 13:07 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\Apple Computer
2009-12-06 13:07 . 2009-12-06 13:07 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.001\Local Settings\Application Data\Apple Computer
2009-12-05 13:27 . 2009-12-09 16:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-05 13:27 . 2009-12-05 13:27 -------- d-----w- c:\program files\DBXTriever
2009-12-04 18:40 . 2009-12-04 18:40 -------- d-----w- c:\program files\CCleaner
2009-12-04 16:49 . 2009-12-04 16:49 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\Sonic
2009-12-04 16:48 . 2009-12-04 16:48 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\Leadertech
2009-12-04 02:21 . 2009-12-04 02:21 -------- d-----w- c:\windows\WinSafe XP
2009-12-04 02:21 . 2009-12-04 02:25 -------- d-s---w- c:\windows\WinSafe
2009-12-04 02:15 . 2009-12-04 02:15 -------- d-sh--w- c:\documents and settings\HP_Administrator.ALLAN.000\PrivacIE
2009-12-04 02:15 . 2009-12-04 02:15 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.000\Application Data\StumbleUpon
2009-12-04 02:14 . 2009-12-04 02:14 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.000\Application Data\Yahoo!
2009-12-04 02:00 . 2009-12-04 02:00 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.000\Application Data\Ipswitch
2009-12-04 02:00 . 2009-12-04 02:00 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\Yahoo!
2009-12-04 01:52 . 2009-12-04 02:14 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.000\Application Data\EarthLink
2009-12-03 21:20 . 2009-12-09 17:06 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.001\Local Settings\Application Data\Adobe
2009-12-03 20:58 . 2009-12-03 20:58 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\DivX
2009-12-03 20:57 . 2009-12-04 00:07 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\skypePM
2009-12-03 20:55 . 2009-12-04 01:56 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\Skype
2009-12-03 20:35 . 2009-12-03 20:35 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\Malwarebytes
2009-12-03 14:44 . 2009-12-03 14:44 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.001\Local Settings\Application Data\Identities
2009-12-03 14:43 . 2009-12-03 14:43 -------- d-sh--w- c:\documents and settings\HP_Administrator.ALLAN.001\PrivacIE
2009-12-03 14:43 . 2009-12-04 02:00 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\StumbleUpon
2009-12-03 14:42 . 2009-12-06 12:28 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\EarthLink
2009-12-03 14:14 . 2009-12-03 14:14 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\Ipswitch
2009-12-03 00:02 . 2009-12-03 00:02 -------- d-sh--w- c:\documents and settings\HP_Administrator.ALLAN.000\IETldCache
2009-12-02 23:49 . 2009-12-02 23:49 -------- d-sh--w- c:\documents and settings\HP_Administrator.ALLAN\IETldCache
2009-12-02 23:49 . 2009-12-04 01:59 -------- d-----w- c:\documents and settings\HP_Administrator.ALLAN
2009-12-02 23:45 . 2009-12-02 23:45 -------- d-----w- c:\windows\system32\wbem\Repository
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-09 17:51 . 2006-09-19 17:54 -------- d-----w- c:\program files\Apple Software Update
2009-12-07 18:03 . 2006-08-24 20:12 -------- d-----w- c:\program files\DYMO Label
2009-12-07 11:19 . 2005-06-17 13:33 874240 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-06 14:12 . 2006-05-28 07:43 -------- d-----w- c:\program files\Google
2009-12-04 18:59 . 2006-11-01 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-04 18:54 . 2006-08-24 21:40 -------- d-----w- c:\program files\EarthLink TotalAccess
2009-12-04 02:02 . 2009-01-24 21:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-04 02:00 . 2007-12-22 15:06 -------- d-----w- c:\program files\StumbleUpon
2009-12-04 00:14 . 2009-01-24 21:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 00:13 . 2009-01-24 21:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-20 18:56 . 2009-06-05 15:27 -------- d-----w- c:\program files\QuickTime
2009-11-20 18:56 . 2006-09-19 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-15 18:26 . 2006-05-28 06:52 -------- d-----w- c:\program files\Java
2009-11-09 16:43 . 2008-05-30 20:31 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-05 22:30 . 2008-05-30 20:31 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-05 22:30 . 2008-05-30 20:31 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-05 22:30 . 2008-05-30 20:31 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-05 22:30 . 2009-11-05 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-05 22:30 . 2008-05-30 20:31 -------- d-----w- c:\program files\AVG
2009-11-01 03:13 . 2006-05-28 07:23 -------- d-----w- c:\program files\HP Games
2009-11-01 03:12 . 2006-05-28 07:32 -------- d-----w- c:\program files\muvee Technologies
2009-11-01 03:12 . 2006-05-28 07:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-01 03:07 . 2006-05-28 06:47 -------- d-----w- c:\program files\GemMaster
2009-11-01 03:03 . 2006-05-28 07:33 -------- d-----w- c:\program files\Quicken
2009-10-29 07:45 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 00:28 . 2006-10-14 17:00 -------- d-----w- c:\program files\Mozy
2009-10-27 20:46 . 2009-10-27 20:46 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-27 20:46 . 2009-04-24 20:43 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-21 05:38 . 2004-08-10 04:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 04:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-10 04:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-14 21:05 . 2009-10-14 21:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-13 10:30 . 2004-08-10 04:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-10 04:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-10 04:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 12:17 . 2008-12-01 17:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 17:11 . 2006-05-28 07:20 154512 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-23 12:55 . 2009-04-24 16:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-14 20:04 . 2006-10-14 17:00 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
2009-09-11 14:18 . 2004-08-10 04:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2006-09-13 19:47 . 2006-09-13 19:47 55827 -c--a-w- c:\program files\MS Pilgrim Terrace.pdf
2006-09-13 19:47 . 2006-09-13 19:47 72152 -c--a-w- c:\program files\MS Bridging Office.pdf
2006-09-13 19:47 . 2006-09-13 19:47 67731 -c--a-w- c:\program files\M Home Plus & Lot v.1.pdf
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-10-20 19:51 2846008 ----a-w- c:\program files\Mozy\mozyshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-10-20 19:51 2846008 ----a-w- c:\program files\Mozy\mozyshell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe -winstart" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-06 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup" [X]
"ISUSScheduler"="c:\program files\common files\installshield\update service\issch.exe -start" [X]
"DISCover"="c:\program files\DISC\DISCover.exe nogui" [X]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe -osboot" [X]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-13 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-11-19 788880]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-02-15 507904]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-12-06 122880]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
MozyHome Status.lnk - c:\program files\Mozy\mozystat.exe [2009-10-20 2890552]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-05 22:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Side ACT!.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Side ACT!.lnk
backup=c:\windows\pss\Side ACT!.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbdfawep]
c:\program files\HP\Dfawep\bin\hpbdfawep.exe 1 [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\qttask.exe -atboottime [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2009-10-30 16:15 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2006-02-16 05:34 249856 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
2005-06-02 06:35 49152 ----a-w- c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
2007-11-02 21:52 36864 ----a-w- c:\program files\HP\HP UT\bin\hppusg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2007-05-17 21:45 279912 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
2006-02-15 01:32 507904 ----a-w- c:\windows\Samsung\PanelMgr\SSMMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 12:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-12-06 14:12 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\WINDOWS\\system32\\zhhp1600.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Home\\wsftpgui.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP 12\\wsftpgui.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/24/2009 8:09 AM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/30/2008 12:31 PM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/30/2008 12:31 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/5/2009 2:30 PM 285392]
R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 10:47 AM 65604]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1184912]
R2 MMIndexer;Media Manager Indexer;c:\program files\Common Files\Microsoft Shared\Media Manager\AIRSVCU.EXE [7/14/1997 11:00 PM 136704]
S2 gupdate1c9974bcdc9a83a;Google Update Service (gupdate1c9974bcdc9a83a);c:\program files\Google\Update\GoogleUpdate.exe [2/25/2009 5:20 AM 133104]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/1/2004 1:16 PM 17536]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/1/2009 7:51 AM 30192]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [9/28/2009 1:43 PM 120232]
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
Trusted Zone: trymedia.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} - hxxp://download.tenebril.com/pub/bin/scanner2008/TenebrilSpywareScanner.ocx
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-09 15:39
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{399560AD-16A1-1C42-B8ABCDA82BB95BD1}\{612A140D-0F00-4178-3873E27B58551793}\{AE627BFA-B567-4F9A-57DD34442A0D5150}*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{58108EA6-F0F8-838F-6C2A403DB017DCAF}\{7C3918A7-E77A-99CB-B21F6D376FB586C0}\{5E9787CE-D944-C377-C12E117E9C86E636}*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8472BA1A-B0FA-88F3-90386E614F860D47}\{66D81DF1-2E53-4A0F-1B744E2CE8CEDA56}\{65C0E586-2284-7A2C-F227063A6BD7FEE6}*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EEC79885-4786-49D7-ED36B6E7637E50FF}\{25B171C9-78C7-18E7-FBBA7E6592C7CB70}\{6B8ADD0A-85A7-C5B5-191A2895BD30C6E1}*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(740)
c:\windows\system32\WININET.dll
c:\program files\Mozy\mozyshell.dll
c:\program files\Google\Quick Search Box\bin\1.2.1150.162\qsb.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\UnToAnsi.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\RTHDCPL.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\common files\installshield\update service\issch.exe
c:\program files\DISC\DISCover.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\EarthLink TotalAccess\TaskPanl.exe
c:\program files\Mozy\mozybackup.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\DISC\DiscStreamHub.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-12-09 15:56:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-09 23:56
Pre-Run: 121,089,437,696 bytes free
Post-Run: 121,168,146,432 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
- - End Of File - - BECA71B0481DA54824BCAFC5668C24DA
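Added example, not part of the thread and not ComboFix's own code: a small Python triage script for a log like the one allan posted above. It pulls out the three things the experts asked about, from the text of the log rather than from the live machine: the system files ComboFix reported as infected and replaced (the patched-file check rpggamergirl mentioned, which here shows atapi.sys and iaStor.sys), Run entries whose target file is missing ([X]), and the IE search URLs from the supplementary scan compared against an allowlist of hosts (itkamaraj's SearchUrl check, done over the log instead of in regedit). SAMPLE_LOG is constructed from lines of the log above; the allowed host set is an assumption made for the example, not something the thread states.

```python
"""Triage a ComboFix-style log: pull out the findings a responder checks first.

Added example (not from the thread or from ComboFix). SAMPLE_LOG is constructed
from lines quoted in the thread's log, with the extraction spaces removed.
"""
import re
from urllib.parse import urlparse

SAMPLE_LOG = r"""Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\DRIVERS\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe -winstart" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-06 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DISCover"="c:\program files\DISC\DISCover.exe nogui" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
"""

# "Infected copy of <path> was found and disinfected": a system file ComboFix
# found patched (the atapi.sys / iaStor.sys hits in the thread's log).
INFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected\s*$")
# "[HKEY_...\Run]" section headers, followed by "name"="command" [status] lines.
KEY_RE = re.compile(r"^\[(?P<key>HK[A-Z_]+\\.+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<status>[^\]]*)\]\s*$')
# Supplementary-scan search settings; ComboFix defangs URLs as hxxp://.
SEARCH_RE = re.compile(r"^(?P<setting>[um]?[A-Za-z_ ]+?)\s*=\s*(?P<url>hxxps?://\S+)\s*$")


def disinfected_files(log: str) -> list[str]:
    """Paths of system files the log reports as infected and replaced."""
    return [m.group("path") for line in log.splitlines() if (m := INFECTED_RE.match(line))]


def missing_autostarts(log: str) -> list[tuple[str, str, str]]:
    """(registry key, value name, command) for autostart entries whose file is gone.

    ComboFix marks a missing target with [X]. A Run entry pointing at a file that
    no longer exists is either an uninstall leftover or the trace of a deleted dropper.
    """
    found, current_key = [], ""
    for line in log.splitlines():
        key = KEY_RE.match(line)
        if key:
            current_key = key.group("key")
            continue
        value = VALUE_RE.match(line)
        if value and value.group("status").strip() == "X":
            found.append((current_key, value.group("name"), value.group("cmd")))
    return found


def search_settings(log: str) -> list[tuple[str, str]]:
    """(setting name, hostname) for each IE search URL in the supplementary scan."""
    out = []
    for line in log.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            url = m.group("url").replace("hxxp", "http", 1)  # refang so urlparse works
            out.append((m.group("setting"), urlparse(url).hostname or ""))
    return out


def unexpected_search_hosts(log: str, allowed: set[str]) -> set[str]:
    """Search hosts not on the allowlist: the SearchUrl check done over the log."""
    return {host for _, host in search_settings(log)} - allowed


def triage(log: str, allowed: set[str]) -> dict:
    """Bundle the three checks into one report."""
    return {
        "patched_files": disinfected_files(log),
        "missing_autostarts": missing_autostarts(log),
        "unexpected_search_hosts": sorted(unexpected_search_hosts(log, allowed)),
    }


if __name__ == "__main__":
    # Assumed allowlist: the host the OEM build uses for its IE search defaults.
    for section, items in triage(SAMPLE_LOG, {"ie.redirect.hp.com"}).items():
        print(f"{section}: {items}")
```

Run it as is to see the report for the sample, or read a saved ComboFix.txt into a string and pass that to triage() with whatever hosts you consider legitimate for the machine; anything else in unexpected_search_hosts is what to look at in the SearchUrl key.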
here's the combofx log.....
thanks again.....
love and blessings.....allan....
The patched atapi.sys and iastor.sys would've been the ones causing the hijacks... and now that they have been replaced, have the search hijacks stopped?
Combofix did not detect the presence of wdmaud.sys... also it wasn't among the newly created files unless wdmaud.sys got in the system over 3 months ago.
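The reply above rests on reading the ComboFix file report for system drivers that were rewritten recently even though the file had been on the machine for years, which is what a patched atapi.sys or iastor.sys looks like. The parser below is an added example (not ComboFix's code and not something anyone in the thread posted) that pulls such entries out of report lines in the layout pasted above; the sample lines are constructed, and treating the first timestamp as last-write time and the second as creation time is an assumption about the log layout.

```python
import re
from datetime import datetime, timedelta

# One file-report line: "<last-write> . <created> <size|--------> <attrs> <path>".
# Treating the first timestamp as last-write and the second as creation time is
# an assumption about the log layout; the thread never spells the columns out.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(-{8}|\d+) ([a-z-]{8}) (.+)$"
)
TS = "%Y-%m-%d %H:%M"

def parse_line(line):
    """Return a dict for one file-report line, or None for headers/separators."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    written, created, size, attrs, path = m.groups()
    return {
        "written": datetime.strptime(written, TS),
        "created": datetime.strptime(created, TS),
        "size": None if size.startswith("-") else int(size),
        "is_dir": attrs[0] == "d",
        "path": path,
    }

def find_patched_drivers(log_text, scan_date, window_days=90, min_age_days=365):
    """Drivers under system32\\drivers rewritten within window_days of the scan
    although the file had existed for at least min_age_days before the write.
    A legitimate vendor or Windows Update replacement looks identical, so hits
    are candidates to verify (signature, known-good hash), not verdicts."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["is_dir"]:
            continue
        p = rec["path"].lower()
        if "\\system32\\drivers\\" not in p or not p.endswith(".sys"):
            continue
        recent = scan_date - rec["written"] <= timedelta(days=window_days)
        long_present = rec["written"] - rec["created"] >= timedelta(days=min_age_days)
        if recent and long_present:
            hits.append(rec["path"])
    return hits

# Constructed sample in the layout seen in this thread; the names, dates and
# sizes are made up for illustration, not copied from the asker's machine.
SAMPLE_LOG = r"""
2009-12-07 11:19 . 2004-08-10 04:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-07 11:19 . 2005-10-13 12:00 77824 ----a-w- c:\windows\system32\drivers\iastor.sys
2009-12-04 00:14 . 2009-01-24 21:57 38224 ----a-w- c:\windows\system32\drivers\vendor_new.sys
2009-09-11 14:18 . 2004-08-10 04:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-12-04 18:40 . 2009-12-04 18:40 -------- d-----w- c:\program files\CCleaner
"""

def scan_sample():
    """Run the heuristic over SAMPLE_LOG as of the thread's scan date."""
    return find_patched_drivers(SAMPLE_LOG, datetime(2009, 12, 9))
```

Calling scan_sample() returns the two long-present drivers with fresh write times; the driver created earlier the same year, the non-driver DLL and the directory entry drop out.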
ASKER
rpggamergirl:
not sure what fixed it......but somehow seems to be working properly now....i'm just thankful something.....you....combo fix or something.....seems to have corrected/deleted the problem......
let's give it a few days and see if everything holds perfectly.....
thanks again.....for everything.....
love and blessings.....allan....
ASKER
rpggamergirl:
yes.... i think you're right.....let's give it a few days to see if everything holds before we close the question.....
thanks again....
love and blessings....allan....
ASKER
rpggamergirl really knows her stuff.......and readily makes it available in a beautiful way.....so thanks to her and experts-exchange for their wonderful help and support.....love and blessings.....allan
Hi allan,
To uninstall Combofix:
Go to Start > Run and copy and paste the next command into the field:
ComboFix /Uninstall
Thanks for using Experts-Exchange!
ASKER
rpggamergirl: thanks again,,,,of course.....love and blessings....allan....