virus problem
-
Hello,
My friend has a Dell laptop and recently sought my help in fixing an issue that seems to be related to a virus. Here is the issue that I have seen so far on the machine. I will do a search in Google and when I click on any of the results it will automatically take me to a bogus webpage. No matter what search I do, the link will always send me to a bogus webpage. The one difference is if I actually type the address of the webpage into the browser. That will take me to the correct webpage. Here are the results of the HijackThis log from the machine. Thank you for your time, I appreciate the help.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:37:37 PM, on 5/23/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal
Running processes:
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\MSN\Toolbar\3.0.0541.0\msntask.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Users\Charles\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ESPN: The Worldwide Leader In Sports
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = AOL.com - Welcome to AOL
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\Userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [sdlwidgd] C:\Users\Charles\AppData\Local\sshmdllmp\ihjimiytssd.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B799EDA-58D6-4188-9459-0DB3466BE71B}: NameServer = 93.188.163.154,93.188.161.86
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.154,93.188.161.86
O17 - HKLM\System\CS1\Services\Tcpip\..\{3B799EDA-58D6-4188-9459-0DB3466BE71B}: NameServer = 93.188.163.154,93.188.161.86
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.154,93.188.161.86
O17 - HKLM\System\CS2\Services\Tcpip\..\{3B799EDA-58D6-4188-9459-0DB3466BE71B}: NameServer = 93.188.163.154,93.188.161.86
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.154,93.188.161.86
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
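A triage pass over the log above, added here for this thread (it is not HijackThis's own code or anything the posters ran): it flags the three entries that together explain a search redirect while typed URLs still work, namely the ProxyServer pointing at 127.0.0.1, the public NameServer addresses, and the autostart under AppData\Local. The sample lines are copied from the log with the forum's inserted spaces removed; the rule names and the "user-writable directory" heuristic are my own assumptions.

```python
"""Triage a HijackThis log for the entries behind a search-redirect complaint."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the HijackThis log in the post above
# (with the spaces the forum inserted into long tokens removed), plus the
# benign Google Toolbar O4 line so the rules have a clean entry to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O1 - Hosts: ::1 localhost
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [sdlwidgd] C:\Users\Charles\AppData\Local\sshmdllmp\ihjimiytssd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B799EDA-58D6-4188-9459-0DB3466BE71B}: NameServer = 93.188.163.154,93.188.161.86
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.154,93.188.161.86
""".strip()


@dataclass(frozen=True)
class Finding:
    rule: str      # short rule id (names are my own, not HijackThis terminology)
    detail: str    # the value that triggered the rule
    line: str      # the offending log line, verbatim


# Heuristic (assumption): a legitimate autostart rarely lives in these directories.
_USER_WRITABLE = re.compile(r"\\AppData\\Local\\|\\Temp\\", re.IGNORECASE)


def check_proxy(line: str) -> list[Finding]:
    """R1 ProxyServer pointing at the local host: browser traffic is relayed
    through a process on the machine itself, which is how clicked search
    results can be swapped while a typed URL still reaches the right site."""
    m = re.search(r"ProxyServer = (.+)$", line)
    if not m:
        return []
    findings = []
    for entry in m.group(1).split(";"):
        hostport = entry.split("=", 1)[-1]      # "http=127.0.0.1:5555" -> "127.0.0.1:5555"
        host = hostport.rsplit(":", 1)[0]
        try:
            if ipaddress.ip_address(host).is_loopback:
                findings.append(Finding("proxy-to-localhost", hostport, line))
        except ValueError:
            pass                                # a hostname, not an IP: leave for manual review
    return findings


def check_nameserver(line: str) -> list[Finding]:
    """O17 NameServer entries outside private/loopback space: unless the owner
    set them, every lookup (including search-result clicks) is answered by a
    resolver someone else controls, the DNS-changer pattern."""
    m = re.search(r"NameServer = (.+)$", line)
    if not m:
        return []
    suspicious = []
    for ip in re.split(r"[ ,]+", m.group(1).strip()):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not (addr.is_private or addr.is_loopback):
            suspicious.append(ip)
    return [Finding("public-nameserver", ",".join(suspicious), line)] if suspicious else []


def check_autostart(line: str) -> list[Finding]:
    """O4 Run entries whose image sits under AppData\\Local or a Temp folder:
    the rogue-antivirus family in this thread installs itself there under a
    random name, so such an entry deserves a look before anything else."""
    m = re.match(r'O4 - .*\\Run: \[(?P<name>[^\]]+)\] "?(?P<path>[^"]+?)"?(\s+\(User .*\))?$', line)
    if not m or not _USER_WRITABLE.search(m.group("path")):
        return []
    return [Finding("run-from-user-writable-dir", f"{m.group('name')} -> {m.group('path')}", line)]


def check_hosts(line: str) -> list[Finding]:
    """O1 Hosts entries that map anything other than localhost silently
    redirect well-known sites; '::1 localhost' is the benign default."""
    m = re.match(r"O1 - Hosts: (\S+)\s+(\S+)", line)
    if not m or m.group(2).lower() == "localhost":
        return []
    return [Finding("hosts-override", f"{m.group(2)} -> {m.group(1)}", line)]


CHECKS = (check_proxy, check_nameserver, check_autostart, check_hosts)


def triage(log_text: str) -> list[Finding]:
    """Run every check over every line and return the findings in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        for check in CHECKS:
            findings.extend(check(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

On the sample it reports the loopback proxy, the sdlwidgd autostart and both O17 lines, and nothing for the Google Toolbar entry or the hosts line.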
-
Print these instructions out.
NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe
***VERY IMPORTANT! Make sure you update Malwarebytes before running the scans.***
STEP 1. Download Malwarebytes' Anti-Malware to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
RESTART COMPUTER!
STEP 2. Download GMER (GMER - Rootkit Detector and Remover) by clicking on the Download EXE button.
Alternative downloads:
- |MG| GMER 1.0.15.15281 Download
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
Do NOT use the computer while GMER is running!
When the scan is completed, click the Save button, and save the results as gmer.log
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log to your next reply.
IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.
RESTART COMPUTER
STEP 3. Download HijackThis (HijackThis - Trend Micro USA) by clicking on Installer under Version 2.0.4
Install, and run it.
Post HijackThis log.
NOTE. If you're using Vista or 7, right-click on HijackThis, and click Run as Administrator
Do NOT attempt to "fix" anything!
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
I have followed the steps and so far there seems to be success. Here are the logs of the three programs. If there are any issues you see, let me know. Thank you for your support on fixing the machine.
Malwarebytes:
Malwarebytes' Anti-Malware 1.46
Malwarebytes
Database version: 4052
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18882
5/28/2010 1:46:24 AM
mbam-log-2010-05-28 (01-46-24).txt
Scan type: Quick scan
Objects scanned: 116200
Time elapsed: 4 minute(s), 40 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sdlwidgd (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\urmgwbqe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.154,93.188.161.86 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3b799eda-58d6-4188-9459-0db3466be71b}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.154,93.188.161.86 -> Quarantined and deleted successfully.
Folders Infected:
C:\ProgramData\33681728 (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
C:\Users\Charles\AppData\Local\rngffgnsh\ileybaqtssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
GMER Rootkit detector:
GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover
Rootkit scan 2010-05-28 02:22:57
Windows 6.0.6002 Service Pack 2
Running: 6rygnccq.exe; Driver: C:\Users\Charles\AppData\Local\Temp\pwtdafob.sys
---- Kernel code sections - GMER 1.0.15 ----
? System32\drivers\gkqsuek.sys The system cannot find the path specified. !
---- Files - GMER 1.0.15 ----
---- EOF - GMER 1.0.15 ----
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:27:52 AM, on 5/28/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Charles\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ESPN: The Worldwide Leader In Sports
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = AOL.com - Welcome to AOL
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\Userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 6038 bytes
-
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure you re-enable your security programs when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
Here is the log from the combo program:
ComboFix 10-05-28.02 - Charles 05/29/2010 1:57.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1978.1154 [GMT -4:00]
Running from: c:\users\Charles\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-29 )))))))))))))))))))))))))))))))
.
2010-05-29 06:06 . 2010-05-29 06:07 -------- d-----w- c:\users\Charles\AppData\Local\temp
2010-05-29 06:06 . 2010-05-29 06:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-29 05:52 . 2010-05-29 05:53 -------- d-----w- c:\program files\QuickTime
2010-05-29 05:52 . 2010-05-29 05:52 -------- d-----w- c:\programdata\Apple Computer
2010-05-28 06:33 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-05-28 06:33 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-05-28 06:33 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-28 06:32 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-05-28 06:32 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-05-28 06:32 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-28 06:32 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-05-28 06:30 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-28 06:22 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-05-28 06:04 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-28 06:04 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-05-28 05:34 . 2010-05-28 05:34 -------- d-----w- c:\users\Charles\AppData\Roaming\Malwarebytes
2010-05-28 05:33 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-28 05:33 . 2010-05-28 05:33 -------- d-----w- c:\programdata\Malwarebytes
2010-05-28 05:33 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-28 05:33 . 2010-05-28 05:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-27 00:11 . 2010-05-28 05:46 -------- d-----w- c:\users\Charles\AppData\Local\rngffgnsh
2010-05-23 23:34 . 2010-05-23 23:34 388096 ----a-r- c:\users\Charles\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-23 23:34 . 2010-05-23 23:34 -------- d-----w- c:\program files\Trend Micro
2010-05-08 21:23 . 2010-05-08 23:11 -------- d-----w- c:\users\Charles\AppData\Local\sshmdllmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-28 07:25 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-28 07:17 . 2009-02-18 20:36 75832 ----a-w- c:\users\Charles\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-28 07:09 . 2008-10-23 06:28 -------- d-----w- c:\programdata\Microsoft Help
2010-04-15 22:49 . 2010-05-06 18:57 1335048 ----a-w- c:\windows\Help\OEM\scripts\SamsungHDDFW1HC.exe
2010-04-08 20:48 . 2010-05-06 18:57 18184 ----a-w- c:\windows\Help\OEM\scripts\HPHC_BUY_BATTERY.exe
2010-04-08 20:48 . 2010-05-06 18:57 17160 ----a-w- c:\windows\Help\OEM\scripts\HPHCDisableObject.exe
2010-04-06 21:52 . 2010-05-06 18:57 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_Launch.exe
2010-03-11 05:09 . 2010-03-10 19:56 256 ----a-w- c:\windows\system32\pool.bin
2010-03-10 16:37 . 2009-02-19 02:54 230 ----a-w- c:\users\Charles\AppData\Roaming\wklnhst.dat
2008-10-23 05:54 . 2008-10-23 05:42 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-11 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2008-09-30 23:56 972080 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):0e,7d,c5,34,ad,35,ca,01
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 135664]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 EraserUtilDrvI9;EraserUtilDrvI9;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS [2009-08-22 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1008000.029\BHDrvx86.sys [2009-08-22 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1008000.029\ccHPx86.sys [2010-02-03 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100520.001\IDSvix86.sys [2009-10-28 343088]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2009-08-22 117640]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-26 102448]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\NIS\1008000.029\SYMNDISV.SYS [2009-08-22 48688]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2010-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 19:54]
2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 19:54]
2010-05-28 c:\windows\Tasks\HPCeeScheduleForCharles.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-23 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://espn.go.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-05-29 02:06
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-05-29 02:11:59
ComboFix-quarantined-files.txt 2010-05-29 06:11
Pre-Run: 77,208,989,696 bytes free
Post-Run: 77,442,498,560 bytes free
- - End Of File - - C68F972040EDC534990DA1B8868DE4DF
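The entry worth reading first in both logs above is `ProxyServer = http=127.0.0.1:5555` (the HijackThis R1 line and the ComboFix "Supplementary Scan" line): Internet Explorer has been told to send its HTTP traffic to a listener on the machine itself, so whatever process owns that port sits between the browser and every page, which fits a search-results redirect. The following Python script is an added example for this thread, not a feature of HijackThis or ComboFix: it reads lines in either log format, flags proxy settings that point at loopback, and flags hosts-file lines other than the two default `localhost` entries. The sample lines are copied from the thread's logs except one hosts entry, which is constructed (203.0.113.5 is a documentation address); the severity labels are my own choice.

```python
"""Log-triage helper for the HijackThis and ComboFix logs posted in this thread.

Flags Internet Explorer proxy settings that point back at the local machine
(the thread's `ProxyServer = http=127.0.0.1:5555` entry) and hosts-file lines
other than the two default localhost entries. Added example written for the
thread, not a feature of HijackThis or ComboFix; the severity labels and the
sample line marked "constructed" are assumptions.
"""
import re
from ipaddress import ip_address

# HijackThis writes: R1 - HKCU\...\Internet Settings,ProxyServer = http=127.0.0.1:5555
# ComboFix writes:   uInternet Settings,ProxyServer = http=127.0.0.1:5555
PROXY_LINE = re.compile(r"Internet Settings,ProxyServer\s*=\s*(?P<value>\S.*)$")
HOSTS_LINE = re.compile(r"^O1 - Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_proxy_value(value):
    """Split an IE ProxyServer value into (scheme, host, port) tuples.

    Accepts both 'host:port' (applies to all protocols, reported as '*') and
    the per-protocol form 'http=host:port;https=host:port'.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "*", part
        host, _, port = hostport.rpartition(":")
        if not host:  # no ':' present, so the whole token is the host
            host, port = hostport, ""
        entries.append((scheme, host, port))
    return entries


def is_loopback(host):
    """True for localhost, 127.0.0.0/8 and ::1 (with or without brackets)."""
    host = host.strip("[]").lower()
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def triage(log_text):
    """Return (severity, line, reason) findings for one HijackThis or ComboFix log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_LINE.search(line)
        if m:
            for scheme, host, port in parse_proxy_value(m.group("value")):
                where = f"{host}:{port}" if port else host
                if is_loopback(host):
                    findings.append(("HIGH", line,
                                     f"{scheme} proxy points at the local machine ({where}); "
                                     "identify the process listening there"))
                else:
                    findings.append(("INFO", line,
                                     f"{scheme} proxy via {where}; confirm it is expected"))
            continue
        m = HOSTS_LINE.match(line)
        if m and (m.group("ip"), m.group("host").lower()) not in DEFAULT_HOSTS:
            findings.append(("MEDIUM", line, "non-default hosts-file entry"))
    return findings


# Lines copied from the thread's HijackThis log, plus one constructed hosts
# entry (203.0.113.5 is a documentation address) to exercise the hosts check.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.5 update.example.com
"""

# Lines copied from the thread's ComboFix "Supplementary Scan" section.
SAMPLE_COMBOFIX = r"""
uStart Page = hxxp://espn.go.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

if __name__ == "__main__":
    for name, text in (("HijackThis", SAMPLE_HJT), ("ComboFix", SAMPLE_COMBOFIX)):
        print(f"== {name} ==")
        for severity, line, reason in triage(text):
            print(f"[{severity}] {reason}\n    {line}")
```

Run against the two samples it reports one HIGH finding per log for the loopback proxy and one MEDIUM finding for the constructed hosts line; the `::1 localhost` entry from the real log is left alone because it is a Vista default. A non-loopback proxy is only reported as INFO, since a corporate proxy is normal and the reader has to decide whether it is expected.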
-
How is the redirection issue?
-
I haven't gotten any issues since I have followed the instructions you posted here. So far so good. Thanks again for your help.
-
I'm glad to hear good news, but we need to perform a couple more steps to make sure nothing is hiding.
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.
=============================================================
1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.
2. Go to Kaspersky website and perform an online antivirus scan.
1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
- Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
Post fresh HijackThis log as well.
-
-
Yeah, I am having a hard time getting the Kaspersky to run on this machine; it says it needs to update Flash, but when I try it fails. I did run the Temp File Cleaner with success.