View Full Version : Browser Hi-Jacked
eighteyedspy
2012-05-29, 16:36
Hi. My computer was recently infected with a browser hi-jacker. I get redirected to scour.com most of the time but there are a bunch more. Thank you in advance for any help or relief that you may provide. Here are the DDS logs as requested:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Carol at 9:23:57 on 2012-05-29
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1412 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Norton Security Suite\Engine\5.2.1.3\ccSvcHst.exe
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Norton Security Suite\Engine\5.2.1.3\ccSvcHst.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.2.1.3\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.2.1.3\ips\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo\YontooIEClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\5.2.1.3\coIEPlg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare 5\ASCTray.exe" /AutoStart
uRun: [Conduit] rundll32.exe "c:\users\carol\appdata\local\google\conduit\xriotabb.dll",DllRegisterServer
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\carol\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.169.1
TCP: Interfaces\{4147206F-2C76-4523-AE42-BD46B9A01393} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{4147206F-2C76-4523-AE42-BD46B9A01393} : DhcpNameServer = 192.168.169.1
TCP: Interfaces\{6E29A7ED-2147-4BA5-94B1-ECA396DD404A} : DhcpNameServer = 192.168.2.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502010.003\symds.sys [2012-4-24 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502010.003\symefa.sys [2012-4-24 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20120517.001\BHDrvx86.sys [2012-5-23 821880]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20120528.001\IDSvix86.sys [2012-5-29 368248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502010.003\ironx86.sys [2012-4-24 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0502010.003\symtdiv.sys [2012-4-24 331384]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2012-1-18 913752]
R2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2011-4-5 401920]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2012-2-6 13672]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.2.1.3\ccsvchst.exe [2012-4-24 130008]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-4-20 365952]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-9-11 1153368]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-4-20 193840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-4-2 106104]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-6-26 66080]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-24 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-2 257696]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-24 135664]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-10-14 98304]
S3 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
.
=============== Created Last 30 ================
.
2012-05-29 12:58:12 127488 ----a-w- c:\programdata\microsoft\windows\drm\13F5.tmp
2012-05-12 09:50:58 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-12 09:50:57 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-12 09:50:57 2044928 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2012-05-04 19:41:08 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-04 19:41:08 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 12:39:11 905600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-20 23:28:50 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-03-01 14:46:01 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-01 14:46:01 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-29 15:11:45 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-29 15:11:42 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 15:09:53 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 14:08:47 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-29 13:44:50 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-29 13:41:40 1069056 ----a-w- c:\windows\system32\DWrite.dll
2012-02-29 13:32:37 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
.
============= FINISH: 9:25:02.38 ===============
Hi,
Download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it
Click the Scan button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply. Post fresh dds logs too.
eighteyedspy
2012-06-05, 22:35
Hi Blade, thanks for the help! Here are the logs you requested.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Carol at 15:27:53 on 2012-06-05
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1354 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Norton Security Suite\Engine\5.2.1.3\ccSvcHst.exe
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Norton Security Suite\Engine\5.2.1.3\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Users\Carol\AppData\Roaming\Juniper Networks\Setup Client\JuniperSetupClient.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.2.1.3\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.2.1.3\ips\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo\YontooIEClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\5.2.1.3\coIEPlg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare 5\ASCTray.exe" /AutoStart
uRun: [Conduit] rundll32.exe "c:\users\carol\appdata\local\google\conduit\xriotabb.dll",DllRegisterServer
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\carol\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{4147206F-2C76-4523-AE42-BD46B9A01393} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{4147206F-2C76-4523-AE42-BD46B9A01393} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{6E29A7ED-2147-4BA5-94B1-ECA396DD404A} : DhcpNameServer = 192.168.2.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502010.003\symds.sys [2012-4-24 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502010.003\symefa.sys [2012-4-24 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20120517.001\BHDrvx86.sys [2012-5-23 821880]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20120602.001\IDSvix86.sys [2012-6-5 368248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502010.003\ironx86.sys [2012-4-24 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0502010.003\symtdiv.sys [2012-4-24 331384]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2012-1-18 913752]
R2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2011-4-5 401920]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2012-2-6 13672]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.2.1.3\ccsvchst.exe [2012-4-24 130008]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-4-20 365952]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-9-11 1153368]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-4-20 193840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-6-1 106656]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-6-26 66080]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-24 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-2 257696]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-24 135664]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-10-14 98304]
S3 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
.
=============== Created Last 30 ================
.
2012-06-04 17:30:52 128512 ----a-w- c:\programdata\microsoft\windows\drm\342.tmp
2012-05-29 12:58:12 127488 ----a-w- c:\programdata\microsoft\windows\drm\13F5.tmp
2012-05-12 09:50:58 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-12 09:50:57 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-12 09:50:57 2044928 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2012-05-04 19:41:08 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-04 19:41:08 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 12:39:11 905600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-20 23:28:50 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
.
============= FINISH: 15:28:55.58 ===============
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-05 15:25:04
-----------------------------
15:25:04.464 OS Version: Windows 6.0.6002 Service Pack 2
15:25:04.464 Number of processors: 2 586 0x301
15:25:04.464 ComputerName: CAROL-PC UserName: Carol
15:25:06.352 Initialize success
15:25:10.709 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5
15:25:10.709 Disk 0 Vendor: Hitachi_HTS545025B9A300 PB2OCA0G Size: 238475MB BusType: 3
15:25:10.725 Disk 0 MBR read successfully
15:25:10.725 Disk 0 MBR scan
15:25:10.740 Disk 0 unknown MBR code
15:25:10.740 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 227289 MB offset 2048
15:25:10.787 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11182 MB offset 465489920
15:25:10.818 Disk 0 scanning sectors +488390656
15:25:10.912 Disk 0 scanning C:\Windows\system32\drivers
15:25:23.610 Service scanning
15:25:46.152 Modules scanning
15:26:15.948 Disk 0 trace - called modules:
15:26:15.980 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys ndis.sys nvmfdx32.sys
15:26:15.995 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85697788]
15:26:16.526 3 CLASSPNP.SYS[807a08b3] -> nt!IofCallDriver -> [0x85550218]
15:26:16.541 5 acpi.sys[8060d6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-5[0x8554c5f0]
15:26:16.541 Scan finished successfully
15:26:44.569 Disk 0 MBR has been saved successfully to "C:\Users\Carol\Desktop\Safer Networking\MBR.dat"
15:26:44.584 The log file has been saved successfully to "C:\Users\Carol\Desktop\Safer Networking\aswMBR.txt"
Hi
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
eighteyedspy
2012-06-07, 01:03
Here are the ComboFix and the new DDS logs:
ComboFix 12-06-06.02 - Carol 06/06/2012 17:44:50.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1485 [GMT -4:00]
Running from: c:\users\Carol\Desktop\Safer Networking\ComboFix\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Carol\AppData\Local\Google\Conduit\xriotabb.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-05-06 to 2012-06-06 )))))))))))))))))))))))))))))))
.
.
2012-06-06 21:53 . 2012-06-06 21:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-04 17:30 . 2012-06-04 17:30 128512 ----a-w- c:\programdata\Microsoft\Windows\DRM\342.tmp
2012-05-29 13:22 . 2012-05-29 13:22 -------- d-----w- c:\program files\ERUNT
2012-05-29 12:58 . 2012-05-29 12:58 127488 ----a-w- c:\programdata\Microsoft\Windows\DRM\13F5.tmp
2012-05-12 09:50 . 2012-04-03 08:16 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-12 09:50 . 2012-04-03 08:16 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-12 09:50 . 2012-04-02 13:36 2044928 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-04 19:41 . 2012-04-02 17:44 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-04 19:41 . 2011-06-17 09:46 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-21 13:40 . 2012-04-21 13:40 125440 ----a-w- c:\programdata\Microsoft\Windows\DRM\E9B3.tmp
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Advanced SystemCare 5"="c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe" [2012-03-06 574296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
c:\users\Carol\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=c:\windows\pss\Google Calendar Sync.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WDSmartWare.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WDSmartWare.lnk
backup=c:\windows\pss\WDSmartWare.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Carol^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Carol\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 5]
2012-03-06 22:39 574296 ----a-w- c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
2009-10-23 16:31 326144 ----a-w- c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2008-09-30 23:56 972080 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-06-09 17:16 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-04-17 18:05 1049896 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateLBPShortCut]
2008-06-14 01:11 210216 ------w- c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GoShortCut]
2008-06-14 01:11 210216 ------w- c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDIRShortCut]
2008-06-14 01:11 210216 ------w- c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePSTShortCut]
2008-10-07 03:42 210216 ------w- c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-04 257696]
S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [2012-03-14 913752]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 19:41]
.
2012-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 17:41]
.
2012-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 17:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{4147206F-2C76-4523-AE42-BD46B9A01393}: NameServer = 8.8.8.8,8.8.4.4
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
HKCU-Run-Conduit - c:\users\Carol\AppData\Local\Google\Conduit\xriotabb.dll
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-06 17:54
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.2.1.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.2.1.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DbgagD\1*]
"value"="?\03\00\0b\13*\17t"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-06-06 17:58:16
ComboFix-quarantined-files.txt 2012-06-06 21:58
.
Pre-Run: 153,573,347,328 bytes free
Post-Run: 153,484,697,600 bytes free
.
- - End Of File - - 43343FB6C7DDA127D9A197B099709A4A
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Carol at 17:59:53 on 2012-06-06
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1338 [GMT -4:00]
.
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Norton Security Suite\Engine\5.2.1.3\ccSvcHst.exe
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Norton Security Suite\Engine\5.2.1.3\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.2.1.3\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.2.1.3\ips\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\5.2.1.3\coIEPlg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare 5\ASCTray.exe" /AutoStart
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\carol\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{4147206F-2C76-4523-AE42-BD46B9A01393} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{4147206F-2C76-4523-AE42-BD46B9A01393} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{6E29A7ED-2147-4BA5-94B1-ECA396DD404A} : DhcpNameServer = 192.168.2.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502010.003\symds.sys [2012-4-24 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502010.003\symefa.sys [2012-4-24 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20120531.001\BHDrvx86.sys [2012-6-5 821880]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20120605.001\IDSvix86.sys [2012-6-5 368248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502010.003\ironx86.sys [2012-4-24 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0502010.003\symtdiv.sys [2012-4-24 331384]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2012-1-18 913752]
R2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2011-4-5 401920]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2012-2-6 13672]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.2.1.3\ccsvchst.exe [2012-4-24 130008]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-4-20 365952]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-9-11 1153368]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-4-20 193840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-6-1 106656]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-6-26 66080]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-24 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-2 257696]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-24 135664]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-10-14 98304]
S3 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
.
=============== Created Last 30 ================
.
2012-06-06 21:58:24 -------- d-sh--w- C:\$RECYCLE.BIN
2012-06-06 21:41:56 98816 ----a-w- c:\windows\sed.exe
2012-06-06 21:41:56 518144 ----a-w- c:\windows\SWREG.exe
2012-06-06 21:41:56 256000 ----a-w- c:\windows\PEV.exe
2012-06-06 21:41:56 208896 ----a-w- c:\windows\MBR.exe
2012-06-06 21:41:44 -------- d-----w- C:\ComboFix
2012-06-04 17:30:52 128512 ----a-w- c:\programdata\microsoft\windows\drm\342.tmp
2012-05-29 12:58:12 127488 ----a-w- c:\programdata\microsoft\windows\drm\13F5.tmp
2012-05-12 09:50:58 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-12 09:50:57 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-12 09:50:57 2044928 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2012-05-04 19:41:08 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-04 19:41:08 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 12:39:11 905600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-20 23:28:50 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
.
============= FINISH: 18:00:38.34 ===============
Hi again,
Adobe Acrobat 4.0 is not supported anymore and thus should be removed.
Uninstall your current Adobe shockwave player and get the fresh one here (http://get.adobe.com/shockwave/) if needed.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 7 Update 4 (http://www.oracle.com/technetwork/java/javase/downloads/index.html).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-7u4-windows-i586.exe to install the newest version.
* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish.
Post back its report & a fresh dds.txt log. Does the hijacking still occur?
eighteyedspy
2012-06-08, 03:14
I removed and updated the software indicated. Here are the most recent scans. So far the redirecting issue seems to be resolved.
C:\Program Files\Yontoo\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application
C:\ProgramData\Microsoft\Windows\DRM\13F5.tmp a variant of Win32/Kryptik.AGNZ trojan
C:\ProgramData\Microsoft\Windows\DRM\342.tmp a variant of Win32/Kryptik.AGNZ trojan
C:\ProgramData\Microsoft\Windows\DRM\E9B3.tmp Win32/Olmarik.AYD trojan
C:\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Qoobox\Quarantine\C\Users\Carol\AppData\Local\Google\Conduit\xriotabb.dll.vir Win32/BHO.OEI trojan
C:\Users\All Users\Microsoft\Windows\DRM\13F5.tmp a variant of Win32/Kryptik.AGNZ trojan
C:\Users\All Users\Microsoft\Windows\DRM\342.tmp a variant of Win32/Kryptik.AGNZ trojan
C:\Users\All Users\Microsoft\Windows\DRM\E9B3.tmp Win32/Olmarik.AYD trojan
C:\Users\All Users\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.0
Run by Carol at 20:08:50 on 2012-06-07
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1610 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\Explorer.EXE
C:\Program Files\Norton Security Suite\Engine\5.2.1.3\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Norton Security Suite\Engine\5.2.1.3\ccSvcHst.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\DllHost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.2.1.3\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.2.1.3\ips\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\5.2.1.3\coIEPlg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare 5\ASCTray.exe" /AutoStart
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\carol\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{4147206F-2C76-4523-AE42-BD46B9A01393} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{4147206F-2C76-4523-AE42-BD46B9A01393} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{6E29A7ED-2147-4BA5-94B1-ECA396DD404A} : DhcpNameServer = 192.168.2.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502010.003\symds.sys [2012-4-24 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502010.003\symefa.sys [2012-4-24 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20120531.001\BHDrvx86.sys [2012-6-5 821880]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20120606.001\IDSvix86.sys [2012-6-7 368248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502010.003\ironx86.sys [2012-4-24 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0502010.003\symtdiv.sys [2012-4-24 331384]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2012-1-18 913752]
R2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2011-4-5 401920]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2012-2-6 13672]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.2.1.3\ccsvchst.exe [2012-4-24 130008]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-4-20 365952]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-9-11 1153368]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-4-20 193840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-6-1 106656]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-6-26 66080]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-24 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-24 135664]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-10-14 98304]
S3 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
.
=============== Created Last 30 ================
.
2012-06-07 22:12:03 -------- d-----w- c:\program files\ESET
2012-06-07 21:43:15 772552 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-06-06 21:58:24 -------- d-sh--w- C:\$RECYCLE.BIN
2012-06-06 21:41:56 98816 ----a-w- c:\windows\sed.exe
2012-06-06 21:41:56 518144 ----a-w- c:\windows\SWREG.exe
2012-06-06 21:41:56 256000 ----a-w- c:\windows\PEV.exe
2012-06-06 21:41:56 208896 ----a-w- c:\windows\MBR.exe
2012-06-06 21:41:44 -------- d-----w- C:\ComboFix
2012-06-04 17:30:52 128512 ----a-w- c:\programdata\microsoft\windows\drm\342.tmp
2012-05-29 12:58:12 127488 ----a-w- c:\programdata\microsoft\windows\drm\13F5.tmp
2012-05-12 09:50:58 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-12 09:50:57 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-12 09:50:57 2044928 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2012-06-07 21:41:57 687560 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-30 12:39:11 905600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-20 23:28:50 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
.
============= FINISH: 20:10:07.37 ===============
Hi,
Show hidden files
-----------------
1. Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
2. Click the View tab.
3. Under Advanced settings, click Show hidden files and folders, and then click OK.
Go to C:\ProgramData\Microsoft\Windows\DRM folder and delete these files if found:
13F5.tmp
342.tmp
E9B3.tmp
Then go to C:\Users\All Users\Microsoft\Windows\DRM folder and delete these files if found:
13F5.tmp
342.tmp
E9B3.tmp
eighteyedspy
2012-06-08, 16:57
Files located and deleted. Still no redirects. So far so good. I really do appreciate the help.
Hi,
Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
A To disable the System Restore feature:
1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Uncheck any checkboxes listed for your hard drives.
7. Press OK.
B. Reboot.
C Turn ON System Restore.
Follow the steps like you did when disabling system restore but on step 6. check any checkboxes listed for your hard drives.
Now lets uninstall ComboFix:
Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings. Leave the program installed so you'll stay alarmed about vulnerable components in future too.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
eighteyedspy
2012-06-09, 21:30
Blade, Downloaded PSI, reset restore, and updated. No more redirects. Thank you so much for the help. It is greatly appreciated.
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.
If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.