system
December 6, 2008, 3:42pm
1
Someone hijacked the last thread so here is a clean version.
I managed to get rid of two things that are causing me problems, but there still seem to be two more.
Spybot Search & Destroy keeps detecting webHancer registry keys but is unable to delete them. I went into regedt32 and tried to delete them manually, but it refuses to.
Mirar is also still visible in Add & Remove Programs. Does anyone have any software that will get rid of it? I tried SpyHunter, but Spybot freaked when I attempted to install it, so now I’m hesitant to try results I find on Google.
I tried a-squared, but it didn’t find anything.
webHancer: [SBI $DB28DDCD] User settings (Registry key, fixing failed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900B400-CDFE-11D3-976A-00E02913A9E0}
webHancer: [SBI $DB28DDCD] User settings (Registry key, fixing failed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900B400-CDFE-11D3-976A-00E02913A9E0}
--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---
When I manually delete I get the error “Cannot delete iexplore: Error while deleting key.”
What I have done to date:
HijackThis
Avast normal/thorough
Avast bootup
Spybot
Safe mode Spybot
Malwarebytes
Safe mode Malwarebytes
SUPERAntiSpyware
Safe mode SUPERAntiSpyware
Ad-Aware
Panda Anti-Rootkit
Sysinternals RootkitRevealer
Sysinternals RegDelNull /s
Combofix.exe
Is there anything else I should try?
ComboFix log:
ComboFix 08-12-05.02 - Neil 2008-12-05 20:48:54.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.748 [GMT -5:00]
Running from: c:\sysi\ComboFix.exe
Command switches used :: c:\sysi\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Neil\Application Data\MCROSO~1.NET
c:\documents and settings\Neil\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Common Files\{38C16~1
c:\program files\Common Files\{F8C16~1
c:\program files\Common Files\uninstall information
c:\temp\tn3
c:\windows\system32\bgocoyvv.ini
c:\windows\system32\CMMGR32.EXE
c:\windows\system32\dobe~1
c:\windows\system32\dobe~1\?dobe\
c:\windows\system32\xbadd.bak1
c:\windows\system32\xbadd.ini
----- BITS: Possible infected sites -----
hxxp://77.74.48.101
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_COM+_MESSAGES
-------\Legacy_NPF
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.
2008-12-05 10:13 . 2008-12-05 10:13 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-05 09:44 . 2008-12-05 09:44 <DIR> d-------- C:\New Folder
2008-12-03 00:50 . 2008-12-03 00:50 <DIR> d-------- C:\VundoFix Backups
2008-12-02 01:09 . 2008-12-02 01:09 <DIR> d-------- c:\program files\Trend Micro
2008-12-01 18:18 . 2008-12-01 18:18 192,007 --a------ c:\windows\system32\g25.exe
2008-12-01 18:18 . 2008-12-01 18:18 47,598 --a------ c:\windows\system32\vfdnlmlafinitgcdy.exe
2008-11-25 11:41 . 2008-11-25 11:41 <DIR> d-------- c:\program files\PhotoME
2008-11-25 11:41 . 2008-11-25 11:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\PhotoME
2008-11-17 14:42 . 2008-11-17 14:42 <DIR> d-------- c:\windows\system32\Dell
2008-11-17 14:42 . 2008-11-17 14:42 <DIR> d-------- c:\program files\Dell
2008-11-16 23:51 . 2008-11-20 12:10 <DIR> d-------- c:\program files\processing-0156
2008-11-14 09:50 . 2008-11-14 09:50 <DIR> d-------- c:\windows\system32\QuickTime
2008-11-14 09:50 . 2008-11-14 09:50 <DIR> d-------- c:\program files\Common Files\TechSmith Shared
2008-11-14 09:50 . 2008-11-14 09:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\TechSmith
2008-11-14 09:49 . 2008-11-14 09:50 <DIR> d-------- c:\program files\Camtasia Studio
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 01:54 --------- d-----w c:\program files\PeerGuardian2
2008-12-06 01:53 --------- d-----w c:\documents and settings\Neil\Application Data\WTablet
2008-12-05 14:18 --------- d-----w c:\program files\SUPERAntiSpyware
2008-12-05 14:05 --------- d-----w c:\program files\Firefox
2008-12-04 15:40 --------- d-----w c:\documents and settings\LocalService\Application Data\WTablet
2008-12-03 18:35 --------- d-----w c:\documents and settings\Neil\Application Data\TmpRecentIcons
2008-12-03 17:41 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-03 13:10 --------- d-----w c:\program files\Spybot
2008-12-03 09:18 --------- d-----w c:\program files\NNsquad
2008-12-01 15:47 --------- d-----w c:\program files\Trillian
2008-12-01 14:40 --------- d-----w c:\documents and settings\Neil\Application Data\OpenOffice.org2
2008-12-01 03:14 --------- d-----w c:\program files\Thunderbird
2008-11-24 17:37 --------- d-----w c:\program files\Yecho
2008-11-05 03:32 --------- d-----w c:\program files\Common Files\Adobe
2008-11-03 17:41 --------- d-----w c:\documents and settings\Neil\Application Data\uTorrent
2008-11-03 04:49 --------- d-----w c:\documents and settings\Neil\Application Data\Autodesk
2008-11-03 04:49 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-11-03 04:39 --------- d-----w c:\program files\Common Files\Autodesk Shared
2008-11-03 04:36 --------- d-----w c:\program files\Autodesk
2008-11-03 04:32 --------- d-----w c:\program files\Reference Assemblies
2008-11-03 03:37 --------- d-----w c:\program files\NaturalMotion
2008-11-03 03:23 --------- d-----w c:\program files\7-Zip
2008-10-28 02:11 --------- d-----w c:\program files\Steam
2008-10-27 02:32 --------- d-----w c:\program files\XUL Explorer
2008-10-26 04:15 --------- d-----w c:\documents and settings\Neil\Application Data\XULExplorer
2008-10-22 21:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 21:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-20 11:22 --------- d-----w c:\program files\Apple Software Update
2008-10-20 03:03 --------- d-----w c:\program files\iTunes
2008-10-20 03:03 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-20 03:01 --------- d-----w c:\program files\iPod
2008-10-20 02:57 --------- d-----w c:\program files\Bonjour
2008-10-20 02:55 --------- d-----w c:\program files\QuickTime
2008-10-20 02:54 --------- d-----w c:\program files\Common Files\Apple
2008-10-15 02:18 --------- d-----w c:\program files\Brother
2008-10-15 02:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-15 02:14 --------- d-----w c:\program files\Nuance
2008-10-15 02:14 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2008-10-15 02:14 --------- d-----w c:\documents and settings\All Users\Application Data\ScanSoft
2008-10-15 02:14 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2008-10-15 02:13 --------- d-----w c:\program files\ScanSoft
2008-10-15 02:12 --------- d-----w c:\documents and settings\All Users\Application Data\Brother
2008-10-12 16:07 --------- d-----w c:\documents and settings\Neil\Application Data\Notepad++
2008-10-12 15:52 --------- d-----w c:\program files\Notepad++
2008-10-12 14:18 --------- d-----w c:\program files\Common Files\AliasWavefront Shared
2008-10-12 14:15 --------- d--h--w c:\program files\Zero G Registry
2008-10-12 13:41 --------- d-----w c:\program files\backburner 2
2007-01-16 17:47 87,608 ----a-w c:\documents and settings\Neil\Application Data\ezpinst.exe
2007-01-16 17:47 47,360 ----a-w c:\documents and settings\Neil\Application Data\pcouffin.sys
2008-08-28 11:28 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082820080829\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
system
December 6, 2008, 3:44pm
2
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2006-12-06 1294336]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
"SpybotSD TeaTimer"="c:\program files\Spybot\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Versato"="c:\program files\MagicKey\MagicKey.exe" [2001-05-03 135168]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-10-22 7700480]
"NNma"="c:\program files\NNsquad\nnma.exe" [2008-05-26 999479]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 c:\windows\system32\nvmctray.dll]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe [2008-09-15 29290496]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-09-28 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2006-10-19 09:12 258048 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
"VIDC.VQS4"= vqs4dec.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RaySat_3dsmax7Server"=2 (0x2)
"mi-raysat_3dsmax8"=2 (0x2)
"maya70docserver"=2 (0x2)
"AWHelpServer"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\VirtualCanada\\VirtualCanadaVirtuel.exe"=
"c:\\Program Files\\Crazybump\\CrazyBump.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Firefox\\firefox.exe"=
"c:\\Program Files\\NNsquad\\nnma.exe"=
"c:\\Program Files\\Brother\\Brmfl08g\\FAXRX.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6551:UDP"= 6551:UDP:SmartCheck
"67:UDP"= 67:UDP:DHCP Discovery Service
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-02 78416]
R1 hwinterface;hwinterface;c:\windows\system32\Drivers\hwinterface.sys [2006-01-08 3026]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2006-09-19 29184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-02 20560]
R2 SSIPDDP;SSIPDDP Parallel port device driver;\??\c:\windows\System32\DRIVERS\SSIPDDP.SYS [2005-09-09 55296]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2007-11-11 1373480]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\DRIVERS\jswscimd.sys [2008-09-15 57344]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
R3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys [2008-09-15 57408]
S2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit;"c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe" [2008-03-10 65536]
S3 DCamVQ110;VQ110 Digital Video Camera;c:\windows\system32\DRIVERS\VQ110.sys [2007-01-08 130224]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2003-01-30 18864]
S3 ezfa;EZF Advance Cable Driver N;c:\windows\system32\drivers\ezfa.sys [2004-12-25 25596]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\jswpsapi.exe [2008-09-15 356434]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
S4 RaySat_3dsmax7Server;RaySat_3dsmax7 Server;c:\3dsmax7\mentalray\satellite\raysat_3dsmax7server.exe [2005-04-08 65536]
*Newly Created Service* - PGFILTER
.
Contents of the 'Scheduled Tasks' folder
2008-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
system
December 6, 2008, 3:46pm
3
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - c:\windows\System32\mscoree.DLL
TCP: {7FAF96FE-4362-4BF3-891B-1DC3A1147511} = 204.101.251.1,204.101.251.2
c:\windows\Downloaded Program Files\iaplayer.dll - O16 -: {DB7BF79A-FC51-4B5A-92BC-A65731174380}
hxxp://www.beta.instantaction.com/download/iaplayer.cab
c:\windows\Downloaded Program Files\cab.inf
FireFox -: Profile - c:\documents and settings\Neil\Application Data\Mozilla\Firefox\Profiles\default.6w0\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Firefox\plugins\npnul32.dll
FF -: plugin - c:\program files\Firefox\plugins\npqtplugin.dll
FF -: plugin - c:\program files\Firefox\plugins\npqtplugin2.dll
FF -: plugin - c:\program files\Firefox\plugins\npqtplugin3.dll
FF -: plugin - c:\program files\Firefox\plugins\npqtplugin4.dll
FF -: plugin - c:\program files\Firefox\plugins\npqtplugin5.dll
FF -: plugin - c:\program files\Firefox\plugins\npVizible Player.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\TGEBrowser\np3DPlugin.dll
FF -: plugin - c:\program files\Yecho\np3DYecho.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 20:53:12
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\TEMP\_av_proI.tm~a02152\setup.lok 0 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1292)
c:\windows\WlanGINA\Version\1.0.4.0\WlanGINA.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\sessmgr.exe
c:\program files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\MagicKey\V3D.exe
c:\program files\MagicKey\Osd.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-05 21:00:11 - machine was rebooted [Neil]
ComboFix-quarantined-files.txt 2008-12-06 02:00:07
Pre-Run: 5,974,093,824 bytes free
Post-Run: 5,832,970,240 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
298 --- E O F --- 2008-08-28 03:04:52
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:00 AM, on 12/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\MagicKey\MagicKey.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\MagicKey\OSD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe
C:\Program Files\a-squared\a2service.exe
C:\Program Files\Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [Versato] C:\Program Files\MagicKey\MagicKey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe
system
December 6, 2008, 3:46pm
4
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://members.harmonyremote.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191768637703
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.beta.instantaction.com/download/iaplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FAF96FE-4362-4BF3-891B-1DC3A1147511}: NameServer = 204.101.251.1,204.101.251.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\jswpsapi.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
--
End of file - 9307 bytes
I’m not a ComboFix expert, but this file looks suspicious; you could check it out:
c:\windows\system32\vfdnlmlafinitgcdy.exe
Please disable ‘Hide protected operating system files’ and enable ‘View Hidden Files and Folders’, and upload the above files to VirusTotal for analysis. Post the results here.
With the number of spyware scans you’ve done, I suspect the WebHancer and Mirar entries may be residual and inactive.
system
December 6, 2008, 4:37pm
6
Okay, I’ll do those. I ran PC Tools Spyware Doctor and while it found a few false positives (text files), it did get rid of the webHancer registry entries. I have since run Spybot again and it now says that it’s clean. Mirar is still in Add/Remove Programs and I’m hesitant to click the Change/Remove button because last time I did it started a browser popup session.