My OS recently got infected with something that installed "Windows Anti-Virus Remover" and another fake anti-virus software. I'm running symantec corporate in the background and it didnt catch it or clean it. I ran malwarebytes and thought I removed it all, but when I came back, although it is no longer popping up in the system tray, I couldnt run exe files, browsers or make any changes to the system settings without the computer restarting. In addition, when attempting to log into safe mode, the computer would reboot and go back to normal start-up.
Through various forums, I found instructions for a regfix that allowed me to run exe files so I ran symantec, malwarebytes, and spybot and removed all entries and deleted all quaranteened files. Beforehand, I was able to run hijack this from a usb drive and I've posted the results below, along with the combofix results.
By going to msconfig - boot.ini, I was able to check the safe mode entry and can now get into safe mode but the restarting still occurs and I can't run an entire scan of malwarebytes without a restart interrupting.
Here are my results. Any help is greatly appreciated!!!
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:52 PM, on 08/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svchast.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\bin\jqs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
F:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: ICQSys (IE PlugIn) - {76DC0B63-1533-4ba9-8BE8-D59EB676FA02} - C:\WINDOWS\system32\dddesot.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS\svchast.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\bin\jqs.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 6141 bytes
MALWAREBYTES LOG:
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2
08/22/2009 1:23:35 AM
mbam-log-2009-08-22 (01-23-35).txt
Scan type: Full Scan (C:\|)
Objects scanned: 146962
Time elapsed: 49 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\Program Files\Windows Antivirus Pro\Windows Antivirus Pro.exe.vir (Rogue.WindowsAntivirus) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dddesot.dll.vir (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DD31ADFC-D69D-4AB6-8879-88D93F78B375}\RP770\A0069821.exe (Rogue.WindowsAntivirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DD31ADFC-D69D-4AB6-8879-88D93F78B375}\RP770\A0069831.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
Combofix.txt Log:
ComboFix 09-08-21.01 - Administrator 08/22/2009 0:17.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1278.854 [GMT -7:00]
Running from: F:\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\AWS\WEATHE~1\MINIBU~1.DLL
c:\program files\Windows Antivirus Pro
c:\program files\Windows Antivirus Pro\msvcm80.dll
c:\program files\Windows Antivirus Pro\msvcp80.dll
c:\program files\Windows Antivirus Pro\msvcr80.dll
c:\program files\Windows Antivirus Pro\Windows Antivirus Pro.exe
c:\windows\Installer\16ca82.msi
c:\windows\Installer\16ca89.msi
c:\windows\Installer\16ca90.msi
c:\windows\Installer\46292.msi
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\StartupMonitor.exe
c:\windows\svchast.exe
c:\windows\system32\bennuar.old
c:\windows\system32\config\systemprofile\Desktop\Advanced Virus Remover.lnk
c:\windows\system32\config\systemprofile\Start Menu\Advanced Virus Remover.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\dddesot.dll
c:\windows\system32\desot.exe
c:\windows\system32\drivers\SKYNETaryqbqpt.sys
c:\windows\system32\SKYNETietgoouc.dat
c:\windows\system32\SKYNETodbnwrcg.dat
c:\windows\system32\SKYNETvpjnrouk.dll
c:\windows\system32\SKYNETxbdlqwgw.dll
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\Tasks\jirhplnc.job
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SKYNETclcnkxxs
-------\Legacy_SKYNETclcnkxxs
-------\Legacy_AntipPro2009_100
-------\Service_AntipPro2009_100
((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))
.
2009-08-22 05:45 . 2009-08-22 05:45 1078 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{76EFAC4F-1712-401F-B2AE-590B170C9BCE}\_60c11ac7.exe
2009-08-22 01:59 . 2009-08-22 02:00 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6
2009-08-22 01:56 . 2009-08-22 01:56 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-14 06:44 . 2009-08-14 06:44 45344 ----a-w- c:\windows\system32\drivers\ifd10f3.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 01:57 . 2005-07-07 21:14 -------- d-----w- c:\program files\Java
2009-08-14 07:42 . 2008-12-03 03:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-14 07:42 . 2009-01-30 06:39 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-03 20:36 . 2008-12-03 03:47 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2008-12-03 03:47 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 12:23 . 2009-06-28 01:38 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-09 14:32 . 2009-03-08 17:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Juniper Networks
2009-06-28 07:19 . 2009-06-28 06:40 -------- d-----w- c:\program files\Roku Radio Snooper
2009-06-28 06:43 . 2009-06-28 06:43 46 ----a-w- c:\windows\system32\DonationCoder_rokusnooper_InstallInfo.dat
2009-06-28 06:42 . 2006-02-12 18:36 -------- d-----w- c:\program files\WinPcap
2009-06-27 23:33 . 2009-06-27 23:33 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2005-09-15 22:26 . 2005-05-18 21:26 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
2007-11-10 00:10 . 2007-11-10 00:10 30288 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-11-10 00:10 . 2007-11-10 00:10 79440 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-11-10 00:10 . 2007-11-10 00:10 75344 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-11-10 00:10 . 2007-11-10 00:10 140880 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-11-10 00:10 . 2007-11-10 00:10 42576 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-11-10 00:10 . 2007-11-10 00:10 50768 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-11-10 00:10 . 2007-11-10 00:10 34384 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-11-10 00:11 . 2007-11-10 00:11 685648 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-11-10 00:11 . 2007-11-10 00:11 30288 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2006-03-05 17:22 . 2006-03-05 17:20 80 -csha-r- c:\windows\system32\F5F8EA8429.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-12 68856]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-22 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-11-18 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-11-18 118784]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-13 483328]
"SunJavaUpdateSched"="c:\program files\Java\bin\jusched.exe" [2009-07-25 149280]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-10-10 25214]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Palo Alto Software Update Manager 8.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Palo Alto Software Update Manager 8.0.lnk
backup=c:\windows\pss\Palo Alto Software Update Manager 8.0.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TivoBeacon2"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TiVo\\Desktop\\TiVoServer.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
S0 aylnlfdx;aylnlfdx;c:\windows\system32\drivers\phqghume.sys --> c:\windows\system32\drivers\phqghume.sys [?]
S0 edfiwocl;edfiwocl;c:\windows\system32\drivers\dgszomia.sys --> c:\windows\system32\drivers\dgszomia.sys [?]
S0 ifd10f3;ifd10f3;\SystemRoot\\SystemRoot\System32\drivers\ifd10f3.sys --> \SystemRoot\\SystemRoot\System32\drivers\ifd10f3.sys [?]
S1 977b5406.sys;977b5406.sys;\??\c:\windows\System32\drivers\977b5406.sys --> c:\windows\System32\drivers\977b5406.sys [?]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [10/06/2004 7:39 AM 283904]
S3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [10/04/2004 3:28 AM 43392]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/02/2008 8:47 PM 38160]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [08/02/2005 2:10 PM 32512]
S4 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [04/29/2005 9:28 AM 844288]
.
Contents of the 'Scheduled Tasks' folder
2009-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-2000478354-725345543-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-22 17:21]
2009-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-2000478354-725345543-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-22 17:21]
2007-01-17 c:\windows\Tasks\RoxioUpdator.job
- c:\program files\COMMON FILES\ROXIO SHARED\AUTOUPDATER\autoupdater.exe [2004-02-26 10:52]
.
- - - - ORPHANS REMOVED - - - -
Notify-WgaLogon - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gc6yccxw.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.yahoo.com/
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\Java\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
.
**************************************************************************
disk not found C:\
please note that you need administrator rights to perform deep scan
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-746137067-2000478354-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B3CB8210-4DE5-8E6F-EC81-43E5B4A52E81}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jaeiciohphdljlcfnbld"=hex:6a,61,61,6c,63,6d,6f,63,6d,6f,63,70,6e,6d,6e,62,63,
6f,6a,66,00,17
"iaoiailjdajjkeejoh"=hex:6a,61,61,6c,63,6d,6f,63,6d,6f,63,70,6e,6d,6e,62,63,6f,
6a,66,00,17
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Java\bin\jqs.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-22 0:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-22 07:27
Pre-Run: 210,035,142,656 bytes free
Post-Run: 210,106,093,568 bytes free
199 --- E O F --- 2007-11-12 04:21
SuperAntiSpyware Log (Relevant parts)
Rogue.Component/Trace
HKLM\SOFTWARE\MICROSOFT\201Bc29B
HKLM\SOFTWARE\MICROSOFT\201Bc29B#201bc29b
HKLM\SOFTWARE\MICROSOFT\201Bc29B#Version
HKLM\SOFTWARE\MICROSOFT\201Bc29B#201b6f1b
HKLM\SOFTWARE\MICROSOFT\201Bc29B#201b6fe