I am trying to fix my friends computer. She has the Advanced Virus Remover on the computer. There are pop up warnings about trojans and the search engines redirect to sites like SEARCHCLICK. I ran the latest version of Combofix. I ended the process of AVR.EXE in the taskmanager so I don't know if that will affect the log. Thanks very much for the help!
Dan
Here's the log generated today...
ComboFix 09-11-18.09 - HP_Administrator 11/19/2009 10:39.7.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.583 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\Combo-Fix.exe
AV: Norton Internet Security 2006 *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\HP_Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
c:\documents and settings\HP_Administrator\Desktop\Advanced Virus Remover.lnk
c:\documents and settings\HP_Administrator\Start Menu\Advanced Virus Remover.lnk
c:\program files\AdvancedVirusRemover
c:\program files\AdvancedVirusRemover\AVR.exe
c:\windows\system32\18467.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
.
((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.
2009-11-19 15:28 . 2009-11-19 15:35 -------- d-----w- C:\Combo-Fix
2009-11-18 23:11 . 2009-11-18 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\RegAce
2009-11-18 23:11 . 2009-11-18 23:22 -------- d-----w- c:\program files\RegAce
2009-11-18 19:35 . 2009-11-18 20:13 22528 ----a-w- c:\windows\system32\winhelper86.dll
2009-11-18 01:45 . 2009-11-18 19:33 10752 ----a-w- c:\windows\DCEBoot.exe
2009-11-17 16:49 . 2009-11-17 16:49 24336 ----a-w- c:\windows\system32\winupdate86.exe
2009-11-01 23:51 . 2001-08-17 18:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2009-11-01 23:51 . 2001-08-17 18:56 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-19 15:50 . 2009-11-19 15:50 32786 ----a-w- c:\windows\system32\41.exe
2009-11-19 15:50 . 2009-11-19 15:50 791312 ----a-w- c:\windows\system32\AVR10.exe
2009-11-18 22:03 . 2009-06-22 21:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-18 01:31 . 2009-08-15 13:58 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\StumbleUpon
2009-11-17 16:51 . 2009-06-22 22:53 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-09-11 14:18 . 2008-11-26 21:10 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-11-26 21:10 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2008-11-26 21:10 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2008-11-26 21:10 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2008-11-26 21:10 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2008-11-26 21:10 247326 ------w- c:\windows\system32\strmdll.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-26 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-26 137752]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-09-24 210216]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-23 52840]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-17 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-11 722256]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"winupdate86.exe"="c:\windows\system32\winupdate86.exe" [2009-11-17 24336]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-10-26 17021440]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 11:15 AM 102448]
R3 HSFHWBS3;HSFHWBS3;c:\windows\system32\drivers\HSFHWBS3.sys [11/26/2008 5:34 PM 207872]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-11-14 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-09-24 16:13]
2009-11-19 c:\windows\Tasks\User_Feed_Synchronization-{296F67B8-5D49-4A92-B63E-58DAD4FDA838}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
LSP: c:\windows\system32\winhelper86.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-19 10:49
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3260)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
.
**************************************************************************
.
Completion time: 2009-11-19 10:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-19 15:52
ComboFix2.txt 2009-11-18 23:47
ComboFix3.txt 2009-11-18 22:39
ComboFix4.txt 2009-11-18 21:56
ComboFix5.txt 2009-11-19 15:38
Pre-Run: 133,345,456,128 bytes free
Post-Run: 133,315,264,512 bytes free
- - End Of File - - E7FFC0D4B6914CD0C8E97F9B2861589F
Edited by CompUserXP2009, 19 November 2009 - 11:22 AM.
Sign In
Create Account
