| Thread ID: 114719 | 2010-12-14 21:37:00 | SLIzone page hijacking Firefox on boot up | linzi (13473) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 1161698 | 2010-12-15 02:18:00 | Ok. Try this.... Download Combofix and place it on your desktop from Bleepingcomputer (download.bleepingcomputer.com) or Geekstogo (subs.geekstogo.com). * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Combofix may be slow to start and appear to be doing nothing before it starts scanning. Just leave it, it will start. You can get help on disabling your protection programs here: www.bleepingcomputer.com. Please include the C:\ComboFix.txt in your next reply for further review. Caution..... Never use this program to remove files. Only use it with help from an experienced user. Wrongful use can damage your computer. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a qualified helper. | Pancake (6359) | ||
| 1161699 | 2010-12-15 02:58:00 | TY for your help btw. Much appreciated. Ok THIS time when Combofix rebooted it was IE that auto started [??? default browser changed??]. Combofix gave the following report: | linzi (13473) | ||

```text
ComboFix 10-12-14.01 - Pamc 15/12/2010 15:32:48.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.424 [GMT 13:00]
Running from: c:\documents and settings\Pamc\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Thumbs.db
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\desktop
c:\windows\desktop\Oamaru Convention\Oz 06.exe
c:\windows\system32\paqbonus.exe
c:\windows\system32\vnrqscnt.ini
c:\windows\system32\vwasbcvh.ini
c:\windows\system32\winping.exe
.
((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.
2010-12-14 22:07 . 2010-12-14 22:07 -------- d-----w- c:\documents and settings\Pamc\Application Data\Malwarebytes
2010-12-14 22:07 . 2010-11-29 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-14 22:07 . 2010-12-14 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-14 22:07 . 2010-12-14 22:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-14 22:07 . 2010-11-29 04:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-13 22:47 . 2010-12-13 22:47 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{FC88D84C-9AAA-4DCA-B544-2F808B2C6FE6}
2010-12-13 20:24 . 2010-12-13 20:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{F03307B7-E779-4F5E-A32E-9A73D8D6E0F2}
2010-12-13 02:58 . 2010-12-13 02:58 1409 ----a-w- c:\windows\QTFont.for
2010-12-12 22:09 . 2010-12-03 09:05 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-12-12 21:55 . 2010-12-03 09:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-12-12 21:55 . 2010-12-12 21:55 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-12 21:52 . 2010-12-12 21:52 -------- d-----w- c:\documents and settings\Pamc\Local Settings\Application Data\Sunbelt Software
2010-12-12 21:52 . 2010-12-12 21:52 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-12 21:51 . 2010-12-12 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-12-12 21:51 . 2010-12-12 21:52 -------- d-----w- c:\program files\Ad-Aware
2010-12-01 23:22 . 2010-12-01 23:22 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{13795121-80CF-4D45-9175-8FD79D18EF7E}
2010-11-21 22:23 . 2010-11-21 22:26 -------- d-----w- c:\documents and settings\Pamc\Application Data\KompoZer
2010-11-21 22:23 . 2010-11-21 22:23 -------- d-----w- C:\Komposer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 23:28 . 2009-08-30 23:28 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-08-30 23:28 . 2009-08-30 23:28 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-08-30 23:28 . 2009-08-30 23:28 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2006-02-10 2048000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"nwiz"="nwiz.exe" [2006-09-22 1519616]
"NvMediaCenter"="NvMCTray.dll" [2006-09-22 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-22 7618560]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2009-11-30 557056]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-07-12 352256]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-07-12 1397760]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-09-22 38840]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ScanSoft OmniPage 16-reminder"="c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe" [2007-07-19 328992]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"avast5"="c:\progra~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Quick-Drop"="c:\program files\DVD MovieFactory 7\Corel DVD MovieFactory 7\Quick-Drop.exe" [2008-06-02 389264]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-08 155648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-13 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]

c:\documents and settings\Pamc\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Background Monitor.lnk - c:\program files\EPSON\ESM2\STMS.exe [1999-6-7 233984]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Eudora\EuShlExt.dll" [2002-09-30 86016]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Pamc^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPIO]
2005-04-14 06:22 704000 ----a-w- c:\program files\USB_HD\GPIOManager\GPIOManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2006-10-13 04:04 707376 ----a-w- c:\windows\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Genuine"=rundll32.exe "c:\windows\system32\hvcbsawv.dll",realset

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\CuteFTP\\cutftp32.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Pamc\\My Documents\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\FotoFusionV4_mine\\collage.exe"=
"c:\\Program Files\\Deep Paint 3D\\Deep3D.exe"=
"c:\\WINDOWS\\system32\\ntvdm.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Yahoo\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59:TCP"= 59:TCP:DCC

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [13/12/2010 10:55 a.m. 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/04/2008 8:58 a.m. 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/04/2008 8:58 a.m. 17744]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Ad-Aware\AAWService.exe [3/12/2010 10:05 p.m. 1389400]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [3/01/2008 1:04 p.m. 2560]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 8:19 p.m. 13592]
.
Contents of the 'Scheduled Tasks' folder

2010-12-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:05]

2010-12-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 00:34]

2010-12-15 c:\windows\Tasks\SyncBackSE Backup Photos.job
- c:\program files\SyncBackSE\SyncBackSE.exe [2007-11-15 02:54]

2010-12-15 c:\windows\Tasks\SyncBackSE Pics.job
- c:\program files\SyncBackSE\SyncBackSE.exe [2007-11-15 02:54]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
mWindow Title = 
uInternet Settings,ProxyOverride = *.local 127.0.0.1
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
FF - ProfilePath - c:\documents and settings\Pamc\Application Data\Mozilla\Firefox\Profiles\ldwkknq5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - 
FF - prefs.js: keyword.URL - 
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -

BHO-{474597C5-AB09-49d6-A4D5-2E8D7341384E} - c:\progra~1\IMESHA~1\MediaBar\Datamngr\IEBHO.dll
HKCU-Run-PowerBar - (no file)
HKLM-Run-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
Notify-dimsntfy - (no file)
Notify-WgaLogon - (no file)
MSConfigStartUp-DATAMNGR - c:\progra~1\IMESHA~1\MediaBar\Datamngr\DATAMN~1.EXE
MSConfigStartUp-ICQ - c:\program files\ICQ7.2\ICQ.exe
AddRemove-iMesh MediaBar - c:\program files\iMesh Applications\MediaBar\uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-15 15:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????????????l?@?l?@?D??????w???????????????wl?@?l?@????? ???????????g??w???w???????w???wx??????????w???????? ??????????????|x???0??????????????????w??????????? ?????<???,???P???????l?@?l?@????????w????t?@?????l?@?8?@ ?l?@?3??s????????????????????8?@?_??s8?@?8?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-1060284298-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D533C0C2-8944-1FD5-6911-F5AE644EB8B6}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnhfpdbdphnbpfijehpjjhgkbikcfmaom"=hex:61,61,00,00
"bbnhfpdbdphnbpfijekpagecdndmjkneaafa"=hex:61,61,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0A23C812-28A4-A3EF-EC599404379BDED8}\{EDDB7AE9-60BA-FC8B-2A36AEA66116E16E}\{30AFDBAC-89B1-0DCB-309A1919CB2D0BED}*]
"VBOGEGOY1DKTBDELSVQBDYRDXB1"=hex:01,00,01,00,00,00,00,00,d4,b3,d7,da,ae,5a,86,f1,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{580924E7-4534-80EF-AD4675C17646FF10}\{0EFB2AA0-1A3E-507D-F9B34D5CF29081CD}\{BBABFA65-B0A6-C96D-B621BCAFF6A8D6D6}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,0c,79,41,bb,23,20,82,6c,2c,7f,35,7b,4c,7d,69,0f,7e,58,2a,12,49,f3,57,a4,40,25,e6,b4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6D5E2939-A5DB-D6BD-9F41807AA850BA06}\{A2236650-A135-615F-2FB3B5C141AE354B}\{89F48E34-795A-D0CC-A11D96A744FB88CA}*]
"VBOGEGOY1DKTBDELSVQBDYRDXB1"=hex:01,00,01,00,00,00,00,00,d4,b3,d7,da,ae,5a,86,f1,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7089373C-39A3-A5D7-72E0F9B1B1BA828D}\{72DE6895-E215-C85D-4F9099F65ABBB5F8}\{8DFB3C3E-A988-D036-8A13836ED250FFE4}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,0c,79,41,bb,23,20,82,6c,2c,7f,35,7b,4c,7d,69,0f,7e,58,2a,12,49,f3,57,a4,40,25,e6,b4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9D7D745F-2DA2-E26E-67E2A61C92B5C873}\{869A1319-CB5B-72EF-32E86935B8210920}\{0F637A1B-C125-DB37-203685E7DE12B741}*]
"VBOGEGOY1DKTBDELSVQBDYRDXB1"=hex:01,00,01,00,00,00,00,00,d4,b3,d7,da,ae,5a,86,f1,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C9E2B393-56C9-49A0-E9536816E76F722D}\{C3EAC204-1FBE-55E0-B9FAECEF4AC48E44}\{36C3AF1D-C1DF-E2E1-C86849C42C7FDBDC}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,0c,79,41,bb,23,20,82,6c,2c,7f,35,7b,4c,7d,69,0f,7e,58,2a,12,49,f3,57,a4,40,25,e6,b4,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \B13D8D0B1FD22FA0]
"1"=hex:79,08,15,23,9e,4b,ad,44,85,c9,e9,3c,03,fe,d3,3f,f3,14,12,4f,01,36,44,b9
"2"=hex:6c,c5,5b,f7,b0,9e,32,e3,03,c6,40,3c,f9,93,f0,a3,e0,80,50,c4,b1,40,2f,48,ec,05,72,d0,e0,27,38,13
"3"=hex:79,08,15,23,9e,4b,ad,44,85,c9,e9,3c,03,fe,d3,3f,88,0a,70,d8,2f,23,2d,64,0e,4f,11,7b,2d,48,46,54,f2,60,49,21,f0,9e,bf,bb,ce,a9,b7,33,0c,9b,44,72

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \B13D8D0B1FD22FA0\2E23F88730107CE6]
"1"=hex:a5,c9,74,ec,b1,20,d6,a1,09,fa,f5,4f,55,50,73,85
"2"=hex:c2,16,dc,3c,cc,7d,65,bf
"3"=hex:7c,e6,56,5f,89,3f,15,74,19,26,ce,dc,3f,35,d9,63,29,b1,a8,b1,58,a0,73,a3,40,b6,de,fa,b1,85,a1,21,cd,84,2d,4d,79,56,2c,1f,b6,44,31,6c,59,37,d8,c4,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:79,08,15,23,9e,4b,ad,44,85,c9,e9,3c,03,fe,d3,3f,ce,c8,a9,1f,59,5f,3d,24,37,04,40,4a,f4,30,65,d4,c0,58,80,e5,16,68,3a,98,2e,8c,39,a1,58,3c,47,ff,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,0f,4c,cc,a5,de,3d,e8,28,eb,0d,1f,2f,e8,36,93,88,d5,3a,78,4f,81,66,7d,c8,40,7e,de,c3,55,ed,4f,45
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:70,56,26,33,e3,20,f8,ab
"10"=hex:07,96,b3,35,9e,5a,1a,0b
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c

[HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3040)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Avast5\AvastSvc.exe
c:\program files\EPSON\ESM2\eEBSVC.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Ad-Aware\AAWTray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-12-15 15:51:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-15 02:51

Pre-Run: 17,135,808,512 bytes free
Post-Run: 17,056,813,056 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 6F14D9B494B3B791A7E4443A071315B2
```
| 1161700 | 2010-12-15 05:24:00 | That is ok. I don't see any malware there now.... how are things working? You will need to reset to whatever browser you were using. | Pancake (6359) | ||
| 1161701 | 2010-12-15 09:52:00 | Thank you very much for scanning my various log files, Pancake. Much appreciated. Sadly I now have Firefox back as my default browser, and after IE was doing the auto startup thing to that SLI page, NOW it has reverted back to Firefox when I reset the default, so no, the problem has not been solved, and if you can't see anything malicious in the logs I am at a total loss. I am even more surprised when I see that it might appear that that SLI page is a technical centre of some kind? The only connection with NVidia I have is that my video drivers are as follows: NVIDIA GeForce 7300 GT [Display adapter]; HSD HU196D [Monitor] (19.1" vis, s/n 612GA0JCA8875, March 2006). Seems I have to live with this PAIN every time I boot up then? siiiiiiiiiiggggggggggggghhhhhhhhhhhh :waughh: | linzi (13473) | ||
| 1161702 | 2010-12-15 11:44:00 | I doubt this is caused by malware since SLI Zone is a legitimate site run by nVidia. I also see you have an nVidia graphics card. It's probably gotten stuck in your startup somehow after a driver update or something. (Usually this kind of thing is designed to run once and then delete itself after the next reboot.) I would download Autoruns (technet.microsoft.com) and check that a link to that site is not in a startup section somewhere. If it is, delete it. | Agent_24 (57) | ||
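One way to do the check Agent_24 describes from a console instead of clicking through Autoruns, as an added example that is not from the thread and not part of Autoruns, ComboFix or any other tool named above: a read-only PowerShell script that walks the per-user and machine Run/RunOnce keys, both Startup folders and the scheduled-task list, and reports every entry whose command or shortcut target carries a URL, which is exactly how a legitimate site such as slizone.com ends up opening in the default browser at every logon. The registry paths and the "Shell Folders" lookups are standard Windows locations; the URL pattern and the report layout are this example's own choices, and it is written against PowerShell 2 syntax so that it also runs on an XP machine like the one in the thread. It only lists findings; nothing is deleted.

```powershell
# Added example: list autostart entries that reference a URL. Read-only.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Heuristic chosen for this example: anything that looks like a web address,
# or a browser being handed an .htm/.url file, is worth a second look.
$urlPattern = 'https?://|www\.|\.com\b|\.htm|\.url\b'

$findings = @()
function Add-Finding($location, $name, $command) {
    $script:findings += New-Object PSObject -Property @{
        Location = $location; Name = $name; Command = $command
    }
}

# 1. Run / RunOnce values
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # PowerShell's own metadata
        if ("$($p.Value)" -match $urlPattern) { Add-Finding $key $p.Name $p.Value }
    }
}

# 2. Startup folders, located via the Shell Folders keys so the same code works
#    on XP and on later Windows. .url files are INI text with a URL= line;
#    .lnk targets are read through the WScript.Shell COM object.
$startupFolders = @(
    (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').Startup,
    (Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').'Common Startup'
)
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in $startupFolders) {
    if (-not $folder -or -not (Test-Path $folder)) { continue }
    foreach ($item in Get-ChildItem -Path $folder | Where-Object { -not $_.PSIsContainer }) {
        $target = $item.FullName
        switch ($item.Extension.ToLower()) {
            '.url' {
                $line = Get-Content $item.FullName | Where-Object { $_ -match '^URL=' } | Select-Object -First 1
                if ($line) { $target = $line.Substring(4) }
            }
            '.lnk' {
                $sc = $shell.CreateShortcut($item.FullName)
                $target = ($sc.TargetPath + ' ' + $sc.Arguments).Trim()
            }
        }
        if ($target -match $urlPattern) { Add-Finding $folder $item.Name $target }
    }
}

# 3. Scheduled tasks (schtasks ships with XP and later; CSV output is parsed here)
if (Get-Command schtasks.exe -ErrorAction SilentlyContinue) {
    $tasks = schtasks /query /fo csv /v | ConvertFrom-Csv
    foreach ($t in $tasks) {
        if ($t.'Task To Run' -match $urlPattern) {
            Add-Finding 'Scheduled Tasks' $t.TaskName $t.'Task To Run'
        }
    }
}

if ($findings.Count -eq 0) {
    'No autostart entry references a URL.'
} else {
    $findings | Format-Table Location, Name, Command -AutoSize -Wrap
}
```

Run it from a normal PowerShell prompt; the HKLM keys and the common Startup folder are readable without elevation, so no administrator rights are needed just to look. The pattern deliberately errs on the side of reporting too much (a plain `.com` executable name will match too), because the point is to hand a short list to a human for the "if it is, delete it" decision rather than to remove anything automatically. Locations the script does not cover, such as Winlogon, Active Setup, browser helper objects and services, are exactly what Autoruns adds on top of this.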
| 1161703 | 2010-12-15 20:01:00 | Well I don't know how you all did it, but you did... :clap :clap :clap :clap This morning on boot up............. LO and Behold NOTHING :) Well done and a peaceful Christmas to you all. Pam | linzi (13473) | ||
| 1161704 | 2010-12-15 21:13:00 | Ok. Glad it's all working again. | Pancake (6359) | ||
| 1161705 | 2010-12-17 21:23:00 | It's BACK :badpc: | linzi (13473) | ||
| 1161706 | 2010-12-17 21:53:00 | As far as I can find out SLIzone belongs to Nvidia so it looks like some configuration that needs fixing. Try asking at ... NVIDIA SLI Zone - http://www.slizone.com | Pancake (6359) | ||
| 1161707 | 2011-02-08 20:16:00 | Nothing has changed. Still have Firefox opening automatically with the SLIzone page. No reply from www.SLIzone.com. Am I stuck with this FOREVER? | linzi (13473) | ||