
machine acting strange


  • This topic is locked
209 replies to this topic

#166 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 12 November 2008 - 05:58 PM

That may be. When we were transferring files using the flash drive, when I placed it in the clean computer and ran a Norton scan, there was a Win32 virus detected and cleaned from the drive. I just don't remember the entire name. Now how do we eradicate this pesky devil?



#167 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 12 November 2008 - 06:15 PM

Download & run this file
http://www.techsuppo...Disinfector.exe

Be sure to insert any flash drives or USB devices that you use.


Copy/paste the text in the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

File::
C:\WINDOWS\TEMP\winpwuh.exe
C:\WINDOWS\TEMP\lmjb.exe
C:\WINDOWS\TEMP\winogmn.exe
C:\WINDOWS\TEMP\windngm.exe
C:\WINDOWS\TEMP\euwf.exe
C:\WINDOWS\TEMP\winexpld.exe
C:\WINDOWS\TEMP\winarrsbc.exe
C:\WINDOWS\TEMP\winvnejcs.exe
C:\WINDOWS\TEMP\pdwh.exe
C:\WINDOWS\TEMP\windvwe.exe
C:\WINDOWS\TEMP\kqyvc.exe
C:\WINDOWS\TEMP\winmkcj.exe
C:\WINDOWS\TEMP\myai.exe
C:\WINDOWS\TEMP\wineanbk.exe
C:\WINDOWS\TEMP\winfwgc.exe
C:\autorun.inf
C:\WINDOWS\system32\drivers\hhgmrs.sys

Folder::
C:\Program Files\Viewpoint

Driver::
hhgmrs
abp470n5

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=1
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\TEMP\winpwuh.exe"=-
"C:\WINDOWS\TEMP\lmjb.exe"=-
"C:\WINDOWS\TEMP\winogmn.exe"=-
"C:\WINDOWS\TEMP\windngm.exe"=-
"C:\WINDOWS\TEMP\euwf.exe"=-
"C:\WINDOWS\TEMP\winexpld.exe"=-
"C:\WINDOWS\TEMP\winarrsbc.exe"=-
"C:\WINDOWS\TEMP\winvnejcs.exe"=-
"C:\WINDOWS\TEMP\pdwh.exe"=-
"C:\WINDOWS\TEMP\windvwe.exe"=-
"C:\WINDOWS\TEMP\kqyvc.exe"=-
"C:\WINDOWS\TEMP\winmkcj.exe"=-
"C:\WINDOWS\TEMP\myai.exe"=-
"C:\WINDOWS\TEMP\wineanbk.exe"=-
"C:\WINDOWS\TEMP\winfwgc.exe"=-

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:
1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...



Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom
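The CFScript in the post above is a plain-text instruction file for ComboFix: each `Section::` header starts a list of items, and the Registry:: section uses .reg syntax, where a bracketed line selects the key, "name"=- removes a value and any other data sets it. The parser below is an added example (not ComboFix's code and not from this post); it turns such a script into the list of actions it requests, so the items can be reviewed before the script is dropped onto ComboFix. The sample script is constructed from lines of the post.

```python
"""Parse a ComboFix CFScript into the actions it asks ComboFix to take.

Added example: this is not ComboFix code and not from the forum post.
It handles the four section types used in the post (File::, Folder::,
Driver::, Registry::) and assumes the Registry:: section follows .reg
conventions: "[key]" opens a key, "name"=- removes a value, and any
other data sets it. SAMPLE_CFSCRIPT is constructed from the post.
"""
import re

SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\TEMP\winpwuh.exe
C:\autorun.inf
C:\WINDOWS\system32\drivers\hhgmrs.sys

Folder::
C:\Program Files\Viewpoint

Driver::
hhgmrs
abp470n5

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=1
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\TEMP\winpwuh.exe"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Section header -> action list it feeds (Registry:: is handled separately).
SIMPLE_SECTIONS = {
    "file": "delete_file",
    "folder": "delete_folder",
    "driver": "remove_driver",
}


def parse_cfscript(text):
    """Return a dict of action lists; raises ValueError on malformed input."""
    actions = {
        "delete_file": [], "delete_folder": [], "remove_driver": [],
        "registry_set": [], "registry_remove": [],
    }
    section = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            current_key = None
            if section != "registry" and section not in SIMPLE_SECTIONS:
                raise ValueError(f"line {lineno}: unknown section {line!r}")
            continue
        if section in SIMPLE_SECTIONS:
            actions[SIMPLE_SECTIONS[section]].append(line)
        elif section == "registry":
            key = KEY_RE.match(line)
            if key:
                current_key = key.group("key")
                continue
            value = VALUE_RE.match(line)
            if value is None or current_key is None:
                raise ValueError(f"line {lineno}: registry entry outside a key: {line!r}")
            name, data = value.group("name"), value.group("data")
            if data == "-":
                actions["registry_remove"].append((current_key, name))
            else:
                actions["registry_set"].append((current_key, name, data))
        else:
            raise ValueError(f"line {lineno}: content before any section: {line!r}")
    return actions


def summarize(actions):
    """Count of requested actions per kind, for a quick review before running."""
    return {kind: len(items) for kind, items in actions.items()}


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for kind, items in parsed.items():
        for item in items:
            print(f"{kind:16} {item}")
    print(summarize(parsed))
```

Reading the output before running the real thing is the point: every path in `delete_file` and every `registry_remove` entry is something the script will act on, so a typo in a path or a value that was not in the log stands out here rather than after the reboot.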

 


#168 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 12 November 2008 - 06:36 PM

All instructions followed.

Here are the logs

ComboFix 08-11-11.01 - James 2008-11-12 19:21:54.17 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1493 [GMT -5:00]
Running from: c:\documents and settings\James\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\James\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\autorun.inf
c:\windows\system32\drivers\hhgmrs.sys
c:\windows\TEMP\euwf.exe
c:\windows\TEMP\kqyvc.exe
c:\windows\TEMP\lmjb.exe
c:\windows\TEMP\myai.exe
c:\windows\TEMP\pdwh.exe
c:\windows\TEMP\winarrsbc.exe
c:\windows\TEMP\windngm.exe
c:\windows\TEMP\windvwe.exe
c:\windows\TEMP\wineanbk.exe
c:\windows\TEMP\winexpld.exe
c:\windows\TEMP\winfwgc.exe
c:\windows\TEMP\winmkcj.exe
c:\windows\TEMP\winogmn.exe
c:\windows\TEMP\winpwuh.exe
c:\windows\TEMP\winvnejcs.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\winfwgc.exe
F:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Legacy_NPF
-------\Service_abp470n5


((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13 )))))))))))))))))))))))))))))))
.

2008-11-12 18:34 . 2008-11-12 18:34 <DIR> d-------- C:\rsit
2008-11-12 17:25 . 2008-11-12 17:41 3,212 --a------ c:\windows\system32\tmp.reg
2008-11-12 16:51 . 2008-11-12 16:51 434 --a------ c:\windows\Shortcut to Shared Documents.lnk
2008-11-12 14:33 . 2008-11-12 17:00 <DIR> d-------- C:\SDFix
2008-11-11 22:04 . 2008-11-11 22:04 118 --a------ c:\windows\system32\MRT.INI
2008-11-11 22:01 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 21:59 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 21:33 . 2008-11-11 21:33 <DIR> d-------- c:\documents and settings\James\DoctorWeb
2008-11-11 11:16 . 2008-11-11 11:16 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-11-09 13:49 . 2004-08-10 06:00 169,984 --a------ c:\windows\system32\dllcache\iisui.dll
2008-11-09 13:49 . 2004-08-10 06:00 94,720 --a------ c:\windows\system32\dllcache\certmap.ocx
2008-11-09 13:49 . 2001-08-17 14:56 66,048 --a------ c:\windows\system32\dllcache\s3legacy.dll
2008-11-09 13:49 . 2004-08-10 06:00 19,968 --a------ c:\windows\system32\dllcache\inetsloc.dll
2008-11-09 13:49 . 2004-08-10 06:00 14,336 --a------ c:\windows\system32\dllcache\iisreset.exe
2008-11-09 13:49 . 2004-08-10 06:00 7,680 --a------ c:\windows\system32\dllcache\inetmgr.exe
2008-11-09 13:49 . 2004-08-10 06:00 7,168 --a------ c:\windows\system32\dllcache\wamregps.dll
2008-11-09 13:49 . 2004-08-10 06:00 6,144 --a------ c:\windows\system32\dllcache\ftpsapi2.dll
2008-11-09 13:49 . 2004-08-10 06:00 5,632 --a------ c:\windows\system32\dllcache\iisrstap.dll
2008-11-09 11:28 . 2008-11-09 11:28 <DIR> d-------- c:\program files\Sun
2008-11-09 11:27 . 2008-11-09 11:27 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-09 11:27 . 2008-11-09 11:27 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-09 10:14 . 2008-11-09 10:16 <DIR> d-------- C:\Lop SD
2008-11-07 20:57 . 2008-11-11 12:29 <DIR> d-a------ c:\program files\Qoobox
2008-11-07 20:11 . 2008-11-07 20:11 <DIR> d-------- c:\program files\ERUNT
2008-11-07 19:50 . 2008-11-07 19:50 <DIR> d-------- c:\documents and settings\James\Application Data\U3
2008-11-06 18:41 . 2008-11-06 18:41 <DIR> d-------- c:\documents and settings\Earlene\Application Data\Malwarebytes
2008-11-05 15:35 . 2008-11-05 15:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-05 15:35 . 2008-11-05 15:35 <DIR> d-------- c:\documents and settings\James\Application Data\Malwarebytes
2008-11-05 15:35 . 2008-11-05 15:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-05 15:35 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-05 15:35 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-16 00:07 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-16 00:07 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-16 00:06 . 2008-08-14 05:11 2,189,184 --a------ c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-16 00:06 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-16 00:06 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 17:23 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
2008-11-12 14:47 --------- d-----w c:\program files\Kodak
2008-11-12 02:04 --------- d-----w c:\program files\Trend Micro
2008-11-09 16:27 --------- d-----w c:\program files\Java
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-14 01:11 --------- d-----w c:\program files\LimeWire
2008-10-14 01:11 --------- d-----w c:\documents and settings\Earlene\Application Data\LimeWire
2007-02-04 15:55 0 ----a-w c:\documents and settings\Earlene\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-11-11_17.27.57.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-24 11:21:09 455,296 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-11-12 03:02:48 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2008-04-14 00:12:01 1,306,624 ------w c:\windows\system32\dllcache\msxml6.dll
+ 2008-09-10 01:14:56 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
- 2008-10-07 19:19:40 16,721,856 ----a-w c:\windows\system32\MRT.exe
+ 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\system32\MRT.exe
- 2008-04-14 00:12:01 1,104,896 ----a-w c:\windows\system32\msxml3.dll
+ 2008-09-04 17:15:04 1,106,944 ----a-w c:\windows\system32\msxml3.dll
- 2007-05-08 19:03:04 1,275,392 ----a-w c:\windows\system32\msxml4.dll
+ 2008-09-30 21:43:34 1,286,152 ----a-w c:\windows\system32\msxml4.dll
- 2008-04-14 00:12:01 1,306,624 ------w c:\windows\system32\msxml6.dll
+ 2008-09-10 01:14:56 1,307,648 ----a-w c:\windows\system32\msxml6.dll
- 2008-11-11 17:21:25 70,012 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-12 02:38:47 70,530 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-11 17:21:25 409,724 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-12 02:38:48 410,600 ----a-w c:\windows\system32\perfh009.dat
- 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-07-08 13:02:01 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-11-13 00:25:13 16,384 ----atw c:\windows\temp\Perflib_Perfdata_724.dat
+ 2008-09-30 21:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 21:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 398864]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1764864]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1470464]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1105920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 831579]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 126976]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 294912]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 155648]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-09 214424]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 283888]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-01-23 24576]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2008-01-11 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.speex32"= speex32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\WRAL DESKTOP WEATHER\\TrueWeather.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\WINDOWS\\system32\\WLTRAY.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Dell\\QuickSet\\quickset.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"=
"c:\\WINDOWS\\stsystra.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 14\\TMAS_OE\\TMAS_OEMon.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 14\\pccmain.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE"=
"c:\\WINDOWS\\TEMP\\wincpik.exe"=
"c:\\WINDOWS\\TEMP\\winmveqbf.exe"=

S3 w300bus;Sony Ericsson W300 Driver driver (WDM);c:\windows\system32\DRIVERS\w300bus.sys [2006-03-13 60800]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-12 19:25:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\ehome\ehmsas.exe
c:\windows\temp\wincpik.exe
c:\windows\temp\winmveqbf.exe
.
**************************************************************************
.
Completion time: 2008-11-12 19:31:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-13 00:31:41
ComboFix2.txt 2008-11-12 19:08:40
ComboFix3.txt 2008-11-12 18:38:10
ComboFix4.txt 2008-11-12 17:24:50
ComboFix5.txt 2008-11-13 00:21:24

Pre-Run: 49,308,037,120 bytes free
Post-Run: 49,272,434,688 bytes free

239 --- E O F --- 2008-10-24 17:55:59


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:32:23, on 2008-11-12
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\wincpik.exe
C:\WINDOWS\TEMP\winmveqbf.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6613 bytes


Still unable to get into Trend Internet Security. Two new .exe files in the temp folder.

Have to go for tonight, up at 3 am for work. Will check in tomorrow late afternoon for your next instructions.

Thanks to all for help today.
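The two logs above carry the indicators the helper is acting on: executables running from C:\WINDOWS\TEMP, firewall AuthorizedApplications entries for those same executables, Security Center override values set to 1, and the DisableTaskMgr/DisableRegistryTools policies. As an added example (not part of the thread, and not HijackThis or ComboFix code), the following Python triage script encodes those checks as rules over individual log lines; the sample lines are copied from the logs in this post.

```python
"""Triage rules for HijackThis / ComboFix style log lines.

Added example: not part of the thread and not HijackThis or ComboFix
code. Each finding is a (rule, evidence) pair. SAMPLE_LOG is constructed
from lines of the logs posted above (running processes, the firewall
AuthorizedApplications list, Security Center and policy values).
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\TEMP\wincpik.exe
C:\WINDOWS\TEMP\winmveqbf.exe
"c:\\WINDOWS\\TEMP\\wincpik.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"EnableFirewall"= 0 (0x0)
"AntiVirusDisableNotify"=dword:00000001
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
"""

# Executables living directly under %WINDIR%\TEMP: legitimate software does
# not normally run or persist from there.
TEMP_BINARY = re.compile(r'(?i)\\windows\\temp\\[^\\\s"]+\.(?:exe|dll|sys|scr)\b')
# "name"=data, as printed in the registry sections of ComboFix output.
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')

# Security Center values that silence or override AV/firewall/update alerts.
SECURITY_CENTER_FLAGS = {
    "AntiVirusDisableNotify", "AntiVirusOverride", "FirewallDisableNotify",
    "FirewallOverride", "UpdatesDisableNotify", "UacDisableNotify",
    "DisableMonitoring",
}
# Policies that lock the user out of Task Manager and the registry editor.
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools"}


def value_as_int(data):
    """Decode 'dword:00000001' or '1 (0x1)' style data; None if not numeric."""
    data = data.strip()
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"^\d+", data)
    return int(m.group(0)) if m else None


def triage_line(line):
    """Return a list of (rule, evidence) findings for one log line."""
    # .reg-style output doubles backslashes; collapse them so one regex fits.
    norm = line.strip().replace("\\\\", "\\")
    if not norm:
        return []
    reg = REG_VALUE.match(norm)
    if reg:
        name, data = reg.group("name"), reg.group("data")
        val = value_as_int(data)
        # An AuthorizedApplications entry has an empty data part and a path as name.
        if data.strip() == "" and TEMP_BINARY.search(name):
            return [("firewall-exception-for-temp-binary", name)]
        if name in SECURITY_CENTER_FLAGS and val:
            return [("security-center-suppressed", name)]
        if name in LOCKOUT_POLICIES and val:
            return [("admin-tool-disabled", name)]
        if name == "EnableFirewall" and val == 0:
            return [("windows-firewall-off", name)]
        return []
    if TEMP_BINARY.search(norm):
        return [("binary-in-windows-temp", norm)]
    return []


def triage_log(text):
    """Run every rule over every line of a pasted log."""
    findings = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


def count_by_rule(findings):
    """Rule -> number of hits, the shape a helper scans first."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    for rule, evidence in triage_log(SAMPLE_LOG):
        print(f"{rule:36} {evidence}")
```

The rules are deliberately narrow and each one maps to a line the helper actually wrote a fix for in this thread: the TEMP executables go into the File:: section, their firewall exceptions get the `=-` removal, and the lockout policies and Security Center overrides are what stop the user from opening Task Manager or seeing that Trend Micro has been switched off.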

#169 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 13 November 2008 - 06:44 AM

The thumb drive shouldn't ever be used again. If it's infected with Salty as well, chances are it can't be cleaned.

I need you to go into IE Tools > Internet Options > Security > Trusted Sites and add *.kaspersky.com.
Also add *.windows.com
Be sure to use the * and the .

Next:

Please download HostsXpert.
  • Unzip HostsXpert.zip
  • Double click on HostsXpert.exe
  • Then click on "Restore Original Hosts" to restore your Hosts file to its default condition.
  • Click on Make Hosts Read Only to secure it against further infection.
  • Close program when complete.

If you can run the host fix, just move on.

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


 


#170 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 13 November 2008 - 04:32 PM

Unable to add those sites to the trusted list. Got a dialog box stating that all sites added must use the https:// prefix. Ran HostsXpert.exe. Unable to get to the Kaspersky website.

#171 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 13 November 2008 - 04:35 PM

I need you to go into IE Tools > Internet Options > Security > Trusted Sites and
add https://*.kaspersky.com.
Also add https://*.windows.com
Be sure to use the * and the .

Now try it.


 


#172 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 13 November 2008 - 04:39 PM

Items added ok but still unable to access site.

#173 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 13 November 2008 - 04:56 PM

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt


Use notepad to open both and Copy / Paste the contents here.


 


#174 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 13 November 2008 - 04:58 PM

How do I disable script blocking?

#175 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 13 November 2008 - 04:59 PM

How do I disable script blocking?

I'm sure you're ok to move on.


 



#176 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 13 November 2008 - 05:02 PM

Here are the logs

DDS (Version 1.0) - NTFSx86
Run by James at 18:00:05.23 on 2008-11-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1524 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\TEMP\windumtar.exe
C:\WINDOWS\TEMP\winajnjv.exe
C:\WINDOWS\TEMP\bklwon.exe
C:\Documents and Settings\James\Desktop\dds.scr
C:\DOCUME~1\James\LOCALS~1\Temp\RarSFX0\FI.exe

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070123
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\bae\BAE.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dlbcserv.lnk - c:\program files\dell photo printer 720\dlbcserv.exe
mPolicies-system: InstallVisualStyle = c:\windows\resources\themes\royale\Royale.msstyles
mPolicies-system: InstallTheme = c:\windows\resources\themes\Royale.theme
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office11\MSOXMLMF.DLL
Notify: AtiExtEvent -Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\hhgmrs.sys
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);c:\windows\system32\drivers\w300bus.sys
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe"

=============== Created Last 30 ================

2008-11-12 17:25 3,212 a------- c:\windows\system32\tmp.reg
2008-11-12 16:51 434 a------- c:\windows\Shortcut to Shared Documents.lnk
2008-11-12 14:33 <DIR> --d----- C:\SDFix
2008-11-11 22:04 118 a------- c:\windows\system32\MRT.INI
2008-11-11 22:01 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 21:59 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 21:33 <DIR> --d----- c:\documents and settings\james\DoctorWeb
2008-11-11 11:16 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2008-11-09 13:49 7,168 a------- c:\windows\system32\dllcache\wamregps.dll
2008-11-09 13:49 66,048 a------- c:\windows\system32\dllcache\s3legacy.dll
2008-11-09 13:49 19,968 a------- c:\windows\system32\dllcache\inetsloc.dll
2008-11-09 13:49 7,680 a------- c:\windows\system32\dllcache\inetmgr.exe
2008-11-09 13:49 169,984 a------- c:\windows\system32\dllcache\iisui.dll
2008-11-09 13:49 5,632 a------- c:\windows\system32\dllcache\iisrstap.dll
2008-11-09 13:49 14,336 a------- c:\windows\system32\dllcache\iisreset.exe
2008-11-09 13:49 6,144 a------- c:\windows\system32\dllcache\ftpsapi2.dll
2008-11-09 13:49 94,720 a------- c:\windows\system32\dllcache\certmap.ocx
2008-11-09 11:28 <DIR> --d----- c:\program files\Sun
2008-11-09 11:27 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-09 11:27 73,728 a------- c:\windows\system32\javacpl.cpl
2008-11-09 10:14 <DIR> --d----- C:\Lop SD
2008-11-09 08:45 <DIR> a-d----- C:\autorun.inf
2008-11-07 21:00 <DIR> --d----- C:\cmdcons
2008-11-07 20:57 161,792 a------- c:\windows\SWREG.exe
2008-11-07 20:57 98,816 a------- c:\windows\sed.exe
2008-11-07 20:57 <DIR> a-d----- c:\program files\Qoobox
2008-11-05 15:35 <DIR> --d----- c:\docume~1\james\applic~1\Malwarebytes
2008-11-05 15:35 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-05 15:35 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-05 15:35 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-05 15:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-10-16 00:07 333,824 -------- c:\windows\system32\dllcache\srv.sys
2008-10-16 00:07 1,846,400 -------- c:\windows\system32\dllcache\win32k.sys 2008-10-16 00:06 2,189,184 a------- c:\windows\system32\dllcache\ntoskrnl.exe 2008-10-16 00:06 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe 2008-10-16 00:06 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe ==================== Find3M ==================== 2008-11-12 12:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kodak 2008-11-12 09:47 <DIR> --d----- c:\program files\Kodak 2008-11-11 21:04 <DIR> --d----- c:\program files\Trend Micro 2008-10-15 11:34 337,408 a------- c:\windows\system32\dllcache\netapi32.dll 2008-10-13 20:11 <DIR> --d----- c:\program files\LimeWire 2008-10-08 12:08 <DIR> --d----- c:\program files\Messenger 2008-10-08 11:41 88,183 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat 2008-10-08 11:30 <DIR> --d----- c:\program files\Windows NT 2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll 2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys 2008-09-09 20:14 1,307,648 a------- c:\windows\system32\msxml6.dll 2008-09-09 20:14 1,307,648 -------- c:\windows\system32\dllcache\msxml6.dll 2008-09-04 12:15 1,106,944 a------- c:\windows\system32\msxml3.dll 2008-08-27 22:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint 2008-08-23 18:57 <DIR> --d----- c:\docume~1\james\applic~1\alot 2008-08-20 00:30 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll 2008-08-20 00:30 619,520 a------- c:\windows\system32\dllcache\urlmon.dll 2008-08-20 00:30 1,499,136 a------- c:\windows\system32\dllcache\shdocvw.dll 2008-08-20 00:30 666,112 a------- c:\windows\system32\wininet.dll 2008-08-20 00:30 666,112 a------- c:\windows\system32\dllcache\wininet.dll 2008-05-26 12:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Adobe(2) 2008-05-26 12:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec 2008-02-27 14:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Dell 2008-01-11 19:16 <DIR> --d----- 
c:\docume~1\alluse~1\applic~1\Dell Photo Printer 720 2007-12-28 11:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SupportSoft 2007-08-15 18:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla! 2007-08-14 16:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft 2007-01-23 16:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro 2005-08-16 21:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DIGStream ============= FINISH: 18:00:28.58 =============== UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT DDS (Version 1.0) Microsoft Windows XP Professional Boot Device: \Device\HarddiskVolume2 Install Date: 2007-01-31 15:31:25 System Uptime: 2008-11-13 17:19:59 (1 hours ago) Motherboard: Dell Inc. | | 0XD720 Processor: Intel® Core™2 CPU T5600 @ 1.83GHz | Microprocessor | 1828/166mhz BIOS: Phoenix ROM BIOS PLUS Version 1.10 A15 | DELL - 27d70414 | A15 | 2007-04-19 20:00:00 ==== Disk Partitions ========================= C: is FIXED (NTFS) - 68 GiB total, 45.902 GiB free. 
D: is CDROM () E: is CDROM (CDFS) F: is Removable ==== Disabled Device Manager Items ============= ==== System Restore Points =================== RP313: 2008-08-14 21:14:00 - Software Distribution Service 3.0 RP314: 2008-08-16 13:12:19 - System Checkpoint RP315: 2008-08-18 16:18:44 - System Checkpoint RP316: 2008-08-20 10:03:05 - System Checkpoint RP317: 2008-08-23 13:55:16 - System Checkpoint RP318: 2008-08-25 18:30:33 - System Checkpoint RP319: 2008-08-26 18:39:12 - System Checkpoint RP320: 2008-08-27 19:28:45 - System Checkpoint RP321: 2008-08-28 20:12:01 - System Checkpoint RP322: 2008-08-29 20:12:57 - System Checkpoint RP323: 2008-08-30 20:55:31 - System Checkpoint RP324: 2008-08-31 21:13:37 - System Checkpoint RP325: 2008-09-02 11:43:21 - System Checkpoint RP326: 2008-09-03 13:46:41 - System Checkpoint RP327: 2008-09-05 12:28:22 - System Checkpoint RP328: 2008-09-08 18:01:20 - System Checkpoint RP329: 2008-09-09 23:47:06 - Software Distribution Service 3.0 RP330: 2008-09-11 15:51:48 - System Checkpoint RP331: 2008-09-13 12:09:31 - System Checkpoint RP332: 2008-09-15 00:34:08 - System Checkpoint RP333: 2008-09-16 18:10:53 - System Checkpoint RP334: 2008-09-17 19:04:16 - System Checkpoint RP335: 2008-09-18 11:33:29 - Software Distribution Service 3.0 RP336: 2008-09-19 12:18:45 - System Checkpoint RP337: 2008-09-21 00:27:45 - System Checkpoint RP338: 2008-09-22 19:17:21 - Software Distribution Service 3.0 RP339: 2008-09-25 17:18:51 - Restore Operation RP340: 2008-09-26 19:37:02 - System Checkpoint RP341: 2008-09-29 14:00:59 - System Checkpoint RP342: 2008-10-05 11:12:57 - System Checkpoint RP343: 2008-10-08 12:17:33 - Software Distribution Service 3.0 RP344: 2008-10-09 18:14:46 - System Checkpoint RP345: 2008-10-09 19:33:09 - Software Distribution Service 3.0 RP346: 2008-10-10 22:40:54 - System Checkpoint RP347: 2008-10-11 22:47:49 - System Checkpoint RP348: 2008-10-13 18:19:54 - System Checkpoint RP349: 2008-10-15 12:43:32 - System Checkpoint RP350: 2008-10-16 
01:37:21 - Software Distribution Service 3.0 RP351: 2008-10-17 12:43:58 - System Checkpoint RP352: 2008-10-18 18:05:38 - System Checkpoint RP353: 2008-10-19 19:09:00 - System Checkpoint RP354: 2008-10-20 20:10:43 - System Checkpoint RP355: 2008-10-22 20:06:25 - System Checkpoint RP356: 2008-10-23 22:20:15 - System Checkpoint RP357: 2008-10-24 13:55:08 - Software Distribution Service 3.0 RP358: 2008-10-25 20:22:01 - System Checkpoint RP359: 2008-10-26 20:25:16 - System Checkpoint RP360: 2008-10-27 21:09:30 - System Checkpoint RP361: 2008-10-28 22:32:58 - System Checkpoint RP362: 2008-10-30 21:08:55 - System Checkpoint RP363: 2008-11-01 14:27:02 - System Checkpoint RP364: 2008-11-02 15:02:52 - System Checkpoint RP365: 2008-11-03 15:09:18 - System Checkpoint RP366: 2008-11-05 14:45:59 - Restore Operation RP367: 2008-11-05 14:49:55 - Restore Operation RP368: 2008-11-05 15:29:47 - Software Distribution Service 3.0 RP369: 2008-11-06 19:13:12 - System Checkpoint RP370: 2008-11-07 20:57:40 - ComboFix created restore point RP371: 2008-11-07 21:44:27 - ComboFix created restore point RP372: 2008-11-07 22:08:08 - ComboFix created restore point RP373: 2008-11-08 19:09:06 - ComboFix created restore point RP374: 2008-11-08 22:41:21 - ComboFix created restore point RP375: 2008-11-09 11:27:10 - Installed Java™ 6 Update 10 RP376: 2008-11-09 11:28:00 - Installed OpenOffice.org Installer 1.0 RP377: 2008-11-09 16:33:56 - Software Distribution Service 3.0 RP378: 2008-11-11 08:48:29 - System Checkpoint RP379: 2008-11-11 11:31:13 - ComboFix created restore point RP380: 2008-11-11 12:19:48 - ComboFix created restore point RP381: 2008-11-11 17:26:17 - ComboFix created restore point RP382: 2008-11-11 22:02:04 - Software Distribution Service 3.0 RP383: 2008-11-12 08:10:11 - ComboFix created restore point RP384: 2008-11-12 13:28:56 - ComboFix created restore point RP385: 2008-11-12 13:58:54 - ComboFix created restore point RP386: 2008-11-12 19:21:34 - ComboFix created restore point ==== 
Installed Programs ====================== 32 Bit HP CIO Components Installer Acrobat.com Ad-Aware 2007 Adobe AIR Adobe Flash Player ActiveX Adobe Media Player Adobe Reader 9 AIO_Scan ALOT Toolbar America Online (Choose which version to remove) AOL Coach Version 1.0(Build:20040229.1 en) AOL Connectivity Services AOLIcon ATI Catalyst Control Center ATI Display Driver Broadcom Management Programs Conexant HDA D110 MDC V.92 Modem Dell Photo Printer 720 Dell Photo Printer 720 Logger Dell Support 3.2.1 Dell Support Center (Support Software) Dell Wireless WLAN Card Digital Content Portal Digital Line Detect Disc2Phone Documentation & Support Launcher EarthLink Setup Files EducateU ERUNT 1.1j ESPNMotion Games, Music, & Photos Launcher GemMaster Mystic Get High Speed Internet! High Definition Audio Driver Package - KB835221 HijackThis 2.0.2 Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 10 (KB903157) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB952287) HP Photosmart All-In-One Software 9.0 HP Photosmart Essential Internet Service Offers Launcher Jasc Paint Shop Photo Album Jasc Paint Shop Pro 8 Dell Edition Java™ 6 Update 10 Learn2 Player (Uninstall Only) Liberty Court Player 5.0 (build 181) LimeWire 4.14.10 Malwarebytes' Anti-Malware Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Office Small Business Edition 2003 Microsoft Plus! Digital Media Edition Installer Microsoft Plus! 
Photo Story 2 LE Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Works Modem Helper Mozilla Firefox (3.0.3) MSN MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) NetWaiting NetZeroInstallers OpenOffice.org Installer 1.0 Otto PowerDVD 5.7 PS_AIO_Software_min QuickSet QuickTime RealPlayer Scan SearchAssist Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950759) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953838) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956390) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Sonic DLA Sonic Encoders Sonic MyDVD LE Sonic RecordNow Audio Sonic RecordNow Copy Sonic RecordNow Data Sonic Update Manager Synaptics Pointing Device Driver Toolbox Trend Micro PC-cillin Internet Security 14 Update for Windows Media Player 10 (KB910393) Update for Windows Media 
Player 10 (KB913800) Update for Windows Media Player 10 (KB926251) Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update Rollup 2 for Windows XP Media Center Edition 2005 URL Assistant Viewpoint Manager (Remove Only) Viewpoint Media Player WebFldrs XP Windows Genuine Advantage Notifications (KB905474) Windows Genuine Advantage Validation Tool (KB892130) Windows Installer 3.1 (KB893803) Windows Media Format 11 runtime Windows Media Player 10 Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information] Windows Media Player 11 Windows XP Media Center Edition 2005 KB908246 Windows XP Media Center Edition 2005 KB925766 Windows XP Service Pack 3 WRAL DESKTOP WEATHER ==== Event Viewer Messages =================== 2008-11-08 07:04:40, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: szkg 2008-11-08 07:04:37, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The system cannot find the path specified. 2008-11-07 22:20:46, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 b0a29b26, parameter3 ae2c1ba4, parameter4 00000000. 2008-11-07 22:00:00, error: Schedule [7901] - The At47.job command failed to start due to the following error: General access denied error 2008-11-07 22:00:00, error: Schedule [7901] - The At23.job command failed to start due to the following error: General access denied error 2008-11-07 21:44:42, error: Service Control Manager [7034] - The Viewpoint Manager Service service terminated unexpectedly. It has done this 1 time(s). 
2008-11-07 20:00:00, error: Schedule [7901] - The At45.job command failed to start due to the following error: General access denied error 2008-11-07 20:00:00, error: Schedule [7901] - The At21.job command failed to start due to the following error: General access denied error 2008-11-07 19:00:00, error: Schedule [7901] - The At44.job command failed to start due to the following error: General access denied error 2008-11-07 19:00:00, error: Schedule [7901] - The At20.job command failed to start due to the following error: General access denied error 2008-11-07 18:57:31, error: System Error [1003] - Error code 10000050, parameter1 fffffff0, parameter2 00000000, parameter3 80526441, parameter4 00000000. 2008-11-06 18:00:00, error: Schedule [7901] - The At43.job command failed to start due to the following error: General access denied error 2008-11-06 18:00:00, error: Schedule [7901] - The At19.job command failed to start due to the following error: General access denied error 2008-11-08 19:44:13, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E} 2008-11-08 19:44:18, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} 2008-11-08 19:44:29, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811} 2008-11-08 19:44:54, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning. 
2008-11-08 19:44:54, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning. 2008-11-08 19:44:54, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning. 2008-11-08 19:44:54, error: Service Control Manager [7001] - The Fax service depends on the Print Spooler service which failed to start because of the following error: The dependency service or group failed to start. 2008-11-08 19:44:54, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning. 2008-11-08 19:44:54, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss szkg Tcpip tmtdi 2008-11-09 08:47:50, error: Service Control Manager [7031] - The Media Center Receiver Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service. 2008-11-09 08:47:50, error: Service Control Manager [7034] - The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s). 2008-11-09 08:47:50, error: Service Control Manager [7034] - The Ad-Aware 2007 Service service terminated unexpectedly. It has done this 1 time(s). 2008-11-09 08:47:50, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s). 2008-11-09 08:47:50, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s). 
2008-11-09 08:47:50, error: Service Control Manager [7034] - The Media Center Scheduler Service service terminated unexpectedly. It has done this 1 time(s). 2008-11-09 08:47:50, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s). 2008-11-09 08:47:50, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service. 2008-11-09 08:47:50, error: Service Control Manager [7034] - The SupportSoft Sprocket Service (dellsupportcenter) service terminated unexpectedly. It has done this 1 time(s). 2008-11-09 08:47:50, error: Service Control Manager [7034] - The WMI Performance Adapter service terminated unexpectedly. It has done this 1 time(s). 2008-11-09 08:47:50, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s). 2008-11-09 08:47:50, error: Service Control Manager [7031] - The Media Center Extender Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service. 2008-11-09 08:47:50, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. 2008-11-09 08:49:30, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 2 time(s). 2008-11-09 08:49:30, error: Service Control Manager [7031] - The Media Center Extender Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service. 2008-11-09 08:49:30, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. 
It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. 2008-11-09 08:53:52, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 b0e35b26, parameter3 b964fba4, parameter4 00000000. 2008-11-11 20:32:47, error: MRxSmb [8003] - The master browser has received a server announcement from the computer RHONDA-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{1DEA4D76-3AD0-4D69. The master browser is stopping or an election is being forced. 2008-11-12 14:31:00, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume. 2008-11-09 13:49:17, information: Windows File Protection [64016] - Windows File Protection file scan was started. 2008-11-09 13:50:39, information: Windows File Protection [64021] - The system file c:\program files\windows media player\mplayer2.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability. 2008-11-09 13:50:45, information: Windows File Protection [64018] - Windows File Protection file scan was cancelled by user interaction, user name is James. 2008-11-09 15:46:09, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\shdocvw.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5659. 2008-11-09 15:58:59, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\shdocvw.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512. ==== End Of File ===========================

#177 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 13 November 2008 - 05:33 PM

See if you can delete this file.
c:\windows\system32\drivers\hhgmrs.sys

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#178 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 13 November 2008 - 05:36 PM

That file is not found.

#179 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 13 November 2008 - 05:39 PM

What about this one?
See if you can delete this file.
c:\windows\system32\drivers\abp470n5


#180 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 13 November 2008 - 05:40 PM

Also not found
