Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93125 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

machine acting strange

Started by Gator , Nov 05 2008 03:27 PM

  • This topic is locked This topic is locked
209 replies to this topic

#121 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 11 November 2008 - 11:37 AM

Ok here are the two requested logs

ComboFix 08-11-10.01 - James 2008-11-11 12:20:01.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1441 [GMT -5:00]
Running from: c:\documents and settings\James\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\James\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Service_abp470n5


((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-11 11:16 . 2008-11-11 11:16 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-11-09 16:31 . 2008-11-09 16:31 <DIR> d---s---- c:\documents and settings\James\UserData
2008-11-09 13:49 . 2004-08-10 06:00 169,984 --a------ c:\windows\system32\dllcache\iisui.dll
2008-11-09 13:49 . 2004-08-10 06:00 94,720 --a------ c:\windows\system32\dllcache\certmap.ocx
2008-11-09 13:49 . 2001-08-17 14:56 66,048 --a------ c:\windows\system32\dllcache\s3legacy.dll
2008-11-09 13:49 . 2004-08-10 06:00 19,968 --a------ c:\windows\system32\dllcache\inetsloc.dll
2008-11-09 13:49 . 2004-08-10 06:00 14,336 --a------ c:\windows\system32\dllcache\iisreset.exe
2008-11-09 13:49 . 2004-08-10 06:00 7,680 --a------ c:\windows\system32\dllcache\inetmgr.exe
2008-11-09 13:49 . 2004-08-10 06:00 7,168 --a------ c:\windows\system32\dllcache\wamregps.dll
2008-11-09 13:49 . 2004-08-10 06:00 6,144 --a------ c:\windows\system32\dllcache\ftpsapi2.dll
2008-11-09 13:49 . 2004-08-10 06:00 5,632 --a------ c:\windows\system32\dllcache\iisrstap.dll
2008-11-09 11:28 . 2008-11-09 11:28 <DIR> d-------- c:\program files\Sun
2008-11-09 11:27 . 2008-11-09 11:27 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-09 11:27 . 2008-11-09 11:27 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-09 10:14 . 2008-11-09 10:16 <DIR> d-------- C:\Lop SD
2008-11-07 20:11 . 2008-11-07 20:11 <DIR> d-------- c:\program files\ERUNT
2008-11-07 19:50 . 2008-11-07 19:50 <DIR> d-------- c:\documents and settings\James\Application Data\U3
2008-11-06 18:41 . 2008-11-06 18:41 <DIR> d-------- c:\documents and settings\Earlene\Application Data\Malwarebytes
2008-11-05 15:35 . 2008-11-05 15:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-05 15:35 . 2008-11-05 15:35 <DIR> d-------- c:\documents and settings\James\Application Data\Malwarebytes
2008-11-05 15:35 . 2008-11-05 15:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-05 15:35 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-05 15:35 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-16 00:07 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-16 00:07 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-16 00:06 . 2008-08-14 05:11 2,189,184 --a------ c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-16 00:06 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-16 00:06 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-09 16:27 --------- d-----w c:\program files\Java
2008-10-14 01:11 --------- d-----w c:\program files\LimeWire
2008-10-14 01:11 --------- d-----w c:\documents and settings\Earlene\Application Data\LimeWire
2007-02-04 15:55 0 ----a-w c:\documents and settings\Earlene\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot_2008-11-11_11.33.45.64 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-11-09 15:56:59 69,896 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-11 17:21:25 70,012 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-09 15:56:59 409,416 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-11 17:21:25 409,724 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-11 17:22:26 16,384 ----atw c:\windows\temp\Perflib_Perfdata_708.dat
+ 2008-11-11 17:22:33 16,384 ----atw c:\windows\temp\Perflib_Perfdata_a20.dat
+ 2008-11-11 17:25:40 8,192 ----a-w c:\windows\temp\winsnlt.exe
+ 2008-11-11 17:25:32 7,680 ----a-w c:\windows\temp\winxxctvq.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 398864]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1764864]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1470464]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1105920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 831579]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 126976]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 294912]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 155648]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-09 214424]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 283888]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-01-23 24576]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2008-01-11 389120]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 249856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.speex32"= speex32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\WRAL DESKTOP WEATHER\\TrueWeather.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\WINDOWS\\system32\\WLTRAY.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Dell\\QuickSet\\quickset.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"=
"c:\\WINDOWS\\stsystra.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 14\\TMAS_OE\\TMAS_OEMon.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 14\\pccmain.exe"=
"c:\\WINDOWS\\TEMP\\winxxctvq.exe"=
"c:\\WINDOWS\\TEMP\\winsnlt.exe"=

S3 w300bus;Sony Ericsson W300 Driver driver (WDM);c:\windows\system32\DRIVERS\w300bus.sys [2006-03-13 60800]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2008-11-08 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - James.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe []
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 12:22:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\ehome\ehmsas.exe
c:\windows\temp\winxxctvq.exe
c:\windows\temp\winsnlt.exe
.
**************************************************************************
.
Completion time: 2008-11-11 12:29:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-11 17:29:25
ComboFix2.txt 2008-11-11 16:37:32
ComboFix3.txt 2008-11-09 14:05:57
ComboFix4.txt 2008-11-09 03:50:23
ComboFix5.txt 2008-11-11 17:19:41

Pre-Run: 50,404,925,440 bytes free
Post-Run: 50,282,569,728 bytes free

199 --- E O F --- 2008-10-24 17:55:59


Logfile of HijackThis v1.99.1
Scan saved at 12:31, on 2008-11-11
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\TEMP\winxxctvq.exe
C:\WINDOWS\TEMP\winsnlt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


Ran combox with CFScript file and after went through the some 50 steps, it rebooted the computer and started the second phase. Then got a dialog box that jusched.exe failed to initalize. Guess some problem now with the new version of Java that was downloaded.

Still unable to access any of the Internet Security program. Task manager still works.

    Advertisements

Register to Remove

#122 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 November 2008 - 12:15 PM

We at least removed that bad driver.

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text. 

File::
c:\windows\temp\winsnlt.exe
c:\windows\temp\winxxctvq.exe
c:\windows\temp\texgs.exe
c:\windows\temp\winfbpi.exe


Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\TEMP\\winxxctvq.exe"=-
"c:\\WINDOWS\\TEMP\\winsnlt.exe"=-
"c:\\windows\\temp\\texgs.exe"=-
"c:\windows\temp\winfbpi.exe"=-

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:
1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...


Posted Image

Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#123 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 11 November 2008 - 12:48 PM

ok just before got your last post checked temp folder and found two additional .exe files. They are texgs.exe winfbpi.exe Do you want me to include them in the CFScript file before running ComboFix???

#124 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 November 2008 - 07:20 PM

ok just before got your last post checked temp folder and found two additional .exe files. They are

texgs.exe
winfbpi.exe

Do you want me to include them in the CFScript file before running ComboFix???

I made the changes :thumbup:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#125 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 11 November 2008 - 07:41 PM

While was waiting, checked the temp folder and found that the two new .exe files were missing and that two others were there.

Went to run the cfscript in combofix and it would not run. Deleted the combofix and downloaded another copy. Placed the cfscript on combofix and it ran ok.

Think that the disappearance of the two .exe files and the problem with combofix are related.

here are the two logs

ComboFix 08-11-10.01 - James 2008-11-11 17:26:30.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1496 [GMT -5:00]
Running from: c:\documents and settings\James\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\James\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\temp\winsnlt.exe
c:\windows\temp\winxxctvq.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\temp\winsnlt.exe
c:\windows\temp\winxxctvq.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-11 11:16 . 2008-11-11 11:16 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-11-09 16:31 . 2008-11-09 16:31 <DIR> d---s---- c:\documents and settings\James\UserData
2008-11-09 13:49 . 2004-08-10 06:00 169,984 --a------ c:\windows\system32\dllcache\iisui.dll
2008-11-09 13:49 . 2004-08-10 06:00 94,720 --a------ c:\windows\system32\dllcache\certmap.ocx
2008-11-09 13:49 . 2001-08-17 14:56 66,048 --a------ c:\windows\system32\dllcache\s3legacy.dll
2008-11-09 13:49 . 2004-08-10 06:00 19,968 --a------ c:\windows\system32\dllcache\inetsloc.dll
2008-11-09 13:49 . 2004-08-10 06:00 14,336 --a------ c:\windows\system32\dllcache\iisreset.exe
2008-11-09 13:49 . 2004-08-10 06:00 7,680 --a------ c:\windows\system32\dllcache\inetmgr.exe
2008-11-09 13:49 . 2004-08-10 06:00 7,168 --a------ c:\windows\system32\dllcache\wamregps.dll
2008-11-09 13:49 . 2004-08-10 06:00 6,144 --a------ c:\windows\system32\dllcache\ftpsapi2.dll
2008-11-09 13:49 . 2004-08-10 06:00 5,632 --a------ c:\windows\system32\dllcache\iisrstap.dll
2008-11-09 11:28 . 2008-11-09 11:28 <DIR> d-------- c:\program files\Sun
2008-11-09 11:27 . 2008-11-09 11:27 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-09 11:27 . 2008-11-09 11:27 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-09 10:14 . 2008-11-09 10:16 <DIR> d-------- C:\Lop SD
2008-11-07 20:57 . 2008-11-11 12:29 <DIR> d-a------ c:\program files\Qoobox
2008-11-07 20:11 . 2008-11-07 20:11 <DIR> d-------- c:\program files\ERUNT
2008-11-07 19:50 . 2008-11-07 19:50 <DIR> d-------- c:\documents and settings\James\Application Data\U3
2008-11-06 18:41 . 2008-11-06 18:41 <DIR> d-------- c:\documents and settings\Earlene\Application Data\Malwarebytes
2008-11-05 15:35 . 2008-11-05 15:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-05 15:35 . 2008-11-05 15:35 <DIR> d-------- c:\documents and settings\James\Application Data\Malwarebytes
2008-11-05 15:35 . 2008-11-05 15:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-05 15:35 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-05 15:35 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-16 00:07 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-16 00:07 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-16 00:06 . 2008-08-14 05:11 2,189,184 --a------ c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-16 00:06 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-16 00:06 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-09 16:27 --------- d-----w c:\program files\Java
2008-10-15 16:34 337,408 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-14 01:11 --------- d-----w c:\program files\LimeWire
2008-10-14 01:11 --------- d-----w c:\documents and settings\Earlene\Application Data\LimeWire
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\dllcache\wininet.dll
2008-08-20 05:30 619,520 ----a-w c:\windows\system32\dllcache\urlmon.dll
2008-08-20 05:30 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-20 05:30 1,499,136 ----a-w c:\windows\system32\dllcache\shdocvw.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\dllcache\ntkrnlmp.exe
2008-08-14 10:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-02-04 15:55 0 ----a-w c:\documents and settings\Earlene\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 398864]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1764864]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1470464]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1105920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 831579]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 126976]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 294912]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 155648]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-09 214424]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 283888]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-01-23 24576]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2008-01-11 389120]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 249856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.speex32"= speex32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\WRAL DESKTOP WEATHER\\TrueWeather.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\WINDOWS\\system32\\WLTRAY.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Dell\\QuickSet\\quickset.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"=
"c:\\WINDOWS\\stsystra.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 14\\TMAS_OE\\TMAS_OEMon.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 14\\pccmain.exe"=

S3 w300bus;Sony Ericsson W300 Driver driver (WDM);c:\windows\system32\DRIVERS\w300bus.sys [2006-03-13 60800]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2008-11-08 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - James.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe []
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 17:27:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-11 17:28:41
ComboFix-quarantined-files.txt 2008-11-11 22:28:11
ComboFix2.txt 2008-11-11 17:29:29

Pre-Run: 50,259,730,432 bytes free
Post-Run: 50,216,378,368 bytes free

172 --- E O F --- 2008-10-24 17:55:59

Unable to post hjt log keep getting message from blair that hjt is out of date will get new version and be back with scan posting
.

#126 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 November 2008 - 07:44 PM

Those temp files are gone. Hope they stay that way. Yes we need the latest HJT version

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#127 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 11 November 2008 - 08:10 PM

here is the new hjt version log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:04, on 2008-11-11
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\TEMP\ntox.exe
C:\WINDOWS\TEMP\ahhtxu.exe
c:\progra~1\common~1\instal~1\update~1\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\WINMINE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7071 bytes


The two new .exe files in temp folder are now

ahhtxu.exe and ntox.exe

Trend Internet security still not accessable.

#128 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 November 2008 - 08:12 PM

Download Dr.WEB CureIt to your desktop from here:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
  • Double-click cureit.exe to start the program.
  • Press Start and then OK to start the Express scan
  • The Express scan takes just a few moments to finish, if something is found, click Yes to cure it
  • Once the short scan has finished, Click Options->Change settings
  • Choose the Scan tab and UN-CHECK Heuristic analysis
  • Choose the Actions tab and make these changes:
    • Next to Infected objects select Report
    • Next to Incurable objects select Report
    • Next to Infected containers select Report
  • At the bottom-left, UN-CHECK Prompt on action, then press OK to close the settings box.
  • Note: These settings changes are IMPORTANT, please ensure you have made them before scanning
  • Then select Complete scan and press the green arrow to start the scan
  • When the scan is complete, click File-> Save report list, save the report to your desktop and close Dr Web CureIt

Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#129 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 11 November 2008 - 08:18 PM

I am unable to access that site from this infected computer. What about getting to it on the other one and using the flash drive to transfer it here.

#130 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 November 2008 - 08:20 PM

I am unable to access that site from this infected computer. What about getting to it on the other one and using the flash drive to transfer it here.

Great idea :thumbup:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

    Advertisements

Register to Remove

#131 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 11 November 2008 - 08:48 PM

Ok got cureit.exe and loaded to the desktop. Pressed start and ok the scan ran but did nothing like you said. It did not tell me if anything was found. It did not present me with any options. When the scan was finished it offered me a chance to get the full version for a trial period. I exited and clicked on the cureit.exe again and clicked on start. Was presented with a stop error screen. Had to manually turn the computer off and reboot. Was presented with a dialog box stating that the system had recovered from a fatal error. The icon in the desktop tray showing the wireless connection has a red x on it but the internet connection is indeed working. The .exe files that were in the temp folder before the shutdown are gone and have been replaced by 2 new ones.

#132 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 November 2008 - 09:30 PM

I don't know what you've been infected with. I have posted in our Experts forum to see if anyone else has any ideas. I'll let you know.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#133 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 11 November 2008 - 09:34 PM

ok Since my last post, was prompted to update windows. Did so and it coverred 5 new updates. One of which was to the Malicous Software Removal Tool. Once the updates were installed, it did a scan and the trojan proxy win32/Horst.V was removed. This is good but it did nothing to improve this situation. Thanks for your help and will be check tomorrow to see if you have anything for me.

#134 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 12 November 2008 - 06:28 AM

Can you run a new Combofix scan and post it?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#135 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 12 November 2008 - 07:19 AM

Here is the requested log

ComboFix 08-11-11.01 - James 2008-11-12 8:10:36.13 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1518 [GMT -5:00]
Running from: c:\documents and settings\James\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
.

2008-11-11 22:04 . 2008-11-11 22:04 118 --a------ c:\windows\system32\MRT.INI
2008-11-11 22:01 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 21:59 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 21:33 . 2008-11-11 21:33 <DIR> d-------- c:\documents and settings\James\DoctorWeb
2008-11-11 11:16 . 2008-11-11 11:16 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-11-09 16:31 . 2008-11-09 16:31 <DIR> d---s---- c:\documents and settings\James\UserData
2008-11-09 13:49 . 2004-08-10 06:00 169,984 --a------ c:\windows\system32\dllcache\iisui.dll
2008-11-09 13:49 . 2004-08-10 06:00 94,720 --a------ c:\windows\system32\dllcache\certmap.ocx
2008-11-09 13:49 . 2001-08-17 14:56 66,048 --a------ c:\windows\system32\dllcache\s3legacy.dll
2008-11-09 13:49 . 2004-08-10 06:00 19,968 --a------ c:\windows\system32\dllcache\inetsloc.dll
2008-11-09 13:49 . 2004-08-10 06:00 14,336 --a------ c:\windows\system32\dllcache\iisreset.exe
2008-11-09 13:49 . 2004-08-10 06:00 7,680 --a------ c:\windows\system32\dllcache\inetmgr.exe
2008-11-09 13:49 . 2004-08-10 06:00 7,168 --a------ c:\windows\system32\dllcache\wamregps.dll
2008-11-09 13:49 . 2004-08-10 06:00 6,144 --a------ c:\windows\system32\dllcache\ftpsapi2.dll
2008-11-09 13:49 . 2004-08-10 06:00 5,632 --a------ c:\windows\system32\dllcache\iisrstap.dll
2008-11-09 11:28 . 2008-11-09 11:28 <DIR> d-------- c:\program files\Sun
2008-11-09 11:27 . 2008-11-09 11:27 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-09 11:27 . 2008-11-09 11:27 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-09 10:14 . 2008-11-09 10:16 <DIR> d-------- C:\Lop SD
2008-11-07 20:57 . 2008-11-11 12:29 <DIR> d-a------ c:\program files\Qoobox
2008-11-07 20:11 . 2008-11-07 20:11 <DIR> d-------- c:\program files\ERUNT
2008-11-07 19:50 . 2008-11-07 19:50 <DIR> d-------- c:\documents and settings\James\Application Data\U3
2008-11-06 18:41 . 2008-11-06 18:41 <DIR> d-------- c:\documents and settings\Earlene\Application Data\Malwarebytes
2008-11-05 15:35 . 2008-11-05 15:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-05 15:35 . 2008-11-05 15:35 <DIR> d-------- c:\documents and settings\James\Application Data\Malwarebytes
2008-11-05 15:35 . 2008-11-05 15:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-05 15:35 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-05 15:35 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-16 00:07 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-16 00:07 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-16 00:06 . 2008-08-14 05:11 2,189,184 --a------ c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-16 00:06 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-16 00:06 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 02:04 --------- d-----w c:\program files\Trend Micro
2008-11-09 16:27 --------- d-----w c:\program files\Java
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-15 16:34 337,408 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-14 01:11 --------- d-----w c:\program files\LimeWire
2008-10-14 01:11 --------- d-----w c:\documents and settings\Earlene\Application Data\LimeWire
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\dllcache\wininet.dll
2008-08-20 05:30 619,520 ----a-w c:\windows\system32\dllcache\urlmon.dll
2008-08-20 05:30 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-20 05:30 1,499,136 ----a-w c:\windows\system32\dllcache\shdocvw.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\dllcache\ntkrnlmp.exe
2008-08-14 10:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-02-04 15:55 0 ----a-w c:\documents and settings\Earlene\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-11-11_17.27.57.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-24 11:21:09 455,296 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-11-12 03:02:48 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2008-10-07 19:19:40 16,721,856 ----a-w c:\windows\system32\MRT.exe
+ 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\system32\MRT.exe
- 2008-11-11 17:21:25 70,012 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-12 02:38:47 70,530 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-11 17:21:25 409,724 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-12 02:38:48 410,600 ----a-w c:\windows\system32\perfh009.dat
- 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-07-08 13:02:01 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-11-12 13:06:05 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6f0.dat
+ 2008-09-30 21:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 21:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 398864]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1764864]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1470464]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1105920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 831579]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 126976]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 294912]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 155648]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-09 214424]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 283888]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-01-23 24576]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2008-01-11 389120]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 249856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.speex32"= speex32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\WRAL DESKTOP WEATHER\\TrueWeather.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\WINDOWS\\system32\\WLTRAY.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Dell\\QuickSet\\quickset.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"=
"c:\\WINDOWS\\stsystra.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 14\\TMAS_OE\\TMAS_OEMon.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 14\\pccmain.exe"=

R3 abp470n5;abp470n5;c:\windows\system32\drivers\hhgmrs.sys [ ]
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);c:\windows\system32\DRIVERS\w300bus.sys [2006-03-13 60800]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\6isqf98n.default\
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-12 08:13:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-12 8:16:53
ComboFix-quarantined-files.txt 2008-11-12 13:16:50
ComboFix2.txt 2008-11-11 22:28:42
ComboFix3.txt 2008-11-11 17:29:29

Pre-Run: 49,618,165,760 bytes free
Post-Run: 49,651,924,992 bytes free

193 --- E O F --- 2008-10-24 17:55:59

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·