Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93081 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Kid downloads - slowed pc


  • Please log in to reply
24 replies to this topic

#1 bluerapala

bluerapala

    Authentic Member

  • Authentic Member
  • PipPip
  • 58 posts

Posted 21 May 2008 - 06:59 AM

The kids have downloaded video type stuff and we are in trouble.. Here is the latest log. Please help
I run adaware - ca anti virus

Logfile of HijackThis v1.99.1
Scan saved at 7:56:48 AM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Personal Communications\PCS_AGNT.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\drivers\ldlcserv.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SoniqCast\SoniqSync\SsSvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DSentry.exe
C:\Updater.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\PROGRA~1\CA\ETRUST~1\realmon.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\matt\LOCALS~1\Temp\stdcons.exe/r
O4 - HKLM\..\Run: [90b6170a] rundll32.exe "C:\WINDOWS\system32\opronmek.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comca..... Controls.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: ServiceVolume - {7fc3d8a4-f86a-4be4-9b0f-610b2184a8fd} - C:\WINDOWS\Resources\ServiceVolume.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINDOWS\System32\drivers\ldlcserv.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoniqSync Service - Unknown owner - C:\Program Files\SoniqCast\SoniqSync\SsSvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - Unknown owner - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe" /service /P ddoctorv2 (file missing)
O23 - Service: TrcBoot - Unknown owner - C:\WINDOWS\System32\drivers\trcboot.exe

    Advertisements

Register to Remove


#2 shelf life

shelf life

    SuperMember

  • Visiting Fellow
  • PipPipPipPipPip
  • 3,191 posts

Posted 23 May 2008 - 05:34 AM

hi bluerapala,

we will start with one download to use and maybe get another one also;

Download combofix from one of these links and save it to your Desktop:

http://subs.geekstogo.com/ComboFix.exe
http://download.blee...Bs/ComboFix.exe

double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log in reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.
How Can I Reduce My Risk?

#3 bluerapala

bluerapala

    Authentic Member

  • Authentic Member
  • PipPip
  • 58 posts

Posted 23 May 2008 - 06:43 AM

this message from my work pc... It seems really messed up now. I try to run hijackthis it runs but can't save the log file. Also our home page in IE displays but can't get to any other pages. I tired to get to the combofix but no luck yet. I will try again in a day or 2. Thanks very much Is there a way to run the cobox fix from start run(command) over the internet?

#4 shelf life

shelf life

    SuperMember

  • Visiting Fellow
  • PipPipPipPipPip
  • 3,191 posts

Posted 23 May 2008 - 05:38 PM

hi,

Is there a way to run the cobox fix from start run(command) over the internet?

no it has to be downloaded and run from your desktop.
you can download it from another computer to a usb flash drive then transfer it to the computer in question to use it, if you have the means to do that.

I try to run hijackthis it runs but can't save the log file


you already posted a hjt log which is ok for now.

if you cant get it installed we can try something else, like manually deleting some files etc in safe mode
How Can I Reduce My Risk?

#5 bluerapala

bluerapala

    Authentic Member

  • Authentic Member
  • PipPip
  • 58 posts

Posted 26 May 2008 - 03:58 PM

I was able to run combo fix here is the log. I was also able to run hijak again that is after the combofix log
thanks much

ComboFix 08-05-25.5 - cindy 2008-05-26 16:20:18.1 - NTFSx86
Running from: C:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\inetget2
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\gnowmebk.dll
C:\WINDOWS\pxgdslro.dll
C:\WINDOWS\system32\awtTJbBu.dll
C:\WINDOWS\SYSTEM32\bxmhagps.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\Cache\buts.bin
C:\WINDOWS\system32\Cache\casino.bmp
C:\WINDOWS\system32\Cache\date.bmp
C:\WINDOWS\system32\Cache\figures.bmp
C:\WINDOWS\system32\Cache\microsoft access12.bmp
C:\WINDOWS\system32\Cache\msg.bin
C:\WINDOWS\system32\Cache\peoples 11.bmp
C:\WINDOWS\system32\Cache\search find.bmp
C:\WINDOWS\system32\cmnocfg.xml
C:\WINDOWS\system32\drivers\ubK66.sys
C:\WINDOWS\system32\ekfoxwcp.ini
C:\WINDOWS\system32\gagrpkgd.ini
C:\WINDOWS\system32\kemnorpo.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\qitjmeoo.ini
C:\WINDOWS\system32\qviexio3.dat
C:\WINDOWS\SYSTEM32\rhfdwbeq.ini
C:\WINDOWS\system32\spgahmxb.dll
C:\WINDOWS\system32\ssqOGvtU.dll
C:\WINDOWS\SYSTEM32\UtvGOqss.ini
C:\WINDOWS\SYSTEM32\UtvGOqss.ini2
C:\WINDOWS\SYSTEM32\wgopgndj.ini
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\SYSTEM32\WxGfefii.ini
C:\WINDOWS\SYSTEM32\WxGfefii.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UBK66
-------\Service_ubK66


((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.

2008-05-26 16:13 . 2008-05-26 16:13 1,955,622 --a------ C:\ComboFix.exe
2008-05-26 15:46 . 2008-05-26 15:46 14,336 --a------ C:\WINDOWS\SYSTEM32\WINCTRL32.DL_.0.AVB
2008-05-25 12:24 . 2008-05-25 12:24 27,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\OTX27.SYS.0.AVB
2008-05-25 12:24 . 2008-05-25 12:24 12,288 --a------ C:\WINDOWS\SYSTEM32\WLCTRL32.DLL.2.AVB
2008-05-23 07:04 . 2008-05-23 07:04 27,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\HMR83.SYS.0.AVB
2008-05-23 07:04 . 2008-05-23 07:04 12,288 --a------ C:\WINDOWS\SYSTEM32\WLCTRL32.DLL.1.AVB
2008-05-23 06:45 . 2008-05-23 06:45 27,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SXC38.SYS.0.AVB
2008-05-23 06:45 . 2008-05-23 06:45 12,288 --a------ C:\WINDOWS\SYSTEM32\WLCTRL32.DLL.0.AVB
2008-05-22 13:43 . 2008-05-22 13:43 90,624 --a------ C:\WINDOWS\SYSTEM32\ooemjtiq.dll
2008-05-20 00:45 . 2008-05-21 07:01 <DIR> d-------- C:\Program Files\ColorUtility
2008-05-20 00:28 . 2008-05-20 00:30 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-05-19 22:14 . 2008-05-19 22:14 91,264 --a------ C:\WINDOWS\SYSTEM32\OPRONMEK.DLL.0.AVB
2008-05-19 06:22 . 2008-05-19 06:22 318,336 --a------ C:\WINDOWS\SYSTEM32\IIFEFGXW.DLL.0.AVB
2008-05-17 15:58 . 2008-05-17 06:59 135,168 --a------ C:\WINDOWS\eova.exe
2008-05-17 15:58 . 2008-05-17 06:59 81,920 --a------ C:\WINDOWS\mdtgkswr.exe
2008-05-17 15:57 . 2008-05-17 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adsl Software Limited
2008-05-13 19:51 . 2008-05-13 20:00 <DIR> d-------- C:\Documents and Settings\matt\Application Data\uTorrent
2008-05-10 23:05 . 2008-05-10 23:05 <DIR> d-------- C:\Program Files\Red Kawa
2008-05-10 23:05 . 2008-05-10 23:06 <DIR> d-------- C:\Program Files\AviSynth 2.5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 21:03 --------- d-----w C:\Documents and Settings\cindy\Application Data\COMCASTTOOLBAR
2008-05-23 12:15 --------- d-----w C:\Documents and Settings\steve\Application Data\ComcastToolbar
2008-05-20 05:33 --------- d-----w C:\Program Files\Google
2008-05-17 15:32 --------- d-----w C:\Documents and Settings\joe\Application Data\COMCASTTOOLBAR
2008-05-11 17:38 87,352 ----a-w C:\Documents and Settings\steve\Application Data\GDIPFONTCACHEV1.DAT
2008-04-23 16:56 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-14 22:55 --------- d-----w C:\Program Files\Free DVD Ripper
2008-04-14 22:47 --------- d-----w C:\Documents and Settings\matt\Application Data\AdobeUM
2008-04-14 22:40 --------- d-----w C:\Documents and Settings\matt\Application Data\AVS4YOU
2008-04-14 22:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-04-14 22:39 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-04-14 22:39 --------- d-----w C:\Program Files\AVS4YOU
2008-04-06 16:34 --------- d-----w C:\Documents and Settings\matt\Application Data\COMCASTTOOLBAR
2008-02-09 19:42 86,960 ----a-w C:\Documents and Settings\matt\Application Data\GDIPFONTCACHEV1.DAT
2007-05-24 12:36 79,744 ----a-w C:\Documents and Settings\tommy\Application Data\GDIPFONTCACHEV1.DAT
2007-05-16 03:13 79,744 ----a-w C:\Documents and Settings\joe\Application Data\GDIPFONTCACHEV1.DAT
2007-01-25 01:35 79,744 ----a-w C:\Documents and Settings\cindy\Application Data\GDIPFONTCACHEV1.DAT
2003-08-27 20:19 36,963 ------w C:\Program Files\Common Files\SM1updtr.dll
2003-07-27 13:30 952,290 ----a-w C:\Documents and Settings\steve\ayahtzee.zip
1999-03-02 15:17 696,320 ------w C:\Program Files\Common Files\rsMHook.dll
1999-01-05 18:40 20,480 ------w C:\Program Files\Common Files\rsMenu.exe
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 54,784 --sha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2007-12-04 18:38 550,912 --sh--w C:\WINDOWS\SYSTEM32\oleaut32.dll
2004-08-04 07:56 83,456 --sha-w C:\WINDOWS\SYSTEM32\olepro32.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe
.

------- Sigcheck -------

2005-01-27 12:08 657920 a8eac5330876548e9966a7d13025d196 C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll
2005-05-02 15:57 658944 e1e18136f9dd3df1ad9c82193a5898a6 C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll
2005-03-10 02:43 657920 c8663b488996e89a84c3d17c1d12b79e C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll
2005-09-02 18:53 660480 97a6fd7cafd688cf2c78939ebaf0cd0c C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\wininet.dll
2005-07-02 21:09 659456 6e533d155b259eb2363d3e04b5be309f C:\WINDOWS\$hf_mig$\KB896727\SP2QFE\wininet.dll
2005-10-20 22:38 661504 af785c4947676a7fc1673fdc5c8d0b5b C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll
2006-03-03 22:58 663552 c0845ecbf4f9164e618ee381b79c9032 C:\WINDOWS\$hf_mig$\KB912812\SP2QFE\wininet.dll
2006-05-10 00:25 663552 d94cffdb53e7ac867438e2dfd50e7cbc C:\WINDOWS\$hf_mig$\KB916281\SP2QFE\wininet.dll
2006-06-23 06:25 664576 64ce26db72810b30f7855ea51e1df836 C:\WINDOWS\$hf_mig$\KB918899\SP2QFE\wininet.dll
2007-12-06 19:44 666112 085a7c37f9c6ede1ba870b7dbec06399 C:\WINDOWS\ie7\wininet.dll
2004-08-04 02:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2007-06-26 09:35 665600 e1a3dd68b5380b360a7310a64d9bb188 C:\WINDOWS\SoftwareDistribution\Download\00f4dcdbcc87699e75212b885cb6bebf\sp2qfe\wininet.dll
2007-10-10 18:56 824832 30c1e0f34ad2972c72a01db5c74ab065 C:\WINDOWS\SYSTEM32\wininet.dll
2007-10-10 18:56 824832 30c1e0f34ad2972c72a01db5c74ab065 C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18CB1A7B-94CD-4582-8022-ADA16851E44B}]
C:\Program Files\ColorUtility\ColorUtility.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@={E300CD91-100F-4E67-9AF3-1384A6124015}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@={95A27763-F62A-4114-9072-E81D87DE3B68}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@={E300CD91-100F-4E67-9AF3-1384A6124015}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Red]
@={01CCCC8C-1D50-4b13-B96D-4B922DD3128B}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@={5E529433-B50E-4bef-A63B-16A6B71B071A}

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe" [2005-05-09 18:16 192512]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-31 16:04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 14:05 69632]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 19:22 28672]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01 135264]
"iRiver Updater"="\Updater.exe" [2004-07-01 16:20 212992]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14 504080]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 17:44 679936]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2005-05-09 16:32 53248]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 02:35 185632]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2007-04-19 15:21 198184]
"Carbonite Backup"="C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2008-02-09 07:04 526272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ServiceVolume"= {7fc3d8a4-f86a-4be4-9b0f-610b2184a8fd} - C:\WINDOWS\Resources\ServiceVolume.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hmr83.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Otx27.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sxc38.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"C:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe"=
"C:\\Program Files\\SoniqCast\\SoniqSync\\SoniqSync.exe"=
"C:\\HEGames\\Football2002\\football2002.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\CA\\eTrust Antivirus\\InoRpc.exe"=
"C:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=
"C:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Team17\\Worms World Party\\wwp.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 04:48:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-26 08:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
"2008-05-26 08:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 16:37:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\DRIVERS\trcboot.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
C:\WINDOWS\SYSTEM32\cisvc.exe
C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\Personal Communications\pcs_agnt.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ldlcserv.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\SoniqCast\SoniqSync\SsSvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Updater.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\CIDAEMON.EXE
C:\WINDOWS\SYSTEM32\CIDAEMON.EXE
.
**************************************************************************
.
Completion time: 2008-05-26 16:51:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-26 21:51:12

Pre-Run: 1,306,968,064 bytes free
Post-Run: 1,459,494,912 bytes free

244 --- E O F --- 2008-05-16 07:37:59

Logfile of HijackThis v1.99.1
Scan saved at 4:58:10 PM, on 5/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\Personal Communications\PCS_AGNT.EXE
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\drivers\ldlcserv.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SoniqCast\SoniqSync\SsSvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Updater.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ColorUtility module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - C:\Program Files\ColorUtility\ColorUtility.dll (file missing)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\PROGRA~1\CA\ETRUST~1\realmon.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comca..... Controls.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: ServiceVolume - {7fc3d8a4-f86a-4be4-9b0f-610b2184a8fd} - C:\WINDOWS\Resources\ServiceVolume.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINDOWS\System32\drivers\ldlcserv.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoniqSync Service - Unknown owner - C:\Program Files\SoniqCast\SoniqSync\SsSvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - Unknown owner - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe" /service /P ddoctorv2 (file missing)
O23 - Service: TrcBoot - Unknown owner - C:\WINDOWS\System32\drivers\trcboot.exe

#6 bluerapala

bluerapala

    Authentic Member

  • Authentic Member
  • PipPip
  • 58 posts

Posted 26 May 2008 - 04:19 PM

I forgot to ask if combox fix needs to run under each xp user account? I ran it on one account, and that seemed to be a little better. My account was having issues with IE so I thought I would run it on that account also

#7 shelf life

shelf life

    SuperMember

  • Visiting Fellow
  • PipPipPipPipPip
  • 3,191 posts

Posted 26 May 2008 - 04:44 PM

hi,

ok good. runnning under one account is good enough. we will use combofix again, then get another download to run.

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:


File::
C:\WINDOWS\SYSTEM32\ooemjtiq.dll
C:\WINDOWS\eova.exe
C:\WINDOWS\imsins.BAK


Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon, both on the desktop--
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log and a new hjt log.--

iam leaving some of the items for now. have you recently installed any software on the computer?


after the above download and run sdfix, needs to run in safe mode:

Download SDFix and save it to your Desktop.

http://downloads.and...Tools/SDFix.exe


Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.

* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt in next reply
How Can I Reduce My Risk?

#8 bluerapala

bluerapala

    Authentic Member

  • Authentic Member
  • PipPip
  • 58 posts

Posted 27 May 2008 - 05:25 AM

here is the combox fix and a hijack. I will run the SDfix after this post.
My wife did install Internet exploere 7 recently which I think may be part of the problem. No it seems like we have a combination of old IE and new IE? I hijac is after the combo log

ComboFix 08-05-25.5 - cindy 2008-05-27 6:02:55.3 - NTFSx86
Running from: C:\ComboFix.exe
Command switches used :: C:\Documents and Settings\cindy\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\eova.exe
C:\WINDOWS\imsins.BAK
C:\WINDOWS\SYSTEM32\ooemjtiq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\eova.exe
C:\WINDOWS\imsins.BAK
C:\WINDOWS\SYSTEM32\ooemjtiq.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 03:01 . 2008-05-27 03:01 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-26 16:13 . 2008-05-26 16:13 1,955,622 --a------ C:\ComboFix.exe
2008-05-26 15:46 . 2008-05-26 15:46 14,336 --a------ C:\WINDOWS\SYSTEM32\WINCTRL32.DL_.0.AVB
2008-05-25 12:24 . 2008-05-25 12:24 27,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\OTX27.SYS.0.AVB
2008-05-25 12:24 . 2008-05-25 12:24 12,288 --a------ C:\WINDOWS\SYSTEM32\WLCTRL32.DLL.2.AVB
2008-05-23 07:04 . 2008-05-23 07:04 27,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\HMR83.SYS.0.AVB
2008-05-23 07:04 . 2008-05-23 07:04 12,288 --a------ C:\WINDOWS\SYSTEM32\WLCTRL32.DLL.1.AVB
2008-05-23 06:45 . 2008-05-23 06:45 27,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SXC38.SYS.0.AVB
2008-05-23 06:45 . 2008-05-23 06:45 12,288 --a------ C:\WINDOWS\SYSTEM32\WLCTRL32.DLL.0.AVB
2008-05-20 00:45 . 2008-05-21 07:01 <DIR> d-------- C:\Program Files\ColorUtility
2008-05-19 22:14 . 2008-05-19 22:14 91,264 --a------ C:\WINDOWS\SYSTEM32\OPRONMEK.DLL.0.AVB
2008-05-19 06:22 . 2008-05-19 06:22 318,336 --a------ C:\WINDOWS\SYSTEM32\IIFEFGXW.DLL.0.AVB
2008-05-17 15:58 . 2008-05-17 06:59 81,920 --a------ C:\WINDOWS\mdtgkswr.exe
2008-05-17 15:57 . 2008-05-17 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adsl Software Limited
2008-05-13 19:51 . 2008-05-13 20:00 <DIR> d-------- C:\Documents and Settings\matt\Application Data\uTorrent
2008-05-10 23:05 . 2008-05-10 23:05 <DIR> d-------- C:\Program Files\Red Kawa
2008-05-10 23:05 . 2008-05-10 23:06 <DIR> d-------- C:\Program Files\AviSynth 2.5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 10:42 --------- d-----w C:\Documents and Settings\cindy\Application Data\COMCASTTOOLBAR
2008-05-27 00:37 --------- d-----w C:\Documents and Settings\steve\Application Data\ComcastToolbar
2008-05-20 05:33 --------- d-----w C:\Program Files\Google
2008-05-17 15:32 --------- d-----w C:\Documents and Settings\joe\Application Data\COMCASTTOOLBAR
2008-05-11 17:38 87,352 ----a-w C:\Documents and Settings\steve\Application Data\GDIPFONTCACHEV1.DAT
2008-04-23 16:56 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-14 22:55 --------- d-----w C:\Program Files\Free DVD Ripper
2008-04-14 22:47 --------- d-----w C:\Documents and Settings\matt\Application Data\AdobeUM
2008-04-14 22:40 --------- d-----w C:\Documents and Settings\matt\Application Data\AVS4YOU
2008-04-14 22:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-04-14 22:39 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-04-14 22:39 --------- d-----w C:\Program Files\AVS4YOU
2008-04-06 16:34 --------- d-----w C:\Documents and Settings\matt\Application Data\COMCASTTOOLBAR
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-02-09 19:42 86,960 ----a-w C:\Documents and Settings\matt\Application Data\GDIPFONTCACHEV1.DAT
2007-05-24 12:36 79,744 ----a-w C:\Documents and Settings\tommy\Application Data\GDIPFONTCACHEV1.DAT
2007-05-16 03:13 79,744 ----a-w C:\Documents and Settings\joe\Application Data\GDIPFONTCACHEV1.DAT
2007-01-25 01:35 79,744 ----a-w C:\Documents and Settings\cindy\Application Data\GDIPFONTCACHEV1.DAT
2003-08-27 20:19 36,963 ------w C:\Program Files\Common Files\SM1updtr.dll
2003-07-27 13:30 952,290 ----a-w C:\Documents and Settings\steve\ayahtzee.zip
1999-03-02 15:17 696,320 ------w C:\Program Files\Common Files\rsMHook.dll
1999-01-05 18:40 20,480 ------w C:\Program Files\Common Files\rsMenu.exe
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 54,784 --sha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2007-12-04 18:38 550,912 --sh--w C:\WINDOWS\SYSTEM32\oleaut32.dll
2004-08-04 07:56 83,456 --sha-w C:\WINDOWS\SYSTEM32\olepro32.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe
.

------- Sigcheck -------

2005-01-27 12:08 657920 a8eac5330876548e9966a7d13025d196 C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll
2005-05-02 15:57 658944 e1e18136f9dd3df1ad9c82193a5898a6 C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll
2005-03-10 02:43 657920 c8663b488996e89a84c3d17c1d12b79e C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll
2005-09-02 18:53 660480 97a6fd7cafd688cf2c78939ebaf0cd0c C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\wininet.dll
2005-07-02 21:09 659456 6e533d155b259eb2363d3e04b5be309f C:\WINDOWS\$hf_mig$\KB896727\SP2QFE\wininet.dll
2005-10-20 22:38 661504 af785c4947676a7fc1673fdc5c8d0b5b C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll
2006-03-03 22:58 663552 c0845ecbf4f9164e618ee381b79c9032 C:\WINDOWS\$hf_mig$\KB912812\SP2QFE\wininet.dll
2006-05-10 00:25 663552 d94cffdb53e7ac867438e2dfd50e7cbc C:\WINDOWS\$hf_mig$\KB916281\SP2QFE\wininet.dll
2006-06-23 06:25 664576 64ce26db72810b30f7855ea51e1df836 C:\WINDOWS\$hf_mig$\KB918899\SP2QFE\wininet.dll
2007-12-06 19:44 666112 085a7c37f9c6ede1ba870b7dbec06399 C:\WINDOWS\ie7\wininet.dll
2004-08-04 02:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2007-06-26 09:35 665600 e1a3dd68b5380b360a7310a64d9bb188 C:\WINDOWS\SoftwareDistribution\Download\00f4dcdbcc87699e75212b885cb6bebf\sp2qfe\wininet.dll
2007-10-10 18:56 824832 30c1e0f34ad2972c72a01db5c74ab065 C:\WINDOWS\SYSTEM32\wininet.dll
2007-10-10 18:56 824832 30c1e0f34ad2972c72a01db5c74ab065 C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-05-26_16.50.54.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-26 21:35:28 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-27 01:04:46 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2007-03-06 01:22:36 14,048 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
+ 2007-03-06 01:22:33 14,048 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18CB1A7B-94CD-4582-8022-ADA16851E44B}]
C:\Program Files\ColorUtility\ColorUtility.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@={E300CD91-100F-4E67-9AF3-1384A6124015}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@={95A27763-F62A-4114-9072-E81D87DE3B68}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@={E300CD91-100F-4E67-9AF3-1384A6124015}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Red]
@={01CCCC8C-1D50-4b13-B96D-4B922DD3128B}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@={5E529433-B50E-4bef-A63B-16A6B71B071A}

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2008-02-09 07:04 509376 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe" [2005-05-09 18:16 192512]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-31 16:04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 14:05 69632]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 19:22 28672]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01 135264]
"iRiver Updater"="\Updater.exe" [2004-07-01 16:20 212992]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14 504080]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 17:44 679936]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2005-05-09 16:32 53248]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 02:35 185632]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2007-04-19 15:21 198184]
"Carbonite Backup"="C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2008-02-09 07:04 526272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ServiceVolume"= {7fc3d8a4-f86a-4be4-9b0f-610b2184a8fd} - C:\WINDOWS\Resources\ServiceVolume.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hmr83.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Otx27.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sxc38.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"C:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe"=
"C:\\Program Files\\SoniqCast\\SoniqSync\\SoniqSync.exe"=
"C:\\HEGames\\Football2002\\football2002.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\CA\\eTrust Antivirus\\InoRpc.exe"=
"C:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=
"C:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Team17\\Worms World Party\\wwp.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

.
Contents of the 'Scheduled Tasks' folder
"2008-05-27 04:48:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-27 08:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
"2008-05-27 08:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 06:06:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-27 6:13:08
ComboFix-quarantined-files.txt 2008-05-27 11:12:45
ComboFix2.txt 2008-05-26 22:24:46
ComboFix3.txt 2008-05-26 21:51:34

Pre-Run: 1,415,155,712 bytes free
Post-Run: 1,400,623,104 bytes free

201 --- E O F --- 2008-05-27 08:01:56


Logfile of HijackThis v1.99.1
Scan saved at 6:23:49 AM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\Personal Communications\PCS_AGNT.EXE
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\drivers\ldlcserv.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SoniqCast\SoniqSync\SsSvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Updater.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ColorUtility module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - C:\Program Files\ColorUtility\ColorUtility.dll (file missing)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\PROGRA~1\CA\ETRUST~1\realmon.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comca..... Controls.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: ServiceVolume - {7fc3d8a4-f86a-4be4-9b0f-610b2184a8fd} - C:\WINDOWS\Resources\ServiceVolume.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINDOWS\System32\drivers\ldlcserv.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoniqSync Service - Unknown owner - C:\Program Files\SoniqCast\SoniqSync\SsSvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - Unknown owner - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe" /service /P ddoctorv2 (file missing)
O23 - Service: TrcBoot - Unknown owner - C:\WINDOWS\System32\drivers\trcboot.exe

#9 bluerapala

bluerapala

    Authentic Member

  • Authentic Member
  • PipPip
  • 58 posts

Posted 27 May 2008 - 06:04 AM

here is SDfix..
thanks much for your help


SDFix: Version 1.186
Run by cindy on Tue 05/27/2008 at 06:42 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\mdtgkswr.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 06:56:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"="C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe"="C:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe:*:Enabled:Scrabble Complete"
"C:\\Program Files\\SoniqCast\\SoniqSync\\SoniqSync.exe"="C:\\Program Files\\SoniqCast\\SoniqSync\\SoniqSync.exe:*:Enabled:SoniqSync Application Plug-in"
"C:\\HEGames\\Football2002\\football2002.exe"="C:\\HEGames\\Football2002\\football2002.exe:*:Disabled:sputm90r"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\CA\\eTrust Antivirus\\InoRpc.exe"="C:\\Program Files\\CA\\eTrust Antivirus\\InoRpc.exe:*:Enabled:eTrust Antivirus - RPC Server"
"C:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"="C:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe:*:Enabled:eTrust Antivirus - Local Scanner"
"C:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"="C:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe:*:Enabled:eTrust Antivirus - Realtime monitor"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\Team17\\Worms World Party\\wwp.exe"="C:\\Program Files\\Team17\\Worms World Party\\wwp.exe:*:Enabled:Worms World Party"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 29 Aug 2002 94,784 ..SH. --- "C:\WINDOWS\TWAIN.DLL"
Wed 4 Aug 2004 50,688 ..SH. --- "C:\WINDOWS\twain_32.dll"
Wed 4 Aug 2004 54,784 A.SH. --- "C:\WINDOWS\SYSTEM32\msvcirt.dll"
Wed 4 Aug 2004 413,696 A.SH. --- "C:\WINDOWS\SYSTEM32\msvcp60.dll"
Tue 4 Dec 2007 550,912 ..SH. --- "C:\WINDOWS\SYSTEM32\oleaut32.dll"
Wed 4 Aug 2004 83,456 A.SH. --- "C:\WINDOWS\SYSTEM32\olepro32.dll"
Wed 4 Aug 2004 11,776 ..SH. --- "C:\WINDOWS\SYSTEM32\regsvr32.exe"
Tue 15 Jun 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 17 Jul 2004 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Sat 17 Jul 2004 48 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Sat 17 Jul 2004 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v3ks.bla.bak"
Wed 4 Aug 2004 11,776 ..SH. --- "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMComReg.exe"
Mon 21 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 14 Jun 2007 4,235,176 A..H. --- "C:\Program Files\Carbonite\Carbonite Backup\data\Carbonite_Backup_1.tmp"
Tue 12 Apr 2005 95,892 ...H. --- "C:\Program Files\Comcast\Comcast PhotoShow 4\data\Comcast PhotoShow Deluxe.exe"
Tue 15 Jun 2004 4,348 ...H. --- "C:\Documents and Settings\joe\My Documents\My Music\License Backup\drmv1key.bak"
Wed 7 Dec 2005 20 A..H. --- "C:\Documents and Settings\joe\My Documents\My Music\License Backup\drmv1lic.bak"
Tue 26 Jul 2005 928 A.SH. --- "C:\Documents and Settings\joe\My Documents\My Music\License Backup\drmv2key.bak"
Fri 29 Dec 2006 4,765 A.SH. --- "C:\Documents and Settings\cindy\Application Data\Roxio\Dragon\DiscInfoCache\HL-DT-ST_CD-RW_GCE-8481B__C102_310_DICV018_DRGV20100BC.TMP"
Sat 13 Nov 2004 211 A.SHR --- "C:\Documents and Settings\steve\Application Data\Everest Labs\SpyDefense\Backups\BF5CA.tmp"
Sun 21 May 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sun 21 May 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Sun 21 May 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Sat 20 May 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Mon 6 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp"
Sun 12 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch7\lock.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\steve\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\steve\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\steve\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\steve\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!

#10 shelf life

shelf life

    SuperMember

  • Visiting Fellow
  • PipPipPipPipPip
  • 3,191 posts

Posted 27 May 2008 - 03:40 PM

hi bluerapala

ok thanks for the info. i missed one. we will use combofix again just like last time.
EDIT: nevermind, sdfix removed it.


iam trying to account for those files with the .AVB extension in the combofix log.

do this to help show all files;

FOr XP: on the desktop double click my computer,go to tools>folder options>view> then select "show hidden files and folders", then UNcheck "hide protected operating system files " also UNcheck "hide extensions for known file types" click apply to all folders, apply then ok

navigate here:
C:\WINDOWS\SYSTEM32\DRIVERS

see if you can find these:
OTX27.SYS
HMR83.SYS
SXC38.SYS

if so go to the website below, browse for the files again on your computer, then upload them one by one. they will be checked out, you can copy/paste the results back here.

http://www.virustotal.com/


look in add/remove programs panel and uninstall:
SpywareBot, if present
How Can I Reduce My Risk?

    Advertisements

Register to Remove


#11 bluerapala

bluerapala

    Authentic Member

  • Authentic Member
  • PipPip
  • 58 posts

Posted 27 May 2008 - 07:23 PM

each of those files had an extension of 0.AVB. When I clicked them the realtime antivirus (CA ETRUST) identified a virus in them. I should delete them right?

#12 shelf life

shelf life

    SuperMember

  • Visiting Fellow
  • PipPipPipPipPip
  • 3,191 posts

Posted 27 May 2008 - 08:13 PM

hi bluerapala,

(CA ETRUST) identified a virus in them.


yes delete them or have CA quarantine them.

you can also do a online scan here:


ESET online scanner:

http://www.eset.com/onlinescan/

uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at:C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in next reply.
How Can I Reduce My Risk?

#13 bluerapala

bluerapala

    Authentic Member

  • Authentic Member
  • PipPip
  • 58 posts

Posted 28 May 2008 - 05:28 AM

I get an error on page near the bottom when I click The agree with terms. The start button nover becomes activated. on ESET online scanner: When ever I try to go to another page IE hangs. We also get script errors when I try and do help about in IE7. I thik I will remove IE& and go back to 6.. I found info on that. Just add remove programs in control panal.

#14 bluerapala

bluerapala

    Authentic Member

  • Authentic Member
  • PipPip
  • 58 posts

Posted 28 May 2008 - 07:18 AM

I removed IE7 and then rebooted. I'm on the old internet and it seems more stable. Here is the ESET log. When it was running CA detected a couple virus that I manually deleted. I was not watching the entire time.. so there may have been more. I manually deleted .. these COLORUTILITY.DLL.0.AVB (in c:\program files\color utility\) and SERVICEVOLUME.DLL.0.AVB (in windows\resources\ Thanks very much # version=4 # OnlineScanner.ocx=1.0.0.635 # OnlineScannerDLLA.dll=1, 0, 0, 79 # OnlineScannerDLLW.dll=1, 0, 0, 78 # OnlineScannerUninstaller.exe=1, 0, 0, 49 # vers_standard_module=3137 (20080527) # vers_arch_module=1.064 (20080214) # vers_adv_heur_module=1.064 (20070717) # EOSSerial=82b53d6ee3369f47ac3646d33f2cc770 # end=finished # remove_checked=true # unwanted_checked=true # utc_time=2008-05-28 01:12:01 # local_time=2008-05-28 08:12:01 (-0600, Central Daylight Time) # country="United States" # osver=5.1.2600 NT Service Pack 2 # scanned=325905 # found=28 # scan_time=5427 C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe Win32/Adware.WinSpywareProtect application (unable to clean - deleted) 00000000000000000000000000000000 C:\Documents and Settings\joe\Shared\heart othello.mp3 WMA/TrojanDownloader.Wimad.N trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\Documents and Settings\joe\Shared\posted in the parking lot.mp3 WMA/TrojanDownloader.Wimad.N trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\Documents and Settings\joe\Shared\shake it bow wow.mp3 WMA/TrojanDownloader.Wimad.N trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\Documents and Settings\joe\Shared\sounds of club mikesh.mp3 WMA/TrojanDownloader.Wimad.N trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\Documents and Settings\matt\Shared\best rapper alive part 2.mp3 WMA/TrojanDownloader.Wimad.N trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\Program Files\CopyPod\CopyPod.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000 C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\ubK66.sys.vir a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1076\A0180406.sys a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1076\A0180423.sys a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1077\A0180445.sys a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1077\A0181420.sys a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1077\A0181436.sys a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1077\A0181450.sys a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1078\A0181534.sys a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1078\A0182733.sys a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1078\A0183084.sys a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1078\A0183096.sys a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1078\A0183149.sys a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1079\A0183182.sys a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1079\A0183388.sys a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1080\A0183403.sys a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1081\A0183459.sys a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1081\A0183483.sys a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1083\A0183523.sys a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1084\A0183540.sys a variant of Win32/TrojanDownloader.Wigon.O trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1087\A0184100.exe Win32/Adware.WinSpywareProtect application (unable to clean - deleted) 00000000000000000000000000000000 C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1087\A0184103.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000

#15 shelf life

shelf life

    SuperMember

  • Visiting Fellow
  • PipPipPipPipPip
  • 3,191 posts

Posted 28 May 2008 - 03:19 PM

hi bluerapala,

ok good.

look here:c:\program files
and delete the entire color utility folder

i would repeat the ESET online scan just for good measure. i also would check your resident AV for updates then do a full scan with that also.

CA was able to delete/remove these also?
OTX27.SYS
HMR83.SYS
SXC38.SYS

i see you have ad aware, i suggest a 2nd anti-malware app to use;
malwarebytes, free to update and scan. the real time protection requires a license.

Please download Malwarebytes' Anti-Malware to your desktop:

http://www.besttechi.../mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

also post another hjt log and the malwarebytes log.
How Can I Reduce My Risk?

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users