
[Resolved] Baseline


  • This topic is locked
116 replies to this topic

#31 jim1097

    Authentic Member, 80 posts

Posted 13 June 2008 - 12:41 PM

Fourth threat: File svchost.exe received on 06.13.2008 20:40:33 (CET)


#32 jim1097

    Authentic Member, 80 posts

Posted 13 June 2008 - 12:44 PM

Fifth one. Amazing. File explorer.exe received on 06.13.2008 20:44:47 (CET)

How could Norton 360 miss this? Jim

#33 Rorschach112

    Teacher Emeritus, 3,651 posts

Posted 13 June 2008 - 02:56 PM

I didn't need you to scan those; please only stick with the instructions I post.

You have a lot of patched files, so I need you to install the Recovery Console from my previous ComboFix instructions.


Do this as well

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Documents and Settings\Sean\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{3456080F-D8B5-4233-8E13-7EEC5EC0A20F}
    C:\Documents and Settings\Sean\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A1AF089D-4F8B-4A06-8333-05ACB22B6DB2}
    C:\Documents and Settings\Sean\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D8BD9B03-060A-4B47-AD30-6F98EC831A52}
    C:\Documents and Settings\Sean\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{EB503B76-536E-42E1-ACD9-45C9C089FA01}
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



So post a new ComboFix log once you have installed the Recovery Console, along with the OTMoveIt2 log.
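As an added example (not part of this thread and not a tool the helper uses), the Python script below applies the helper's point about patched system files to the "Sigcheck" section that ComboFix prints: it parses the date/size/MD5/path lines, treats the copies Windows keeps under dllcache, $hf_mig$, $NtUninstall* and SoftwareDistribution\Download as reference copies, and flags any live file whose MD5 matches none of them. A mismatch is a lead to verify against a known-good hash rather than proof of patching, since a legitimately updated file also differs from its older backups; the sample lines are constructed in that layout and reuse values from the log posted in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the layout of ComboFix's "Sigcheck" section; the
# svchost.exe, tcpip.sys and explorer.exe lines mirror the log in this thread.
SAMPLE_SIGCHECK = r"""
2008-04-13 20:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\svchost.exe
2008-04-14 21:23 17408 016e99a00bf65380352ad1ba8ee5f151 C:\WINDOWS\system32\svchost.exe

2007-10-30 13:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 13:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\drivers\tcpip.sys

2007-06-13 06:23 1035776 5eb4536b90e8ece755b5d5c90c56e173 C:\WINDOWS\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-10 05:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
"""

# One Sigcheck line: date time, size in bytes, MD5, full path.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([0-9a-fA-F]{32})\s+(.+?)\s*$"
)

# Directories where Windows keeps backup copies of system files (compared
# lowercased). Anything not under one of these is treated as the live file.
REFERENCE_MARKERS = (
    "\\dllcache\\",
    "\\$hf_mig$\\",
    "\\$ntuninstall",
    "\\softwaredistribution\\download\\",
    "\\servicepackfiles\\",
)


@dataclass
class SigcheckEntry:
    when: str
    size: int
    md5: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_reference(self) -> bool:
        lowered = self.path.lower()
        return any(marker in lowered for marker in REFERENCE_MARKERS)


@dataclass
class Verdict:
    live_path: str
    live_md5: str
    live_size: int
    status: str  # "matched", "unmatched" or "no-reference"
    # Patched binaries usually grow; a live file larger than every backup is
    # one more reason to look closer, not a verdict on its own.
    larger_than_references: bool
    references: List[SigcheckEntry] = field(default_factory=list)


def parse_sigcheck(text: str) -> List[SigcheckEntry]:
    """Return every well-formed Sigcheck line; blank and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(SigcheckEntry(m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4)))
    return entries


def assess_sigcheck(text: str) -> Dict[str, Verdict]:
    """Compare each live system file with the backup copies that share its file name.

    Returns one Verdict per live file, keyed by the lowercased live path."""
    by_name: Dict[str, List[SigcheckEntry]] = {}
    for entry in parse_sigcheck(text):
        by_name.setdefault(entry.name, []).append(entry)

    verdicts: Dict[str, Verdict] = {}
    for entries in by_name.values():
        refs = [e for e in entries if e.is_reference]
        for live in (e for e in entries if not e.is_reference):
            if not refs:
                status = "no-reference"
            elif any(r.md5 == live.md5 for r in refs):
                status = "matched"
            else:
                status = "unmatched"
            verdicts[live.path.lower()] = Verdict(
                live.path, live.md5, live.size, status,
                bool(refs) and all(live.size > r.size for r in refs), refs,
            )
    return verdicts


if __name__ == "__main__":
    for verdict in assess_sigcheck(SAMPLE_SIGCHECK).values():
        flag = " (larger than every backup copy)" if verdict.larger_than_references else ""
        print(f"{verdict.status:12} {verdict.live_path} md5={verdict.live_md5}{flag}")
```

Run against the sample, the script reports tcpip.sys as matched (its dllcache copy has the same MD5) and both svchost.exe and explorer.exe as unmatched and larger than every backup copy, which is exactly the pattern the helper calls "patched files".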

#34 jim1097

    Authentic Member, 80 posts

Posted 13 June 2008 - 03:37 PM

I have good news and bad news.

1st - good news. Here is the ComboFix log I ran after installing the file from Windows.
=============================
ComboFix 08-06-11.3 - Administrator 2008-06-13 17:24:52.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1416 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-13 14:20 . 2008-06-13 14:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-06-13 10:12 . 2008-06-13 10:12 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-06-13 10:11 . 2008-06-13 10:37 <DIR> d-------- C:\Program Files\Norton 360
2008-06-13 10:09 . 2008-06-13 10:13 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-13 10:09 . 2008-06-13 10:13 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-13 10:09 . 2008-06-13 10:13 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-13 10:09 . 2008-06-13 10:13 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-13 10:08 . 2008-06-13 10:13 <DIR> d-------- C:\Program Files\Symantec
2008-06-13 09:25 . 2008-06-13 10:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-12 23:07 . 2008-06-13 09:24 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-12 22:52 . 2008-06-12 22:52 14,419 --a------ C:\WINDOWS\DrvmCDB_log
2008-06-12 22:32 . 2008-06-12 22:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Motive
2008-06-12 22:12 . 2008-06-13 16:53 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-12 22:12 . 2008-06-12 22:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-12 22:11 . 2008-06-12 22:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GTek
2008-06-12 18:57 . 2004-08-04 03:56 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2008-06-12 18:57 . 2004-08-04 03:56 33,280 --a------ C:\WINDOWS\system32\dllcache\rundll32.exe
2008-06-12 18:43 . 2008-06-12 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-06-12 15:04 . 2008-06-12 15:04 <DIR> d-------- C:\_OTMoveIt
2008-06-12 14:07 . 2008-06-12 14:07 <DIR> d-------- C:\Deckard
2008-06-12 12:31 . 2008-06-13 10:06 <DIR> d-------- C:\fixwareout
2008-06-12 00:15 . 2008-06-13 16:53 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-12 00:15 . 2008-06-13 15:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-11 23:14 . 2001-08-18 07:00 31,744 --a------ C:\WINDOWS\system32\RUNDLL32.ol2
2008-06-11 18:34 . 2008-06-11 18:34 <DIR> d-------- C:\Program Files\smitRem
2008-06-11 17:24 . 2008-06-11 17:25 <DIR> d-------- C:\Documents and Settings\Sean\Temp
2008-06-11 17:09 . 2008-06-11 17:09 <DIR> d-------- C:\Documents and Settings\Administrator\Program Files
2008-06-11 17:07 . 2008-06-11 17:07 72,192 --a------ C:\WINDOWS\tasklist.exe
2008-06-11 15:27 . 2008-06-11 15:27 <DIR> d-------- C:\WINDOWS\system32\Dell
2008-06-11 14:55 . 2008-06-11 14:55 <DIR> d-------- C:\Documents and Settings\Sean\New Folder
2008-06-10 13:44 . 2008-06-10 13:44 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-10 13:44 . 2008-06-10 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-10 13:44 . 2008-06-10 13:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-10 13:44 . 2008-06-09 20:13 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-10 13:44 . 2008-06-09 20:13 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-09 18:12 . 2008-06-10 11:09 200,448 --a------ C:\WINDOWS\system32\drivers\ndisio.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 23:00 --------- d-----w C:\Documents and Settings\Sean\Application Data\Registry Booster
2008-06-11 19:27 --------- d-----w C:\Program Files\Dell
2008-06-10 19:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-10 18:49 --------- d-----w C:\Program Files\WildTangent
2008-06-10 18:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-03 02:10 24,576 ----a-w C:\WINDOWS\system32\userinit.exe
2008-04-30 20:34 --------- d-----w C:\Documents and Settings\Sean\Application Data\TmpRecentIcons
2008-04-29 23:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-16 01:51 --------- d-----w C:\Program Files\Java
2008-04-15 01:23 17,408 ----a-w C:\WINDOWS\system32\svchost.exe
2008-04-14 23:11 15,772 ----a-w C:\Documents and Settings\Sean\Application Data\wklnhst.dat
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2006-06-25 17:50 1,793 ----a-w C:\WINDOWS\inf\SET2E6.tmp
2006-12-22 03:46 88 --sh--r C:\WINDOWS\system32\F7AEBA1285.sys
2006-12-22 03:46 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2008-04-13 20:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\svchost.exe
2008-04-14 21:23 17408 016e99a00bf65380352ad1ba8ee5f151 C:\WINDOWS\system32\svchost.exe

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-10 05:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\tcpip.sys
2007-10-30 13:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 13:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\drivers\tcpip.sys

2008-04-13 20:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\winlogon.exe
2004-08-10 05:00 506368 694c72f19fbb3c1e8a33f30381fe151e C:\WINDOWS\system32\winlogon.exe

2007-06-13 06:23 1035776 5eb4536b90e8ece755b5d5c90c56e173 C:\WINDOWS\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-10 05:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-13 20:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\explorer.exe

2008-04-13 20:12 108544 0e776ed5f7cc9f94299e70461b7b8185 C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\services.exe
2004-08-10 05:00 110592 e6dcca66a861ad511eb4b36471621b99 C:\WINDOWS\system32\services.exe

2008-04-13 20:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\lsass.exe
2004-08-10 05:00 14848 ce01c0db9fa81bf4bc082448eaf21124 C:\WINDOWS\system32\lsass.exe
.
((((((((((((((((((((((((((((( snapshot_2008-06-13_10.53.18.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-13 14:37:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-13 20:39:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-13 20:39:48 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_368.dat
+ 2008-06-13 20:40:00 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_738.dat
+ 2008-06-13 20:39:30 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2008-02-23 22:08 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-06-13 10:12 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@={4433A54A-1AC8-432F-90FC-85F045CF383C}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@={F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@={476D0EA3-80F9-48B5-B70B-05E677C9C148}

[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 17:46 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 18:17 282624 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20 122940]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-19 15:39 1838592]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 19:20 110592]
"DLADiag"="C:\WINDOWS\DLADiag.EXE" [2005-08-25 12:16 57403]
"pdfSaver3"="" []
"602PC SUITE PDF Saver"="C:\Program Files\Common Files\soft602\pdfSaver.exe" [2005-08-31 16:00 49152]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 17:37 936960]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 08:42 36864]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"jtpjhttp"="" []
"hfjtnfbj"="C:\DOCUME~1\Sean\LOCALS~1\Temp\dhnffjppjt.nls WLEntryPoint" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 15:37 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 10:50 988512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"InetChk"="C:\WINDOWS\TEMP\ms1209582824.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-09-06 02:11:27 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
C:\Program Files\Citrix\GoToAssist Express Customer\43\g2ax_winlogon.dll 2007-12-15 16:17 45368 C:\Program Files\Citrix\GoToAssist Express Customer\43\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21152:TCP"= 21152:TCP:@xpsp2res.dll,-22005
"14415:TCP"= 14415:TCP:@xpsp2res.dll,-22005
"60154:TCP"= 60154:TCP:@xpsp2res.dll,-22005
"29769:TCP"= 29769:TCP:@xpsp2res.dll,-22005

R1 DLADiagN;DLADiagN;C:\WINDOWS\system32\Drivers\DLADiagN.SYS [2005-08-25 12:16]
R1 DLAPMonN;DLAPMonN;C:\WINDOWS\system32\Drivers\DLAPMonN.SYS [2005-08-25 12:16]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
S2 NtmsSvc Service;Removable Storage NtmsSvc Service;C:\DOCUME~1\Sean\LOCALS~1\Temp\38.tmp []
S2 sqlagent$microsoftsmlbiznla;SQLAgent$MICROSOFTSMLBIZ SQLAgent$MICROSOFTSMLBIZNla;C:\DOCUME~1\Sean\LOCALS~1\Temp\22B6.tmp []
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 GoToAssist Express Customer;GoToAssist Express Customer;"C:\Program Files\Citrix\GoToAssist Express Customer\43\g2ax_service.exe" Start=service []
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\KB910393]
"rundll32.exe advpack.dll,LaunchINFSection C:\\WINDOWS\\INF\\EasyCDBlock.inf,PerUserInstall"
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 17:26:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\NtmsSvc Service]
"ImagePath"="C:\DOCUME~1\Sean\LOCALS~1\Temp\38.tmp srv"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\sqlagent$microsoftsmlbiznla]
"ImagePath"="C:\DOCUME~1\Sean\LOCALS~1\Temp\22B6.tmp srv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Citrix\GoToAssist Express Customer\43\g2ax_winlogon.dll
.
Completion time: 2008-06-13 17:27:37
ComboFix-quarantined-files.txt 2008-06-13 21:27:27
ComboFix2.txt 2008-06-13 16:18:03
ComboFix3.txt 2008-06-13 14:53:49
ComboFix4.txt 2008-06-13 02:17:57

Pre-Run: 49,998,282,752 bytes free
Post-Run: 50,004,074,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

219 --- E O F --- 2008-04-13 07:03:01

============================

The bad news is that while I was waiting for a reply, I got bored and deleted those four files you wanted handled by the OTMoveIt2 app. Here is the resulting log:

============================
Explorer killed successfully
File/Folder C:\Documents and Settings\Sean\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{3456080F-D8B5-4233-8E13-7EEC5EC0A20F} not found.
File/Folder C:\Documents and Settings\Sean\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A1AF089D-4F8B-4A06-8333-05ACB22B6DB2} not found.
File/Folder C:\Documents and Settings\Sean\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D8BD9B03-060A-4B47-AD30-6F98EC831A52} not found.
File/Folder C:\Documents and Settings\Sean\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{EB503B76-536E-42E1-ACD9-45C9C089FA01} not found.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06132008_173030

============================

:blush:

Jim

#35 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • 3,651 posts

Posted 13 June 2008 - 04:54 PM

Hello


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

FCOPY::
C:\windows\system32\dllcache\explorer.exe|C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\dllcache\lsass.exe|C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\dllcache\services.exe|C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\dllcache\svchost.exe|C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dllcache\winlogon.exe|C:\WINDOWS\system32\winlogon.exe

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall





Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.


Reboot and post a new HijackThis log
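The FCOPY step above overwrites each live system binary with the copy Windows keeps in system32\dllcache, which only helps if the dllcache copy is itself clean and actually differs from the patched file. The Python script below is an added example, not part of this thread and not ComboFix's own code: it parses Sigcheck-style lines as ComboFix prints them (date, time, size, MD5, path), pairs each live copy with its dllcache copy and reports whether the hashes agree, and includes a small hashlib routine for computing the same MD5 on a real file. The sample lines are taken from the ComboFix Sigcheck output posted later in this thread, except the dllcache svchost.exe line, which is constructed with a placeholder hash so the script has a mismatch to show.

```python
"""Pair live Windows system binaries with their dllcache copies by MD5.

Added example for this thread; not ComboFix's own code. It reads the
Sigcheck-style lines ComboFix prints ("<date> <time> <size> <md5> <path>")
and reports, per file name, whether the live copy and the dllcache copy
have the same hash, which is the precondition for an FCOPY:: restore.
"""
import hashlib
import ntpath
import re
from collections import defaultdict

# One Sigcheck line: date, time, size in bytes, 32-hex-digit MD5, then the path.
_SIGCHECK_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) ([0-9a-fA-F]{32}) (.+)$"
)

# Directories whose copy is the one Windows actually executes or loads.
LIVE_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\drivers"}
# Windows File Protection cache that the FCOPY:: directive copies from.
DLLCACHE_DIR = r"c:\windows\system32\dllcache"

# Sample input: four lines copied from the ComboFix Sigcheck output in this
# thread, plus one CONSTRUCTED dllcache line for svchost.exe (date, size and
# all-zero placeholder hash are made up) so the comparison has a mismatch to show.
SAMPLE = r"""
2008-04-14 21:23 17408 016e99a00bf65380352ad1ba8ee5f151 C:\WINDOWS\system32\svchost.exe
2004-08-04 03:56 14336 00000000000000000000000000000000 C:\WINDOWS\system32\dllcache\svchost.exe
2007-10-30 13:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 13:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\drivers\tcpip.sys
2004-08-10 05:00 506368 694c72f19fbb3c1e8a33f30381fe151e C:\WINDOWS\system32\winlogon.exe
"""


def parse_sigcheck(text):
    """Return one dict per well-formed line; anything else is skipped."""
    rows = []
    for line in text.splitlines():
        m = _SIGCHECK_RE.match(line.strip())
        if m:
            date, time, size, md5, path = m.groups()
            rows.append({"date": date, "time": time, "size": int(size),
                         "md5": md5.lower(), "path": path})
    return rows


def compare_with_dllcache(rows):
    """Map lower-cased file name -> {'live', 'dllcache', 'status'}.

    Copies under SoftwareDistribution, $hf_mig$ or $NtUninstall* are staged
    or backup versions and are deliberately ignored.
    """
    copies = defaultdict(dict)
    for r in rows:
        directory, name = ntpath.split(r["path"])
        d = directory.lower()
        if d in LIVE_DIRS:
            copies[name.lower()]["live"] = r["md5"]
        elif d == DLLCACHE_DIR:
            copies[name.lower()]["dllcache"] = r["md5"]
    report = {}
    for name, c in copies.items():
        live, cache = c.get("live"), c.get("dllcache")
        if live is None:
            status = "no live copy listed"
        elif cache is None:
            status = "no dllcache copy listed"   # nothing to restore from
        elif live == cache:
            status = "match"
        else:
            status = "MISMATCH"                  # live file differs from WFP cache
        report[name] = {"live": live, "dllcache": cache, "status": status}
    return report


def md5_of_file(path, chunk_size=1 << 20):
    """MD5 of a file on disk, read in chunks; use it to build real input rows."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def analyse_sample():
    """Run the comparison over SAMPLE; returns the report dict."""
    return compare_with_dllcache(parse_sigcheck(SAMPLE))


if __name__ == "__main__":
    for name, info in sorted(analyse_sample().items()):
        print(f"{name:14} live={info['live']} dllcache={info['dllcache']} -> {info['status']}")
```

A MISMATCH on its own does not say which copy is bad; the dllcache copy can be stale after a hotfix, or patched too. The check a practitioner wants is the hash of each copy against a known-good value for that exact file version, which is what the multi-engine scan earlier in this thread was standing in for.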

#36 jim1097

jim1097

    Authentic Member

  • Authentic Member
  • 80 posts

Posted 13 June 2008 - 05:32 PM

Ran this ComboFix:
===========================


ComboFix 08-06-11.3 - Administrator 2008-06-13 19:01:20.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1521 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScripts.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-13 14:20 . 2008-06-13 14:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-06-13 10:12 . 2008-06-13 10:12 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-06-13 10:11 . 2008-06-13 10:37 <DIR> d-------- C:\Program Files\Norton 360
2008-06-13 10:09 . 2008-06-13 10:13 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-13 10:09 . 2008-06-13 10:13 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-13 10:09 . 2008-06-13 10:13 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-13 10:09 . 2008-06-13 10:13 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-13 10:08 . 2008-06-13 10:13 <DIR> d-------- C:\Program Files\Symantec
2008-06-13 09:25 . 2008-06-13 10:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-12 23:07 . 2008-06-13 09:24 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-12 22:52 . 2008-06-12 22:52 14,419 --a------ C:\WINDOWS\DrvmCDB_log
2008-06-12 22:32 . 2008-06-12 22:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Motive
2008-06-12 22:12 . 2008-06-13 16:53 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-12 22:12 . 2008-06-12 22:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-12 22:11 . 2008-06-12 22:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GTek
2008-06-12 18:57 . 2004-08-04 03:56 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2008-06-12 18:57 . 2004-08-04 03:56 33,280 --a------ C:\WINDOWS\system32\dllcache\rundll32.exe
2008-06-12 18:43 . 2008-06-12 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-06-12 15:04 . 2008-06-12 15:04 <DIR> d-------- C:\_OTMoveIt
2008-06-12 14:07 . 2008-06-12 14:07 <DIR> d-------- C:\Deckard
2008-06-12 12:31 . 2008-06-13 10:06 <DIR> d-------- C:\fixwareout
2008-06-12 00:15 . 2008-06-13 19:04 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-12 00:15 . 2008-06-13 15:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-11 23:14 . 2001-08-18 07:00 31,744 --a------ C:\WINDOWS\system32\RUNDLL32.ol2
2008-06-11 18:34 . 2008-06-11 18:34 <DIR> d-------- C:\Program Files\smitRem
2008-06-11 17:24 . 2008-06-11 17:25 <DIR> d-------- C:\Documents and Settings\Sean\Temp
2008-06-11 17:09 . 2008-06-11 17:09 <DIR> d-------- C:\Documents and Settings\Administrator\Program Files
2008-06-11 17:07 . 2008-06-11 17:07 72,192 --a------ C:\WINDOWS\tasklist.exe
2008-06-11 15:27 . 2008-06-11 15:27 <DIR> d-------- C:\WINDOWS\system32\Dell
2008-06-11 14:55 . 2008-06-11 14:55 <DIR> d-------- C:\Documents and Settings\Sean\New Folder
2008-06-10 13:44 . 2008-06-10 13:44 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-10 13:44 . 2008-06-10 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-10 13:44 . 2008-06-10 13:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-10 13:44 . 2008-06-09 20:13 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-10 13:44 . 2008-06-09 20:13 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-09 18:12 . 2008-06-10 11:09 200,448 --a------ C:\WINDOWS\system32\drivers\ndisio.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 23:00 --------- d-----w C:\Documents and Settings\Sean\Application Data\Registry Booster
2008-06-11 19:27 --------- d-----w C:\Program Files\Dell
2008-06-10 19:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-10 18:49 --------- d-----w C:\Program Files\WildTangent
2008-06-10 18:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-30 20:34 --------- d-----w C:\Documents and Settings\Sean\Application Data\TmpRecentIcons
2008-04-29 23:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-16 01:51 --------- d-----w C:\Program Files\Java
2008-04-14 23:11 15,772 ----a-w C:\Documents and Settings\Sean\Application Data\wklnhst.dat
2006-12-22 03:46 88 --sh--r C:\WINDOWS\system32\F7AEBA1285.sys
2006-12-22 03:46 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2008-04-13 20:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\svchost.exe
2008-04-14 21:23 17408 016e99a00bf65380352ad1ba8ee5f151 C:\WINDOWS\system32\svchost.exe

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-10 05:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\tcpip.sys
2007-10-30 13:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 13:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\drivers\tcpip.sys

2008-04-13 20:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\winlogon.exe
2004-08-10 05:00 506368 694c72f19fbb3c1e8a33f30381fe151e C:\WINDOWS\system32\winlogon.exe

2007-06-13 06:23 1035776 5eb4536b90e8ece755b5d5c90c56e173 C:\WINDOWS\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-10 05:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-13 20:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\explorer.exe

2008-04-13 20:12 108544 0e776ed5f7cc9f94299e70461b7b8185 C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\services.exe
2004-08-10 05:00 110592 e6dcca66a861ad511eb4b36471621b99 C:\WINDOWS\system32\services.exe

2008-04-13 20:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\lsass.exe
2004-08-10 05:00 14848 ce01c0db9fa81bf4bc082448eaf21124 C:\WINDOWS\system32\lsass.exe
.
((((((((((((((((((((((((((((( snapshot_2008-06-13_10.53.18.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-13 14:37:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-13 23:03:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-13 23:04:20 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5fc.dat
+ 2008-06-13 23:03:53 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_788.dat
+ 2008-06-13 23:04:25 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2008-02-23 22:08 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-06-13 10:12 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@={4433A54A-1AC8-432F-90FC-85F045CF383C}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@={F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@={476D0EA3-80F9-48B5-B70B-05E677C9C148}

[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 17:46 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 18:17 282624 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20 122940]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-19 15:39 1838592]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 19:20 110592]
"DLADiag"="C:\WINDOWS\DLADiag.EXE" [2005-08-25 12:16 57403]
"pdfSaver3"="" []
"602PC SUITE PDF Saver"="C:\Program Files\Common Files\soft602\pdfSaver.exe" [2005-08-31 16:00 49152]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 17:37 936960]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 08:42 36864]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"jtpjhttp"="" []
"hfjtnfbj"="C:\DOCUME~1\Sean\LOCALS~1\Temp\dhnffjppjt.nls WLEntryPoint" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 15:37 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 10:50 988512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"InetChk"="C:\WINDOWS\TEMP\ms1209582824.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-09-06 02:11:27 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
C:\Program Files\Citrix\GoToAssist Express Customer\43\g2ax_winlogon.dll 2007-12-15 16:17 45368 C:\Program Files\Citrix\GoToAssist Express Customer\43\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21152:TCP"= 21152:TCP:@xpsp2res.dll,-22005
"14415:TCP"= 14415:TCP:@xpsp2res.dll,-22005
"60154:TCP"= 60154:TCP:@xpsp2res.dll,-22005
"29769:TCP"= 29769:TCP:@xpsp2res.dll,-22005

R1 DLADiagN;DLADiagN;C:\WINDOWS\system32\Drivers\DLADiagN.SYS [2005-08-25 12:16]
R1 DLAPMonN;DLAPMonN;C:\WINDOWS\system32\Drivers\DLAPMonN.SYS [2005-08-25 12:16]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
S2 NtmsSvc Service;Removable Storage NtmsSvc Service;C:\DOCUME~1\Sean\LOCALS~1\Temp\38.tmp []
S2 sqlagent$microsoftsmlbiznla;SQLAgent$MICROSOFTSMLBIZ SQLAgent$MICROSOFTSMLBIZNla;C:\DOCUME~1\Sean\LOCALS~1\Temp\22B6.tmp []
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 GoToAssist Express Customer;GoToAssist Express Customer;"C:\Program Files\Citrix\GoToAssist Express Customer\43\g2ax_service.exe" Start=service []
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\KB910393]
"rundll32.exe advpack.dll,LaunchINFSection C:\\WINDOWS\\INF\\EasyCDBlock.inf,PerUserInstall"
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 19:10:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NtmsSvc Service]
"ImagePath"="C:\DOCUME~1\Sean\LOCALS~1\Temp\38.tmp srv"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sqlagent$microsoftsmlbiznla]
"ImagePath"="C:\DOCUME~1\Sean\LOCALS~1\Temp\22B6.tmp srv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Citrix\GoToAssist Express Customer\43\g2ax_winlogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-13 19:14:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-13 23:13:55
ComboFix2.txt 2008-06-13 21:28:02
ComboFix3.txt 2008-06-13 16:18:03
ComboFix4.txt 2008-06-13 14:53:49
ComboFix5.txt 2008-06-13 02:17:57

Pre-Run: 49,993,052,160 bytes free
Post-Run: 49,985,667,072 bytes free

227 --- E O F --- 2008-04-13 07:03:01

======================================

Then downloaded and ran Express Scan on Dr. Web. Worried that the infected files were removed -

explorer.exe
lsass.exe
services.exe
svchost.exe
winlogon.exe

...and there was no CD available to replace them. I assume you will show me how to restore these files from the item we downloaded from Windows???

DrWeb.csv contained:
===================================
explorer.exe;c:\windows;Trojan.Starter.384;Cured.;
lsass.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
services.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
svchost.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
winlogon.exe;c:\windows\system32;Trojan.Starter.384;Cured.;

===================================


Dr. Web is doing a complete scan now.

Jim
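The DrWeb.csv listing above shows "Cured." against explorer.exe, lsass.exe, services.exe, svchost.exe and winlogon.exe, meaning Dr.Web rewrote each live binary in place rather than deleting it; whether the result is a clean file is exactly what the earlier FCOPY step and a hash check afterwards settle. The Python script below is an added example, not part of this thread and not Dr.Web's own code: it parses the report's "name;path;threat;action;" lines, buckets them by the action taken (cured in place, removed, detected only), flags members of archives, and counts hits inside System Restore snapshots. The sample lines are taken from the DrWeb.csv listings posted in this thread.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) by the action the scanner took.

Added example for this thread; not Dr.Web's own code. Each report line is
"name;path;threat;action;" with a trailing separator. An empty action means
the object was only detected, for instance because it sits inside an archive
or installer, or because no cure was applied.
"""

# Sample input: six lines taken from the DrWeb.csv listings in this thread.
SAMPLE_REPORT = r"""
explorer.exe;c:\windows;Trojan.Starter.384;Cured.;
svchost.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Administrator\Desktop\ComboFix.exe;Program.PsExec.171;;
mbam.exe;C:\Program Files\Malwarebytes' Anti-Malware;Probably BACKDOOR.Trojan;;
A0058543.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.NtRootKit.239;Deleted.;
A0042151.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP708;Trojan.DownLoader.origin;Incurable.Moved.;
"""

# Actions after which the object is no longer at its original path.
REMOVED_ACTIONS = {"Deleted.", "Moved.", "Incurable.Moved."}
# System Restore keeps its own copies of old files here.
RESTORE_DIR = r"c:\system volume information"


def parse_drweb_report(text):
    """Split each line on ';' into name, path, threat and action (may be empty)."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(";")
        if len(parts) < 4:
            continue   # blank or truncated line
        name, path, threat, action = parts[:4]
        records.append({
            "name": name,
            "path": path,
            "threat": threat,
            "action": action,
            # A path separator inside the name means a member of an archive/installer.
            "in_archive": "\\" in name or "/" in name,
        })
    return records


def triage(records):
    """Bucket record names: cured in place, removed, detected only, or other."""
    buckets = {"cured_in_place": [], "removed": [], "detected_only": [], "other": []}
    for r in records:
        if r["action"] == "Cured.":
            buckets["cured_in_place"].append(r["name"])   # live file was rewritten
        elif r["action"] in REMOVED_ACTIONS:
            buckets["removed"].append(r["name"])
        elif r["action"] == "":
            buckets["detected_only"].append(r["name"])    # review before acting
        else:
            buckets["other"].append(r["name"])
    return buckets


def restore_point_hits(records):
    """Count detections that live inside System Restore snapshots."""
    return sum(1 for r in records if r["path"].lower().startswith(RESTORE_DIR))


def analyse_sample():
    """Parse SAMPLE_REPORT; returns (buckets, restore-point hit count)."""
    recs = parse_drweb_report(SAMPLE_REPORT)
    return triage(recs), restore_point_hits(recs)


if __name__ == "__main__":
    buckets, hits = analyse_sample()
    for bucket, names in buckets.items():
        print(f"{bucket:15} {names}")
    print(f"restore-point hits: {hits}")
```

The "detected_only" bucket is where heuristic hits ("Probably BACKDOOR.Trojan", "Program.PsExec.171") on the helper's own tools land; those are listed with no action taken and are worth reviewing against what the tool is known to contain before anything is deleted. The restore-point count explains why cleanup guides finish by clearing System Restore: every snapshot still holds a copy of the old malware.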

#37 jim1097

jim1097

    Authentic Member

  • Authentic Member
  • 80 posts

Posted 13 June 2008 - 05:33 PM

OK, I see it. I'm supposed to reboot. CU Jim

#38 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • 3,651 posts

Posted 13 June 2008 - 05:42 PM

Post a new HijackThis log and tell me how your PC is running

#39 jim1097

jim1097

    Authentic Member

  • Authentic Member
  • 80 posts

Posted 13 June 2008 - 06:18 PM

That "complete scan" has been running for 50 minutes now, and it's only half done. Can't reboot until it's done. If you're around at 9:30 EDT (2130), check it out. Thanks again. Jim

#40 jim1097

jim1097

    Authentic Member

  • Authentic Member
  • 80 posts

Posted 13 June 2008 - 07:21 PM

Posting the Dr. Web log while the affected computer reboots.
===============================
explorer.exe;c:\windows;Trojan.Starter.384;Cured.;
lsass.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
services.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
svchost.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
winlogon.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
ComboFix.exe\327882R2FWJFW\FIND3M.bat;C:\Documents and Settings\Administrator\Desktop\ComboFix.exe;Probably SCRIPT.Virus;;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Administrator\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Administrator\Desktop;Archive contains infected objects;Moved.;
smitRem.exe\smitRem/Process.exe;C:\Documents and Settings\Administrator\Desktop\smitRem.exe;Tool.Prockill;;
smitRem.exe\smitRem/pv.exe;C:\Documents and Settings\Administrator\Desktop\smitRem.exe;Program.PrcView.3741;;
smitRem.exe;C:\Documents and Settings\Administrator\Desktop;Archive contains infected objects;Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131;Probably BACKDOOR.Trojan;;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;;
ocpinst.exe\data529;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\ocpinst.exe;Probably BACKDOOR.Trojan;;
ocpinst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Archive contains infected objects;Moved.;
mbam.exe;C:\Program Files\Malwarebytes' Anti-Malware;Probably BACKDOOR.Trojan;;
Process.exe;C:\Program Files\smitRem\smitRem;Tool.Prockill;;
pv.exe;C:\Program Files\smitRem\smitRem;Program.PrcView.3741;;
A0039144.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP704;BackDoor.FireOn.6;Deleted.;
A0039157.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP706;Trojan.DownLoader.19256;Deleted.;
A0039159.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP706;Trojan.DownLoader.56889;Deleted.;
A0039168.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP706;Trojan.Packed.431;Deleted.;
A0042143.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP706;Win32.HLLW.Socks.5;Deleted.;
A0042151.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP708;Trojan.DownLoader.origin;Incurable.Moved.;
A0042155.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP708;Trojan.DownLoader.19256;Deleted.;
A0042164.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP708;Trojan.Packed.431;Deleted.;
A0044183.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP709;Adware.Winfixer.7;;
A0044191.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP709;Win32.HLLW.Socks.5;Deleted.;
A0044194.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP709;Trojan.DownLoader.origin;Incurable.Moved.;
A0044205.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP709;Trojan.LowZones.874;Deleted.;
A0046231.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Packed.431;Deleted.;
A0046233.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.origin;Incurable.Moved.;
A0054228.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.origin;Incurable.Moved.;
A0055220.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59069;Deleted.;
A0056264.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Win32.HLLW.Socks.5;Deleted.;
A0056279.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Win32.HLLW.Socks.5;Deleted.;
A0057262.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.50037;Deleted.;
A0058257.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.;
A0058264.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.;
A0058265.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.61474;Deleted.;
A0058269.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;BackDoor.Bulknet.195;Deleted.;
A0058272.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.61474;Deleted.;
A0058273.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.;
A0058278.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;BackDoor.Bulknet.195;Deleted.;
A0058280.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.61474;Deleted.;
A0058281.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.;
A0058286.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;BackDoor.Bulknet.195;Deleted.;
A0058288.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.61474;Deleted.;
A0058289.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.;
A0058295.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.MulDrop.16399;Deleted.;
A0058296.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.;
A0058299.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.LowZones.874;Deleted.;
A0058303.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.;
A0058304.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.MulDrop.16399;Deleted.;
A0058309.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.9;Deleted.;
A0058312.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.MulDrop.16399;Deleted.;
A0058313.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.;
A0058319.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.;
A0058320.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.MulDrop.16399;Deleted.;
A0058325.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.9;Deleted.;
A0058328.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.MulDrop.16399;Deleted.;
A0058329.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.;
A0058335.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.;
A0058336.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.MulDrop.16399;Deleted.;
A0058339.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.;
A0058340.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.MulDrop.16399;Deleted.;
A0058345.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.9;Deleted.;
A0058349.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.MulDrop.16399;Deleted.;
A0058350.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.;
A0058354.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.9;Deleted.;
A0058364.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.MulDrop.14031;Deleted.;
A0058438.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Adware.Spysheriff;;
A0058467.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.LowZones.874;Deleted.;
A0058473.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Packed.431;Deleted.;
A0058475.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.19256;Deleted.;
A0058476.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Win32.HLLW.Socks.5;Deleted.;
A0058521.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Win32.HLLW.Socks.5;Deleted.;
A0058524.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.MulDrop.8347;Deleted.;
A0058525.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Packed.431;Deleted.;
A0058541.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Proxy.3006;Deleted.;
A0058543.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.NtRootKit.239;Deleted.;
A0058554.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.PWS.Femail;Deleted.; A0058557.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.MulDrop.16399;Deleted.; A0058558.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0058563.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0058565.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.63553;Deleted.; A0058566.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0058570.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0058572.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.63553;Deleted.; A0058573.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0058577.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0058578.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.63553;Deleted.; A0058582.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0058750.DLL;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Adware.Websearch;; A0058751.drv;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Spambot.2543;Deleted.; A0058752.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.58985;Deleted.; A0058753.dll;C:\System Volume 
Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Spambot.3155;Deleted.; A0058755.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0058756.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.63553;Deleted.; A0058761.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0059755.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.63553;Deleted.; A0059756.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0059760.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0059767.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Adware.Funweb;; A0059769.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Virtumod.based.12;Incurable.Moved.; A0059770.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Virtumod.based.12;Incurable.Moved.; A0059771.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Virtumod.345;Deleted.; A0059773.drv;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Spambot.2543;Deleted.; A0059774.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Spambot.2543;Deleted.; A0059777.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0059778.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.63553;Deleted.; A0059783.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; 
A0059785.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.63553;Deleted.; A0059786.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0059790.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0059792.drv;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Spambot.2543;Deleted.; A0059793.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Spambot.2543;Deleted.; A0059797.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.63553;Deleted.; A0059799.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0059803.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0059806.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.63553;Deleted.; A0059807.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0059811.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0059812.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Starter.384;Cured.; A0059813.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Spambot.2543;Deleted.; A0060806.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.63553;Deleted.; A0060807.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0060811.sys;C:\System Volume 
Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0060813.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.63553;Deleted.; A0060814.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0060818.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0060820.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.63553;Deleted.; A0060821.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0060825.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0060832.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0060833.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.63553;Deleted.; A0060837.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0060841.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Starter.384;Cured.; A0060841.exe:exe.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Spambot.3156;Deleted.; A0060854.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.63553;Deleted.; A0060855.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0060859.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0060868.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.63553;Deleted.; 
A0060869.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0060873.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0060876.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.63553;Deleted.; A0060877.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0060882.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0060886.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0060891.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0060941.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0060946.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0060957.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0060961.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.63553;Deleted.; A0060962.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.DownLoader.59701;Deleted.; A0060966.sys;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP710;Trojan.Rntm.10;Deleted.; A0061031.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP711;Trojan.DownLoader.59701;Deleted.; A0061107.EXE;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP711;Program.PsExec.170;; A0061153.bat;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP711;Probably SCRIPT.Virus;; 
A0061589.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP715;Trojan.Proxy.origin;Incurable.Moved.; A0062269.bat;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP716;Probably SCRIPT.Virus;; A0062317.bat;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP717;Probably SCRIPT.Virus;; A0062382.bat;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP718;Probably SCRIPT.Virus;; A0062426.EXE;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP719;Program.PsExec.170;; A0062436.bat;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP719;Probably SCRIPT.Virus;; A0062487.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP719;Trojan.Starter.384;Cured.; A0062488.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP719;Trojan.Starter.384;Cured.; A0062489.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP719;Trojan.Starter.384;Cured.; A0062490.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP719;Trojan.Starter.384;Cured.; A0062491.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP719;Trojan.Starter.384;Cured.; A0062492.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP719\A0062492.exe;Probably SCRIPT.Virus;; A0062492.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP719\A0062492.exe;Program.PsExec.171;; A0062492.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP719;Archive contains infected objects;Moved.; A0062493.exe\smitRem/Process.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP719\A0062493.exe;Tool.Prockill;; A0062493.exe\smitRem/pv.exe;C:\System Volume 
Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP719\A0062493.exe;Program.PrcView.3741;; A0062493.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP719;Archive contains infected objects;Moved.; A0062494.exe\data529;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP719\A0062494.exe;Probably BACKDOOR.Trojan;; A0062494.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP719;Archive contains infected objects;Moved.; ==================================== Jim



#41 jim1097

jim1097

    Authentic Member

  • Authentic Member
  • 80 posts

Posted 13 June 2008 - 08:00 PM

I rebooted after the DrWeb scan. I still do not get a desktop (after the background is loaded).

So I Ctrl-Alt-Del to get Task Manager and then hit "New task" for Explorer. As soon as I select that, the desktop and icons appear, including the Start Menu and apps tray. I then also get an error (same as always) concerning the rundll32.exe, which is still looking for a file that does not exist. I am including a screen shot so you may recognize the other dialog panels that appear.

HijackThis Log:
===============================
Logfile of HijackThis v1.99.1
Scan saved at 21:50, on 2008-06-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\soft602\pdfSaver.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [DLADiag] C:\WINDOWS\DLADiag.EXE
O4 - HKLM\..\Run: [602PC SUITE PDF Saver] "C:\Program Files\Common Files\soft602\pdfSaver.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [hfjtnfbj] rundll32.exe "C:\DOCUME~1\Sean\LOCALS~1\Temp\dhnffjppjt.nls" WLEntryPoint
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O20 - Winlogon Notify: GoToAssist Express Customer - C:\Program Files\Citrix\GoToAssist Express Customer\43\g2ax_winlogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist Express Customer - Unknown owner - C:\Program Files\Citrix\GoToAssist Express Customer\43\g2ax_service.exe" Start=service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Removable Storage NtmsSvc Service (NtmsSvc Service) - Unknown owner - C:\DOCUME~1\Sean\LOCALS~1\Temp\38.tmp.exe (file missing)
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: SQLAgent$MICROSOFTSMLBIZ SQLAgent$MICROSOFTSMLBIZNla (sqlagent$microsoftsmlbiznla) - Unknown owner - C:\DOCUME~1\Sean\LOCALS~1\Temp\22B6.tmp.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

It's 10:00pm here and I don't expect to hear from you until tomorrow, so good night and thank you.

Jim

Attached Thumbnails

  • screenShot002.JPG


#42 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • 3,651 posts

Posted 14 June 2008 - 06:34 AM

Hello

1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [hfjtnfbj] rundll32.exe "C:\DOCUME~1\Sean\LOCALS~1\Temp\dhnffjppjt.nls" WLEntryPoint


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and do this

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
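The two entries picked out of the log above (a toolbar with no file behind it, and a Run key launching rundll32.exe on an oddly named file in a user's Temp folder) are the classic things a helper scans a HijackThis log for. The script below is an added example, not code from this thread or from HijackThis: it triages HijackThis-style lines with a few assumed heuristics (missing-file markers, user Temp paths, rundll32 loading a non-DLL, vowel-less Run key names) over sample lines constructed from the log posted above.

```python
"""HijackThis-style log triage (added example; not code from this thread or from HijackThis)."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hfjtnfbj] rundll32.exe "C:\DOCUME~1\Sean\LOCALS~1\Temp\dhnffjppjt.nls" WLEntryPoint
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Removable Storage NtmsSvc Service (NtmsSvc Service) - Unknown owner - C:\DOCUME~1\Sean\LOCALS~1\Temp\38.tmp.exe (file missing)
"""

# "O4 - ..." / "O23 - ..." section prefix used by HijackThis.
SECTION_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Run-key entries: ...\Run: [name] command
RUN_KEY_RE = re.compile(r"\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Per-user temp folders, in both 8.3 and long-name form (assumed heuristic).
TEMP_PATH_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# rundll32 with its first argument (the module it loads), quoted or not.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<target>[^"\s]+)"?', re.IGNORECASE)
# Markers HijackThis prints when the referenced file is gone.
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    section: str
    reasons: list
    line: str


def looks_random(name: str) -> bool:
    """Crude heuristic (an assumption, not a HijackThis rule): a lowercase-only
    name of six or more letters with no vowels, like [hfjtnfbj]."""
    return (len(name) >= 6 and name.isalpha() and name.islower()
            and not set("aeiou") & set(name))


def triage_line(line: str):
    """Return a Finding for one log line, or None when nothing looks off."""
    m = SECTION_RE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    reasons = []
    if any(marker in body for marker in MISSING_MARKERS):
        reasons.append("target file missing (orphaned entry)")
    if TEMP_PATH_RE.search(body):
        reasons.append("runs from a user Temp folder")
    rd = RUNDLL_RE.search(body)
    if rd and not rd.group("target").lower().endswith(".dll"):
        reasons.append("rundll32 loading a non-.dll file")
    rk = RUN_KEY_RE.search(body)
    if rk and looks_random(rk.group("name")):
        reasons.append("random-looking Run key name")
    return Finding(section, reasons, line) if reasons else None


def triage(log_text: str):
    """Triage every line of a log; returns the flagged entries in log order."""
    findings = []
    for raw in log_text.splitlines():
        f = triage_line(raw.strip())
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
```

A flagged line is a candidate for review, not a verdict; legitimate software does occasionally leave orphaned entries behind.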


#43 jim1097

jim1097

    Authentic Member

  • Authentic Member
  • 80 posts

Posted 14 June 2008 - 06:50 AM

Good morning. Just completed the first part and the computer is rebooting in prep for the Kaspersky scan. Jim

#44 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • 3,651 posts

Posted 14 June 2008 - 06:54 AM

Ok, let me know how it all goes. Post the logs together please; it may need two posts.

#45 jim1097

jim1097

    Authentic Member

  • Authentic Member
  • 80 posts

Posted 14 June 2008 - 08:19 AM

Kaspersky scan completed. Log:
===========================
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, June 14, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, June 14, 2008 12:34:22
Records in database: 863449

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics
Files scanned 61911
Threat name 4
Infected objects 5
Suspicious objects 0
Duration of the scan 00:57:06

File name Threat name Threats count
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0058750.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc 1
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0059767.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0059769.dll Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\catchme2008-06-12_215554.53.zip Infected: Rootkit.Win32.Agent.aap 2

The selected area was scanned.
==========================
Moving on to DSS. Jim
