[Closed] help please


This topic is locked. 13 replies to this topic.

#1 Bob in Dallas (New Member, 7 posts)

Posted 12 June 2008 - 02:39 PM

This laptop has always been plenty fast. Now it is running slow, locking up, etc. I ran Spybot and Norton 2008 and both are showing that any malware has been removed, but something's still not right here. Here is my HijackThis log; my ComboFix log is in the following post. Any help would be appreciated.
Bob

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:01 PM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\RangeBooster G WNA-2330\acs.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\palmOne\Hotsync.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\USB Sharing\usbshare.exe
C:\Program Files\D-Link\RangeBooster G WNA-2330\wirelesscm.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\Michael R. Mitchell\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\Michael R. Mitchell\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Setup.exe" "/UPREBOOT /temp /patched"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Tunebite] C:\Program Files\RapidSolution\Tunebite\Tunebite.exe -tray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update Time] wuam.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update Time] wuam.exe (User 'Default user')
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: USB Sharing.lnk = C:\Program Files\USB Sharing\usbshare.exe
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\RangeBooster G WNA-2330\wirelesscm.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{13957F05-B564-4F0C-9840-AEBA2FF300A0}: NameServer = 192.168.3.5,192.168.3.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{13957F05-B564-4F0C-9840-AEBA2FF300A0}: NameServer = 192.168.3.5,192.168.3.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{13957F05-B564-4F0C-9840-AEBA2FF300A0}: NameServer = 192.168.3.5,192.168.3.1
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\Program Files\D-Link\RangeBooster G WNA-2330\acs.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 11392 bytes

Edited by Bob in Dallas, 13 June 2008 - 11:11 AM.



#2 Bob in Dallas (New Member, 7 posts)

Posted 13 June 2008 - 11:04 AM

My HijackThis and Combofix logs are attached. Please help!
Thanks.

ComboFix 08-06-11.7 - 2008-06-13 10:16:55.1 - NTFSx86
Running from: C:\Documents and Settings\MRM\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\fad.sys

.
((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-11 14:49 . 2008-06-11 14:49 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-06-11 14:40 . 2008-06-12 10:11 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-06-11 14:36 . 2008-06-12 09:54 123,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2008-06-11 14:36 . 2008-06-12 09:54 60,800 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-06-11 14:35 . 2008-06-12 09:54 <DIR> d-------- C:\Program Files\Symantec
2008-06-11 14:35 . 2008-06-12 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-11 12:47 . 2008-06-11 15:06 <DIR> d----c--- C:\Documents and Settings\Michael R. Mitchell\Application Data\Symantec
2008-06-11 09:35 . 2008-06-11 09:39 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-10 15:57 . 2008-04-14 06:01 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 15:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-12 20:18 --------- d-----w C:\Program Files\Trend Micro
2008-06-12 14:54 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-12 14:54 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-11 15:08 --------- d-----w C:\Program Files\Norton AntiVirus
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-04-28 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-04-28 02:20 --------- dc----w C:\Documents and Settings\Michael R. Mitchell\Application Data\Tunebite
2008-04-27 15:45 --------- dc----w C:\Documents and Settings\Michael R. Mitchell\Application Data\RTPlayer
2008-04-26 15:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-26 15:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-04-21 07:04 659,456 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2008-04-21 07:04 615,936 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2008-04-21 07:04 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2008-04-21 07:04 1,494,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2008-04-18 17:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-18 17:28 --------- d-----w C:\Program Files\Security Task Manager
2008-04-18 13:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 19:35 --------- d-----w C:\Program Files\PixiePack Codec Pack
2008-04-17 19:30 --------- d-----w C:\Program Files\RapidSolution
2008-04-17 19:16 --------- d-----w C:\Program Files\Pearl Harbor - Zero Hour
2008-04-17 19:10 --------- d-----w C:\Program Files\LucasArts
2008-04-17 10:52 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2008-04-14 18:48 10,344 ----a-w C:\WINDOWS\system32\drivers\symlcbrd.sys
2008-04-14 11:01 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2003-03-21 16:38 207,759 -c--a-w C:\Program Files\INSTALL.LOG
1992-03-10 03:10 93,184 -c--a-w C:\Program Files\CARDFILE.EXE
.

(((

Edited by Bob in Dallas, 13 June 2008 - 12:46 PM.


#3 ken545 (Forum God, Classroom Teacher, MVP, 23,203 posts; Interests: Fighting Malware and cooking some great Italian and TexMex food)

Posted 15 June 2008 - 06:44 AM

Hello Bob

Welcome to the Whatthetech Malware Removal Forum,

Let me explain about ComboFix: it's not a general cleaning tool, it's just used to go after certain infections, and run without supervision it could sometimes bork your entire system. Please do not run any more tools unless directed to do so. You should have disabled the TeaTimer in Spybot for starters, and you also did not post the entire report, which does not help me.

Do this first...Important


Disable the TeaTimer; you can re-enable it when we're done if you wish.

  • Run Spybot-S&D in Advanced Mode.
  • If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
  • On the left hand side, click on Tools.
  • Then click on the Resident icon in the list.
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer. <-- You need to do this for it to take effect.




Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update Time] wuam.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update Time] wuam.exe (User 'Default user')



You need to enable Windows to show all files and folders; instructions Here.

wuam.exe <-- Look for and delete this file; it could be in C:\windows or C:\windows\system32.



Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Want to help others? Join our Malware Removal Classroom HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.

Find us on Facebook
Please LIKE and SHARE

Just a reminder that threads will be closed if no reply in 3 days.
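Added example, not a tool from this thread and not code from the HijackThis or WhatTheTech authors: a small Python triage script that mechanises the check ken545 applied to the O4 lines above. It parses HijackThis O4 autostart lines and reports a value name when its command is a bare file name with no directory (Windows then resolves it through the search path, which is one reason such a file can be hard to locate by hand), when the same value appears under several hives at once, when it is loaded for the SYSTEM or .DEFAULT user, or when it sits under the legacy RunServices key. The regex, the reason strings, the `min_hives` threshold and the `SAMPLE_LOG` constant (lines copied from the first log posted in this thread) are my own assumptions and constructions; Global Startup lines use a different format and are deliberately skipped.

```python
"""Triage helper for HijackThis-style O4 (autostart) lines.

Added example for this thread; it is not part of HijackThis itself.
Assumed line format, as printed in the posted log:
    O4 - <hive>\..\<key>: [<name>] <command> (User '<user>')
"""
import re
from collections import defaultdict

# Regex assumption: matches the O4 registry-autostart format shown in the posted log.
# Global Startup lines ("O4 - Global Startup: ...") do not match and are skipped.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<command>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Hives that load for every session, not just the logged-on user.
SYSTEM_HIVES = {"HKUS\\S-1-5-18", "HKUS\\.DEFAULT"}

# Constructed sample: O4/R1 lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe",
    r'O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow',
    r"O4 - HKLM\..\Run: [CARPService] carpserv.exe",
    r"O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe",
    r"O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe",
    r"O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update Time] wuam.exe (User 'SYSTEM')",
    r"O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update Time] wuam.exe (User 'Default user')",
    r"O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com",
]


def parse_o4(lines):
    """Return a dict (hive, key, name, command, user) for every O4 registry line that matches."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def command_image(command):
    """Extract the executable part of a Run command: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_bare_image(image):
    """True when the image carries no directory, so Windows resolves it via the search path."""
    return "\\" not in image and not image.startswith("%")


def triage(lines, min_hives=2):
    """Group O4 entries by value name and return {name: {images, hives, reasons}} for suspicious ones."""
    by_name = defaultdict(list)
    for entry in parse_o4(lines):
        by_name[entry["name"]].append(entry)

    findings = {}
    for name, entries in by_name.items():
        images = {command_image(e["command"]) for e in entries}
        hives = {e["hive"] for e in entries}
        keys = {e["key"] for e in entries}
        reasons = []
        if any(is_bare_image(i) for i in images):
            reasons.append("bare file name, no path")
        if len(hives) >= min_hives:
            reasons.append(f"present in {len(hives)} hives")
        if hives & SYSTEM_HIVES:
            reasons.append("loaded for SYSTEM/Default user")
        if "RunServices" in keys:
            reasons.append("RunServices key present")
        if reasons:
            findings[name] = {
                "images": sorted(images),
                "hives": sorted(hives),
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for name, info in triage(SAMPLE_LOG).items():
        print(f"[{name}] {info['images']} in {info['hives']} -> {'; '.join(info['reasons'])}")
```

Run against the sample, the script singles out "Microsoft Update Time" for all four reasons and flags "CARPService" only for its path-less command, which is the same distinction ken545 drew by eye: the entries he listed for Fix Checked are exactly the ones loaded under every hive. The script only reports; removing the registry values is what HijackThis does on Fix Checked, and as post #4 shows, the value can outlive the file it points to.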


#4 Bob in Dallas (New Member, 7 posts)

Posted 30 June 2008 - 04:29 PM

Thanks for the help. I ran everything as instructed. The only thing I did not find was the wuam.exe file -- it was not in windows or windows\system32. I did a search of the whole C: drive and did not find that file.

The logs are below.

Thanks.

SDFix: Version 1.199
Run by MRM on Mon 06/30/2008 at 04:28 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 16:48:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Yahoo!\\Messenger\\YPAGER.EXE"="C:\\Program Files\\Yahoo!\\Messenger\\YPAGER.EXE:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"="C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe:*:Enabled:Yahoo! FT Server"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 4 Jun 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 9 Aug 2006 409 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti17.tmp"
Wed 8 Aug 2007 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Wed 8 Aug 2007 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:42 PM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\RangeBooster G WNA-2330\acs.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\palmOne\Hotsync.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\USB Sharing\usbshare.exe
C:\Program Files\D-Link\RangeBooster G WNA-2330\wirelesscm.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\Michael R. Mitchell\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\Michael R. Mitchell\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Setup.exe" "/UPREBOOT /temp /patched"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Tunebite] C:\Program Files\RapidSolution\Tunebite\Tunebite.exe -tray
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: USB Sharing.lnk = C:\Program Files\USB Sharing\usbshare.exe
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\RangeBooster G WNA-2330\wirelesscm.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{13957F05-B564-4F0C-9840-AEBA2FF300A0}: NameServer = 192.168.3.5,192.168.3.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{13957F05-B564-4F0C-9840-AEBA2FF300A0}: NameServer = 192.168.3.5,192.168.3.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{13957F05-B564-4F0C-9840-AEBA2FF300A0}: NameServer = 192.168.3.5,192.168.3.1
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\Program Files\D-Link\RangeBooster G WNA-2330\acs.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 9615 bytes

#5 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,203 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 30 June 2008 - 04:58 PM

Hello Bob, your log looks fine, but I would like to see the ComboFix log; it can be found here: C:\combofix.txt

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
Just a reminder that threads will be closed if no reply in 3 days.


#6 Bob in Dallas

Bob in Dallas

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 30 June 2008 - 07:08 PM

Thanks, Ken. Do you want me to run ComboFix again, or send the log from the other day? Bob

#7 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,203 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 30 June 2008 - 07:31 PM

Let me see the one from the other day and that will decide if we need to run it again.

Just a reminder that threads will be closed if no reply in 3 days.


#8 Bob in Dallas

Bob in Dallas

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 01 July 2008 - 09:15 AM

Here is the ComboFix log from last week.

Thanks.

ComboFix 08-06-11.7 - Michael R. Mitchell 2008-06-13 10:16:55.1 - NTFSx86
Running from: C:\Documents and Settings\MRM\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\fad.sys

.
((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-11 14:49 . 2008-06-11 14:49 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-06-11 14:40 . 2008-06-12 10:11 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-06-11 14:36 . 2008-06-12 09:54 123,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2008-06-11 14:36 . 2008-06-12 09:54 60,800 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-06-11 14:35 . 2008-06-12 09:54 <DIR> d-------- C:\Program Files\Symantec
2008-06-11 14:35 . 2008-06-12 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-11 12:47 . 2008-06-11 15:06 <DIR> d----c--- C:\Documents and Settings\Michael R. Mitchell\Application Data\Symantec
2008-06-11 09:35 . 2008-06-11 09:39 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-10 15:57 . 2008-04-14 06:01 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 15:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-12 20:18 --------- d-----w C:\Program Files\Trend Micro
2008-06-12 14:54 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-12 14:54 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-11 15:08 --------- d-----w C:\Program Files\Norton AntiVirus
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-04-28 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-04-28 02:20 --------- dc----w C:\Documents and Settings\Michael R. Mitchell\Application Data\Tunebite
2008-04-27 15:45 --------- dc----w C:\Documents and Settings\Michael R. Mitchell\Application Data\RTPlayer
2008-04-26 15:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-26 15:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-04-21 07:04 659,456 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2008-04-21 07:04 615,936 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2008-04-21 07:04 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2008-04-21 07:04 1,494,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2008-04-18 17:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-18 17:28 --------- d-----w C:\Program Files\Security Task Manager
2008-04-18 13:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 19:35 --------- d-----w C:\Program Files\PixiePack Codec Pack
2008-04-17 19:30 --------- d-----w C:\Program Files\RapidSolution
2008-04-17 19:16 --------- d-----w C:\Program Files\Pearl Harbor - Zero Hour
2008-04-17 19:10 --------- d-----w C:\Program Files\LucasArts
2008-04-17 10:52 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2008-04-14 18:48 10,344 ----a-w C:\WINDOWS\system32\drivers\symlcbrd.sys
2008-04-14 11:01 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2003-03-21 16:38 207,759 -c--a-w C:\Program Files\INSTALL.LOG
1992-03-10 03:10 93,184 -c--a-w C:\Program Files\CARDFILE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 22:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-06-12 09:51 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"="wuam.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2004-08-10 13:42 2502656]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [2006-09-22 17:43 1003520]
"Tunebite"="C:\Program Files\RapidSolution\Tunebite\Tunebite.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-10-19 09:59 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-10-19 09:59 126976]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-10-11 13:30 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-10-11 13:29 561152]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2002-11-01 17:47 208560]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 11:18 28672]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 18:29 90112]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 13:28 684032]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2002-10-22 20:39 221184]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2003-01-30 18:55 196608]
"Microsoft Update Time"="wuam.exe" []
"D-Link AirPlus Xtreme G"="C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" [2003-11-04 18:00 2502656]
"ANIWZCSService"="C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 17:12 32768]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2003-11-06 20:27 303104]
"YBrowser"="C:\Program Files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 14:51 57344]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 14:30 98304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45 257088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"CARPService"="carpserv.exe" [2002-10-17 12:54 4608 C:\WINDOWS\SYSTEM32\carpserv.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 23:53 714608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SymLnch"="C:\Documents and Settings\Michael R. Mitchell\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" [2007-08-26 19:04 687976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update Time"="wuam.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"="wuam.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - C:\QUICKENW\BILLMIND.EXE [2006-10-19 09:10:01 36864]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-03-21 11:28:27 24576]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08 471040]
Quicken Startup.lnk - C:\QUICKENW\QWDLLS.EXE [2006-10-19 09:10:08 36864]
USB Sharing.lnk - C:\Program Files\USB Sharing\usbshare.exe [2003-07-16 11:08:54 106496]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\RangeBooster G WNA-2330\wirelesscm.exe [2007-07-25 10:01:39 2887680]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YPAGER.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys [1999-08-10 13:51]
R3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\system32\drivers\A311.sys [2003-01-06 22:56]
S3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\system32\drivers\A310.sys [2003-01-06 22:55]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2003-10-22 16:27]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{582610B8-E496-4813-993C-4B027173FE38}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-11 20:20:23 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Michael R. Mitchell.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 10:28:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MMTray = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???g????V??g????SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp??????? ?w?????????????\?wp ?w???????w???g ??????????g?????CY????????s????2???????????<???? @???X???X???????????????????Y?????F?Q?????
DwlClient = C:\Program Files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???X???8???@???x???????????????????H???P???? ?w? ?w)??p????????(????????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X????????"@?e?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-13 10:34:10
ComboFix-quarantined-files.txt 2008-06-13 15:33:59

Pre-Run: 6,616,412,160 bytes free
Post-Run: 6,617,051,136 bytes free

158 --- E O F --- 2008-06-11 14:48:23

#9 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,203 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 01 July 2008 - 10:47 AM

Hi,

C:\Program Files\PixiePack Codec Pack <-- What can you tell me about this program? The sites I use to analyze a lot of programs have not yet made a decision on whether to list it as Bad or Safe.


Drag your current version of ComboFix to the trash, as it's updated on a regular basis, and let's grab a new copy.

Download ComboFix from Here to your Desktop.

Open Notepad (this will only work in Notepad): go to Start > All Programs > Accessories > Notepad. Copy all the text inside the Code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::

File::
C:\WINDOWS\system32\wuam.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update Time"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"=-

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Just a reminder that threads will be closed if no reply in 3 days.
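As an added example for this thread (not ComboFix's own code, and not part of the helper's instructions), the Python below triages the "Reg Loading Points" section of a ComboFix log for the patterns acted on in the post above: an autorun value that is a bare file name with no file metadata, the same value name planted under several hives, and Security Center or firewall settings switched off. It then renders the matching Registry:: block of a CFScript in the "name"=- form used above; the sample log is a constructed, trimmed copy of the first ComboFix log in the thread, and the severity labels are this example's own.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log (added example
for this thread, not ComboFix's own code): flag autorun values that are bare
file names with no file metadata, values planted under several hives, and
Security Center / firewall settings switched off, then render the matching
Registry:: block of a CFScript in the "name"=- form used above."""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the first ComboFix log in this thread.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"="wuam.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2004-08-10 13:42 2502656]
"Tunebite"="C:\Program Files\RapidSolution\Tunebite\Tunebite.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"="wuam.exe" []
"CARPService"="carpserv.exe" [2002-10-17 12:54 4608 C:\WINDOWS\SYSTEM32\carpserv.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update Time"="wuam.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"="wuam.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')
# ComboFix prints Run values as "command" [date time size]; an empty [] or
# [ ] means it could not find the file on disk.
EXE_RE = re.compile(r'^"(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
DWORD_RE = re.compile(r"^dword:(?P<hex>[0-9a-fA-F]{8})$")
NUM_RE = re.compile(r"^(?P<num>\d+)\s*\(0x[0-9a-fA-F]+\)$")


def parse_loading_points(text):
    """Return (key, value_name, raw_data) for every value under every [key]."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            entries.append((key, vm.group("name"), vm.group("rest").strip()))
    return entries


def triage(text):
    """Return (severity, key, value_name, note) findings for a log section."""
    findings = []
    seen_in = defaultdict(list)  # autorun value name -> keys it appears under
    for key, name, data in parse_loading_points(text):
        klow = key.lower()
        if "\\currentversion\\run" in klow:  # Run, RunOnce, RunServices
            em = EXE_RE.match(data)
            if not em:
                continue
            cmd, meta = em.group("cmd"), em.group("meta").strip()
            seen_in[name].append(key)
            if "\\" not in cmd and not meta:
                findings.append(("high", key, name,
                                 f"'{cmd}' is a bare file name and ComboFix found no file for it"))
            elif not meta:
                findings.append(("medium", key, name, f"target '{cmd}' is missing on disk"))
        elif "security center" in klow:
            dm = DWORD_RE.match(data)
            if dm and "disable" in name.lower() and int(dm.group("hex"), 16) == 1:
                findings.append(("review", key, name, "Security Center alerting/monitoring is off"))
        elif "firewallpolicy" in klow and name == "EnableFirewall":
            nm = NUM_RE.match(data)
            if nm and int(nm.group("num")) == 0:
                findings.append(("review", key, name, "Windows Firewall is off for this profile"))
    for name, keys in seen_in.items():
        if len(keys) > 1:
            findings.append(("high", "; ".join(keys), name,
                             f"same autorun value planted under {len(keys)} keys"))
    return findings


def cfscript_registry_block(findings):
    """Render a CFScript Registry:: block deleting every 'high' autorun value.
    Keys ComboFix abbreviated with '~' are skipped, and the File:: line is left
    to the analyst, since resolving a bare name to a path is a judgement call."""
    targets = set()
    for sev, key, name, _ in findings:
        if sev == "high":
            targets.update((k, name) for k in key.split("; ") if "~" not in k)
    lines = ["Registry::"]
    for key, name in sorted(targets):
        lines += [f"[{key}]", f'"{name}"=-']
    return "\n".join(lines)
```

Run `triage(SAMPLE_LOG)` and feed the result to `cfscript_registry_block` to see the four "Microsoft Update Time" deletions the helper's script targets, plus the HKLM Run copy it did not list.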


#10 Bob in Dallas

Bob in Dallas

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 01 July 2008 - 12:05 PM

I believe the codec pack was something downloaded to use with a media converter/player program -- trying to use media downloaded on iTunes on non-Apple hardware. I can delete that if it is suspect -- the converter program didn't work.

Here are the logs:
ComboFix 08-06-30.2 - Michael R. Mitchell 2008-07-01 12:27:55.2 - NTFSx86
Running from: C:\Documents and Settings\Michael R. Mitchell\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Michael R. Mitchell\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\wuam.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\igfxhk.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-06-30 16:23 . 2008-06-30 16:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-30 16:12 . 2008-06-30 17:07 <DIR> d-------- C:\SDFix
2008-06-30 01:22 . 2008-07-01 11:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-30 01:22 . 2008-06-30 01:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-29 22:45 . 2002-08-29 06:00 10,129,408 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hwxkor.dll
2008-06-29 22:44 . 2002-08-29 06:00 311,359 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\imepadsv.exe
2008-06-29 22:43 . 2002-08-29 06:00 13,463,552 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2008-06-29 22:43 . 2002-08-29 06:00 471,102 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\imskdic.dll
2008-06-29 22:43 . 2002-08-29 06:00 315,452 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\imskf.dll
2008-06-29 22:38 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\SYSTEM32\kbdjpn.dll
2008-06-11 14:49 . 2008-06-11 14:49 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-06-11 14:40 . 2008-06-12 10:11 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-06-11 14:36 . 2008-06-12 09:54 123,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2008-06-11 14:36 . 2008-06-12 09:54 60,800 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-06-11 14:35 . 2008-06-12 09:54 <DIR> d-------- C:\Program Files\Symantec
2008-06-11 14:35 . 2008-06-30 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-11 12:47 . 2008-06-11 15:06 <DIR> d----c--- C:\Documents and Settings\Michael R. Mitchell\Application Data\Symantec
2008-06-10 15:57 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 17:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-01 17:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 20:18 --------- d-----w C:\Program Files\Trend Micro
2008-06-12 14:54 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-12 14:54 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-11 15:08 --------- d-----w C:\Program Files\Norton AntiVirus
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2003-03-21 16:38 207,759 -c--a-w C:\Program Files\INSTALL.LOG
1992-03-10 03:10 93,184 -c--a-w C:\Program Files\CARDFILE.EXE
.

((((((((((((((((((((((((((((( snapshot@2008-06-13_10.33.34.61 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-13 14:53:05 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-07-01 17:41:27 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\I386\bthport.sys
+ 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\I386\bthport.sys
+ 2008-07-01 08:23:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-30 21:24:13 4,976,640 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-30 21:24:14 274,432 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-01 08:23:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-30 21:23:59 4,976,640 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-06-30 21:23:59 274,432 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2002-08-29 03:39:08 175,104 ----a-w C:\WINDOWS\IME\CHSIME\APPLETS\PINTLCSA.DLL
+ 2002-08-29 03:39:08 53,760 ----a-w C:\WINDOWS\IME\CHSIME\APPLETS\PINTLCSD.DLL
+ 2002-08-29 03:39:42 97,792 ----a-w C:\WINDOWS\IME\CHTIME\Applets\CHTMBX.DLL
+ 2002-08-29 03:39:42 56,320 ----a-w C:\WINDOWS\IME\CHTIME\Applets\CHTSKDIC.DLL
+ 2002-08-29 03:39:42 173,568 ----a-w C:\WINDOWS\IME\CHTIME\Applets\CHTSKF.DLL
+ 2002-08-29 11:00:00 10,096,640 ----a-w C:\WINDOWS\IME\CHTIME\Applets\HWXCHT.DLL
+ 2002-08-29 11:00:00 13,463,552 ----a-w C:\WINDOWS\IME\IMJP8_1\APPLETS\hwxjpn.dll
+ 2002-08-29 11:00:00 471,102 ----a-w C:\WINDOWS\IME\IMJP8_1\APPLETS\imskdic.dll
+ 2002-08-29 11:00:00 315,452 ----a-w C:\WINDOWS\IME\IMJP8_1\APPLETS\imskf.dll
+ 2002-08-29 11:00:00 229,439 ----a-w C:\WINDOWS\IME\IMJP8_1\APPLETS\multibox.dll
+ 2002-08-29 11:00:00 143,422 ----a-w C:\WINDOWS\IME\IMJP8_1\APPLETS\softkey.dll
+ 2004-08-04 05:32:34 426,041 ----a-w C:\WINDOWS\IME\IMJP8_1\APPLETS\voicepad.dll
+ 2004-08-04 05:32:35 86,073 ----a-w C:\WINDOWS\IME\IMJP8_1\APPLETS\voicesub.dll
+ 2004-08-04 05:31:38 57,399 ----a-w C:\WINDOWS\IME\IMJP8_1\cplexe.exe
+ 2004-08-04 05:31:50 368,696 ----a-w C:\WINDOWS\IME\IMJP8_1\imjpcic.dll
+ 2004-08-04 05:31:51 716,856 ----a-w C:\WINDOWS\IME\IMJP8_1\imjpcus.dll
+ 2002-08-29 11:00:00 57,398 ----a-w C:\WINDOWS\IME\IMJP8_1\imjpdadm.exe
+ 2004-08-04 05:31:52 81,976 ----a-w C:\WINDOWS\IME\IMJP8_1\imjpdct.dll
+ 2004-08-04 05:31:53 307,257 ----a-w C:\WINDOWS\IME\IMJP8_1\imjpdct.exe
+ 2004-08-04 05:31:54 155,705 ----a-w C:\WINDOWS\IME\IMJP8_1\imjpdsvr.exe
+ 2004-08-04 05:31:57 196,665 ----a-w C:\WINDOWS\IME\IMJP8_1\imjpinst.exe
+ 2004-08-04 05:31:59 208,952 ----a-w C:\WINDOWS\IME\IMJP8_1\imjpmig.exe
+ 2004-08-04 05:32:11 233,527 ----a-w C:\WINDOWS\IME\IMJP8_1\imjprw.exe
+ 2002-08-29 11:00:00 45,109 ----a-w C:\WINDOWS\IME\IMJP8_1\imjpuex.exe
+ 2004-08-04 05:32:14 262,200 ----a-w C:\WINDOWS\IME\IMJP8_1\imjputy.exe
+ 2004-08-04 05:32:15 274,489 ----a-w C:\WINDOWS\IME\IMJP8_1\imjputyc.dll
+ 2002-08-29 11:00:00 10,129,408 ----a-w C:\WINDOWS\IME\IMKR6_1\APPLETS\hwxkor.dll
+ 2004-08-04 06:04:32 86,016 ----a-w C:\WINDOWS\IME\IMKR6_1\APPLETS\imekrmbx.dll
+ 2002-08-29 11:00:00 36,864 ----a-w C:\WINDOWS\IME\IMKR6_1\DICTS\hanjadic.dll
+ 2004-08-04 06:04:36 106,496 ----a-w C:\WINDOWS\IME\IMKR6_1\imekrcic.dll
+ 2002-08-29 11:00:00 44,032 ----a-w C:\WINDOWS\IME\IMKR6_1\imekrmig.exe
+ 2002-08-29 11:00:00 59,904 ----a-w C:\WINDOWS\IME\IMKR6_1\imkrinst.exe
+ 2002-08-29 11:00:00 102,463 ----a-w C:\WINDOWS\IME\SHARED\imepadsm.dll
+ 2002-08-29 11:00:00 311,359 ----a-w C:\WINDOWS\IME\SHARED\imepadsv.exe
+ 2002-08-29 03:39:02 102,456 ----a-w C:\WINDOWS\IME\SHARED\imlang.dll
+ 2002-08-29 03:39:46 15,872 ----a-w C:\WINDOWS\IME\SHARED\RES\PADRS404.DLL
+ 2002-08-29 11:00:00 36,927 ----a-w C:\WINDOWS\IME\SHARED\RES\padrs411.dll
+ 2002-08-29 11:00:00 14,336 ----a-w C:\WINDOWS\IME\SHARED\RES\padrs412.dll
+ 2002-08-29 03:39:08 15,360 ----a-w C:\WINDOWS\IME\SHARED\RES\padrs804.dll
+ 2002-08-29 11:00:00 19,456 ----a-w C:\WINDOWS\MSAGENT\INTL\agt0404.dll
+ 2002-08-29 11:00:00 19,456 ----a-w C:\WINDOWS\MSAGENT\INTL\agt0411.dll
+ 2002-08-29 11:00:00 19,456 ----a-w C:\WINDOWS\MSAGENT\INTL\agt0412.dll
+ 2002-08-29 11:00:00 19,456 ----a-w C:\WINDOWS\MSAGENT\INTL\agt0804.dll
- 2000-08-31 13:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 13:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
+ 2002-08-29 11:00:00 218,112 ----a-w C:\WINDOWS\SYSTEM32\c_g18030.dll
+ 2002-08-29 11:00:00 6,656 ----a-w C:\WINDOWS\SYSTEM32\c_is2022.dll
+ 2002-08-29 11:00:00 1,677,824 ----a-w C:\WINDOWS\SYSTEM32\chsbrkr.dll
+ 2002-08-29 11:00:00 838,144 ----a-w C:\WINDOWS\SYSTEM32\chtbrkr.dll
+ 2002-08-29 11:00:00 19,456 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\agt0404.dll
+ 2002-08-29 11:00:00 19,456 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\agt0411.dll
+ 2002-08-29 11:00:00 19,456 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\agt0412.dll
+ 2002-08-29 11:00:00 19,456 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\agt0804.dll
+ 2002-08-29 11:00:00 218,112 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\c_g18030.dll
+ 2002-08-29 11:00:00 6,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\c_is2022.dll
+ 2002-08-29 11:00:00 1,677,824 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll
+ 2002-08-29 11:00:00 838,144 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\chtbrkr.dll
+ 2002-08-29 03:39:42 97,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\chtmbx.dll
+ 2002-08-29 03:39:42 56,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\chtskdic.dll
+ 2002-08-29 03:39:42 173,568 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\chtskf.dll
+ 2004-08-04 05:31:52 198,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cintime.dll
+ 2004-08-04 05:31:54 480,256 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cintsetp.exe
+ 2004-08-04 05:31:38 57,399 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cplexe.exe
+ 2002-08-29 11:00:00 7,168 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\f3ahvoas.dll
+ 2002-08-29 11:00:00 36,864 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\hanjadic.dll
+ 2002-08-29 11:00:00 10,096,640 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\hwxcht.dll
+ 2004-08-04 06:04:36 106,496 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imekrcic.dll
+ 2004-08-04 06:04:32 86,016 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imekrmbx.dll
+ 2002-08-29 11:00:00 44,032 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imekrmig.exe
+ 2002-08-29 11:00:00 102,463 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imepadsm.dll
+ 2004-08-04 05:31:48 811,064 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imjp81k.dll
+ 2004-08-04 05:31:50 368,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imjpcic.dll
+ 2004-08-04 05:31:51 716,856 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imjpcus.dll
+ 2002-08-29 11:00:00 57,398 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imjpdadm.exe
+ 2004-08-04 05:31:52 81,976 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imjpdct.dll
+ 2004-08-04 05:31:53 307,257 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imjpdct.exe
+ 2004-08-04 05:31:54 155,705 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imjpdsvr.exe
+ 2004-08-04 05:31:57 196,665 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imjpinst.exe
+ 2004-08-04 05:31:59 208,952 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imjpmig.exe
+ 2004-08-04 05:32:11 233,527 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imjprw.exe
+ 2002-08-29 11:00:00 45,109 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imjpuex.exe
+ 2004-08-04 05:32:14 262,200 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imjputy.exe
+ 2004-08-04 05:32:15 274,489 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imjputyc.dll
+ 2002-08-29 11:00:00 59,904 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imkrinst.exe
+ 2002-08-29 03:39:02 102,456 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imlang.dll
+ 2002-08-29 03:39:06 59,392 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\imscinst.exe
+ 2002-08-29 11:00:00 6,144 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\kbd101.dll
+ 2002-08-29 11:00:00 6,144 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\kbd101a.dll
+ 2001-08-17 19:55:56 6,144 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\kbd101b.dll
+ 2001-08-17 19:55:56 6,144 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\kbd101c.dll
+ 2001-08-17 19:55:56 5,632 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\kbd103.dll
+ 2001-08-17 19:55:56 6,144 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\kbd106.dll
+ 2002-08-29 11:00:00 6,144 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\kbd106n.dll
+ 2002-08-29 11:00:00 6,144 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\kbdax2.dll
+ 2002-08-29 11:00:00 7,168 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\kbdibm02.dll
+ 2001-08-18 03:36:18 8,704 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\kbdjpn.dll
+ 2001-08-18 03:36:18 8,192 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\kbdkor.dll
+ 2002-08-29 11:00:00 6,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\kbdlk41a.dll
+ 2002-08-29 11:00:00 6,144 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\kbdlk41j.dll
+ 2002-08-29 11:00:00 7,168 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\kbdnec95.dll
+ 2002-08-29 11:00:00 9,216 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\kbdnecat.dll
+ 2002-08-29 11:00:00 7,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\kbdnecnt.dll
+ 2002-08-29 11:00:00 70,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\korwbrkr.dll
+ 2002-08-29 11:00:00 98,304 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.dll
+ 2002-08-29 11:00:00 229,439 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\multibox.dll
+ 2002-08-29 03:39:46 15,872 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\padrs404.dll
+ 2002-08-29 11:00:00 36,927 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\padrs411.dll
+ 2002-08-29 11:00:00 14,336 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\padrs412.dll
+ 2002-08-29 03:39:08 15,360 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\padrs804.dll
+ 2002-08-29 03:39:08 175,104 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pintlcsa.dll
+ 2002-08-29 03:39:08 53,760 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pintlcsd.dll
+ 2002-08-29 03:39:06 70,144 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pintlphr.exe
+ 2002-08-29 03:39:08 67,584 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pmigrate.dll
+ 2002-08-29 11:00:00 143,422 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\softkey.dll
+ 2002-08-29 03:39:50 44,032 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tintlphr.exe
+ 2002-08-29 03:39:50 455,168 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tintsetp.exe
+ 2002-08-29 03:39:48 10,240 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tmigrate.dll
+ 2004-08-04 06:04:11 76,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\uniime.dll
+ 2004-08-04 05:32:34 426,041 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\voicepad.dll
+ 2004-08-04 05:32:35 86,073 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\voicesub.dll
+ 2002-08-29 11:00:00 7,168 ----a-w C:\WINDOWS\SYSTEM32\f3ahvoas.dll
- 2008-04-14 16:59:16 204,120 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
+ 2008-06-30 04:51:44 209,696 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
+ 2004-08-04 05:31:52 198,656 ----a-w C:\WINDOWS\SYSTEM32\IME\CINTLGNT\CINTIME.DLL
+ 2004-08-04 05:31:54 480,256 ----a-w C:\WINDOWS\SYSTEM32\IME\CINTLGNT\CINTSETP.EXE
+ 2002-08-29 03:39:06 59,392 ----a-w C:\WINDOWS\SYSTEM32\IME\PINTLGNT\IMSCINST.EXE
+ 2002-08-29 03:39:06 70,144 ----a-w C:\WINDOWS\SYSTEM32\IME\PINTLGNT\PINTLPHR.EXE
+ 2002-08-29 03:39:08 67,584 ----a-w C:\WINDOWS\SYSTEM32\IME\PINTLGNT\PMIGRATE.DLL
+ 2002-08-29 03:39:50 44,032 ----a-w C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TINTLPHR.EXE
+ 2002-08-29 03:39:50 455,168 ----a-w C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TINTSETP.EXE
+ 2002-08-29 03:39:48 10,240 ----a-w C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TMIGRATE.DLL
+ 2004-08-04 05:31:48 811,064 ----a-w C:\WINDOWS\SYSTEM32\imjp81k.dll
+ 2002-08-29 11:00:00 6,144 ----a-w C:\WINDOWS\SYSTEM32\kbd101.dll
+ 2002-08-29 11:00:00 6,144 ----a-w C:\WINDOWS\SYSTEM32\kbd101a.dll
+ 2001-08-17 19:55:56 6,144 ----a-w C:\WINDOWS\SYSTEM32\kbd101b.dll
+ 2001-08-17 19:55:56 6,144 ----a-w C:\WINDOWS\SYSTEM32\kbd101c.dll
+ 2001-08-17 19:55:56 5,632 ----a-w C:\WINDOWS\SYSTEM32\kbd103.dll
+ 2001-08-17 19:55:56 6,144 ----a-w C:\WINDOWS\SYSTEM32\kbd106.dll
+ 2002-08-29 11:00:00 6,144 ----a-w C:\WINDOWS\SYSTEM32\kbd106n.dll
+ 2002-08-29 11:00:00 6,144 ----a-w C:\WINDOWS\SYSTEM32\kbdax2.dll
+ 2002-08-29 11:00:00 7,168 ----a-w C:\WINDOWS\SYSTEM32\kbdibm02.dll
+ 2001-08-18 03:36:18 8,192 ----a-w C:\WINDOWS\SYSTEM32\kbdkor.dll
+ 2002-08-29 11:00:00 6,656 ----a-w C:\WINDOWS\SYSTEM32\kbdlk41a.dll
+ 2002-08-29 11:00:00 6,144 ----a-w C:\WINDOWS\SYSTEM32\kbdlk41j.dll
+ 2002-08-29 11:00:00 7,168 ----a-w C:\WINDOWS\SYSTEM32\kbdnec95.dll
+ 2002-08-29 11:00:00 9,216 ----a-w C:\WINDOWS\SYSTEM32\kbdnecAT.dll
+ 2002-08-29 11:00:00 7,680 ----a-w C:\WINDOWS\SYSTEM32\kbdnecNT.dll
+ 2002-08-29 11:00:00 70,656 ----a-w C:\WINDOWS\SYSTEM32\korwbrkr.dll
+ 2002-08-29 11:00:00 98,304 ----a-w C:\WINDOWS\SYSTEM32\msir3jp.dll
+ 2004-08-04 06:04:11 76,288 ----a-w C:\WINDOWS\SYSTEM32\uniime.dll
+ 2008-07-01 17:44:31 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_204.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 22:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-06-12 09:51 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2004-08-10 13:42 2502656]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [2006-09-22 17:43 1003520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-10-19 09:59 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-10-19 09:59 126976]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-10-11 13:30 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-10-11 13:29 561152]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2002-11-01 17:47 208560]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 11:18 28672]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 18:29 90112]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 13:28 684032]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2002-10-22 20:39 221184]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2003-01-30 18:55 196608]
"D-Link AirPlus Xtreme G"="C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" [2003-11-04 18:00 2502656]
"ANIWZCSService"="C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 17:12 32768]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2003-11-06 20:27 303104]
"YBrowser"="C:\Program Files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 14:51 57344]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 14:30 98304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45 257088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 23:53 714608]
"CARPService"="carpserv.exe" [2002-10-17 12:54 4608 C:\WINDOWS\SYSTEM32\carpserv.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SymLnch"="C:\Documents and Settings\Michael R. Mitchell\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" [2007-08-26 19:04 687976]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - C:\QUICKENW\BILLMIND.EXE [2006-10-19 09:10:01 36864]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-03-21 11:28:27 24576]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08 471040]
Quicken Startup.lnk - C:\QUICKENW\QWDLLS.EXE [2006-10-19 09:10:08 36864]
USB Sharing.lnk - C:\Program Files\USB Sharing\usbshare.exe [2003-07-16 11:08:54 106496]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\RangeBooster G WNA-2330\wirelesscm.exe [2007-07-25 10:01:39 2887680]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YPAGER.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys [1999-08-10 13:51]
S3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\system32\drivers\A311.sys [2003-01-06 22:56]
S3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\system32\drivers\A310.sys [2003-01-06 22:55]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2003-10-22 16:27]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{582610B8-E496-4813-993C-4B027173FE38}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-11 20:20:23 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Michael R. Mitchell.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Tunebite - C:\Program Files\RapidSolution\Tunebite\Tunebite.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 12:42:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\D-Link\RangeBooster G WNA-2330\acs.exe
C:\WINDOWS\SYSTEM32\snmp.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\OfficeScan Client\POP3Trap.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTUpd.exe
.
**************************************************************************
.
Completion time: 2008-07-01 12:59:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-01 17:59:09
ComboFix2.txt 2008-07-01 15:21:26

Pre-Run: 5,792,468,992 bytes free
Post-Run: 5,784,358,912 bytes free

314 --- E O F --- 2008-06-30 22:41:01

HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:17 PM, on 7/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\RangeBooster G WNA-2330\acs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\palmOne\Hotsync.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\USB Sharing\usbshare.exe
C:\Program Files\D-Link\RangeBooster G WNA-2330\wirelesscm.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\Michael R. Mitchell\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\Michael R. Mitchell\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Setup.exe" "/UPREBOOT /temp /patched"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: USB Sharing.lnk = C:\Program Files\USB Sharing\usbshare.exe
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\RangeBooster G WNA-2330\wirelesscm.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{13957F05-B564-4F0C-9840-AEBA2FF300A0}: NameServer = 192.168.3.5,192.168.3.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{13957F05-B564-4F0C-9840-AEBA2FF300A0}: NameServer = 192.168.3.5,192.168.3.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{13957F05-B564-4F0C-9840-AEBA2FF300A0}: NameServer = 192.168.3.5,192.168.3.1
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\Program Files\D-Link\RangeBooster G WNA-2330\acs.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 9204 bytes

#11 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,203 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 01 July 2008 - 05:41 PM

Hi, as far as those codecs go, I don't believe they're malicious, so it's your call if you want to uninstall them or not. Any programs that you don't use or don't think you will ever use should be uninstalled to make your system leaner. The rest of the logs look fine :thumbup: How are things running now??

Want to help others, Join our Malware Removal Classroom HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.

Just a reminder that threads will be closed if no reply in 3 days.


#12 Bob in Dallas

Bob in Dallas

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 01 July 2008 - 09:38 PM

Ken -- thanks for all the help. The laptop is still pretty slow to boot, but Internet Explorer and other programs are running much faster. When I started having the problems I installed Norton Internet Security 2008 and I really think part of the slowdown is all the AV stuff Norton loads and the scans it runs. But overall the speed is 100% better since I ran the utilities you walked me through. Again, many thanks for your time and help. Bob in Dallas

#13 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,203 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 02 July 2008 - 02:19 AM

Bob, you have both Trend Micro and Symantec running. Have you tried uninstalling one, as this would hamper system performance? It is recommended that you have only one AV program.



#14 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 13 July 2008 - 07:12 PM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.
