
humbled by trojans


Posts posted by humbled by trojans

  1. Gringo,

    I can't find my previous posts...they seem to have been deleted (as well as my password for this forum, which I needed to change). I've also noticed this has happened to other people on this site...

    We've been having a hell of a time trying to get rid of ntos.exe and other things from my computer as well as google redirect if you don't remember this thread.

    We were close to just reformatting my hard drive, but you told me to run maxlook - this did not work as it tried to connect to the internet and failed (both at home and at work).

    Any ideas? Is it time to give up and reformat? Please let me know, thanks

    humbled

  2. You were right about the hidden system file, once I showed these files I was able to delete baborefe.exe (I didn't know about the hidden system files option...so thank you!). Everything seems to be fine right now...I haven't had any symptoms of the trojans/viruses. Unless you have any further recommendations I think you fixed the problems! I want to say thank you once more for taking the time to help me...you've been better than I could have hoped! :)

    Hi,

    For the baborefe.exe file, I guess it's a hidden system file. Most people select to show hidden files and folders; however, they forget to also uncheck hiding for system files.

    Please set your system to show all files.

    Click Start.

    Open My Computer.

    Select the Tools menu and click Folder Options.

    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

    Uncheck: Hide file extensions for known file types

    Uncheck the Hide protected operating system files (recommended) option.

    Click Yes to confirm.

    Click OK.

    See the bold part, that's important.

    I'm sure you'll be able to find that file afterwards.

    Please hide your hidden files and folders again afterwards, when we are done with this thread and your problems are solved, because the above instructions to set your system to show all files unhide legitimate files and folders as well.

    And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

    As for the mails... If there are too many mails to go through (more than 1000 as you say), then I would just leave it as it is. After all, it can't do anything as long as you don't open the mail/attachment. Also, it's a generic detection here, so it could also be a false alert.

    Too bad Kaspersky doesn't list what exact mail that is. It used to list this in the past though.
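The reply above explains why the file stayed invisible: Explorer's "Show hidden files and folders" switch does not reveal entries that carry both the SYSTEM and HIDDEN attributes, and the ComboFix log later in this thread lists baborefe.exe with exactly those flags (--sha-w-). The following is an added example, not code from the thread or from ComboFix: it parses ComboFix "Files Created" lines, decodes the attribute column, and models the two Folder Options switches. The mapping of attribute letters to positions is inferred from the log lines on this page, not taken from ComboFix documentation.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Attribute letters as they appear in ComboFix logs on this page (d, c, s, h,
# a, w); the position-to-meaning mapping is an inference, labelled as such.
ATTR_LETTERS = {"d": "directory", "c": "compressed", "s": "system",
                "h": "hidden", "a": "archive", "r": "read-only", "w": "writable"}

# "<created> . <modified> <size|--------> <8-char attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


@dataclass
class FileEntry:
    path: str
    size: Optional[int]          # None for directories ("--------")
    attrs: FrozenSet[str]


def parse_line(line: str) -> FileEntry:
    """Decode one 'Files Created' line from a ComboFix log."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a ComboFix file line: %r" % line)
    size = int(m["size"]) if m["size"].isdigit() else None
    attrs = frozenset(ATTR_LETTERS.get(ch, "flag-" + ch)
                      for ch in m["attrs"] if ch != "-")
    return FileEntry(m["path"], size, attrs)


def explorer_visible(entry: FileEntry, show_hidden: bool,
                     show_protected_os: bool) -> bool:
    """Model the two Folder Options switches named in the reply.

    'Show hidden files and folders' reveals HIDDEN entries, but an entry that
    is HIDDEN *and* SYSTEM stays invisible until 'Hide protected operating
    system files (recommended)' is also unchecked.
    """
    hidden = "hidden" in entry.attrs
    protected = hidden and "system" in entry.attrs
    if protected:
        return show_protected_os
    if hidden:
        return show_hidden
    return True


def hidden_system_executables(lines: List[str]) -> List[str]:
    """Paths of .exe/.dll/.sys files under system32 that are SYSTEM+HIDDEN.

    Such entries are worth a second look during cleanup because they are the
    ones a default Explorer view hides (constructed triage rule).
    """
    found = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if "directory" in e.attrs:
            continue
        low = e.path.lower()
        if ("\\system32\\" in low and low.endswith((".exe", ".dll", ".sys"))
                and {"system", "hidden"} <= e.attrs):
            found.append(e.path)
    return found


# Constructed sample: three lines copied from the ComboFix log in this thread.
SAMPLE = """\
2009-09-30 23:18 . 2008-04-14 00:12 50176 ----a-w- c:\\windows\\system32\\proquota.exe
2009-09-22 20:59 . 2009-09-22 20:59 -------- d--h--w- c:\\windows\\system32\\GroupPolicy
2009-09-22 16:01 . 2009-09-22 16:01 171224 --sha-w- c:\\windows\\system32\\baborefe.exe
""".splitlines()

if __name__ == "__main__":
    for path in hidden_system_executables(SAMPLE):
        e = parse_line([l for l in SAMPLE if l.endswith(path)][0])
        print(path, sorted(e.attrs),
              "visible with show-hidden only:",
              explorer_visible(e, show_hidden=True, show_protected_os=False))
```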

  3. I went through all of my emails (took forever!) and deleted anything I didn't recognize. I also deleted all of the email archives that I had made in the past that were flagged by Kaspersky. I tried to delete C:\WINDOWS\system32\baborefe.exe as you suggested, but I could not find that file in that folder (hidden files were being shown as well). So I went to the command prompt and tried to list all the files in that directory but the file wasn't found. I even tried to type "del baborefe.exe" in that directory but it again wasn't found. I also tried to search for it on my computer but it wasn't found that way either. So I ran the Kaspersky scan again to see if I deleted all the proper emails and if baborefe.exe would get flagged again. The results are shown below. I have two questions. One - how imperative is it to find the one remaining infected email, since I don't know which one it is and there are probably a thousand (or more) to look through? The second question is how can I delete the file baborefe.exe if I can't find it to delete it? Again thank you for all your help...I certainly couldn't have gotten this far without you.

    Kaspersky log:

    --------------------------------------------------------------------------------

    KASPERSKY ONLINE SCANNER 7.0: scan report

    Sunday, October 11, 2009

    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    Kaspersky Online Scanner version: 7.0.26.13

    Last database update: Saturday, October 10, 2009 23:52:29

    Records in database: 2949969

    --------------------------------------------------------------------------------

    Scan settings:

    scan using the following database: extended

    Scan archives: yes

    Scan e-mail databases: yes

    Scan area - My Computer:

    C:\

    D:\

    E:\

    Scan statistics:

    Objects scanned: 168451

    Threats found: 7

    Infected objects found: 10

    Suspicious objects found: 1

    Scan duration: 03:31:45

    File name / Threat / Threats count

    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900000\4FD3E53D.VBN Infected: Backdoor.Win32.Bredolab.aco 1

    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900001\4FD3E550.VBN Infected: Trojan-Downloader.Win32.Small.anii 1

    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900002\4FD3E5EF.VBN Infected: Packed.Win32.Krap.ad 1

    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900003\4FD3E600.VBN Infected: Packed.Win32.TDSS.aa 1

    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900004\4FD3E61A.VBN Infected: Packed.Win32.TDSS.aa 1

    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900005\4FD3E6BF.VBN Infected: Packed.Win32.Krap.ad 1

    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900006\4FD3E6CD.VBN Infected: Packed.Win32.Krap.ad 1

    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A900000\4ADF8A35.VBN Infected: Packed.Win32.TDSS.aa 1

    C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

    C:\System Volume Information\_restore{6EB3C077-4EFF-46FA-8304-3103DF1F8FCE}\RP12\A0002117.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1

    C:\WINDOWS\system32\baborefe.exe Infected: Trojan.Win32.FraudPack.udl 1

    Selected area has been scanned.

    Hi,

    What Kaspersky found were files already present in the quarantine folder and older mails (I guess a backup made by you) where it displays some as infected.

    This one appears to be OK:

    C:\Documents and Settings\Mike.FREEMAN\Desktop\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1

    I assume you know what this regtools.vbs is which is present on your desktop? If not, delete it.

    Then, navigate to and delete the file:

    C:\WINDOWS\system32\baborefe.exe

    Then, as I see in the following...

    C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

    C:\Documents and Settings\Mike.FREEMAN\Local Settings\Application Data\Microsoft\Outlook\archive.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2

    C:\Documents and Settings\Mike.FREEMAN\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

    It looks like there are some infected mails (infected attachments) in your Outlook personal storage folder(s).

    Since Kaspersky doesn't list what exact mails they are, I suggest you go through each mail in your inbox, outbox, sent, deleted items and delete any mail you don't recognise.

    Do not open the mails, just delete.

    The following appear to be mails you have backed up that contain them as well:

    C:\Miscellaneous - 2\Archived Emails\email backup2-090204.pst Infected: Email-Worm.Win32.NetSky.d 1

    C:\Miscellaneous - 2\Archived Emails\email backup2-090204.pst Infected: Exploit.HTML.CodeBaseExec 1

    C:\Miscellaneous - 2\Archived Emails\email backup2-090204.pst Infected: Email-Worm.Win32.Bagle.al 1

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Email-Worm.Win32.NetSky.d 1

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Exploit.HTML.CodeBaseExec 1

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Email-Worm.Win32.Bagle.al 1

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Citifraud.ai 8

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Citifraud.ae 2

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Smitfraud.c 8

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Bankfraud.u 4

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Bankfraud.v 2

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Sunfraud.aj 1

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Bankfraud.w 2

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Wamufraud.bo 4

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Bankfraud.ci 2

    C:\Miscellaneous - 2\Email archives\archive.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Email-Worm.Win32.Bagle.ei 1

    C:\Miscellaneous - 2\Email archives\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

    What I suggest here is to delete those backups and create new ones afterwards.

    How are things now?
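The reply above triages the Kaspersky report by where each detection sits: hits inside Symantec's quarantine are already contained, hits in .pst files are infected mails that need deleting or a fresh backup, "not-a-virus" entries are tools to judge by whether you recognise them, and anything else is a live file to remove. The following is an added example, not code from the thread or from Kaspersky: it parses the "File name / Threat / Threats count" lines of a Kaspersky Online Scanner 7 report and applies that bucketing. The line format and the bucketing rules are inferred from the reports posted in this thread.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# "<path> Infected|Suspicious: <threat name> <count>"; paths contain spaces,
# so the path group is lazy and anchored by the verdict that follows it.
FINDING_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): "
    r"(?P<threat>\S+) (?P<count>\d+)$"
)

Finding = Tuple[str, str, str, int]   # (path, verdict, threat, count)


def classify(path: str, threat: str) -> str:
    """Bucket one finding the way the reply reasons about it."""
    low = path.lower()
    if "\\quarantine\\" in low:
        return "quarantined"      # already contained by the other AV product
    if "\\system volume information\\" in low:
        return "restore_point"    # stale copy in a System Restore snapshot
    if threat.startswith("not-a-virus:"):
        return "riskware"         # a tool, not malware: keep only if you know it
    if low.endswith((".pst", ".ost", ".dbx", ".mbx")):
        return "mail_store"       # infected mail/attachment inside a mailbox file
    return "live"                 # a real file on disk that still needs removal


def triage(report_lines: List[str]) -> Dict[str, List[Finding]]:
    buckets: Dict[str, List[Finding]] = defaultdict(list)
    for line in report_lines:
        m = FINDING_RE.match(line.strip())
        if not m:
            continue              # header, statistics and footer lines
        buckets[classify(m["path"], m["threat"])].append(
            (m["path"], m["verdict"], m["threat"], int(m["count"])))
    return dict(buckets)


def action_list(report_lines: List[str]) -> Dict[str, List[str]]:
    """What the user still has to act on, grouped by the action the reply gives."""
    b = triage(report_lines)
    return {
        "delete_file": [p for p, *_ in b.get("live", [])],
        "clean_or_recreate_mail_store": sorted({p for p, *_ in b.get("mail_store", [])}),
        "check_riskware": [p for p, *_ in b.get("riskware", [])],
        "already_contained": len(b.get("quarantined", [])) + len(b.get("restore_point", [])),
    }


# Constructed sample: lines copied from the reports posted in this thread.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900000\4FD3E53D.VBN Infected: Backdoor.Win32.Bredolab.aco 1
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Mike.FREEMAN\Desktop\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
C:\System Volume Information\_restore{6EB3C077-4EFF-46FA-8304-3103DF1F8FCE}\RP12\A0002117.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Citifraud.ai 8
C:\WINDOWS\system32\baborefe.exe Infected: Trojan.Win32.FraudPack.udl 1
Selected area has been scanned.
""".strip().splitlines()

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(bucket)
        for path, verdict, threat, count in items:
            print("   ", verdict, threat, "x%d" % count, path)
    print(action_list(SAMPLE_REPORT))
```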

  4. I successfully uninstalled ComboFix and ran the Kaspersky scan as requested. I forgot to turn off the anti-spyware software until about 20% completed...I hope this isn't a problem. Also, the Symantec file system auto-protect function turned itself back on at some point during the scan. Here is the Kaspersky scan log:

    P.S. I will check this forum periodically over the weekend but I will most reliably be able to reply come Monday.

    --------------------------------------------------------------------------------

    KASPERSKY ONLINE SCANNER 7.0: scan report

    Friday, October 9, 2009

    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    Kaspersky Online Scanner version: 7.0.26.13

    Last database update: Friday, October 09, 2009 19:14:35

    Records in database: 2942671

    --------------------------------------------------------------------------------

    Scan settings:

    scan using the following database: extended

    Scan archives: yes

    Scan e-mail databases: yes

    Scan area - My Computer:

    C:\

    D:\

    E:\

    Scan statistics:

    Objects scanned: 168228

    Threats found: 20

    Infected objects found: 50

    Suspicious objects found: 7

    Scan duration: 03:52:49

    File name / Threat / Threats count

    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900000\4FD3E53D.VBN Infected: Backdoor.Win32.Bredolab.aco 1

    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900001\4FD3E550.VBN Infected: Trojan-Downloader.Win32.Small.anii 1

    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900002\4FD3E5EF.VBN Infected: Packed.Win32.Krap.ad 1

    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900003\4FD3E600.VBN Infected: Packed.Win32.TDSS.aa 1

    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900004\4FD3E61A.VBN Infected: Packed.Win32.TDSS.aa 1

    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900005\4FD3E6BF.VBN Infected: Packed.Win32.Krap.ad 1

    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900006\4FD3E6CD.VBN Infected: Packed.Win32.Krap.ad 1

    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A900000\4ADF8A35.VBN Infected: Packed.Win32.TDSS.aa 1

    C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

    C:\Documents and Settings\Mike.FREEMAN\Desktop\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1

    C:\Documents and Settings\Mike.FREEMAN\Local Settings\Application Data\Microsoft\Outlook\archive.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2

    C:\Documents and Settings\Mike.FREEMAN\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

    C:\Miscellaneous - 2\Archived Emails\email backup2-090204.pst Infected: Email-Worm.Win32.NetSky.d 1

    C:\Miscellaneous - 2\Archived Emails\email backup2-090204.pst Infected: Exploit.HTML.CodeBaseExec 1

    C:\Miscellaneous - 2\Archived Emails\email backup2-090204.pst Infected: Email-Worm.Win32.Bagle.al 1

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Email-Worm.Win32.NetSky.d 1

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Exploit.HTML.CodeBaseExec 1

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Email-Worm.Win32.Bagle.al 1

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Citifraud.ai 8

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Citifraud.ae 2

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Smitfraud.c 8

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Bankfraud.u 4

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Bankfraud.v 2

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Sunfraud.aj 1

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Bankfraud.w 2

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Wamufraud.bo 4

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Trojan-Spy.HTML.Bankfraud.ci 2

    C:\Miscellaneous - 2\Email archives\archive.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2

    C:\Miscellaneous - 2\Email archives\archive.pst Infected: Email-Worm.Win32.Bagle.ei 1

    C:\Miscellaneous - 2\Email archives\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

    C:\WINDOWS\system32\baborefe.exe Infected: Trojan.Win32.FraudPack.udl 1

    Selected area has been scanned.

    Hi,

    * Go to Start > Run and copy and paste the next command in the field:

    ComboFix /u

    Make sure there's a space between Combofix and /

    Then hit enter.

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    Then, please run this online scan to help look for remnants.

    Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

    Click Accept, when prompted to download and install the program files and database of malware definitions.

    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

    **Note**

    To optimize scanning time and produce a more sensible report for review:

    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

  5. Thank you so much for replying. I apologize for not replying sooner...I will be more diligent in checking replies in the future. I have removed Trend Micro as requested. I have also followed your other directions and here is the new ComboFix log:

    ComboFix 09-10-08.04 - Mike 10/09/2009 15:26.1.2 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1305 [GMT -4:00]

    Running from: c:\documents and settings\Mike.FREEMAN\Desktop\ComboFix.exe

    Command switches used :: c:\documents and settings\Mike.FREEMAN\Desktop\CFScript.txt

    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FILE ::

    "c:\windows\system32\fuwubidu.exe"

    "c:\windows\system32\musesiwo.exe"

    "c:\windows\system32\vagiluke.exe"

    "c:\windows\system32\yapakati.exe"

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\windows\system32\fuwubidu.exe

    c:\windows\system32\musesiwo.exe

    c:\windows\system32\vagiluke.exe

    c:\windows\system32\yapakati.exe

    .

    ((((((((((((((((((((((((( Files Created from 2009-09-09 to 2009-10-09 )))))))))))))))))))))))))))))))

    .

    2009-09-30 23:18 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe

    2009-09-30 23:18 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

    2009-09-25 14:15 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

    2009-09-25 14:15 . 2009-08-24 18:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys

    2009-09-25 14:15 . 2009-08-19 15:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

    2009-09-25 14:14 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

    2009-09-25 14:14 . 2009-09-25 14:14 -------- d-----w- c:\documents and settings\Mike.FREEMAN\Application Data\PC Tools

    2009-09-25 14:14 . 2009-09-25 14:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools

    2009-09-24 22:57 . 2009-09-25 14:15 -------- d-----w- c:\program files\Common Files\PC Tools

    2009-09-24 22:57 . 2009-10-03 20:41 -------- d-----w- c:\program files\Spyware Doctor

    2009-09-24 22:55 . 2009-10-09 19:24 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP

    2009-09-24 15:12 . 2009-09-24 15:12 -------- d-----w- c:\documents and settings\Administrator.FREEMAN\Local Settings\Application Data\Symantec

    2009-09-24 14:47 . 2009-09-24 14:47 -------- d-----w- C:\VundoFix Backups

    2009-09-23 19:56 . 2009-09-23 19:56 -------- d-----w- c:\documents and settings\Mike.FREEMAN\Local Settings\Application Data\Symantec

    2009-09-23 19:54 . 2009-09-23 19:55 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL

    2009-09-23 19:54 . 2009-09-23 19:55 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

    2009-09-23 19:53 . 2009-09-23 19:55 -------- d-----w- c:\program files\Symantec

    2009-09-23 19:52 . 2009-10-09 19:23 -------- d-----w- c:\program files\Symantec AntiVirus

    2009-09-23 19:52 . 2009-09-23 19:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Symantec

    2009-09-23 15:18 . 2009-09-24 00:14 -------- d-----w- C:\symantec

    2009-09-22 20:59 . 2009-09-22 20:59 -------- d--h--w- c:\windows\system32\GroupPolicy

    2009-09-22 19:20 . 2009-09-22 19:20 -------- d-----w- c:\documents and settings\Mike.FREEMAN\Application Data\Malwarebytes

    2009-09-22 18:16 . 2009-09-22 18:16 -------- d-----w- c:\documents and settings\Administrator.FREEMAN\Application Data\Malwarebytes

    2009-09-22 18:16 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2009-09-22 18:16 . 2009-09-22 18:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2009-09-22 18:11 . 2009-09-22 18:12 -------- d-----w- c:\documents and settings\Administrator.FREEMAN\Local Settings\Application Data\Microsoft

    2009-09-22 18:11 . 2009-09-22 18:12 -------- d-----w- c:\documents and settings\Administrator.FREEMAN

    2009-09-22 16:01 . 2009-09-22 16:01 171224 --sha-w- c:\windows\system32\baborefe.exe

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2009-10-09 18:19 . 2008-07-15 15:33 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater

    2009-10-09 14:16 . 2006-11-15 18:38 -------- d-----w- c:\documents and settings\Mike.FREEMAN\Application Data\EndNote

    2009-10-05 16:26 . 2007-12-29 17:00 -------- d-----w- c:\documents and settings\Mike.FREEMAN\Application Data\Creative

    2009-09-28 14:40 . 2009-08-28 20:00 -------- d-----w- c:\documents and settings\Mike.FREEMAN\Application Data\HpUpdate

    2009-09-23 19:56 . 2006-10-20 20:11 -------- d-----w- c:\program files\Common Files\Symantec Shared

    2009-09-23 19:55 . 2009-09-23 19:54 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

    2009-09-23 19:55 . 2009-09-23 19:54 10671 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

    2009-09-22 18:16 . 2009-09-22 18:16 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

    2009-09-10 18:53 . 2009-09-22 18:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

    2009-09-02 14:01 . 2009-09-02 14:01 -------- d-----w- c:\program files\Microsoft Office Outlook Connector

    2009-09-02 14:00 . 2009-08-04 22:35 -------- d-----w- c:\program files\MSECache

    2009-08-28 20:01 . 2007-04-03 15:57 -------- d-----w- c:\program files\HP

    2009-08-22 18:40 . 2006-11-11 16:04 62448 -c--a-w- c:\documents and settings\Mike.FREEMAN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

    2009-08-14 10:58 . 2009-09-25 14:15 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat

    2009-08-12 15:38 . 2009-06-18 20:43 -------- d-----w- c:\program files\EndNote X2

    2009-08-12 15:38 . 2009-06-18 20:43 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Thomson.ResearchSoft.Installers

    2009-08-05 09:01 . 2004-08-10 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

    2009-07-25 09:23 . 2008-11-23 20:23 411368 ----a-w- c:\windows\system32\deploytk.dll

    2009-07-17 19:01 . 2004-08-10 11:00 58880 ----a-w- c:\windows\system32\atl.dll

    2009-07-14 03:43 . 2004-08-10 11:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 49152]

    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]

    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-06 94208]

    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]

    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-06 98304]

    "hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-24 618496]

    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-06 114688]

    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

    "CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]

    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]

    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]

    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-09-30 125368]

    "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-23 1181064]

    "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

    "MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]

    "BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-11-14 25214]

    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-24 110592]

    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "c:\\Program Files\\Messenger\\msmsgs.exe"=

    "c:\\WINDOWS\\system32\\mqsvc.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\WIDCOMM\\Bluetooth Software\\bin\\btwdins.exe"=

    "c:\\Program Files\\CambridgeSoft\\ChemOffice2004\\ChemDraw\\ChemDraw.exe"=

    "c:\\Program Files\\Spyware Doctor\\pctsGui.exe"=

    "c:\\Program Files\\Invitrogen\\Vector NTI Advance 11\\Vector NTI 10.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping

    "3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

    "AllowInboundEchoRequest"= 1 (0x1)

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/25/2009 10:15 AM 206256]

    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]

    R2 IQCamPP;IQCamPP;c:\windows\system32\drivers\IQCamPP.sys [8/3/2009 7:57 PM 7548]

    R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/25/2009 10:14 AM 348752]

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/30/2009 4:01 PM 102448]

    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 5:41 PM 116664]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mchInjDrv

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    .

    Contents of the 'Scheduled Tasks' folder

    2008-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job

    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

    2009-10-09 c:\windows\Tasks\Google Software Updater.job

    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-15 15:04]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.google.com/

    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/

    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

    TCP: {16DBF460-76EE-441B-8B16-740FA42E5438} = 128.220.2.82

    TCP: {2B225793-9D3C-40EF-BDCE-D56094C59634} = 128.220.2.82,128.220.2.7

    Handler: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - c:\program files\Invitrogen\Vector NTI Advance 11\Ncbi.dll

    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2009-10-09 15:31

    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:

    ZwClose

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

    @Denied: (2) (LocalSystem)

    "659BD8E725A05FDCC64118EA787EAA2B534A94FABE"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,2a,e9,23,40,41,ee,4f,9d,eb,e4,\

    "3A77B377802A4B6183DDE08FDE4AD9AF647A702826"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,2a,e9,23,40,41,ee,4f,9d,eb,e4,\

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

    @Denied: (A 2) (Everyone)

    @="IFlashBroker3"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    "Version"="1.0"

    .

    Completion time: 2009-10-09 15:34

    ComboFix-quarantined-files.txt 2009-10-09 19:34

    ComboFix2.txt 2009-09-30 23:30

    Pre-Run: 7,079,985,152 bytes free

    Post-Run: 7,071,457,280 bytes free

    197 --- E O F --- 2009-10-07 23:54

    Hi,

    I notice from your log that there's more than 1 Antivirus installed. Symantec and Trendmicro.

    Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!

    The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.

    Also because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

    So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.

    Then reboot after uninstalling.

    Then, open Notepad - don't use any other text editor than Notepad or the script will fail.

    Copy/paste the text in the quotebox below into notepad:

    Save this as txtfile CFScript

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    CFScript.gif

    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

  6. About a week ago I clicked on a bad link which apparently downloaded a suite of viruses/trojans including Total Security Virus, trojan.fakealert, sdr64.exe, trojan.vundo etc. I spent the next four days trying to eliminate them using programs like malwarebytes (and also some manual removals) and such...all were seemingly removed except for trojan.vundo. Malwarebytes could detect it but it would reappear after reboot. After looking through my hijackthis! log I detected and eliminated what I thought was all of trojan.vundo and from then on malwarebytes could not detect anything. 2-3 days went by and everything seemed fine, but vundo came back with friends again (downloader, antiviruspro, packed.generic.233, etc.). I am not a computer wiz (mildly competent) and I am at my wits' end and I need help.

    I downloaded and used combofix, and am posting its log file and a subsequent hijackthis! file that was run after combofix. Any help would be much appreciated, thank you in advance.

    P.S. Programs such as Vundofix cannot remove this thing. I currently have PC-cillin, Symantec Antivirus, and Spyware Doctor. My computer is an E1405 Dell Inspiron running Windows XP Media edition (Home).

    P.P.S. I am not familiar with the etiquette of posting for help...I have posted for help in one other forum (spybot.forums) and if this is a problem I am sorry...I will remove that post if this is not supposed to occur (since I currently do not have spybot and have been using malwarebytes).

    Combofix log:

    ComboFix 09-09-30.01 - Mike 09/30/2009 19:13.1.2 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1217 [GMT -4:00]

    Running from: c:\documents and settings\Mike.FREEMAN\Desktop\ComboFix.exe

    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

    FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat

    c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat

    c:\documents and settings\Mike\Application Data\Microsoft\Word\STARTUP\EN7Cwyw.wll

    c:\recycler\S-1-5-21-4021479338-3157050874-223112914-1005

    c:\recycler\S-1-5-21-4021479338-3157050874-223112914-500

    c:\windows\Installer\23ba236.msp

    c:\windows\Installer\23ba24c.msp

    c:\windows\Installer\23ba262.msp

    c:\windows\Installer\d4631.msi

    c:\windows\kb913800.exe

    c:\windows\system32\drivers\1028_DELL_XPS_MXC061 .MRK

    c:\windows\system32\drivers\DELL_XPS_MXC061 .MRK

    c:\windows\system32\paduzebe.dll

    c:\windows\system32\ramegige.dll

    c:\windows\system32\SySInfo.ocx

    c:\windows\system32\zazovera.dll

    ----- BITS: Possible infected sites -----

    hxxp://82.98.231.96

    c:\windows\system32\proquota.exe was missing

    Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

    .

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    -------\Legacy_IPRIP

    -------\Service_Iprip

    ((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))

    .

    2009-09-30 23:18 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe

    2009-09-30 23:18 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

    2009-09-25 14:15 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

    2009-09-25 14:15 . 2009-08-24 18:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys

    2009-09-25 14:15 . 2009-08-19 15:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

    2009-09-25 14:14 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

    2009-09-25 14:14 . 2009-09-25 14:14 -------- d-----w- c:\documents and settings\Mike.FREEMAN\Application Data\PC Tools

    2009-09-25 14:14 . 2009-09-25 14:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools

    2009-09-24 22:57 . 2009-09-25 14:15 -------- d-----w- c:\program files\Common Files\PC Tools

    2009-09-24 22:57 . 2009-09-25 14:16 -------- d-----w- c:\program files\Spyware Doctor

    2009-09-24 22:55 . 2009-09-30 22:52 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP

    2009-09-24 15:12 . 2009-09-24 15:12 -------- d-----w- c:\documents and settings\Administrator.FREEMAN\Local Settings\Application Data\Symantec

    2009-09-24 14:47 . 2009-09-24 14:47 -------- d-----w- C:\VundoFix Backups

    2009-09-23 19:56 . 2009-09-23 19:56 -------- d-----w- c:\documents and settings\Mike.FREEMAN\Local Settings\Application Data\Symantec

    2009-09-23 19:54 . 2009-09-23 19:55 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL

    2009-09-23 19:54 . 2009-09-23 19:55 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

    2009-09-23 19:53 . 2009-09-23 19:55 -------- d-----w- c:\program files\Symantec

    2009-09-23 19:52 . 2009-09-30 23:21 -------- d-----w- c:\program files\Symantec AntiVirus

    2009-09-23 19:52 . 2009-09-23 19:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Symantec

    2009-09-23 15:18 . 2009-09-24 00:14 -------- d-----w- C:\symantec

    2009-09-22 20:59 . 2009-09-22 20:59 -------- d--h--w- c:\windows\system32\GroupPolicy

    2009-09-22 19:20 . 2009-09-22 19:20 -------- d-----w- c:\documents and settings\Mike.FREEMAN\Application Data\Malwarebytes

    2009-09-22 18:16 . 2009-09-22 18:16 -------- d-----w- c:\documents and settings\Administrator.FREEMAN\Application Data\Malwarebytes

    2009-09-22 18:16 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2009-09-22 18:16 . 2009-09-22 18:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2009-09-22 18:11 . 2009-09-22 18:12 -------- d-----w- c:\documents and settings\Administrator.FREEMAN\Local Settings\Application Data\Microsoft

    2009-09-22 18:11 . 2009-09-22 18:12 -------- d-----w- c:\documents and settings\Administrator.FREEMAN

    2009-09-22 16:01 . 2009-09-22 16:01 171224 --sha-w- c:\windows\system32\baborefe.exe

    2009-09-02 14:01 . 2009-09-02 14:01 -------- d-----w- c:\program files\Microsoft Office Outlook Connector

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2009-09-30 16:30 . 2008-07-15 15:33 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater

    2009-09-30 14:30 . 2006-11-15 18:38 -------- d-----w- c:\documents and settings\Mike.FREEMAN\Application Data\EndNote

    2009-09-28 14:40 . 2009-08-28 20:00 -------- d-----w- c:\documents and settings\Mike.FREEMAN\Application Data\HpUpdate

    2009-09-24 14:46 . 2009-06-24 14:46 73216 --sha-w- c:\windows\system32\yapakati.exe

    2009-09-23 19:56 . 2006-10-20 20:11 -------- d-----w- c:\program files\Common Files\Symantec Shared

    2009-09-23 19:55 . 2009-09-23 19:54 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

    2009-09-23 19:55 . 2009-09-23 19:54 10671 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

    2009-09-23 14:10 . 2009-06-23 14:10 73216 --sha-w- c:\windows\system32\musesiwo.exe

    2009-09-22 18:16 . 2009-09-22 18:16 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

    2009-09-22 15:58 . 2009-06-22 15:58 73216 --sha-w- c:\windows\system32\fuwubidu.exe

    2009-09-10 18:53 . 2009-09-22 18:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

    2009-09-02 14:00 . 2009-08-04 22:35 -------- d-----w- c:\program files\MSECache

    2009-08-28 20:01 . 2007-04-03 15:57 -------- d-----w- c:\program files\HP

    2009-08-22 18:40 . 2006-11-11 16:04 62448 -c--a-w- c:\documents and settings\Mike.FREEMAN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

    2009-08-14 10:58 . 2009-09-25 14:15 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat

    2009-08-12 15:38 . 2009-06-18 20:43 -------- d-----w- c:\program files\EndNote X2

    2009-08-12 15:38 . 2009-06-18 20:43 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Thomson.ResearchSoft.Installers

    2009-08-06 20:11 . 2009-08-06 20:11 -------- d-----w- c:\program files\MSBuild

    2009-08-06 20:11 . 2009-08-06 20:11 -------- d-----w- c:\program files\Reference Assemblies

    2009-08-05 09:01 . 2004-08-10 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

    2009-08-04 21:27 . 2006-10-20 20:00 -------- d-----w- c:\program files\Java

    2009-08-03 23:57 . 2006-10-20 20:09 -------- d--h--w- c:\program files\InstallShield Installation Information

    2009-08-03 23:56 . 2009-08-03 23:56 -------- d-----w- c:\program files\Bio-Rad

    2009-07-25 09:23 . 2008-11-23 20:23 411368 ----a-w- c:\windows\system32\deploytk.dll

    2009-07-17 19:01 . 2004-08-10 11:00 58880 ----a-w- c:\windows\system32\atl.dll

    2009-07-14 03:43 . 2004-08-10 11:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

    2009-06-22 15:58 . 2009-06-22 15:58 169984 --sha-w- c:\windows\system32\vagiluke.exe

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 49152]

    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]

    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-06 94208]

    "pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-23 823362]

    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]

    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-06 98304]

    "hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-24 618496]

    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-06 114688]

    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

    "CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]

    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]

    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]

    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-09-30 125368]

    "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

    "MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]

    "BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-11-14 25214]

    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-24 110592]

    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "c:\\Program Files\\Messenger\\msmsgs.exe"=

    "c:\\WINDOWS\\system32\\mqsvc.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\WIDCOMM\\Bluetooth Software\\bin\\btwdins.exe"=

    "c:\\Program Files\\CambridgeSoft\\ChemOffice2004\\ChemDraw\\ChemDraw.exe"=

    "c:\\Program Files\\Spyware Doctor\\pctsGui.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping

    "3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

    "AllowInboundEchoRequest"= 1 (0x1)

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/25/2009 10:15 AM 206256]

    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]

    R2 IQCamPP;IQCamPP;c:\windows\system32\drivers\IQCamPP.sys [8/3/2009 7:57 PM 7548]

    R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2/18/2005 9:04 PM 205328]

    R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/22/2005 11:31 PM 290889]

    R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [4/25/2005 7:39 PM 585792]

    R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2/18/2005 9:04 PM 36368]

    R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [4/25/2005 7:41 PM 262215]

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/30/2009 4:01 PM 102448]

    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 5:41 PM 116664]

    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/25/2009 10:14 AM 348752]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    .

    Contents of the 'Scheduled Tasks' folder

    2008-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job

    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

    2009-09-30 c:\windows\Tasks\Google Software Updater.job

    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-15 15:04]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.google.com/

    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/

    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

    TCP: {16DBF460-76EE-441B-8B16-740FA42E5438} = 128.220.2.82

    TCP: {2B225793-9D3C-40EF-BDCE-D56094C59634} = 128.220.2.82,128.220.2.7

    Handler: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - c:\program files\Invitrogen\Vector NTI Advance 11\Ncbi.dll

    .

    - - - - ORPHANS REMOVED - - - -

    Notify-WgaLogon - (no file)

    AddRemove-JetAdminV3.02 - c:\windows\system32\DeIsL1.isu

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2009-09-30 19:25

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

    @Denied: (2) (LocalSystem)

    "659BD8E725A05FDCC64118EA787EAA2B534A94FABE"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,2a,e9,23,40,41,ee,4f,9d,eb,e4,\

    "3A77B377802A4B6183DDE08FDE4AD9AF647A702826"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,2a,e9,23,40,41,ee,4f,9d,eb,e4,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

    @Denied: (A 2) (Everyone)

    @="FlashBroker"

    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

    @Denied: (A 2) (Everyone)

    @="IFlashBroker3"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    "Version"="1.0"

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(4492)

    c:\windows\system32\ieframe.dll

    c:\windows\system32\OneX.DLL

    c:\windows\system32\eappprxy.dll

    c:\windows\system32\webcheck.dll

    c:\windows\system32\WPDShServiceObj.dll

    c:\windows\system32\btncopy.dll

    c:\windows\system32\PortableDeviceTypes.dll

    c:\windows\system32\PortableDeviceApi.dll

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

    c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    c:\windows\system32\BCMWLTRY.EXE

    c:\windows\system32\msdtc.exe

    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

    c:\windows\system32\CTSVCCDA.EXE

    c:\program files\Symantec AntiVirus\DefWatch.exe

    c:\windows\ehome\ehrecvr.exe

    c:\windows\ehome\ehSched.exe

    c:\program files\Java\jre6\bin\jqs.exe

    c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe

    c:\windows\system32\tcpsvcs.exe

    c:\windows\system32\snmp.exe

    c:\program files\Symantec AntiVirus\Rtvscan.exe

    c:\windows\ehome\mcrdsvc.exe

    c:\windows\system32\mqsvc.exe

    c:\windows\system32\mqtgsvc.exe

    c:\windows\system32\dllhost.exe

    c:\windows\system32\wscntfy.exe

    c:\windows\system32\igfxsrvc.exe

    c:\windows\ehome\ehmsas.exe

    c:\windows\system32\rundll32.exe

    c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe

    .

    **************************************************************************

    .

    Completion time: 2009-09-30 19:30 - machine was rebooted

    ComboFix-quarantined-files.txt 2009-09-30 23:30

    Pre-Run: 3,247,124,480 bytes free

    Post-Run: 7,082,377,216 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

    [boot loader]

    timeout=2

    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

    [operating systems]

    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    284 --- E O F --- 2009-09-09 20:48

    Hijackthis! log:

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 7:41:59 PM, on 9/30/2009

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v8.00 (8.00.6001.18241)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    C:\WINDOWS\System32\WLTRYSVC.EXE

    C:\WINDOWS\System32\bcmwltry.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

    C:\WINDOWS\system32\CTsvcCDA.exe

    C:\Program Files\Symantec AntiVirus\DefWatch.exe

    C:\WINDOWS\eHome\ehRecvr.exe

    C:\WINDOWS\eHome\ehSched.exe

    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Java\jre6\bin\jqs.exe

    C:\WINDOWS\System32\svchost.exe

    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\tcpsvcs.exe

    C:\WINDOWS\System32\snmp.exe

    C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe

    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

    C:\Program Files\Java\jre6\bin\jusched.exe

    C:\WINDOWS\stsystra.exe

    C:\Program Files\QuickTime\qttask.exe

    C:\WINDOWS\system32\igfxpers.exe

    C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    C:\WINDOWS\system32\igfxsrvc.exe

    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

    C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe

    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

    C:\WINDOWS\system32\hkcmd.exe

    C:\WINDOWS\ehome\ehtray.exe

    C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe

    C:\WINDOWS\system32\WLTRAY.exe

    C:\WINDOWS\system32\rundll32.exe

    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\PROGRA~1\SYMANT~1\VPTray.exe

    C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

    C:\WINDOWS\system32\mqsvc.exe

    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

    C:\WINDOWS\system32\mqtgsvc.exe

    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

    C:\Program Files\Symantec AntiVirus\DoScan.exe

    C:\WINDOWS\system32\dllhost.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\WINDOWS\eHome\ehmsas.exe

    C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcrobatInfo.exe

    C:\Documents and Settings\Administrator.FREEMAN\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

    O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on

    O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

    O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

    O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"

    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

    O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

    O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1

    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

    O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe

    O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

    O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

    O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    O4 - Global Startup: Bluetooth.lnk = ?

    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab

    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5483.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1163530248039

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1163705475085

    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab

    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V020...5033/CTPID.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{16DBF460-76EE-441B-8B16-740FA42E5438}: NameServer = 128.220.2.82

    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B225793-9D3C-40EF-BDCE-D56094C59634}: NameServer = 128.220.2.82,128.220.2.7

    O18 - Protocol: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - C:\Program Files\Invitrogen\Vector NTI Advance 11\Ncbi.dll

    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

    O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --

    End of file - 11883 bytes
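Added example (not part of the original post and not HijackThis code): a small triage script for log lines like the ones above. It parses the O16, O17, O18 and O23 entries and flags the things a helper would look up first: a DNS resolver outside the range the machine is expected to use, an ActiveX download host that is not on a trusted list, a custom URL protocol handler, and a service with no vendor or running from somewhere other than Program Files or Windows. The resolver range, the trusted-host list and the three constructed lines in the sample (the all-zero GUIDs, `downloads.example.net`, `203.0.113.5` and `exupd.exe`, all reserved or made-up values) are assumptions; the other sample lines are copied from the log above.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not HijackThis code and not from the original poster. The
environment-specific values below are assumptions to be adjusted per site.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Assumption: the DNS resolvers this network is known to use (the log's two
# 128.220.2.x servers fall inside this range; anything else is flagged).
EXPECTED_RESOLVER_NETS = [ip_network("128.220.0.0/16")]
# Assumption: domains from which ActiveX (O16 DPF) downloads are acceptable.
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "live.com", "macromedia.com", "creative.com")
# Directories a service binary (O23) or protocol DLL (O18) is expected to live in.
SYSTEM_DIRS = (r"c:\program files", r"c:\progra~1", r"c:\windows")

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
SERVICE_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)$")
PROTOCOL_RE = re.compile(r"^Protocol: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.+)$")

# Constructed sample: real lines copied from the log above plus three
# constructed lines (zero GUIDs, example.net, 203.0.113.5, exupd.exe) that
# exercise the checks. None of the constructed items refers to a real threat.
SAMPLE_LOG = r"""
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1163530248039
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Constructed Example Control) - http://downloads.example.net/ctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B225793-9D3C-40EF-BDCE-D56094C59634}: NameServer = 128.220.2.82,128.220.2.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 203.0.113.5
O18 - Protocol: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - C:\Program Files\Invitrogen\Vector NTI Advance 11\Ncbi.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Example Updater (exupd) - Unknown owner - C:\Documents and Settings\user\Local Settings\Temp\exupd.exe
--
End of file - 11883 bytes
"""


def parse_entries(text):
    """Yield (code, body) for every 'Oxx - ...' line; blanks and the trailer are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def in_system_dir(path):
    """True when the binary/DLL path starts with one of the expected system directories."""
    return path.strip().lower().startswith(SYSTEM_DIRS)


def trusted_host(host):
    """Exact or dot-bounded suffix match, so 'evillive.com' does not pass as 'live.com'."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_DPF_SUFFIXES)


def triage(text):
    """Return (severity, code, reason) tuples in log order; 'info' rows are for review only."""
    findings = []
    for code, body in parse_entries(text):
        if code == "O17":
            m = NAMESERVER_RE.search(body)
            if m:
                for raw in m.group(1).split(","):
                    try:
                        ip = ip_address(raw.strip())
                    except ValueError:
                        findings.append(("high", code, f"unparseable resolver {raw.strip()!r}"))
                        continue
                    if not any(ip in net for net in EXPECTED_RESOLVER_NETS):
                        findings.append(("high", code, f"unexpected DNS resolver {ip}"))
        elif code == "O23":
            m = SERVICE_RE.match(body)
            if m:
                name, vendor, path = m.groups()
                if vendor.strip().lower() == "unknown owner":
                    findings.append(("medium", code, f"service '{name}' has no vendor: {path}"))
                if not in_system_dir(path):
                    findings.append(("high", code, f"service '{name}' runs from unusual path: {path}"))
        elif code == "O16":
            m = DPF_RE.match(body)
            if m:
                host = urlsplit(m.group(3)).hostname or ""
                if not trusted_host(host):
                    findings.append(("medium", code, f"ActiveX download from untrusted host {host}"))
        elif code == "O18":
            m = PROTOCOL_RE.match(body)
            if m:
                scheme, _guid, dll = m.groups()
                sev = "info" if in_system_dir(dll) else "high"
                findings.append((sev, code, f"custom protocol handler '{scheme}:' -> {dll}"))
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "info": 2}
    for sev, code, reason in sorted(triage(SAMPLE_LOG), key=lambda f: order[f[0]]):
        print(f"[{sev:6}] {code}: {reason}")
```

Run against the sample, the script leaves every Symantec, Microsoft and 128.220.x entry alone and surfaces only the constructed resolver, the constructed download host, the temp-directory service and the two "Unknown owner" rows, plus the Vector NTI protocol handler as informational. None of these flags is proof of anything: the Dell WLAN tray service in the log is a legitimate vendor component that HijackThis simply could not attribute, so the output is a worklist of items to look up, not a removal list.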
