Heavus

Everything posted by Heavus

  1. I have the Protection Module on, but the automatic updates and autoscan are not operational for me. Any ideas? Both items are checked, with 1 AM and 2 AM times selected. Thanks, Heavus
  2. Hello, I have seen this exact error. Turned out to be a bad HD even though the system was able to boot on occasion. Please do a DIAG on the HD and see what the results are, especially if under warranty. The product I saw was an HP laptop under two years old. I was able to do a files and migration wizard before replacement. Also, the failure was detected very quickly using built-in diags. Good Luck, MH
  3. Just remove them. Rescan after the removal. Reboot if prompted. Heavus
  4. Hi, Welcome. Was the machine running in safe mode or normal? I would try it in safe mode first, then graduate to normal mode after the reboot. Heavus
  5. I don't know what else to tell you. I returned his computer to him upon his request; it was working better than when I got it. It had the rootkit still on it, but he wanted it back. I gave him the instructions as offered here, he did it, I posted it, and that's the last one I received from him. I have asked for more but .... It's his computer and his choice. Sorry.
  6. Malwarebytes' Anti-Malware 1.24
     Database version: 1012
     Windows 5.1.2600 Service Pack 2

     1:39:48 PM 8/18/2008
     mbam-log-8-18-2008 (13-39-48).txt

     Scan type: Quick Scan
     Objects scanned: 52131
     Time elapsed: 20 minute(s), 28 second(s)

     Memory Processes Infected: 4
     Memory Modules Infected: 1
     Registry Keys Infected: 12
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 7

     Memory Processes Infected:
     C:\WINDOWS\SYSTEM32\AFinding.exe (Trojan.Agent) -> Unloaded process successfully.
     C:\WINDOWS\SYSTEM32\WServing.exe (Trojan.Agent) -> Unloaded process successfully.
     C:\WINDOWS\SYSTEM32\routing.exe (Trojan.Agent) -> Unloaded process successfully.
     C:\WINDOWS\SYSTEM32\perfs.exe (Trojan.Downloader) -> Unloaded process successfully.

     Memory Modules Infected:
     C:\WINDOWS\SYSTEM32\Proxy.dll (Trojan.Agent) -> Delete on reboot.

     Registry Keys Infected:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFinding (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Routing (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WServing (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afinding (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\afinding (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wserving (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wserving (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\routing (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\routing (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\perfs (Trojan.Downloader) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\perfs (Trojan.Downloader) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfs (Trojan.Downloader) -> Quarantined and deleted successfully.

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\WINDOWS\SYSTEM32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
     C:\WINDOWS\SYSTEM32\AFinding.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     C:\WINDOWS\SYSTEM32\WServing.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     C:\WINDOWS\SYSTEM32\Proxy.dll (Trojan.Agent) -> Delete on reboot.
     C:\WINDOWS\SYSTEM32\routing.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     C:\WINDOWS\SYSTEM32\perfs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Gary Anderson\Local Settings\Temp\us0105.exe (Trojan.Agent) -> Quarantined and deleted successfully.
  7. Vet, That system is out of my control; waiting for the final logs from the user. I know that after ComboFix was run he was clean on his Malwarebytes logs. I have asked him to send them but he has not. MH
  8. Also, new BIOS update from Dell from A07 to A09, fresh Intel PRO driver as well. Thanks.
  9. Had substantial malware that was removed with Malwarebytes 1.24; saved the file on another computer, will post soon. No network services running, and they will not start manually. Any thoughts appreciated. Thanks, Heavus

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 16:47, on 2008-08-18
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16705)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
     C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
     C:\WINDOWS\system32\tcpsvcs.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
     C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
     C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
     C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
     R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
     O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
     O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
     O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
     O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
     O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
     O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
     O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
     O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
     O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKUS\S-1-5-21-2977829087-2574050279-514187110-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
     O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
     O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
     O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

     --
     End of file - 4392 bytes
  10. Already flashed the BIOS. This computer is not mine and is out of my control now. When I sent him to bleepingcomputer he bought STOPzilla instead of downloading ComboFix. He was eventually successful getting ComboFix. Is STOPzilla a dangerous program or spyware? Thanks, I will have this implemented. Heavus
  11. Vet, Here is the ComboFix log file. Others to follow. Thanks, MH
  12. Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:04 AM, on 8/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\SpyZooka\spyzooka.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com/
O1 - Hosts: 127.0.0.0 localhost
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Avira AntiVir Personal
  13. The Latest Scan.

Malwarebytes' Anti-Malware 1.24
Database version: 1014
Windows 5.1.2600 Service Pack 3

9:42:35 AM 8/1/2008
mbam-log-8-1-2008 (09-42-21).txt

Scan type: Quick Scan
Objects scanned: 42928
Time elapsed: 37 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\WinCtrl32.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winctrl32 (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\WinCtrl32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\WinCtrl32.dl_ (Trojan.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\Winpv85.sys (Rootkit.Agent) -> No action taken.
  14. Here is my latest scan. I'm doing OK, have SP2 and SP3 installed. Still some lingering malware.

Malwarebytes' Anti-Malware 1.24
Database version: 1013
Windows 5.1.2600 Service Pack 3

6:28:42 PM 7/31/2008
mbam-log-7-31-2008 (18-28-42).txt

Scan type: Quick Scan
Objects scanned: 41357
Time elapsed: 8 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winctrl32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\WinCtrl32.dl_ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\Winpv85.sys (Rootkit.Agent) -> Delete on reboot.
  15. Thanks for the input. Here is what I get: "Setup cannot continue because the version of Windows on your computer is newer than the version on the CD. Warning: If you decide to delete the newer version of Windows that is currently installed on your computer, the files and settings cannot be recovered." MH Setup_Error.doc
  16. Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19: VIRUS ALERT!, on 7/30/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Jeff\LOCALS~1\Temp\csrssc.exe
E:\HiJackThis.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O1 - Hosts: 127.0.0.0 localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [bM07b47664] Rundll32.exe "C:\WINDOWS\System32\wxbgaqax.dll",s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [lanmanwrk.exe clean] C:\WINDOWS\System32\lanmanwrk.exe clean
O4 - HKCU\..\Run: [wekewfjo983mkefdd] C:\DOCUME~1\Jeff\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Jeff\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Jeff\cftmon.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe" /autorun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download File - C:\Program Files\Winferno\Secure IE\Scripts\AddToTransferQueue.htm
O8 - Extra context menu item: &Highlight - C:\Program Files\Winferno\Secure IE\Scripts\highlight.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Zoom &In - C:\Program Files\Winferno\Secure IE\Scripts\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\Program Files\Winferno\Secure IE\Scripts\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {B9B19139-C45D-42BA-A011-319970D37EC6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B9B19139-C45D-42BA-A011-319970D37EC6} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8522F9B3-0000-0000-0000-000000000000} - http://38.144.58.87/sex/xxxmovies.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F85C926-A979-48F2-A147-5A766CE5629B}: NameServer = 68.87.69.146,68.87.85.98,68.87.78.130
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 68.87.69.146 68.87.85.98,68.87.78.130
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 68.87.69.146 68.87.85.98,68.87.78.130
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 68.87.69.146 68.87.85.98,68.87.78.130
O22 - SharedTaskScheduler: werkjdnfi8wnkjmdfdfkefn - {C5AF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\System32\kdfgj83ke.dll
O23 - Service: Avira AntiVir Personal
  17. Hi, Here is a problem AntiVirus 2008 item. I ran the tool and found 300+ items on light scan. I then ran the 2nd pass on Full scan and came up with another 50 or so after reboot on the first. I ran these in SAFE Mode. Still there on normal reboot. Also attached is the HijackThis log file. Any suggestions would be great. System Information: XP SP1, expired McAfee antivirus (replaced with new). Thanks. mark mbam_log_7_30_2008__11_09_15_.txt mbam_log_7_30_2008__11_54_23__2.txt
  18. So when you tested the RAM it tested OK? There should be a diagnostic partition on your Compaq to run from.
  19. Hello, RE: STOP: C000021 Fatal System Error, Terminated unexpectedly with status of. There is more information on this line. Please post it. Example: terminated unexpectedly with a status of 0X0000026c or similar. If repair is run using the setup disk, it may lead to Error Bad_Pool_Caller or Memory_Manager_Error. I have seen this before and the problem was BAD RAM. Please test before continuing. Heavus
  20. Thanks for the input. I finally was able to get this item removed. I updated the AntiVirus to the absolute latest, installed SP3 for XP, then rescanned using Malwarebytes 1.19. Success. Not sure if SP3 has any credit to this but can't hurt. Heavus
  21. Here is the file in question: c:\windows\system32\yaywwWPJ.dll
  22. Hello, One last item that gets removed by ver 1.19 then reappears is the Trojan.Vundo. My antivirus IDs it as TR/Zlog.28800. Any ideas? Other than that, all removed. Thanks
  23. Dear Bruce, Worked like a champ. Thanks, Heavus