
awmross

Members
  • Posts: 11
Reputation: 0 Neutral
  1. I've done as you suggested and, sure enough, the system is working again. I also uploaded the file you suggested. I should mention that I did install lame.exe to do MP3 ripping.
  2. When I boot XP, the desktop background appears, but no desktop icons and no taskbar or Start menu. I can run other applications through Task Manager, but Malwarebytes won't run and neither will the Avira scan. So I'm guessing I have a virus?? I can boot into Safe Mode normally. I ran Malwarebytes and an Avira virus scan in Safe Mode. Avira found one .ini file, but that's it. Here is DDS.txt, and the Malwarebytes log. Attachment: Attach.zip
  3. Done. One question. In one of the stages, I ran a program called "defogger.exe" or similar. There was a last step that involved uninstalling / switching off the "defogger" program, but they stressed that should only be done once the system had been fixed. Is that something I have to do now??
  4. I couldn't find a file called chg.exe. I unticked all the 'hide' options in Explorer. I also checked from a DOS prompt, but the file isn't there. I also tried booting into Safe Mode, but still no sign of the file. The surrounding files are chcp.com and chkdsk.exe. No chg.exe?? The F-Secure results: And the checkup.txt:
  5. Running a Fast Scan in Malwarebytes detects no malicious files. Does this mean it's fixed? If so, I thank you very much for your help.
  6. The system seems more stable now. I can run in normal mode... I've attached the files as requested. Cheers. Attachments: ComboFix.txt, hijackthislog.txt
  7. I can't get rid of a rootkit. Malwarebytes detects it ("Rootkit.TDSS") but doesn't remove it. I am doing everything in Windows Safe Mode, as the computer locks up if run in normal mode. I have XP. I've attached DDS.txt, ark.txt and the Malwarebytes log as instructed. Thanks in advance for your help. Here is the printout of DDS.txt: Attachments: Attach.zip, mbam_log_2009_12_24__19_58_30_.txt