rxander46
-
Posts
16 -
Joined
-
Last visited
-
Figured it out. All seems to be good now. Again, thank you for the assistance.
-
I don't have any sound. The only problem I've discovered thus far.
-
I've posted the uninstall list...so far, things seem to be working well. I'm grateful for your help. uninstall_list.txt
-
ComboFix file ComboFix.txt
-
System restore points deleted. New ComboFix and Hijackthis files. ComboFix.txt hijackthis.txt
-
I've attached the DrWeb report and a subsequently run hijackthis log. Awaiting further instructions. DrWeb.txt hijackthis.txt
-
ComboFix ComboFix 10-02-27.04 - Rick 03/01/2010 8:53.4.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1565 [GMT -7:00] Running from: c:\documents and settings\Rick\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\Rick\Desktop\CFScript.txt AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\Internet Explorer\js.mui c:\program files\Internet Explorer\wmpscfgs.exe c:\windows\_VOIDornsidrtfp c:\windows\Tasks\At1.job c:\windows\Tasks\At10.job c:\windows\Tasks\At11.job c:\windows\Tasks\At12.job c:\windows\Tasks\At13.job c:\windows\Tasks\At14.job c:\windows\Tasks\At15.job c:\windows\Tasks\At16.job c:\windows\Tasks\At17.job c:\windows\Tasks\At18.job c:\windows\Tasks\At19.job c:\windows\Tasks\At2.job c:\windows\Tasks\At20.job c:\windows\Tasks\At21.job c:\windows\Tasks\At22.job c:\windows\Tasks\At23.job c:\windows\Tasks\At24.job c:\windows\Tasks\At3.job c:\windows\Tasks\At4.job c:\windows\Tasks\At5.job c:\windows\Tasks\At6.job c:\windows\Tasks\At7.job c:\windows\Tasks\At8.job c:\windows\Tasks\At9.job . ((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 ))))))))))))))))))))))))))))))) . 2010-02-28 19:42 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-02-28 19:42 . 2010-02-28 19:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-02-28 19:42 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-03-01 06:03 . 2009-09-08 12:44 -------- d-----w- c:\program files\Whale Communications 2010-03-01 05:58 . 2006-05-02 01:44 -------- d-----w- c:\program files\Common Files\Intuit 2010-02-28 19:52 . 2006-04-17 20:33 55808 ----a-w- c:\windows\system32\hkcmd.exe 2010-02-27 21:20 . 2009-07-15 01:31 -------- d-----w- c:\documents and settings\Rick\Application Data\U3 2010-01-29 07:00 . 2006-05-21 17:27 -------- d-----w- c:\program files\Common Files\Adobe 2010-01-26 13:30 . 2009-03-27 20:37 -------- d-----w- c:\program files\Glary Utilities 2010-01-12 06:02 . 2010-01-12 06:02 -------- d-----w- c:\program files\Xvid 2010-01-12 06:02 . 2010-01-12 06:02 -------- d-----w- c:\program files\FDRLab 2010-01-05 10:00 . 2004-08-11 22:00 832512 ------w- c:\windows\system32\wininet.dll 2010-01-05 10:00 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll 2010-01-05 10:00 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll 2009-12-31 16:50 . 2006-04-17 20:32 353792 ----a-w- c:\windows\system32\drivers\srv.sys 2009-12-16 18:43 . 2004-08-11 22:11 343040 ----a-w- c:\windows\system32\mspaint.exe 2009-12-14 07:08 . 2004-08-11 22:00 33280 ----a-w- c:\windows\system32\csrsrv.dll 2009-12-08 19:26 . 2004-08-11 22:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe 2009-12-08 18:43 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe 2009-12-08 04:55 . 2009-09-07 07:49 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2009-12-04 18:22 . 2006-04-17 20:32 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys . <pre> c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe c:\program files\Intel\Wireless\Bin\ifrmewrk .exe c:\program files\Intel\Wireless\Bin\zcfgsvc .exe c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr .exe </pre> ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Google Update"="c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-01 55808] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2010-03-01 55808] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2010-03-01 55808] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2010-03-01 55808] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2010-02-28 55808] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-01 55808] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-01 55808] c:\documents and settings\All Users\Start Menu\Programs\Startup\ EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2005-11-30 192512] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 wvauth [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2010-03-01 16:02 55808 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint] 2005-10-08 00:13 176128 ----a-r- c:\program files\Apoint\Apoint.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet] 2006-02-20 17:39 839680 ----a-w- c:\program files\Dell\QuickSet\quickset.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] 2010-03-01 16:02 55808 ----a-w- c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\googleupdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers] 2005-12-14 04:45 118784 ----a-w- c:\windows\system32\igfxpers.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray] 2005-12-14 04:44 98304 ----a-w- c:\windows\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1] 2004-08-04 10:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] 2004-08-04 04:32 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] 2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] 2004-08-04 04:31 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] 2004-08-04 04:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] 2004-08-04 04:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickCare2.2] 2007-05-04 13:21 198184 ----a-w- c:\program files\Qwest\QuickCare\bin\sprtcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp] 2005-11-17 02:35 397312 ----a-w- c:\windows\stsystra.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2009-07-25 11:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\system32\\mmc.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= "c:\\WINDOWS\\system32\\ftp.exe"= "c:\\WINDOWS\\system32\\spoolsv.exe"= "c:\\Program Files\\Windows Live Toolbar\\ComponentManager.exe"= "c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"= R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/7/2009 12:49 AM 108289] S2 mrtRate;mrtRate; [x] . Contents of the 'Scheduled Tasks' folder 2010-03-01 c:\windows\Tasks\At1.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At10.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At11.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At12.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At13.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At14.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At15.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At16.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At17.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At18.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At19.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At2.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At20.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At21.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At22.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At23.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At24.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At3.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At4.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At5.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At6.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At7.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At8.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\At9.job - c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 16:02] 2010-03-01 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 21:54] 2010-03-01 c:\windows\Tasks\GlaryInitialize.job - c:\program files\Glary Utilities\initialize.exe [2009-03-27 06:01] 2010-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4246590979-2290972662-2791506926-1005Core.job - c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-14 16:02] 2010-03-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4246590979-2290972662-2791506926-1005UA.job - c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-14 16:02] 2010-03-01 c:\windows\Tasks\OGALogon.job - c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07] . . ------- Supplementary Scan ------- . uStart Page = https://mrwi.mclaneco.com/dana-na/auth/url_...ult/welcome.cgi mStart Page = hxxp://qwest.live.com uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/ uInternet Settings,ProxyOverride = <local> IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\po6meqvz.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true. ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-03-01 09:01 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'lsass.exe'(648) c:\windows\system32\wvauth.dll c:\windows\system32\biolsp.dll - - - - - - - > 'explorer.exe'(3976) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\WPDShServiceObj.dll c:\program files\Microsoft Virtual PC\VPCShExH.DLL c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\program files\Intel\Wireless\Bin\WLKeeper.exe c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe c:\windows\System32\SCardSvr.exe c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Wave Systems Corp\Common\DataServer.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2010-03-01 09:06:47 - machine was rebooted ComboFix-quarantined-files.txt 2010-03-01 16:06 ComboFix2.txt 2010-02-28 20:21 ComboFix3.txt 2010-02-28 19:16 ComboFix4.txt 2010-02-28 18:33 Pre-Run: 18,876,899,328 bytes free Post-Run: 18,851,676,160 bytes free - - End Of File - - 2E5ED8AA6164246680AE31E2080ACC9B =============== HijackThis Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:08:29 AM, on 3/1/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16981) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\Wave Systems Corp\Common\DataServer.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Documents and Settings\Rick\My Documents\exes\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mrwi.mclaneco.com/dana-na/auth/url_...ult/welcome.cgi R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qwest.live.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Qwest Live - {709E9CB1-456D-4D51-BA9F-3A0F475BE4F2} - http://qwest.live.com (file missing) (HKCU) O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing) O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: NTRU Hybrid TSS v2.0.7 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 7006 bytes ===================== c4s8eu5s.exe is the random name of the gmer executable I downloaded. I'm keeping the infected machine off the internet as much as possible, but I will run the file at Jotti's if you like.
-
c4s8eu5s.exe is the random name of the gmer executable I downloaded.
-
gmer.txt
-
Loaded gmer as a file. Posting it here kept getting me an error.
-
test post.
-
Files Requested ComboFix ComboFix 10-02-27.04 - Rick 02/28/2010 13:08:33.3.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1547 [GMT -7:00] Running from: c:\documents and settings\Rick\Desktop\Combo-Fix.exe AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\Internet Explorer\js.mui c:\program files\Internet Explorer\wmpscfgs.exe c:\windows\system32\drivers\qacrptxm.sys c:\windows\system32\hkcmd .exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_elefgs ((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 ))))))))))))))))))))))))))))))) . 2010-02-28 19:42 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-02-28 19:42 . 2010-02-28 19:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-02-28 19:42 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-02-28 00:47 . 2010-02-28 00:47 -------- d-----w- c:\windows\_VOIDornsidrtfp . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-02-28 20:17 . 2006-04-17 20:33 55808 ----a-w- c:\windows\system32\hkcmd.exe 2010-02-28 19:52 . 2006-04-17 20:33 55808 ----a-w- c:\windows\system32\hkcmd .exe 2010-02-27 21:20 . 2009-07-15 01:31 -------- d-----w- c:\documents and settings\Rick\Application Data\U3 2010-01-29 07:00 . 2006-05-21 17:27 -------- d-----w- c:\program files\Common Files\Adobe 2010-01-26 13:30 . 2009-03-27 20:37 -------- d-----w- c:\program files\Glary Utilities 2010-01-12 06:02 . 2010-01-12 06:02 -------- d-----w- c:\program files\Xvid 2010-01-12 06:02 . 2010-01-12 06:02 -------- d-----w- c:\program files\FDRLab 2010-01-05 10:00 . 2004-08-11 22:00 832512 ------w- c:\windows\system32\wininet.dll 2010-01-05 10:00 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll 2010-01-05 10:00 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll 2009-12-31 16:50 . 2006-04-17 20:32 353792 ----a-w- c:\windows\system32\drivers\srv.sys 2009-12-16 18:43 . 2004-08-11 22:11 343040 ----a-w- c:\windows\system32\mspaint.exe 2009-12-14 07:08 . 2004-08-11 22:00 33280 ----a-w- c:\windows\system32\csrsrv.dll 2009-12-08 19:26 . 2004-08-11 22:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe 2009-12-08 18:43 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe 2009-12-08 04:55 . 2009-09-07 07:49 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2009-12-04 18:22 . 2006-04-17 20:32 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys . <pre> c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe c:\program files\Intel\Wireless\Bin\ifrmewrk .exe c:\program files\Intel\Wireless\Bin\zcfgsvc .exe c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr .exe c:\windows\system32\hkcmd .exe </pre> ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Google Update"="c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-28 55808] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2010-02-28 55808] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2010-02-28 55808] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2010-02-28 55808] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2010-02-28 55808] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-02-28 55808] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-02-28 55808] c:\documents and settings\All Users\Start Menu\Programs\Startup\ EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2005-11-30 192512] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 wvauth [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2010-02-28 20:17 55808 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint] 2005-10-08 00:13 176128 ----a-r- c:\program files\Apoint\Apoint.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet] 2006-02-20 17:39 839680 ----a-w- c:\program files\Dell\QuickSet\quickset.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] 2010-02-28 20:17 55808 ----a-w- c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\googleupdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers] 2005-12-14 04:45 118784 ----a-w- c:\windows\system32\igfxpers.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray] 2005-12-14 04:44 98304 ----a-w- c:\windows\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1] 2004-08-04 10:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] 2004-08-04 04:32 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] 2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] 2004-08-04 04:31 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] 2004-08-04 04:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] 2004-08-04 04:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickCare2.2] 2007-05-04 13:21 198184 ----a-w- c:\program files\Qwest\QuickCare\bin\sprtcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp] 2005-11-17 02:35 397312 ----a-w- c:\windows\stsystra.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2009-07-25 11:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\system32\\mmc.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\Whale Communications\\Client Components\\3.1.0\\WhlClnt3.exe"= "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= "c:\\WINDOWS\\system32\\ftp.exe"= "c:\\WINDOWS\\system32\\spoolsv.exe"= "c:\\Program Files\\Windows Live Toolbar\\ComponentManager.exe"= "c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"= R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/7/2009 12:49 AM 108289] S2 mrtRate;mrtRate; [x] . Contents of the 'Scheduled Tasks' folder 2010-02-28 c:\windows\Tasks\At1.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At10.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At11.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At12.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At13.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At14.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At15.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At16.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At17.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At18.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At19.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At2.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At20.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At21.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At22.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At23.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At24.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At3.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At4.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At5.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At6.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At7.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At8.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\At9.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 20:17] 2010-02-28 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 21:54] 2010-02-28 c:\windows\Tasks\GlaryInitialize.job - c:\program files\Glary Utilities\initialize.exe [2009-03-27 06:01] 2010-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4246590979-2290972662-2791506926-1005Core.job - c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-14 20:17] 2010-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4246590979-2290972662-2791506926-1005UA.job - c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-14 20:17] 2010-02-28 c:\windows\Tasks\OGALogon.job - c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07] . . ------- Supplementary Scan ------- . uStart Page = https://mrwi.mclaneco.com/dana-na/auth/url_...ult/welcome.cgi mStart Page = hxxp://qwest.live.com uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/ uInternet Settings,ProxyOverride = <local> IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 LSP: c:\progra~1\WHALEC~1\CLIENT~1\31265D~1.0\WhlLSP.dll FF - ProfilePath - c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\po6meqvz.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true. ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-02-28 13:16 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\windows\system32\hkcmd .exe 55808 bytes executable scan completed successfully hidden files: 1 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'lsass.exe'(1000) c:\windows\system32\wvauth.dll c:\windows\system32\biolsp.dll - - - - - - - > 'explorer.exe'(3444) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\WPDShServiceObj.dll c:\program files\Microsoft Virtual PC\VPCShExH.DLL c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\program files\Intel\Wireless\Bin\WLKeeper.exe c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe c:\windows\System32\SCardSvr.exe c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Wave Systems Corp\Common\DataServer.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe c:\windows\system32\wscntfy.exe c:\program files\intel\wireless\bin\zcfgsvc .exe c:\program files\intel\wireless\bin\ifrmewrk .exe c:\program files\wave systems corp\services manager\docmgr\bin\docmgr .exe c:\program files\adobe\reader 9.0\reader\reader_sl .exe . ************************************************************************** . Completion time: 2010-02-28 13:21:20 - machine was rebooted ComboFix-quarantined-files.txt 2010-02-28 20:21 ComboFix2.txt 2010-02-28 19:16 ComboFix3.txt 2010-02-28 18:33 Pre-Run: 18,369,159,168 bytes free Post-Run: 18,337,136,640 bytes free - - End Of File - - 0BAEA77B8A2CDB6469535FFAE5939AA5 ==================== HijackThis Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:22:12 PM, on 2/28/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16981) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\Wave Systems Corp\Common\DataServer.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe c:\program files\intel\wireless\bin\zcfgsvc .exe c:\program files\intel\wireless\bin\ifrmewrk .exe C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe c:\program files\wave systems corp\services manager\docmgr\bin\docmgr .exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Documents and Settings\Rick\My Documents\exes\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mrwi.mclaneco.com/dana-na/auth/url_...ult/welcome.cgi R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qwest.live.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Qwest Live - {709E9CB1-456D-4D51-BA9F-3A0F475BE4F2} - http://qwest.live.com (file missing) (HKCU) O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://extranet.mclaneco.com/InternalSite/WhlCompMgr.cab O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing) O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: NTRU Hybrid TSS v2.0.7 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 7165 bytes Standing by...
-
Malwarebytes did not update automatically. I attempted to manually initiate an update and it throws this error: An error occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team. Error code 732 (2,0) The system cannot find the file specified. I ran with what I have and received only 1 infection notice; Trojan.Agent Malwarebytes log Malwarebytes' Anti-Malware 1.44 Database version: 3510 Windows 5.1.2600 Service Pack 3 Internet Explorer 7.0.5730.13 2/28/2010 12:49:27 PM mbam-log-2010-02-28 (12-49-27).txt Scan type: Quick Scan Objects scanned: 125087 Time elapsed: 5 minute(s), 34 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\Rick\Local Settings\temp\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully. Standing by...
-
Here are the new files. The only thing I want to mention is that after combofix initiated a reboot, it says not to run any programs...meanwhile, my Antivir is starting up. I did disable AntiVir but it did not seem to cause a problem. I was somewhat unclear if I should have disabled it. ComboFix ComboFix 10-02-27.04 - Rick 02/28/2010 12:05:41.2.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1543 [GMT -7:00] Running from: c:\documents and settings\Rick\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\Rick\Desktop\CFScript.txt AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} FILE :: "c:\program files\4535734.dat" "c:\windows\isRS-000.tmp" "c:\windows\system32\OLD6.tmp" "c:\windows\system32\OLD93D.tmp" "c:\windows\Tasks\At1.job" "c:\windows\Tasks\At10.job" "c:\windows\Tasks\At11.job" "c:\windows\Tasks\At12.job" "c:\windows\Tasks\At13.job" "c:\windows\Tasks\At14.job" "c:\windows\Tasks\At15.job" "c:\windows\Tasks\At16.job" "c:\windows\Tasks\At17.job" "c:\windows\Tasks\At18.job" "c:\windows\Tasks\At19.job" "c:\windows\Tasks\At2.job" "c:\windows\Tasks\At20.job" "c:\windows\Tasks\At21.job" "c:\windows\Tasks\At22.job" "c:\windows\Tasks\At23.job" "c:\windows\Tasks\At24.job" "c:\windows\Tasks\At3.job" "c:\windows\Tasks\At4.job" "c:\windows\Tasks\At5.job" "c:\windows\Tasks\At6.job" "c:\windows\Tasks\At7.job" "c:\windows\Tasks\At8.job" "c:\windows\Tasks\At9.job" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\4535734.dat c:\program files\Internet Explorer\js.mui c:\program files\Internet Explorer\wmpscfgs.exe c:\windows\isRS-000.tmp c:\windows\system32\OLD6.tmp c:\windows\system32\OLD93D.tmp c:\windows\Tasks\At1.job c:\windows\Tasks\At10.job c:\windows\Tasks\At11.job c:\windows\Tasks\At12.job c:\windows\Tasks\At13.job c:\windows\Tasks\At14.job c:\windows\Tasks\At15.job c:\windows\Tasks\At16.job c:\windows\Tasks\At17.job c:\windows\Tasks\At18.job c:\windows\Tasks\At19.job c:\windows\Tasks\At2.job c:\windows\Tasks\At20.job c:\windows\Tasks\At21.job c:\windows\Tasks\At22.job c:\windows\Tasks\At23.job c:\windows\Tasks\At24.job c:\windows\Tasks\At3.job c:\windows\Tasks\At4.job c:\windows\Tasks\At5.job c:\windows\Tasks\At6.job c:\windows\Tasks\At7.job c:\windows\Tasks\At8.job c:\windows\Tasks\At9.job . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_NJSTE -------\Service_njste ((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 ))))))))))))))))))))))))))))))) . 2010-02-28 00:47 . 2010-02-28 00:47 -------- d-----w- c:\windows\_VOIDornsidrtfp . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-02-28 19:05 . 2009-10-28 05:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-02-28 17:26 . 2006-04-17 20:33 55808 ----a-w- c:\windows\system32\hkcmd.exe 2010-02-27 21:20 . 2009-07-15 01:31 -------- d-----w- c:\documents and settings\Rick\Application Data\U3 2010-01-29 07:00 . 2006-05-21 17:27 -------- d-----w- c:\program files\Common Files\Adobe 2010-01-26 13:30 . 2009-03-27 20:37 -------- d-----w- c:\program files\Glary Utilities 2010-01-12 06:02 . 2010-01-12 06:02 -------- d-----w- c:\program files\Xvid 2010-01-12 06:02 . 2010-01-12 06:02 -------- d-----w- c:\program files\FDRLab 2010-01-07 23:07 . 2009-10-28 05:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-01-07 23:07 . 2009-10-28 05:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-01-05 10:00 . 2004-08-11 22:00 832512 ------w- c:\windows\system32\wininet.dll 2010-01-05 10:00 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll 2010-01-05 10:00 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll 2009-12-31 16:50 . 2006-04-17 20:32 353792 ----a-w- c:\windows\system32\drivers\srv.sys 2009-12-16 18:43 . 2004-08-11 22:11 343040 ----a-w- c:\windows\system32\mspaint.exe 2009-12-14 07:08 . 2004-08-11 22:00 33280 ----a-w- c:\windows\system32\csrsrv.dll 2009-12-08 19:26 . 2004-08-11 22:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe 2009-12-08 18:43 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe 2009-12-08 04:55 . 2009-09-07 07:49 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2009-12-04 18:22 . 2006-04-17 20:32 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys . <pre> c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe c:\program files\Intel\Wireless\Bin\ifrmewrk .exe c:\program files\Intel\Wireless\Bin\zcfgsvc .exe c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr .exe </pre> ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Google Update"="c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-28 55808] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2010-02-28 55808] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2010-02-28 55808] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2010-02-28 55808] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2010-02-28 55808] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-02-28 55808] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-02-28 55808] c:\documents and settings\All Users\Start Menu\Programs\Startup\ EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2005-11-30 192512] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 wvauth [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2010-02-28 19:12 55808 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint] 2005-10-08 00:13 176128 ----a-r- c:\program files\Apoint\Apoint.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet] 2006-02-20 17:39 839680 ----a-w- c:\program files\Dell\QuickSet\quickset.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] 2010-02-28 19:12 55808 ----a-w- c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\googleupdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers] 2005-12-14 04:45 118784 ----a-w- c:\windows\system32\igfxpers.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray] 2005-12-14 04:44 98304 ----a-w- c:\windows\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1] 2004-08-04 10:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] 2004-08-04 04:32 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] 2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] 2004-08-04 04:31 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] 2004-08-04 04:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] 2004-08-04 04:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickCare2.2] 2007-05-04 13:21 198184 ----a-w- c:\program files\Qwest\QuickCare\bin\sprtcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp] 2005-11-17 02:35 397312 ----a-w- c:\windows\stsystra.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2009-07-25 11:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\system32\\mmc.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\Whale Communications\\Client Components\\3.1.0\\WhlClnt3.exe"= "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= "c:\\WINDOWS\\system32\\ftp.exe"= "c:\\WINDOWS\\system32\\spoolsv.exe"= "c:\\Program Files\\Windows Live Toolbar\\ComponentManager.exe"= "c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"= R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/7/2009 12:49 AM 108289] S2 mrtRate;mrtRate; [x] . Contents of the 'Scheduled Tasks' folder 2010-02-28 c:\windows\Tasks\At1.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At10.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At11.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At12.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At13.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At14.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At15.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At16.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At17.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At18.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At19.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At2.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At20.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At21.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At22.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At23.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At24.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At3.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At4.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At5.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At6.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At7.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At8.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\At9.job - c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 19:13] 2010-02-28 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 21:54] 2010-02-28 c:\windows\Tasks\GlaryInitialize.job - c:\program files\Glary Utilities\initialize.exe [2009-03-27 06:01] 2010-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4246590979-2290972662-2791506926-1005Core.job - c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-14 19:12] 2010-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4246590979-2290972662-2791506926-1005UA.job - c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-14 19:12] 2010-02-28 c:\windows\Tasks\OGALogon.job - c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07] . . ------- Supplementary Scan ------- . uStart Page = https://mrwi.mclaneco.com/dana-na/auth/url_...ult/welcome.cgi mStart Page = hxxp://qwest.live.com uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/ uInternet Settings,ProxyOverride = <local> IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 LSP: c:\progra~1\WHALEC~1\CLIENT~1\31265D~1.0\WhlLSP.dll FF - ProfilePath - c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\po6meqvz.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true. ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-02-28 12:11 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'lsass.exe'(644) c:\windows\system32\wvauth.dll c:\windows\system32\biolsp.dll - - - - - - - > 'explorer.exe'(256) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\WPDShServiceObj.dll c:\program files\Microsoft Virtual PC\VPCShExH.DLL c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\program files\Intel\Wireless\Bin\WLKeeper.exe c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe c:\windows\System32\SCardSvr.exe c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Wave Systems Corp\Common\DataServer.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2010-02-28 12:16:28 - machine was rebooted ComboFix-quarantined-files.txt 2010-02-28 19:16 ComboFix2.txt 2010-02-28 18:33 Pre-Run: 18,403,676,160 bytes free Post-Run: 18,368,442,368 bytes free - - End Of File - - 0DD0A8A9082A92698D9C3B209C31574A ============ HijackThis Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:18:19 PM, on 2/28/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16981) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\Wave Systems Corp\Common\DataServer.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Rick\My Documents\exes\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mrwi.mclaneco.com/dana-na/auth/url_...ult/welcome.cgi R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qwest.live.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Qwest Live - {709E9CB1-456D-4D51-BA9F-3A0F475BE4F2} - http://qwest.live.com (file missing) (HKCU) O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://extranet.mclaneco.com/InternalSite/WhlCompMgr.cab O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing) O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: NTRU Hybrid TSS v2.0.7 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 7112 bytes Standing by for further instructions...
-
Thank you for your assistance today. I've followed your instructions and here are the files you've asked for. =============== HijackThis Uninstall List 7-Zip 4.57 Acrobat.com Acrobat.com Ad-Aware 2007 Adobe AIR Adobe AIR Adobe Flash Player 10 Plugin Adobe Flash Player 9 ActiveX Adobe Reader 9.3 ALPS Touch Pad Driver AML Free Registry Cleaner 4.7 Apple Application Support Apple Software Update Atomic Clock Sync Avira AntiVir Personal - Free Antivirus Bluetooth Stack for Windows by Toshiba Broadcom Advanced Control Suite Broadcom TPM Driver Installer CCleaner (remove only) CertBlaster Conexant HDA D110 MDC V.92 Modem Critical Update for Windows Media Player 11 (KB959772) Dell Embassy Trust Suite by Wave Systems Digital Line Detect DivX Codec DivX Converter DivX Player DivX Plus DirectShow Filters DivX Web Player Document Manager Lite EMBASSY Security Center EMBASSY Trust Suite by Wave Systems ETS Launch Pad FileOpen Plug-in for Adobe Acrobat