New Bad Issue - Hijack not able to run Malwarebytes


Heavus

Here is my HijackThis scan. No Malwarebytes; it will not run in safe mode or normal mode, even renamed.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:53:55 PM, on 2/9/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18372)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Mark\Application Data\U3\43236116A24100A6\285E6953-BF3C-4445-9376-3FE5D7F645B2\Exec\bin\SignupShield.exe

C:\Documents and Settings\Mark\Application Data\U3\43236116A24100A6\LaunchPad.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Mark\Desktop\Mark.exe

C:\DOCUME~1\Mark\LOCALS~1\Temp\is-I6FDB.tmp\Mark.tmp

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O1 - Hosts: 195.245.119.131 browser-security.microsoft.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)

O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll

O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll

O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/286a644bb2b950...ip/RdxIE601.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201991127919

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--

End of file - 9043 bytes

This may be from the following web site and the following program. Not sure; this is the first time I have seen this. Please post your comments. Program: MightyRegistry_Setup.exe

Domain name: updates-easy.com

Administrative Contact:

Whois Privacy Protection Service, Inc.

Whois Agent (kxktfvrv@whoisprivacyprotect.com)

+1.4252740657

Fax: +1.4256960234

PMB 368, 14150 NE 20th St - F1

C/O updates-easy.com

Bellevue, WA 98007

US

Technical Contact:

Whois Privacy Protection Service, Inc.

Whois Agent (kxktfvrv@whoisprivacyprotect.com)

+1.4252740657

Fax: +1.4256960234

PMB 368, 14150 NE 20th St - F1

C/O updates-easy.com

Bellevue, WA 98007

US


Here is the ComboFix log. I was able to run it after reloading the msvbvm60.dll in c:\windows\system32 per the instructions from Rubber Ducky in an old post.

ComboFix 09-02-08.02 - Mark 2009-02-09 22:09:44.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.268 [GMT -8:00]

Running from: c:\documents and settings\Mark\Desktop\aaaads.exe

Command switches used :: c:\documents and settings\Mark\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

AV: Norton Internet Security *On-access scanning disabled* (Outdated)

FW: Norton Internet Security *enabled*

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Internet Explorer.lnk

c:\program files\Dynamic Toolbar

c:\program files\Dynamic Toolbar\REALBAR\Cache\bubble.bmp

c:\program files\Dynamic Toolbar\REALBAR\Cache\bubble16.bmp

c:\program files\Dynamic Toolbar\REALBAR\Cache\celebs.bmp

c:\program files\Dynamic Toolbar\REALBAR\Cache\gotb.bmp

c:\program files\Dynamic Toolbar\REALBAR\Cache\highlight.bmp

c:\program files\Dynamic Toolbar\REALBAR\Cache\hotstuff.bmp

c:\program files\Dynamic Toolbar\REALBAR\Cache\hotstuffsm.bmp

c:\program files\Dynamic Toolbar\REALBAR\Cache\movies.bmp

c:\program files\Dynamic Toolbar\REALBAR\Cache\music.bmp

c:\program files\Dynamic Toolbar\REALBAR\Cache\news.bmp

c:\program files\Dynamic Toolbar\REALBAR\Cache\ngames.bmp

c:\program files\Dynamic Toolbar\REALBAR\Cache\radio.bmp

c:\program files\Dynamic Toolbar\REALBAR\Cache\REALBARTB0115.cfg

c:\program files\Dynamic Toolbar\REALBAR\Cache\REALBARTB1115.cfg

c:\program files\Dynamic Toolbar\REALBAR\Cache\sports.bmp

c:\program files\newdotnet

c:\program files\newdotnet\readme.txt

c:\windows\smdat32a.sys

c:\windows\smdat32m.sys

c:\windows\system32\digeste.dll

c:\windows\system32\drivers\TDSSmhxt.sys

c:\windows\system32\iehelper.dll

c:\windows\system32\TDSScfum.dll

c:\windows\system32\TDSSfxwp.dll

c:\windows\system32\TDSSnmxh.log

c:\windows\system32\TDSSnrsr.dll

c:\windows\system32\TDSSofxh.dll

c:\windows\system32\TDSSosvd.dat

c:\windows\system32\TDSSrhym.log

c:\windows\system32\TDSSriqp.dll

c:\windows\system32\TDSSsbhc.dll

c:\windows\system32\TDSStkdv.log

c:\windows\system32\wpv671233854729.cpx

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_TDSSserv.sys

-------\Legacy_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))

.

2009-02-09 21:52 . 2004-08-04 00:56 1,392,671 --a------ c:\windows\system32\msvbvm60.dll

2009-02-09 21:46 . 2009-02-09 21:46 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

2009-02-09 21:46 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-09 21:46 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-09 21:31 . 2009-02-09 21:32 <DIR> d-------- c:\documents and settings\Mark\Application Data\U3

2009-02-09 21:31 . 2009-02-09 21:31 54,156 --ah----- c:\windows\QTFont.qfn

2009-02-09 21:31 . 2009-02-09 21:31 1,409 --a------ c:\windows\QTFont.for

2009-02-09 20:20 . 2009-02-09 20:20 <DIR> d--hs---- c:\windows\system32\config\systemprofile\IETldCache

2009-02-09 20:07 . 2009-01-18 13:35 15,688 --a------ c:\windows\system32\lsdelete.exe

2009-02-09 19:46 . 2009-02-09 19:46 <DIR> d----c--- c:\windows\system32\DRVSTORE

2009-02-09 19:46 . 2009-02-09 19:46 <DIR> d-------- c:\program files\Trend Micro

2009-02-09 19:46 . 2009-02-09 19:46 <DIR> d--h-c--- c:\documents and settings\All Users.WINDOWS\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-02-09 19:46 . 2009-01-18 13:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-02-09 19:45 . 2009-02-09 19:45 <DIR> d-------- c:\program files\Lavasoft

2009-02-09 19:45 . 2009-02-09 19:45 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft

2009-02-09 16:49 . 2009-02-09 21:58 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\PrivacIE

2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\IETldCache

2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\IECompatCache

2009-02-09 16:44 . 2009-02-09 16:44 <DIR> d-------- c:\windows\ie8updates

2009-02-09 16:43 . 2009-02-09 16:43 1,355 --a------ c:\windows\imsins.BAK

2009-02-09 16:42 . 2009-02-09 16:43 <DIR> d--h-c--- c:\windows\ie8

2009-02-09 16:40 . 2009-01-10 21:00 79,360 -----c--- c:\windows\system32\dllcache\iecompat.dll

2009-02-09 16:30 . 2009-02-09 16:30 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-09 16:30 . 2009-02-09 16:30 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy

2009-02-09 16:05 . 2009-02-09 16:22 <DIR> d-------- c:\program files\Yahoo!

2009-02-09 16:05 . 2009-02-09 16:05 <DIR> d-------- c:\program files\CCleaner

2009-02-09 16:05 . 2009-02-09 16:05 <DIR> d-------- c:\documents and settings\Mark\Application Data\Yahoo!

2009-02-09 15:14 . 2009-02-09 16:47 <DIR> d-------- c:\documents and settings\Mark

2009-02-09 15:00 . 2009-02-09 15:00 <DIR> d-------- c:\documents and settings\Administrator

2009-02-07 15:39 . 2009-02-07 15:39 362,504 --a------ c:\windows\sysguard.exe

2009-01-15 02:22 . 2009-01-15 02:22 49,152 --------- c:\windows\system32\msrating.dll.mui

2009-01-15 02:21 . 2009-01-15 02:21 2,560 --------- c:\windows\system32\mshta.exe.mui

2009-01-15 02:19 . 2009-01-15 02:19 81,920 --------- c:\windows\system32\iedkcs32.dll.mui

2009-01-15 02:19 . 2009-01-15 02:19 4,096 --------- c:\windows\system32\ie4uinit.exe.mui

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-10 06:08 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-02-09 23:56 --------- d-----w c:\program files\Google

2009-02-09 23:55 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Symantec

2009-02-09 23:54 --------- d-----w c:\program files\Symantec

2009-02-09 23:52 --------- d-----w c:\program files\Norton Internet Security

2009-02-09 23:09 --------- d-----w c:\program files\Common Files\Adobe

2009-01-30 03:49 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help

2009-01-15 10:05 911,872 ----a-w c:\windows\system32\wininet.dll

2009-01-15 10:05 43,008 ----a-w c:\windows\system32\licmgr10.dll

2009-01-15 10:04 18,944 ----a-w c:\windows\system32\corpol.dll

2009-01-15 10:03 72,704 ----a-w c:\windows\system32\admparse.dll

2009-01-15 10:03 71,680 ----a-w c:\windows\system32\iesetup.dll

2009-01-15 10:03 420,352 ----a-w c:\windows\system32\vbscript.dll

2009-01-15 10:01 34,304 ----a-w c:\windows\system32\imgutil.dll

2009-01-15 10:00 48,128 ----a-w c:\windows\system32\mshtmler.dll

2009-01-15 10:00 45,568 ----a-w c:\windows\system32\mshta.exe

2009-01-15 09:50 156,160 ----a-w c:\windows\system32\msls31.dll

2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys

2008-07-01 16:51 47,936 ----a-w c:\documents and settings\James.SIGLOXXI\Application Data\GDIPFONTCACHEV1.DAT

2007-08-29 02:19 60,968 -c--a-w c:\documents and settings\James.SIGLOXXI\GoToAssistDownloadHelper.exe

2004-06-23 06:25 2,592,044 -c----w c:\documents and settings\GameSpot DLX Secure Delivery\trillian-v0.74f.exe

2007-03-02 23:05 44,624 -c--a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll

2007-03-02 23:05 108,192 -c--a-w c:\program files\mozilla firefox\plugins\atgpcext.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-24 3309568]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-11 185896]

"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-01-13 771704]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-08-26 389120]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Norton GoBack.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Norton GoBack.lnk

backup=c:\windows\pss\Norton GoBack.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^Event Reminder.lnk]

path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\Event Reminder.lnk

backup=c:\windows\pss\Event Reminder.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^HotSync Manager.lnk]

path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\HotSync Manager.lnk

backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^Trillian.lnk]

path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\Trillian.lnk

backup=c:\windows\pss\Trillian.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

--a------ 2007-01-09 21:59 115816 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-03 23:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

--a--c--- 2006-10-30 15:27 715888 c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2006-10-30 09:36 256576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2004-03-24 09:04 3309568 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a--c--- 2004-03-24 09:04 46080 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a--c--- 2006-10-25 18:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2007-01-11 15:49 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

--a--c--- 2004-11-10 20:15 111816 c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]

--a--c--- 2002-10-15 18:00 1818624 c:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a--c--- 2004-03-24 09:04 782336 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-09 64160]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-01-24 109616]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c960721-f6ff-11dd-9bce-0002e315c848}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 13:34]

.

- - - - ORPHANS REMOVED - - - -

BHO-{C9C42510-9B21-41c1-9DCD-8382A2D07C61} - c:\windows\system32\iehelper.dll

MSConfigStartUp-bnmpntwd - c:\windows\System32\bnmpntwd.exe

MSConfigStartUp-dbmsrpcn - c:\windows\System32\dbmsrpcn.exe

MSConfigStartUp-kdx - c:\windows\kdx\KHost.exe

MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe

MSConfigStartUp-Weather - c:\program files\AWS\WeatherBug\Weather.EXE

MSConfigStartUp-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\cdaEngine0400.dll

MSConfigStartUp-winpack - c:\windows\System32\winpack.exe

MSConfigStartUp-xflogt - c:\windows\System32\xflogt.exe

.

------- Supplementary Scan -------

.

DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/286a644bb2b950c03e06/netzip/RdxIE601.cab

.

.

------- File Associations -------

.

inffile=c:\windows\$NtServicePackUninstall$\notepad.exe %1

inifile=c:\windows\$NtServicePackUninstall$\notepad.exe %1

txtfile=c:\windows\$NtServicePackUninstall$\notepad.exe %1

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-09 22:13:44

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-583907252-1177238915-725345543-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

Completion time: 2009-02-09 22:16:05

ComboFix-quarantined-files.txt 2009-02-10 06:16:02

Pre-Run: 11,081,216,000 bytes free

Post-Run: 12,938,657,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

261 --- E O F --- 2009-01-30 03:49:50


Malware log

Malwarebytes' Anti-Malware 1.33

Database version: 1742

Windows 5.1.2600 Service Pack 2

2/9/2009 10:52:59 PM

mbam-log-2009-02-09 (22-52-59).txt

Scan type: Quick Scan

Objects scanned: 69399

Time elapsed: 4 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


New HijackThis Scan

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:09:26 PM, on 2/9/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18372)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: 195.245.119.131 browser-security.microsoft.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)

O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll

O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/286a644bb2b950...ip/RdxIE601.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201991127919

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--

End of file - 8376 bytes


System now operating and able to access sites I was not able to get to before, especially Malwarebytes.org and other security sites that were shut down.

Have some more clean up to do but I thought I would share this information.

Thanks.

Heavus


  • Root Admin

Sorry for the delay.

Please download to the desktop: Dr.Web CureIt

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found:
    (image: check.gif)
    If so, click it, then click the next icon right below and select Move incurable as you'll see in the next image:
    (image: move.gif)
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new HijackThis log.

Here is the Dr.Web scan. In this case aaaads.exe is a renamed combofix.exe.

Thanks.

realbar.dll;c:\program files\common files\real\toolbar;Adware.MegaSearch;Incurable.Deleted.;

aaaads.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Mark\Desktop\aaaads.exe/data002;Program.PsExec.171;;

data002;C:\Documents and Settings\Mark\Desktop;Archive contains infected objects;;

aaaads.exe;C:\Documents and Settings\Mark\Desktop;Container contains infected objects;Moved.;

aim95.exe\data037;C:\Program Files\AIM\aim95.exe;Adware.Aws;;

aim95.exe;C:\Program Files\AIM;Archive contains infected objects;Moved.;

WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;;

A0109165.exe/data004\cd_clint.dll;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP629\A0109165.exe/data004;Adware.Cydoor;;

A0109165.exe/data004\cd_htm.dll;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP629\A0109165.exe/data004;Adware.Cydoor;;

data004;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP629;Archive contains infected objects;;

A0109165.exe;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP629;Archive contains infected objects;Moved.;

A0109536.dll;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP630;Adware.MegaSearch;;

A0109538.exe\data037;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP630\A0109538.exe;Adware.Aws;;

A0109538.exe;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP630;Archive contains infected objects;Moved.;

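A small parser for the DrWeb.csv report lines quoted in the post above, added here as an example and not code from the thread or from Dr.Web. The field layout (object;directory;verdict;action;) and the container/member naming are assumptions read off the posted lines, and the sample report is constructed from them; the summary separates detections from container summary lines and lists stand-alone detections for which no action was recorded.

```python
"""Summarise Dr.Web CureIt report lines (DrWeb.csv) like those posted above.

Added example, not code from the thread or from Dr.Web. The field layout
object;directory;verdict;action; is an assumption read off the posted lines.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the report lines from the post, reproduced verbatim.
SAMPLE_REPORT = r"""
realbar.dll;c:\program files\common files\real\toolbar;Adware.MegaSearch;Incurable.Deleted.;
aaaads.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Mark\Desktop\aaaads.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Mark\Desktop;Archive contains infected objects;;
aaaads.exe;C:\Documents and Settings\Mark\Desktop;Container contains infected objects;Moved.;
aim95.exe\data037;C:\Program Files\AIM\aim95.exe;Adware.Aws;;
aim95.exe;C:\Program Files\AIM;Archive contains infected objects;Moved.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;;
A0109165.exe/data004\cd_clint.dll;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP629\A0109165.exe/data004;Adware.Cydoor;;
A0109165.exe/data004\cd_htm.dll;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP629\A0109165.exe/data004;Adware.Cydoor;;
data004;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP629;Archive contains infected objects;;
A0109165.exe;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP629;Archive contains infected objects;Moved.;
A0109536.dll;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP630;Adware.MegaSearch;;
A0109538.exe\data037;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP630\A0109538.exe;Adware.Aws;;
A0109538.exe;C:\System Volume Information\_restore{DCD4C022-F0AC-482A-8312-560994F5A011}\RP630;Archive contains infected objects;Moved.;
"""

# Verdicts that describe a container, not a detection of their own.
CONTAINER_VERDICTS = {
    "Archive contains infected objects",
    "Container contains infected objects",
}


@dataclass(frozen=True)
class ReportEntry:
    obj: str        # object name; for a nested member, its path inside the container
    directory: str  # directory, or container path, the object was found in
    verdict: str    # detection name, or a container summary
    action: str     # action taken; empty when the enclosing container was handled instead


def parse_report(text: str) -> list[ReportEntry]:
    """Split each non-empty line on ';' into the four fields (trailing ';' ignored)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(";")
        if len(parts) < 4:
            raise ValueError(f"unexpected report line: {raw!r}")
        entries.append(ReportEntry(*parts[:4]))
    return entries


def container_of(entry: ReportEntry) -> str | None:
    """Outermost container of a nested member (aaaads.exe/data002\\... -> aaaads.exe)."""
    parts = re.split(r"[/\\]", entry.obj, maxsplit=1)
    return parts[0] if len(parts) == 2 else None


def in_restore_point(entry: ReportEntry) -> bool:
    """System Restore snapshots hold old copies that only matter if a restore is run."""
    return "system volume information" in entry.directory.lower()


def summarise(text: str) -> dict:
    entries = parse_report(text)
    detections = [e for e in entries if e.verdict not in CONTAINER_VERDICTS]
    return {
        # count of each detection name, container summary lines excluded
        "verdicts": Counter(e.verdict for e in detections),
        # actions Dr.Web recorded (Moved., Incurable.Deleted., ...)
        "actions": Counter(e.action for e in entries if e.action),
        # nested member -> the container that was moved on its behalf
        "nested": {e.obj: container_of(e) for e in detections if container_of(e)},
        # detections that live in a System Restore snapshot
        "restore_point": [e.obj for e in detections if in_restore_point(e)],
        # stand-alone detections with no action recorded: these need a second look
        "unhandled": [e.obj for e in detections if not e.action and not container_of(e)],
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the posted report the two entries left without any recorded action are WxBug.EXE under the AIM folder and A0109536.dll in a restore point, which is the kind of leftover a helper would ask about in the next reply.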

Here is the new HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:06:57 PM, on 2/10/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18372)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\SoftwareDistribution\Download\e32e42b86ada41fe0c947743c71f222c\update\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: 195.245.119.131 browser-security.microsoft.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)

O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/286a644bb2b950...ip/RdxIE601.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201991127919

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--

End of file - 8850 bytes


Big file, not able to post all of it because of size. I installed SP3 and that is reporting lots of files.

ComboFix 09-02-10.01 - Mark 2009-02-10 20:06:29.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.279 [GMT -8:00]

Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))

.

2009-02-10 19:14 . 2009-02-10 19:14 <DIR> d-------- c:\documents and settings\LogMeInRemoteUser

2009-02-10 18:25 . 2009-02-10 18:26 1,374 --a------ c:\windows\imsins.BAK

2009-02-10 16:46 . 2009-02-10 16:46 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\LogMeIn

2009-02-10 16:46 . 2008-10-16 20:35 87,352 --a------ c:\windows\system32\LMIinit.dll

2009-02-10 16:46 . 2008-10-16 20:35 83,288 --a------ c:\windows\system32\LMIRfsClientNP.dll

2009-02-10 16:46 . 2008-07-24 18:46 47,640 --a------ c:\windows\system32\drivers\LMIRfsDriver.sys

2009-02-10 16:46 . 2008-10-16 20:35 28,984 --a------ c:\windows\system32\LMIport.dll

2009-02-10 16:46 . 2009-02-10 16:46 1,024 --a------ C:\.rnd

2009-02-10 16:45 . 2009-02-10 16:46 <DIR> d-------- c:\program files\LogMeIn

2009-02-10 16:44 . 2009-02-10 16:44 <DIR> d-------- c:\documents and settings\Mark\.java

2009-02-10 14:03 . 2009-02-10 14:03 <DIR> d-------- c:\windows\system32\scripting

2009-02-10 13:49 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys

2009-02-10 13:49 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys

2009-02-10 13:46 . 2006-12-29 00:31 19,569 --a------ c:\windows\005668_.tmp

2009-02-10 07:06 . 2009-02-10 08:29 <DIR> d-------- c:\documents and settings\Mark\DoctorWeb

2009-02-09 23:12 . 2009-02-09 23:12 <DIR> d-------- c:\program files\Avira

2009-02-09 23:12 . 2009-02-09 23:12 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Avira

2009-02-09 22:24 . 2009-02-09 22:24 <DIR> d-------- c:\documents and settings\Mark\Application Data\Malwarebytes

2009-02-09 22:00 . 2009-02-09 22:16 <DIR> d-------- C:\aaaads

2009-02-09 21:52 . 2008-04-14 05:42 1,384,479 --a------ c:\windows\system32\msvbvm60.dll

2009-02-09 21:46 . 2009-02-09 21:46 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

2009-02-09 21:46 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-09 21:46 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-09 21:31 . 2009-02-09 21:32 <DIR> d-------- c:\documents and settings\Mark\Application Data\U3

2009-02-09 21:31 . 2009-02-10 12:08 54,156 --ah----- c:\windows\QTFont.qfn

2009-02-09 21:31 . 2009-02-09 21:31 1,409 --a------ c:\windows\QTFont.for

2009-02-09 20:20 . 2009-02-09 20:20 <DIR> d--hs---- c:\windows\system32\config\systemprofile\IETldCache

2009-02-09 19:46 . 2009-02-10 16:31 <DIR> d----c--- c:\windows\system32\DRVSTORE

2009-02-09 19:46 . 2009-02-09 19:46 <DIR> d-------- c:\program files\Trend Micro

2009-02-09 19:45 . 2009-02-10 16:31 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft

2009-02-09 16:49 . 2009-02-09 22:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\PrivacIE

2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\IETldCache

2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\IECompatCache

2009-02-09 16:44 . 2009-02-09 16:44 <DIR> d-------- c:\windows\ie8updates

2009-02-09 16:42 . 2009-02-09 16:43 <DIR> d--h-c--- c:\windows\ie8

2009-02-09 16:40 . 2009-01-10 21:00 79,360 -----c--- c:\windows\system32\dllcache\iecompat.dll

2009-02-09 16:30 . 2009-02-10 16:40 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy

2009-02-09 16:05 . 2009-02-09 16:22 <DIR> d-------- c:\program files\Yahoo!

2009-02-09 16:05 . 2009-02-09 16:05 <DIR> d-------- c:\program files\CCleaner

2009-02-09 16:05 . 2009-02-09 16:05 <DIR> d-------- c:\documents and settings\Mark\Application Data\Yahoo!

2009-02-09 15:14 . 2009-02-10 16:47 <DIR> d-------- c:\documents and settings\Mark

2009-02-09 15:00 . 2009-02-09 15:00 <DIR> d-------- c:\documents and settings\Administrator

2009-01-15 02:22 . 2009-01-15 02:22 49,152 --------- c:\windows\system32\msrating.dll.mui

2009-01-15 02:21 . 2009-01-15 02:21 2,560 --------- c:\windows\system32\mshta.exe.mui

2009-01-15 02:19 . 2009-01-15 02:19 81,920 --------- c:\windows\system32\iedkcs32.dll.mui

2009-01-15 02:19 . 2009-01-15 02:19 4,096 --------- c:\windows\system32\ie4uinit.exe.mui

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-10 23:13 --------- d-----w c:\program files\Symantec

2009-02-10 23:13 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-02-10 23:13 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Symantec

2009-02-10 20:09 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help

2009-02-10 16:34 --------- d-----w c:\program files\AIM

2009-02-09 23:56 --------- d-----w c:\program files\Google

2009-02-09 23:09 --------- d-----w c:\program files\Common Files\Adobe

2009-01-15 10:05 911,872 ----a-w c:\windows\system32\wininet.dll

2009-01-15 10:05 43,008 ----a-w c:\windows\system32\licmgr10.dll

2009-01-15 10:04 18,944 ----a-w c:\windows\system32\corpol.dll

2009-01-15 10:03 72,704 ----a-w c:\windows\system32\admparse.dll

2009-01-15 10:03 71,680 ----a-w c:\windows\system32\iesetup.dll

2009-01-15 10:03 420,352 ----a-w c:\windows\system32\vbscript.dll

2009-01-15 10:01 34,304 ----a-w c:\windows\system32\imgutil.dll

2009-01-15 10:00 48,128 ----a-w c:\windows\system32\mshtmler.dll

2009-01-15 10:00 45,568 ----a-w c:\windows\system32\mshta.exe

2009-01-15 09:50 156,160 ----a-w c:\windows\system32\msls31.dll

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-07-01 16:51 47,936 ----a-w c:\documents and settings\James.SIGLOXXI\Application Data\GDIPFONTCACHEV1.DAT

2007-08-29 02:19 60,968 -c--a-w c:\documents and settings\James.SIGLOXXI\GoToAssistDownloadHelper.exe

2004-06-23 06:25 2,592,044 -c----w c:\documents and settings\GameSpot DLX Secure Delivery\trillian-v0.74f.exe

2007-03-02 23:05 44,624 -c--a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll

2007-03-02 23:05 108,192 -c--a-w c:\program files\mozilla firefox\plugins\atgpcext.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-24 3309568]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-11 185896]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-08-26 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Norton GoBack.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Norton GoBack.lnk

backup=c:\windows\pss\Norton GoBack.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^Event Reminder.lnk]

path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\Event Reminder.lnk

backup=c:\windows\pss\Event Reminder.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^HotSync Manager.lnk]

path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\HotSync Manager.lnk

backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^Trillian.lnk]

path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\Trillian.lnk

backup=c:\windows\pss\Trillian.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2008-04-14 05:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

--a--c--- 2006-10-30 15:27 715888 c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2006-10-30 09:36 256576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2004-03-24 09:04 3309568 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a--c--- 2004-03-24 09:04 46080 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a--c--- 2006-10-25 18:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2007-01-11 15:49 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

--a--c--- 2004-11-10 20:15 111816 c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]

--a--c--- 2002-10-15 18:00 1818624 c:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a--c--- 2004-03-24 09:04 782336 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-02-10 47640]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c960721-f6ff-11dd-9bce-0002e315c848}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe

.

------- File Associations -------

.

inffile=c:\windows\$NtServicePackUninstall$\notepad.exe %1

inifile=c:\windows\$NtServicePackUninstall$\notepad.exe %1

txtfile=c:\windows\$NtServicePackUninstall$\notepad.exe %1

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-10 20:09:04

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-583907252-1177238915-725345543-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

.

Completion time: 2009-02-10 20:11:20

ComboFix-quarantined-files.txt 2009-02-11 04:11:09

ComboFix2.txt 2009-02-10 06:16:07

Pre-Run: 13,752,733,696 bytes free

Post-Run: 13,811,126,272 bytes free

8758 --- E O F --- 2009-02-10 20:12:12

.


Here is a full log. Thanks.

ComboFix 09-02-10.01 - Mark 2009-02-10 20:33:04.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.240 [GMT -8:00]

Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

.

((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))

.

2009-02-10 19:14 . 2009-02-10 20:14 <DIR> d-------- c:\documents and settings\LogMeInRemoteUser

2009-02-10 16:46 . 2009-02-10 16:46 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\LogMeIn

2009-02-10 16:46 . 2008-10-16 20:35 87,352 --a------ c:\windows\system32\LMIinit.dll

2009-02-10 16:46 . 2008-10-16 20:35 83,288 --a------ c:\windows\system32\LMIRfsClientNP.dll

2009-02-10 16:46 . 2008-07-24 18:46 47,640 --a------ c:\windows\system32\drivers\LMIRfsDriver.sys

2009-02-10 16:46 . 2008-10-16 20:35 28,984 --a------ c:\windows\system32\LMIport.dll

2009-02-10 16:46 . 2009-02-10 16:46 1,024 --a------ C:\.rnd

2009-02-10 16:45 . 2009-02-10 16:46 <DIR> d-------- c:\program files\LogMeIn

2009-02-10 16:44 . 2009-02-10 16:44 <DIR> d-------- c:\documents and settings\Mark\.java

2009-02-10 14:03 . 2009-02-10 14:03 <DIR> d-------- c:\windows\system32\scripting

2009-02-10 13:49 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys

2009-02-10 13:49 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys

2009-02-10 13:46 . 2006-12-29 00:31 19,569 --a------ c:\windows\005668_.tmp

2009-02-10 07:06 . 2009-02-10 08:29 <DIR> d-------- c:\documents and settings\Mark\DoctorWeb

2009-02-09 23:12 . 2009-02-09 23:12 <DIR> d-------- c:\program files\Avira

2009-02-09 23:12 . 2009-02-09 23:12 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Avira

2009-02-09 22:24 . 2009-02-09 22:24 <DIR> d-------- c:\documents and settings\Mark\Application Data\Malwarebytes

2009-02-09 21:52 . 2008-04-14 05:42 1,384,479 --a------ c:\windows\system32\msvbvm60.dll

2009-02-09 21:46 . 2009-02-09 21:46 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

2009-02-09 21:46 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-09 21:46 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-09 21:31 . 2009-02-09 21:32 <DIR> d-------- c:\documents and settings\Mark\Application Data\U3

2009-02-09 21:31 . 2009-02-10 12:08 54,156 --ah----- c:\windows\QTFont.qfn

2009-02-09 21:31 . 2009-02-09 21:31 1,409 --a------ c:\windows\QTFont.for

2009-02-09 20:20 . 2009-02-09 20:20 <DIR> d--hs---- c:\windows\system32\config\systemprofile\IETldCache

2009-02-09 19:46 . 2009-02-10 16:31 <DIR> d----c--- c:\windows\system32\DRVSTORE

2009-02-09 19:46 . 2009-02-09 19:46 <DIR> d-------- c:\program files\Trend Micro

2009-02-09 19:45 . 2009-02-10 16:31 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft

2009-02-09 16:49 . 2009-02-09 22:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\PrivacIE

2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\IETldCache

2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\IECompatCache

2009-02-09 16:44 . 2009-02-09 16:44 <DIR> d-------- c:\windows\ie8updates

2009-02-09 16:42 . 2009-02-09 16:43 <DIR> d--h-c--- c:\windows\ie8

2009-02-09 16:40 . 2009-01-10 21:00 79,360 -----c--- c:\windows\system32\dllcache\iecompat.dll

2009-02-09 16:30 . 2009-02-10 16:40 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy

2009-02-09 16:05 . 2009-02-09 16:22 <DIR> d-------- c:\program files\Yahoo!

2009-02-09 16:05 . 2009-02-09 16:05 <DIR> d-------- c:\program files\CCleaner

2009-02-09 16:05 . 2009-02-09 16:05 <DIR> d-------- c:\documents and settings\Mark\Application Data\Yahoo!

2009-02-09 15:14 . 2009-02-10 20:26 <DIR> d-------- c:\documents and settings\Mark

2009-02-09 15:00 . 2009-02-09 15:00 <DIR> d-------- c:\documents and settings\Administrator

2009-01-15 02:22 . 2009-01-15 02:22 49,152 --------- c:\windows\system32\msrating.dll.mui

2009-01-15 02:21 . 2009-01-15 02:21 2,560 --------- c:\windows\system32\mshta.exe.mui

2009-01-15 02:19 . 2009-01-15 02:19 81,920 --------- c:\windows\system32\iedkcs32.dll.mui

2009-01-15 02:19 . 2009-01-15 02:19 4,096 --------- c:\windows\system32\ie4uinit.exe.mui

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-10 23:13 --------- d-----w c:\program files\Symantec

2009-02-10 23:13 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-02-10 23:13 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Symantec

2009-02-10 20:09 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help

2009-02-10 16:34 --------- d-----w c:\program files\AIM

2009-02-09 23:56 --------- d-----w c:\program files\Google

2009-02-09 23:09 --------- d-----w c:\program files\Common Files\Adobe

2009-01-15 10:05 911,872 ----a-w c:\windows\system32\wininet.dll

2009-01-15 10:05 43,008 ----a-w c:\windows\system32\licmgr10.dll

2009-01-15 10:04 18,944 ----a-w c:\windows\system32\corpol.dll

2009-01-15 10:03 72,704 ----a-w c:\windows\system32\admparse.dll

2009-01-15 10:03 71,680 ----a-w c:\windows\system32\iesetup.dll

2009-01-15 10:03 420,352 ----a-w c:\windows\system32\vbscript.dll

2009-01-15 10:01 34,304 ----a-w c:\windows\system32\imgutil.dll

2009-01-15 10:00 48,128 ----a-w c:\windows\system32\mshtmler.dll

2009-01-15 10:00 45,568 ----a-w c:\windows\system32\mshta.exe

2009-01-15 09:50 156,160 ----a-w c:\windows\system32\msls31.dll

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-07-01 16:51 47,936 ----a-w c:\documents and settings\James.SIGLOXXI\Application Data\GDIPFONTCACHEV1.DAT

2007-08-29 02:19 60,968 -c--a-w c:\documents and settings\James.SIGLOXXI\GoToAssistDownloadHelper.exe

2004-06-23 06:25 2,592,044 -c----w c:\documents and settings\GameSpot DLX Secure Delivery\trillian-v0.74f.exe

2007-03-02 23:05 44,624 -c--a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll

2007-03-02 23:05 108,192 -c--a-w c:\program files\mozilla firefox\plugins\atgpcext.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-24 3309568]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-11 185896]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-08-26 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Norton GoBack.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Norton GoBack.lnk

backup=c:\windows\pss\Norton GoBack.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^Event Reminder.lnk]

path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\Event Reminder.lnk

backup=c:\windows\pss\Event Reminder.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^HotSync Manager.lnk]

path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\HotSync Manager.lnk

backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^Trillian.lnk]

path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\Trillian.lnk

backup=c:\windows\pss\Trillian.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2008-04-14 05:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

--a--c--- 2006-10-30 15:27 715888 c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2006-10-30 09:36 256576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2004-03-24 09:04 3309568 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a--c--- 2004-03-24 09:04 46080 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a--c--- 2006-10-25 18:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2007-01-11 15:49 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

--a--c--- 2004-11-10 20:15 111816 c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]

--a--c--- 2002-10-15 18:00 1818624 c:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a--c--- 2004-03-24 09:04 782336 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-02-10 47640]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

.

.

------- File Associations -------

.

inffile=c:\windows\$NtServicePackUninstall$\notepad.exe %1

inifile=c:\windows\$NtServicePackUninstall$\notepad.exe %1

txtfile=c:\windows\$NtServicePackUninstall$\notepad.exe %1

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-10 20:34:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-583907252-1177238915-725345543-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

.

Completion time: 2009-02-10 20:36:49

ComboFix-quarantined-files.txt 2009-02-11 04:36:46

ComboFix2.txt 2009-02-11 04:11:22

ComboFix3.txt 2009-02-10 06:16:07

Pre-Run: 13,820,166,144 bytes free

Post-Run: 13,805,916,160 bytes free

204 --- E O F --- 2009-02-10 20:12:12

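Before hunting for the process that keeps Malwarebytes from starting, a responder would pull a few entry types out of the log above: the AV line reporting on-access scanning disabled, the Security Center values that silence its alerting, the Winlogon notification DLL, and the AutoRun command bound to a removable drive. The same values are written by some security suites for their own status reporting, and LogMeIn registers its own notification DLL, so each hit is a review item rather than a verdict. As an added example (not part of this thread and not ComboFix's own code), the Python below runs a small rule set over constructed log lines modelled on the output posted above; the rules, the severities and the sample lines are assumptions chosen for illustration.

```python
"""Triage a ComboFix-style log for self-protection and persistence indicators.

Added example for this thread; it is not ComboFix code and not a substitute
for reading the whole log. The rules, the severities and the sample lines are
assumptions chosen to illustrate the entries discussed in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of the ComboFix output posted in this thread
# (a handful of representative lines, not a complete log).
SAMPLE_LOG = r"""
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
------- File Associations -------
txtfile=c:\windows\$NtServicePackUninstall$\notepad.exe %1
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
ASSOC_RE = re.compile(r"^(?P<ext>\w+file)=(?P<handler>.+?) %1$")

# Security Center (XP SP2+) values that, set to 1, silence its alerting.
# Some third-party suites set these for their own status reporting, so a hit
# is a review item, not a verdict.
SC_DISABLE_VALUES = {
    "disablemonitoring",
    "antivirusdisablenotify",
    "firewalldisablenotify",
    "updatesdisablenotify",
}
# Where the txt/ini/inf handler normally lives on XP (assumption for the rule).
EXPECTED_HANDLER_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\notepad.exe")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    rule: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, tracking the current registry key, and collect hits."""
    findings: list[Finding] = []
    current_key = ""  # lower-cased key that the following value lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key").lower()
            continue
        if line.startswith("AV:") and "disabled" in line.lower():
            findings.append(Finding("high", "on-access antivirus reported disabled", line))
            continue
        value_match = VALUE_RE.match(line)
        if value_match:
            name = value_match.group("name").lower()
            data = value_match.group("data").lower()
            if "security center" in current_key and name in SC_DISABLE_VALUES and data == "dword:00000001":
                findings.append(Finding("high", "Security Center monitoring or alerting disabled", line))
            continue
        if "\\winlogon\\notify\\" in current_key and line.lower().endswith(".dll"):
            findings.append(Finding("medium", "Winlogon notification DLL (loads into winlogon.exe)", line))
            continue
        if "mountpoints2" in current_key and "\\shell\\autorun\\command" in line.lower():
            findings.append(Finding("medium", "AutoRun command bound to a removable drive", line))
            continue
        assoc_match = ASSOC_RE.match(line)
        if assoc_match and not assoc_match.group("handler").lower().startswith(EXPECTED_HANDLER_PREFIXES):
            findings.append(Finding("info", f"{assoc_match.group('ext')} handler outside the usual location; verify", line))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 3, 'medium': 2, 'info': 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.severity:>6}] {f.rule}\n         {f.line}")
    print(summary(hits))
```

The parser keys everything off the `[HKEY_...]` header that precedes a run of value lines, which is how ComboFix lays the registry sections out; a rule that needs a key context (Security Center, Winlogon notify, MountPoints2) checks `current_key`, while line-shaped rules (the AV status line, file associations) fire on their own.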

  • Root Admin

Okay, let's try this. Maybe I'm just missing it, but I don't see the parent process there in CF.

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Then run this

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup216.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

Then try to run this tool - burn from another system if you have to.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here.
  • Place a blank CD in your burner and double-click on the downloaded file.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows access to computers that cannot be booted anymore; it is updated several times a day so that the most recent security updates are always available.

Screen resolution problems

Please see the post here if you're unable to view the entire screen of Avira.

All suggested actions were performed.

Here are the results of the Avira scan from the boot CD.

70884 scanned files; there were 0 Suspect Files but three alerts.

The Alerts were:

[ADSPY/Wildtangent.A]/mnt/hda1/windows/wt/webdriver/wtmulti.dll<<contains detection pattern of the AD- or Spyware ADSPY/wildtangent.A

[SPR/Wildtangent.B]/mnt/hda1/windows/wt/wtupdates/wtwebdriver/files/3.3.1.001/npwthost.dll<<contains detection pattern of the SPR/wildtangent.B program

[ADSPY/wildtangent.A]/mnt/hda1/windows/wt/wtupdates/wtwebdriver/files/3.3.1.001/wtmulti.dll<<Contains detection pattern of the AD- or spyware ADSPY/wildtangent.A

Thanks,

Heavus


  • Root Admin

Great - glad to hear it.

I'll close your post soon so that others don't post into it, and leave you with this information and these suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from here.

Find the tutorial on how to use Spyware Blaster here.

Install WinPatrol

Download it from here.

Here you can find information about how WinPatrol works.

Install FireTrust SiteHound

You can find information and download it from here.

Install hpHosts

Download it from here.

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your PC.

Visit Microsoft often to get the latest updates for your computer.

Note 1: If you are running Windows XP SP2, you should upgrade to SP3.

Note 2:

Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.

I recommend Online Armor Free.

A little outdated but good reading on how to prevent Malware.

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting: Pre- HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here: PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know.
http://www.malwarebytes.org

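The hosts-file protection recommended above works because the resolver consults the hosts file before DNS and the first matching line wins, so an hpHosts entry only blocks a name when it points at the loopback or unspecified address. The same file is also a classic hijack point: an entry that sends a real site's name to a routable address redirects rather than blocks. As an added example (not from this thread and not hpHosts' own tooling), the Python below parses a constructed hosts file, answers where a name goes, and lists the entries that are not sinkholes; the sample contents and the function names are assumptions.

```python
"""Audit a Windows hosts file of the kind hpHosts installs.

Added example for this thread; not hpHosts' own tooling. The sample file and
the function names are assumptions. A hosts entry is only a block when it
points at the loopback or unspecified address; an entry that sends a name to
a routable address redirects the name somewhere else, which is the hijack
pattern rather than the protection pattern.
"""
from __future__ import annotations

import ipaddress

# Constructed sample: the default localhost line, two blocklist entries in
# hpHosts style, and one entry that redirects a site name to a routable host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.net     # blocked
0.0.0.0         malware.example.org
192.0.2.10      www.bank.example            # not a block: sends the name elsewhere
"""


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs in file order; comments and blanks dropped."""
    entries: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; a real audit tool would report it
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def resolve(hostname: str, entries: list[tuple[str, str]]) -> str | None:
    """Answer the name from the hosts entries; first match wins, as the resolver does."""
    target = hostname.lower()
    for ip, name in entries:
        if name == target:
            return ip
    return None


def is_sinkhole(ip: str) -> bool:
    """127.x.x.x or 0.0.0.0: traffic goes nowhere, which is what a blocklist wants."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def non_sinkhole_entries(entries: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Entries that route a name to a real address; each one needs a human look."""
    return [(ip, name) for ip, name in entries if not is_sinkhole(ip)]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-tracker.net", "www.bank.example", "unknown.example"):
        print(f"{name:28} -> {resolve(name, hosts)}")
    print("review:", non_sinkhole_entries(hosts))
```

Legitimate LAN entries (a printer, an intranet host) also land in the review list, which is intended: the point is that every non-sinkhole line in a file that is supposed to be a blocklist should be one a person put there on purpose.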
