Jump to content

Recommended Posts

I tried posting this before but didn't get an answer. So I thought I'd give it another try. If anyone can help I'd greatly appreciate it.

Malware says I have a trojan that will delete on reboot but it never does. I've tried like 10 times.

Thanks!!

Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:17:50 PM, on 7/21/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\system32\hphmon05.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop

O16 - DPF: vzTCPConfig - https://essentialsandextras.verizon.com/wha...vzTCPConfig.CAB

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...20Installer.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2B55B5F0-9D95-48CF-96A1-FEAF74CEC150} (portLoader Class) - http://a248.g.akamai.net/7/248/9286/200309...g2/download.cab

O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/Data...6-6D5536C585C9}

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/19.11/uploader2.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.brothersconcrete.com/Remote/msrdp.cab

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab

O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_...loadControl.cab

O16 - DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader45.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab

O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...inematycoon.cab

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O24 - Desktop Component 0: (no name) - http://by107fd.bay107.hotmail.msn.com/cgi-...ain=hotmail.com

--

End of file - 14683 bytes

My Malware Log:

Malwarebytes' Anti-Malware 1.39

Database version: 2421

Windows 5.1.2600 Service Pack 2

7/21/2009 8:09:04 PM

mbam-log-2009-07-21 (20-09-04).txt

Scan type: Quick Scan

Objects scanned: 100847

Time elapsed: 23 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\el32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\el32.dll (Trojan.FakeAlert) -> Delete on reboot.

Thanks again.

Link to post
Share on other sites

Hi elliegirl18 and Welcome to Malwarebytes!

Download ComboFix from one of these locations:

Link 1

Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

KB310994.gif

Download the file & save it as it's originally named.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Please note once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall.

RC1-4.gif

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
    whatnext.png
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.

Link to post
Share on other sites

I ran the ComboFix and here's my log:

ComboFix 09-07-26.01 - Heather Hayden 07/26/2009 21:03.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.92 [GMT -4:00]

Running from: c:\documents and settings\Heather Hayden\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Heather Hayden\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\S-1-5-21-1708537768-308236825-839522115-1003

c:\recycler\S-1-5-21-3798042370-78231701-2856801765-1003

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\system32\userini.exe

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected

Restored copy from - c:\system volume information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP1251\A0121769.dll

.

((((((((((((((((((((((((( Files Created from 2009-06-27 to 2009-07-27 )))))))))))))))))))))))))))))))

.

2009-07-23 23:27 . 2009-07-27 00:51 14336 ----a-w- c:\windows\system32\el32.dll

2009-07-22 00:17 . 2009-07-22 00:17 -------- d-----w- c:\program files\Trend Micro

2009-07-19 17:36 . 2009-07-19 17:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-07-19 17:35 . 2009-07-19 17:35 -------- d-sh--w- c:\documents and settings\Heather Hayden\IECompatCache

2009-07-19 17:34 . 2009-07-19 17:34 -------- d-sh--w- c:\documents and settings\Heather Hayden\PrivacIE

2009-07-19 17:30 . 2009-07-19 17:30 -------- d-sh--w- c:\documents and settings\Heather Hayden\IETldCache

2009-07-19 17:26 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-07-19 17:26 . 2009-07-19 17:26 -------- d-----w- c:\windows\ie8updates

2009-07-19 17:24 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-07-19 17:24 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-07-19 17:20 . 2009-07-19 17:23 -------- dc-h--w- c:\windows\ie8

2009-07-19 16:58 . 2009-07-19 16:58 -------- d-----w- C:\6d3af5482b6cce0820ae73180c0e

2009-07-18 11:54 . 2009-07-18 11:54 3775175 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-07-10 00:05 . 2009-07-10 00:05 80384 ----a-r- c:\documents and settings\Heather Hayden\Application Data\Microsoft\Installer\{588164FC-552A-4FB0-A9EB-3D193EF72571}\Icon6FDEE4821.exe

2009-07-06 14:11 . 2009-06-02 15:50 77312 ----a-w- c:\windows\DEVCON.EXE

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-18 11:55 . 2008-08-11 22:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-13 17:36 . 2008-08-11 22:19 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-13 17:36 . 2008-08-11 22:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-05 20:37 . 2009-06-15 17:00 -------- d-----w- c:\program files\Verizon

2009-06-16 14:55 . 2004-08-04 08:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:55 . 2004-08-04 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-15 17:20 . 2009-06-15 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive

2009-06-15 17:15 . 2009-06-15 17:15 -------- d-----w- c:\documents and settings\Heather Hayden\Application Data\Motive

2009-06-15 17:14 . 2009-06-15 17:09 -------- d-----w- c:\program files\Common Files\Motive

2009-06-03 19:27 . 2004-08-04 08:00 1290752 ----a-w- c:\windows\system32\quartz.dll

2009-05-13 05:15 . 2004-08-04 08:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-07 15:44 . 2004-08-04 08:00 344064 ----a-w- c:\windows\system32\localspl.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 68856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-08 159744]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-07 4730880]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 36975]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-23 483328]

"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 286720]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]

"LWBMOUSE"="c:\program files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE" [2002-05-24 357376]

"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-08-16 100056]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-02-28 68768]

"Advanced Tools Check"="c:\progra~1\NORTON~1\AdvTools\ADVCHK.EXE" [2003-08-18 74920]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-09 289576]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-01-30 88363]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-04-07 323584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-3-12 118784]

Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2004-1-29 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\WINDOWS\\system32\\mshta.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\V CAST Music with Rhapsody\\rhapsody.exe"=

R2 NProtectService;Norton Unerase Protection;c:\program files\Norton AntiVirus\AdvTools\NPROTECT.EXE [7/4/2005 2:55 PM 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-06-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2009-07-18 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job

- c:\progra~1\NORTON~1\Navw32.exe [2003-08-17 22:22]

2009-07-27 c:\windows\Tasks\User_Feed_Synchronization-{F69591BA-E929-488E-B4EC-5558818D6886}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-RecordNow! - (no file)

HKLM-Run-HPHUPD05 - c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

HKLM-Run-DXDllRegExe - dxdllreg.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.cnn.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

DPF: vzTCPConfig - hxxps://essentialsandextras.verizon.com/whatsnext/mainweb/js/vzTCPConfig.CAB

DPF: {2B55B5F0-9D95-48CF-96A1-FEAF74CEC150} - hxxp://a248.g.akamai.net/7/248/9286/200309241629/ps.theport.com/xmlplayer/eng2/download.cab

.

**************************************************************************

driver loading error catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-26 21:19

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?0?8?9??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3980)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\program files\Tech\Wheel Mouse\5.0\MOUDL32A.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE

c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\program files\Viewpoint\Common\ViewpointService.exe

c:\program files\Common Files\Symantec Shared\Security Center\symwsc.exe

c:\program files\Java\jre1.5.0_04\bin\jucheck.exe

c:\program files\Apoint2K\ApntEx.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

.

**************************************************************************

.

Completion time: 2009-07-27 21:32 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-27 01:32

Pre-Run: 36,605,128,704 bytes free

Post-Run: 37,730,000,896 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

176 --- E O F --- 2009-07-19 17:27

Thank you very very much for your help!

Link to post
Share on other sites

Hi elliegirl18

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Open Notepad and copy and paste the text in the code box below into it:

File::c:\windows\system32\el32.dll

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Next

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Next

Also, I would like you to generate a "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:

To get an Uninstall List from HijackThis:

  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

In your next reply, please include these log(s):

Combofix.txt

MBAM Report

HijackThis Uninstall List

Link to post
Share on other sites

computer lost power during combofix run. Restarted computer. Only background appears. No icons or startup menu.

With the power lost we need to start over. Did you lose power on your computer or the house as well. This is the easy way to get your computer back to normal.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Now Use your arrow keys to move to "Last Known Good Configuration" and press your Enter key. This will enables the system to go back to a date before you had this problem. We might need to download combofix again as before. But just post a HijackThis log for now. And let me know if this worked elliegirl18?

Link to post
Share on other sites

I tried several times and it everytime I get the same result: It loads up but all I can see is the background image. The startup menu never appears and the desktop icons never appear. I think my computer might have died!!

When I press F8 and choose the last known confirguation, it never pulls up another screen where I can pick Windows Recovery Console or Windows XP Home Edition. I tried both, but when I do the recovery option. It pulls up another screen, and I was lost.

Thanks for all your help. Oh and the computer lost power because it appears to have over heated and turned itself off. Its a laptop and almost 5 years old, so I think it might be time to just get a new one.

Link to post
Share on other sites

Thanks for all your help. Oh and the computer lost power because it appears to have over heated and turned itself off. Its a laptop and almost 5 years old, so I think it might be time to just get a new one.

Hi elliegirl18,

Have you checked to see if the fans are working? It sounds like you have a hardware problem with you PC. And we need to have it fixed or replaced before we do anything else.

I would take it to a PC shop and ask them if it's the fan/fans or hard drive is OK and get a price for repair. IMO... anything over 100.00 US for repair. I would buy a new one. There's some great deals on all computers today.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.