
Hijack Windows Updates



I keep getting left with two registry infections. It won't allow me to access Windows Updates. It won't let me turn the service on and when I try, it says access denied. I have read other posts concerning this but the people giving the solutions always warn that the solution given is for THAT PERSON ONLY. So, rather than trying to follow instructions given to someone else, I suppose I should get help from the beginning.

Here is what the log says after I reboot:

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{617559B0-E6E1-4559-8464-307E56286962}\RP64\A0007379.exe (Adware.DoubleD) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\65860e6.sys (Rootkit.Rustock) -> Delete on reboot.

The two Hijack files stay however. Please help.

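As an added example (not code from this thread, Malwarebytes or ComboFix), a small Python check for the pattern the log above reports: a service ImagePath built from an environment variable Windows does not define (%fystemRoot% instead of %SystemRoot%), which the Service Control Manager cannot expand, so the service binary never resolves. The function names, the KNOWN_ENV_VARS table and the expected-value table are assumptions of this example; the two sample lines are copied from the MBAM log above.

```python
"""Checker for the Hijack.WindowsUpdates pattern in the thread's MBAM log.

Added example, not Malwarebytes or ComboFix code: it parses MBAM
"Registry Data Items Infected" lines and flags ImagePath values whose
environment variable cannot expand or that differ from the expected value.
"""

import re

# Expected ImagePath values for the two Windows Update services
# (constructed reference table; matches the "Good" values in the log).
EXPECTED_IMAGE_PATHS = {
    "wuauserv": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    "BITS": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
}

# Environment variables that legitimately appear in service ImagePath values
# (assumed allow-list for this check).
KNOWN_ENV_VARS = {"systemroot", "windir", "systemdrive", "programfiles"}

ENV_TOKEN = re.compile(r"%([^%]+)%")

# One MBAM registry-data detection line:
#   <key>\ImagePath (<detection>) -> Bad: (<bad>) Good: (<good>) -> ...
MBAM_LINE = re.compile(
    r"^(?P<key>HKEY_[^ ]+)\\ImagePath \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)"
)


def _normalize(path):
    # Registry paths and env vars are case-insensitive; whitespace runs are not significant.
    return " ".join(path.lower().split())


def image_path_findings(service, image_path):
    """Return a list of human-readable problems with a service's ImagePath."""
    findings = []
    for var in ENV_TOKEN.findall(image_path):
        if var.lower() not in KNOWN_ENV_VARS:
            findings.append(
                f"%{var}% is not a Windows environment variable: the SCM cannot "
                f"expand it, so the service binary path never resolves"
            )
    expected = EXPECTED_IMAGE_PATHS.get(service)
    if expected is not None and _normalize(image_path) != _normalize(expected):
        findings.append(f"ImagePath differs from expected value {expected}")
    return findings


def parse_mbam_line(line):
    """Parse one MBAM registry-data detection line into a dict, or None."""
    m = MBAM_LINE.match(line.strip())
    if not m:
        return None
    key = m.group("key")
    service = key.rsplit("\\", 1)[-1]  # the Services\<name> component before \ImagePath
    return {
        "key": key,
        "service": service,
        "detection": m.group("detection"),
        "bad": m.group("bad"),
        "good": m.group("good"),
    }


def audit_mbam_log(text):
    """Return [(service, findings for the Bad value, findings for the Good value), ...]."""
    results = []
    for line in text.splitlines():
        entry = parse_mbam_line(line)
        if entry is None:
            continue
        results.append((
            entry["service"],
            image_path_findings(entry["service"], entry["bad"]),
            image_path_findings(entry["service"], entry["good"]),
        ))
    return results


# The two detection lines from the thread's MBAM log (copied from the post above).
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for service, bad_findings, good_findings in audit_mbam_log(SAMPLE_LOG):
        print(service, "bad:", bad_findings, "good:", good_findings)
```

On a live Windows host the same check can be fed the ImagePath values read from HKLM\System\CurrentControlSet\Services\<name> instead of the log lines.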

Hi and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • After the automatic "quick" scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.
  • Re-enable your antivirus and any antimalware programs you disabled before running the scan

Note: If you have trouble completing a full Rootkit/Malware scan with the ARK program then just copy/paste the "Quick scan" results into your reply. Often that alone provides enough information.

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as iexplore.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
  • For Firefox
    • Open Firefox and click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

  • For Internet Explorer:

    • When downloading, choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already (Vista users do NOT need to do this):

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your software firewall!

You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post back ARK.txt and C:\Combofix.txt

Rename "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" -> "C:\Program Files\Malwarebytes' Anti-Malware\newyork.exe"

  • Now, relaunch MBAM by double-clicking newyork.exe in the MBAM folder.
  • Select the Update tab -> Check for Updates
  • After MBAM updates, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK -> Show Results to view the scan results.
  • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please post C:\ComboFix.txt, your antirootkit log (ARK.txt), and a new MBAM log in your next reply.


GMER 1.0.15.15087 - http://www.gmer.net

Rootkit scan 2009-09-17 13:10:05

Windows 5.1.2600 Service Pack 3

Running: cksfd3mw.exe; Driver: C:\DOCUME~1\trendys\LOCALS~1\Temp\uwkyapob.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\65860e6.sys ZwCreateEvent [0xF0B4E915]

SSDT \SystemRoot\System32\drivers\65860e6.sys ZwCreateKey [0xF0B4C905]

SSDT \SystemRoot\System32\drivers\65860e6.sys ZwOpenKey [0xF0B4C9C5]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + D8 804E2734 4 Bytes JMP 11A717ED

? C:\WINDOWS\System32\drivers\65860e6.sys The system cannot find the file specified.

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 65860e6.sys

Device \Driver\Tcpip \Device\Ip 65860e6.sys

Device \Driver\Tcpip \Device\Tcp 65860e6.sys

Device \Driver\Tcpip \Device\Udp 65860e6.sys

Device \Driver\Tcpip \Device\RawIp 65860e6.sys

Device \Driver\Tcpip \Device\IPMULTICAST 65860e6.sys

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\drivers\65860e6.sys (*** hidden *** ) [sYSTEM] 65860e6 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\65860e6@ImagePath \SystemRoot\System32\drivers\65860e6.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\65860e6@Type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\65860e6@Start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\65860e6@ErrorControl 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\65860e6@kadfmmqr 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\65860e6@F96ZK6nPB YWxtYXh0cmFkaW5nLmluZm8=

Reg HKLM\SYSTEM\ControlSet003\Services\65860e6@ImagePath \SystemRoot\System32\drivers\65860e6.sys

Reg HKLM\SYSTEM\ControlSet003\Services\65860e6@Type 1

Reg HKLM\SYSTEM\ControlSet003\Services\65860e6@Start 1

Reg HKLM\SYSTEM\ControlSet003\Services\65860e6@ErrorControl 1

Reg HKLM\SYSTEM\ControlSet003\Services\65860e6@kadfmmqr 1

Reg HKLM\SYSTEM\ControlSet003\Services\65860e6@F96ZK6nPB YWxtYXh0cmFkaW5nLmluZm8=

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----

ComboFix 09-09-16.05 - trendys 09/17/2009 13:21.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.91 [GMT -5:00]

Running from: c:\documents and settings\trendys\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\WinPCap

c:\program files\WinPCap\rpcapd.exe

c:\windows\system32\drivers\65860e6.sys

c:\windows\system32\drivers\npf.sys

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\WanPacket.dll

c:\windows\system32\wpcap.dll

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Service_npf

-------\Service_65860e6

((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))

.

2009-09-13 20:42 . 2008-04-13 18:39 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys

2009-09-13 20:42 . 2008-04-13 18:39 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys

2009-09-13 20:41 . 2008-04-13 18:46 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys

2009-09-13 20:41 . 2008-04-13 18:46 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys

2009-09-13 20:41 . 2008-04-13 18:46 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys

2009-09-13 20:41 . 2008-04-13 18:46 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys

2009-09-13 20:41 . 2008-04-13 18:46 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys

2009-09-13 20:41 . 2008-04-13 18:46 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys

2009-09-13 20:41 . 2008-04-13 18:46 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys

2009-09-13 20:41 . 2008-04-13 18:46 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS

2009-09-13 20:41 . 2008-04-13 18:46 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys

2009-09-13 20:41 . 2008-04-13 18:46 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys

2009-09-13 20:41 . 2008-04-13 18:46 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys

2009-09-13 20:41 . 2008-04-13 18:46 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys

2009-09-13 20:40 . 2008-04-14 00:12 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll

2009-09-13 20:40 . 2008-04-14 00:12 53760 ----a-w- c:\windows\system32\vfwwdm32.dll

2009-09-13 20:40 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2009-09-13 20:40 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2009-09-12 07:33 . 2009-09-12 07:33 -------- d-----w- c:\documents and settings\trendys\Application Data\Malwarebytes

2009-09-12 07:33 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-12 07:33 . 2009-09-12 07:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-12 07:33 . 2009-09-12 07:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-12 07:33 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-10 23:32 . 2009-09-10 23:32 -------- d-----w- c:\program files\UOAM

2009-09-06 16:53 . 2009-09-06 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\EA Games

2009-09-06 08:07 . 2005-05-26 20:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll

2009-09-05 16:17 . 2009-09-07 18:46 -------- d-----w- c:\documents and settings\trendys\Application Data\IGN_DLM

2009-09-04 21:10 . 2009-09-07 18:44 -------- d-----w- c:\program files\ConnectUO Desktop

2009-09-04 21:03 . 2009-09-12 06:18 120 ----a-w- c:\windows\Lruqanunevifo.dat

2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\trendys\Local Settings\Application Data\{857973DA-F40C-4616-B14A-D0BAA03A8CC9}

2009-09-04 18:23 . 2009-09-16 07:54 -------- d-----w- c:\documents and settings\trendys\Local Settings\Application Data\ApplicationHistory

2009-09-04 18:19 . 2009-09-04 18:19 -------- d-----w- c:\windows\system32\URTTEMP

2009-09-04 01:19 . 2009-09-04 01:19 -------- d-----w- c:\windows\system32\wbem\Repository

2009-08-28 08:08 . 2009-08-28 08:09 -------- d-----w- C:\57ae6288e3d1651e9098d233ffcf16e4

2009-08-26 18:22 . 2009-09-06 17:49 -------- d-----w- c:\program files\Razor

2009-08-26 18:15 . 2009-08-26 18:15 -------- d-----w- c:\program files\MSBuild

2009-08-26 18:06 . 2009-08-28 08:10 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-26 18:05 . 2009-08-26 18:05 -------- d-----w- c:\program files\Reference Assemblies

2009-08-26 18:04 . 2006-06-29 18:07 14048 ------w- c:\windows\system32\spmsg2.dll

2009-08-26 08:00 . 2009-09-06 08:06 -------- d-----w- c:\program files\EA Games

2009-08-26 06:55 . 2009-08-26 06:55 -------- d-----w- c:\documents and settings\trendys\Local Settings\Application Data\DNA

2009-08-26 06:55 . 2009-09-17 18:32 -------- d-----w- c:\program files\DNA

2009-08-26 06:55 . 2009-09-17 18:32 -------- d-----w- c:\documents and settings\trendys\Application Data\DNA

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-06 23:35 . 2007-11-13 18:10 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-03 17:20 . 2007-12-20 16:00 30512 ----a-w- c:\documents and settings\trendys\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-20 17:52 . 2009-08-14 23:51 -------- d-----w- c:\documents and settings\trendys\Application Data\DivX

2009-08-16 23:13 . 2007-11-19 19:40 -------- d-----w- c:\documents and settings\trendys\Application Data\Apple Computer

2009-08-09 23:47 . 2009-08-09 23:47 -------- d-----w- c:\program files\Microsoft

2009-08-09 23:45 . 2009-08-09 23:45 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-08-09 23:45 . 2007-11-13 18:57 -------- d-----w- c:\program files\Java

2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-31 06:58 . 2009-07-31 06:58 -------- d-----w- c:\program files\NCH Software

2009-07-31 06:57 . 2009-07-31 06:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound

2009-07-31 06:57 . 2009-07-31 06:57 -------- d-----w- c:\documents and settings\trendys\Application Data\NCH Swift Sound

2009-07-27 09:14 . 2009-07-27 09:14 -------- d-----w- c:\program files\Windows Media Connect 2

2009-07-25 22:22 . 2009-07-25 22:21 -------- d-----w- c:\program files\iTunes

2009-07-25 22:22 . 2009-07-25 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-25 22:21 . 2009-07-25 22:21 -------- d-----w- c:\program files\iPod

2009-07-25 22:15 . 2007-11-19 19:36 -------- d-----w- c:\program files\Common Files\Apple

2009-07-25 22:12 . 2009-07-25 22:12 -------- d-----w- c:\program files\Bonjour

2009-07-25 22:12 . 2007-11-19 19:38 -------- d-----w- c:\program files\QuickTime

2009-07-25 22:09 . 2009-07-25 22:09 -------- d-----w- c:\program files\Apple Software Update

2009-07-25 21:10 . 2009-07-25 21:10 -------- d-----w- c:\program files\LanExpress

2009-07-25 21:10 . 2007-11-13 18:10 -------- d-----w- c:\program files\Common Files\InstallShield

2009-07-25 21:03 . 2009-07-25 21:03 -------- d-----w- c:\program files\Charter

2009-07-17 19:01 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 04:43 . 2006-02-28 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-08-26 318272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-09 149280]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"WlanUtil_ASIL"="c:\program files\LanExpress\WlanASIL\Utility\WlanASIL.exe" [2006-11-09 655360]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\EA Games\\Ultima Online 2D Client\\client.exe"=

"c:\\Program Files\\EA Games\\Ultima Online 2D Client\\UO.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/13/2007 1:47 PM 24652]

R4 zdcndis5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\system32\ZDCndis5.sys [7/25/2009 4:10 PM 18944]

S3 NB762_XP;NB 802.11g XG762 1211B Driver;c:\windows\system32\drivers\WlanUZXP.sys [7/25/2009 4:03 PM 437760]

S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\SMCWGU.sys [7/25/2009 4:03 PM 408064]

S3 ZD1211BU(Atheros);Atheros ZD1211B IEEE 802.11 Wireless LAN Driver (USB)(Atheros);c:\windows\system32\DRIVERS\zd1211Bu.sys --> c:\windows\system32\DRIVERS\zd1211Bu.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - gtndis5

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

AddRemove-MS Access 97 SP2 - c:\program files\Microsoft Office\setup\setup.exe

AddRemove-SimEarthv1.0 - c:\maxis\SimEarth\DeIsL1.isu

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-17 13:32

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3508)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-09-17 13:39 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-17 18:38

Pre-Run: 19,538,198,528 bytes free

Post-Run: 19,522,523,136 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

208 --- E O F --- 2009-09-05 08:02

Malwarebytes' Anti-Malware 1.41

Database version: 2817

Windows 5.1.2600 Service Pack 3

9/17/2009 1:53:58 PM

mbam-log-2009-09-17 (13-53-58).txt

Scan type: Quick Scan

Objects scanned: 85445

Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Please copy/paste all logs into your topic reply.

Go to Add/Remove Programs and uninstall Viewpoint Manager and Bonjour

We have some more items to clean up that we will manually specify for deletion by using a Combofix script.

It is important that you follow the next set of instructions precisely.

Open Notepad

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

KillAll::

Driver::
Viewpoint Manager Service

File::
c:\windows\Lruqanunevifo.dat

Folder::
c:\documents and settings\trendys\Local Settings\Application Data\{857973DA-F40C-4616-B14A-D0BAA03A8CC9}
c:\Program Files\\Bonjour\
c:\program files\Viewpoint\

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
"BitTorrent DNA"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=-

DirLook::
C:\57ae6288e3d1651e9098d233ffcf16e4

Save this to your desktop as CFScript.txt by selecting File -> Save as.

[Image: CFScriptB-4.gif]

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix.

Referring to the picture above, drag CFScript.txt into your renamed ComboFix.exe

This will cause ComboFix to run again.

Please post back the log that opens when it finishes.

-----

Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:

http://www.eset.com/onlinescan/index.php

  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.
  • Use Internet Explorer to navigate to the scanner website because you must approve installing an ActiveX add-on to complete the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start"
  • Check the following two boxes:
    • enable "Remove found threats"
    • Scan unwanted applications
  • Click the Scan button to begin scanning.
  • When the scan is done the log is automatically saved. To retrieve it:
    • Close the ESET scan Window.
    • Now open a run line by clicking Start >> Run...
    • Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" into the Open box:
    • The Scan results will now display in Notepad
  • Please copy and paste the ESET scan report that can be found in this location C:\Program Files\EsetOnlineScanner\log.txt into your next reply

Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

Please post back:

1. C:\Combofix.txt

2. C:\Program Files\EsetOnlineScanner\log.txt

3. A new MBAM log to see if those registry entries are fixed now


ComboFix 09-09-17.04 - trendys 09/17/2009 23:01.2.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.118 [GMT -5:00]

Running from: c:\documents and settings\trendys\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\trendys\Desktop\CFScript.txt

FILE ::

"c:\windows\Lruqanunevifo.dat"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\trendys\Local Settings\Application Data\{857973DA-F40C-4616-B14A-D0BAA03A8CC9}

c:\documents and settings\trendys\Local Settings\Application Data\{857973DA-F40C-4616-B14A-D0BAA03A8CC9}\chrome.manifest

c:\documents and settings\trendys\Local Settings\Application Data\{857973DA-F40C-4616-B14A-D0BAA03A8CC9}\chrome\content\_cfg.js

c:\documents and settings\trendys\Local Settings\Application Data\{857973DA-F40C-4616-B14A-D0BAA03A8CC9}\chrome\content\overlay.xul

c:\documents and settings\trendys\Local Settings\Application Data\{857973DA-F40C-4616-B14A-D0BAA03A8CC9}\install.rdf

c:\windows\Lruqanunevifo.dat

Malwarebytes' Anti-Malware 1.41

Database version: 2818

Windows 5.1.2600 Service Pack 3

9/18/2009 12:10:17 AM

mbam-log-2009-09-18 (00-10-17).txt

Scan type: Quick Scan

Objects scanned: 85595

Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))

.

2009-09-17 23:39 . 2009-09-17 23:39 -------- d-----w- c:\windows\system32\wbem\Repository

2009-09-17 23:39 . 2009-09-17 23:39 -------- d-----w- C:\Combo-Fix

2009-09-17 23:39 . 2009-09-17 23:39 -------- d-----w- c:\program files\Linksys Wireless-G PCI Wireless Network Monitor

2009-09-17 18:45 . 2009-09-17 23:39 -------- d-----w- C:\RECYCLER(2)

2009-09-13 20:42 . 2008-04-13 18:39 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys

2009-09-13 20:42 . 2008-04-13 18:39 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys

2009-09-13 20:41 . 2008-04-13 18:46 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys

2009-09-13 20:41 . 2008-04-13 18:46 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys

2009-09-13 20:41 . 2008-04-13 18:46 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys

2009-09-13 20:41 . 2008-04-13 18:46 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys

2009-09-13 20:41 . 2008-04-13 18:46 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys

2009-09-13 20:41 . 2008-04-13 18:46 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys

2009-09-13 20:41 . 2008-04-13 18:46 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys

2009-09-13 20:41 . 2008-04-13 18:46 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS

2009-09-13 20:41 . 2008-04-13 18:46 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys

2009-09-13 20:41 . 2008-04-13 18:46 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys

2009-09-13 20:41 . 2008-04-13 18:46 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys

2009-09-13 20:41 . 2008-04-13 18:46 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys

2009-09-13 20:40 . 2008-04-14 00:12 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll

2009-09-13 20:40 . 2008-04-14 00:12 53760 ----a-w- c:\windows\system32\vfwwdm32.dll

2009-09-13 20:40 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2009-09-13 20:40 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2009-09-12 07:33 . 2009-09-12 07:33 -------- d-----w- c:\documents and settings\trendys\Application Data\Malwarebytes

2009-09-12 07:33 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-12 07:33 . 2009-09-17 23:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-12 07:33 . 2009-09-12 07:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-12 07:33 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-10 23:32 . 2009-09-10 23:32 -------- d-----w- c:\program files\UOAM

2009-09-06 16:53 . 2009-09-06 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\EA Games

2009-09-06 08:07 . 2005-05-26 20:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll

2009-09-05 16:17 . 2009-09-07 18:46 -------- d-----w- c:\documents and settings\trendys\Application Data\IGN_DLM

2009-09-04 21:10 . 2009-09-07 18:44 -------- d-----w- c:\program files\ConnectUO Desktop

2009-09-04 18:23 . 2009-09-16 07:54 -------- d-----w- c:\documents and settings\trendys\Local Settings\Application Data\ApplicationHistory

2009-09-04 18:19 . 2009-09-04 18:19 -------- d-----w- c:\windows\system32\URTTEMP

2009-08-28 08:08 . 2009-08-28 08:09 -------- d-----w- C:\57ae6288e3d1651e9098d233ffcf16e4

2009-08-26 18:22 . 2009-09-06 17:49 -------- d-----w- c:\program files\Razor

2009-08-26 18:15 . 2009-08-26 18:15 -------- d-----w- c:\program files\MSBuild

2009-08-26 18:06 . 2009-08-28 08:10 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-26 18:05 . 2009-08-26 18:05 -------- d-----w- c:\program files\Reference Assemblies

2009-08-26 18:04 . 2006-06-29 18:07 14048 ------w- c:\windows\system32\spmsg2.dll

2009-08-26 08:00 . 2009-09-06 08:06 -------- d-----w- c:\program files\EA Games

2009-08-26 06:55 . 2009-08-26 06:55 -------- d-----w- c:\documents and settings\trendys\Local Settings\Application Data\DNA

2009-08-26 06:55 . 2009-09-18 04:09 -------- d-----w- c:\documents and settings\trendys\Application Data\DNA

2009-08-26 06:55 . 2009-09-18 04:09 -------- d-----w- c:\program files\DNA

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-18 03:53 . 2007-11-13 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-09-06 23:35 . 2007-11-13 18:10 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-03 17:20 . 2007-12-20 16:00 30512 ----a-w- c:\documents and settings\trendys\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-20 17:52 . 2009-08-14 23:51 -------- d-----w- c:\documents and settings\trendys\Application Data\DivX

2009-08-16 23:13 . 2007-11-19 19:40 -------- d-----w- c:\documents and settings\trendys\Application Data\Apple Computer

2009-08-09 23:47 . 2009-08-09 23:47 -------- d-----w- c:\program files\Microsoft

2009-08-09 23:45 . 2009-08-09 23:45 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-08-09 23:45 . 2007-11-13 18:57 -------- d-----w- c:\program files\Java

2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-31 06:58 . 2009-07-31 06:58 -------- d-----w- c:\program files\NCH Software

2009-07-31 06:57 . 2009-07-31 06:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound

2009-07-31 06:57 . 2009-07-31 06:57 -------- d-----w- c:\documents and settings\trendys\Application Data\NCH Swift Sound

2009-07-27 09:14 . 2009-07-27 09:14 -------- d-----w- c:\program files\Windows Media Connect 2

2009-07-25 22:22 . 2009-07-25 22:21 -------- d-----w- c:\program files\iTunes

2009-07-25 22:22 . 2009-07-25 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-25 22:21 . 2009-07-25 22:21 -------- d-----w- c:\program files\iPod

2009-07-25 22:15 . 2007-11-19 19:36 -------- d-----w- c:\program files\Common Files\Apple

2009-07-25 22:12 . 2007-11-19 19:38 -------- d-----w- c:\program files\QuickTime

2009-07-25 22:09 . 2009-07-25 22:09 -------- d-----w- c:\program files\Apple Software Update

2009-07-25 21:10 . 2009-07-25 21:10 -------- d-----w- c:\program files\LanExpress

2009-07-25 21:10 . 2007-11-13 18:10 -------- d-----w- c:\program files\Common Files\InstallShield

2009-07-25 21:03 . 2009-07-25 21:03 -------- d-----w- c:\program files\Charter

2009-07-17 19:01 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 04:43 . 2006-02-28 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2006-02-28 12:00 915456 ------w- c:\windows\system32\wininet.dll

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of C:\57ae6288e3d1651e9098d233ffcf16e4 ----

2009-08-28 08:09 . 2008-06-19 05:33 72 ------w- c:\57ae6288e3d1651e9098d233ffcf16e4\i386\msxpsinc.ppd

2009-08-28 08:09 . 2008-06-19 05:33 72 ------w- c:\57ae6288e3d1651e9098d233ffcf16e4\amd64\msxpsinc.ppd

2009-08-28 08:09 . 2008-06-19 05:33 2204 ------w- c:\57ae6288e3d1651e9098d233ffcf16e4\i386\msxpsdrv.inf

2009-08-28 08:09 . 2008-06-19 16:03 73 ------w- c:\57ae6288e3d1651e9098d233ffcf16e4\i386\msxpsinc.gpd

2009-08-28 08:09 . 2008-06-19 05:33 2204 ------w- c:\57ae6288e3d1651e9098d233ffcf16e4\amd64\msxpsdrv.inf

2009-08-28 08:09 . 2008-07-06 12:06 10929 ------w- c:\57ae6288e3d1651e9098d233ffcf16e4\amd64\msxpsdrv.cat

2009-08-28 08:09 . 2008-07-06 12:06 10929 ------w- c:\57ae6288e3d1651e9098d233ffcf16e4\i386\msxpsdrv.cat

2009-08-28 08:09 . 2008-07-06 12:06 147456 ------w- c:\57ae6288e3d1651e9098d233ffcf16e4\amd64\filterpipelineprintproc.dll

2009-08-28 08:08 . 2008-07-06 12:06 89088 ------w- c:\57ae6288e3d1651e9098d233ffcf16e4\i386\filterpipelineprintproc.dll

2009-08-28 08:08 . 2008-07-06 12:06 765440 ------w- c:\57ae6288e3d1651e9098d233ffcf16e4\i386\mxdwdrv.dll

2009-08-28 08:08 . 2008-07-06 12:06 1676288 ------w- c:\57ae6288e3d1651e9098d233ffcf16e4\i386\xpssvcs.dll

2009-08-28 08:08 . 2008-07-06 12:06 748032 ------w- c:\57ae6288e3d1651e9098d233ffcf16e4\amd64\mxdwdrv.dll

2008-07-06 22:36 . 2008-07-06 22:36 2936832 ------w- c:\57ae6288e3d1651e9098d233ffcf16e4\amd64\xpssvcs.dll

2008-06-19 16:03 . 2008-06-19 16:03 73 ------w- c:\57ae6288e3d1651e9098d233ffcf16e4\amd64\msxpsinc.gpd

((((((((((((((((((((((((((((( SnapShot@2009-09-18_00.01.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-18 04:08 . 2009-09-18 04:08 16384 c:\windows\temp\Perflib_Perfdata_4e8.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-08-26 318272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-09 149280]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"WlanUtil_ASIL"="c:\program files\LanExpress\WlanASIL\Utility\WlanASIL.exe" [2006-11-09 655360]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\EA Games\\Ultima Online 2D Client\\client.exe"=

"c:\\Program Files\\EA Games\\Ultima Online 2D Client\\UO.exe"=

R2 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\system32\ZDCndis5.sys [7/25/2009 4:10 PM 18944]

S3 NB762_XP;NB 802.11g XG762 1211B Driver;c:\windows\system32\drivers\WlanUZXP.sys [7/25/2009 4:03 PM 437760]

S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\SMCWGU.sys [7/25/2009 4:03 PM 408064]

S3 ZD1211BU(Atheros);Atheros ZD1211B IEEE 802.11 Wireless LAN Driver (USB)(Atheros);c:\windows\system32\DRIVERS\zd1211Bu.sys --> c:\windows\system32\DRIVERS\zd1211Bu.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-17 23:09

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

hidec.exe [1916]

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2128)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-09-18 23:17 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-18 04:16

ComboFix2.txt 2009-09-18 00:07

ComboFix3.txt 2009-09-17 18:39

Pre-Run: 19,338,661,888 bytes free

Post-Run: 19,297,763,328 bytes free


ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=6

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6050

# api_version=3.0.2

# EOSSerial=c134f0a6de904d4daed4719416990d5d

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-09-18 05:00:00

# local_time=2009-09-18 12:00:00 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# scanned=63336

# found=5

# cleaned=5

# scan_time=1749

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\65860e6.sys.vir a variant of Win32/Rustock.NKU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{617559B0-E6E1-4559-8464-307E56286962}\RP74\A0008797.sys a variant of Win32/Rustock.NKU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{617559B0-E6E1-4559-8464-307E56286962}\RP74\A0008812.sys a variant of Win32/Rustock.NKU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{617559B0-E6E1-4559-8464-307E56286962}\RP77\A0009438.sys a variant of Win32/Rustock.NKU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{617559B0-E6E1-4559-8464-307E56286962}\RP77\A0009454.sys a variant of Win32/Rustock.NKU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


OK that looks much better and it's what I expected.

Can you do this please -

To download and properly install HijackThis:

1. Download the HijackThis Installer here:

http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe

2. Save the HJT Installer to your desktop or the folder of your choice, then navigate to that folder and double-click HJTInstall.exe to start the installation.

3. When the Trend Micro HJT install box appears, click Install.

4. HijackThis (HJT) will be installed in the C:\Program Files\Trend Micro\HijackThis folder by default and a desktop shortcut will be created.

To obtain a HijackThis Log:

1. Launch HijackThis by double-clicking its desktop shortcut or by clicking Start -> All Programs -> HijackThis.

2. Select the "Do a system scan and save a logfile" option

3. HijackThis will analyze your system, and automatically open a notepad textfile containing the HijackThis log when the scan is finished.

4. Please copy and paste the HijackThis log (the contents of the notepad file) into your next reply.

I noticed that your P2P filesharing program is still running at startup.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-08-26 318272]

My recommendations to avoid reinfection are to:

1. Adjust your file-sharing program settings so it does NOT automatically run at Windows Startup

2. Adjust your file-sharing program settings so it does NOT allow others on the P2P network to openly access downloads from your computer (in other words do NOT maintain a shared directory)

3. Close your filesharing program when you are not actively using it

Your P2P program has open access in your firewall which means anything can come barreling through there anytime.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\DNA\\btdna.exe"=

You should set your firewall to prompt you for network access when you run the program to avoid reinfection.


As soon as I followed all your past instructions the Auto Updates popped right on! Thank you! As for the recommendations, as this computer was given to me, I am unsure what the P2P program is or how to shut it off. Any help? Here is the log you requested. In the meantime I'm going to try and find that program and shut it down.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:41:04 PM, on 9/18/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\LanExpress\WlanASIL\Utility\WlanASIL.exe

C:\Program Files\DNA\btdna.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [WlanUtil_ASIL] C:\Program Files\LanExpress\WlanASIL\Utility\WlanASIL.exe

O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {39b0684f-d7bf-4743-b050-fdc3f48f7e3b} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1248622636306

O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1252897293921

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--

End of file - 6045 bytes


As soon as I followed all your past instructions the Auto Updates popped right on! Thank you!

You're welcome. I'm glad to hear that!

I am also glad you got rid of the BitTorrent DNA P2P program. That is very possibly how you got infected because it was running in the background with a free pass through your firewall. I am going to have you run a regfix to close that port and also remove some things remaining in HJT.

Scan with HijackThis by clicking the "Scan" button and place a checkmark next to the following items. Close ALL other windows and browsers except HijackThis. Click "fix checked".

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)

Close HJT

Open a notepad

Paste the following text in the code box into the notepad window:

REGEDIT4

; removes the Windows Firewall exception for btdna.exe ("=-" deletes the value)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=-

Save the file to your desktop by setting the "Save as Type" to "all files", and save it as fixme.reg

Double-click the fixme.reg block icon on your desktop. You will have to approve the information to be added to the registry when it prompts you, and then allow the script to run for a few seconds. You should get a message that says the information was successfully added to the Registry. Let me know if you didn't please.

Reboot

Make sure you can view hidden files and folders

You can also delete these folders if present:

c:\documents and settings\trendys\Local Settings\Application Data\DNA

c:\program files\DNA

c:\documents and settings\trendys\Application Data\DNA

BTW, this game also has firewall access. Do you still use this for online play and/or updates?

"c:\\Program Files\\EA Games\\Ultima Online 2D Client\\client.exe"=

What antivirus are you running? I am only seeing registry remnants for AVG8 so if you are in need of an antivirus, please download, install and run this highly rated antivirus called Antivir by Avira:

http://www.free-av.com/en/trialpay_downloa..._antivirus.html

If your system does not have a software firewall installed other than the Windows firewall, please download and install Online Armor Free from here:

http://www.tallemu.com/products-online-armor-free.php

The link to the free version is on the left hand side of that page.

Now, post a new HJT log.

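The fixme.reg above and the earlier firewall AuthorizedApplications entry both rely on the REGEDIT4 file format, so here is an added example (not code from this thread or from any Malwarebytes/ComboFix tool) that reads such a fix and reports what regedit would change, so a .reg file can be reviewed before it is merged. It assumes ComboFix's `HKLM\~` shorthand stands for `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet` and handles only single-line values.

```python
r"""Read a REGEDIT4 ".reg" fix and report what regedit would do with it.

Added example for this thread, not code from the post or from any
Malwarebytes/ComboFix tool. It handles the subset of the format the fix uses:
[Key] headers, [-Key] (delete key), "name"=- (delete value), @ (default value)
and single-line "name"="string" / "name"=dword:... assignments. Assumption:
ComboFix's HKLM\~ shorthand stands for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet,
which is what the constructed sample below spells out.
"""
import re
from dataclasses import dataclass

# Constructed sample: the fixme.reg from the thread with the key written out
# in full, as regedit needs it (regedit does not accept "HKLM" or "~").
FIXME_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=-
'''

# Tail of the key that holds Windows Firewall (XP SP2/SP3) program exceptions.
FIREWALL_LIST = r"\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# "name"=rhs or @=rhs; the name may contain escaped quotes and backslashes.
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


@dataclass
class RegOp:
    action: str          # "delete_key", "delete_value" or "set_value"
    key: str
    name: str = ""       # "@" is the key's default value
    data: str = ""       # string data unescaped; dword:/hex: kept verbatim


def _unescape(s: str) -> str:
    # .reg strings double every backslash and escape embedded quotes.
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text: str) -> list[RegOp]:
    """Turn the text of a .reg file into the list of registry operations it encodes."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 header")
    ops: list[RegOp] = []
    key = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):              # [-Key] deletes the whole key
                ops.append(RegOp("delete_key", body[1:]))
                key = None
            else:
                key = body
            continue
        if key is None:
            raise ValueError(f"value outside any [Key] section: {line}")
        m = VALUE_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line}")
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        rhs = m.group(2)
        if rhs == "-":                            # "name"=- deletes one value
            ops.append(RegOp("delete_value", key, name))
        elif rhs.startswith('"') and rhs.endswith('"'):
            ops.append(RegOp("set_value", key, name, _unescape(rhs[1:-1])))
        else:                                     # dword:..., hex:... and so on
            ops.append(RegOp("set_value", key, name, rhs))
    return ops


def firewall_exceptions_removed(ops: list[RegOp]) -> list[str]:
    """Program paths whose firewall exception the fix deletes (the thread's goal)."""
    return [op.name for op in ops
            if op.action == "delete_value"
            and op.key.lower().endswith(FIREWALL_LIST.lower())]


def describe(ops: list[RegOp]) -> list[str]:
    """One human-readable line per registry change, for review before merging."""
    out = []
    for op in ops:
        if op.action == "delete_key":
            out.append(f"DELETE KEY   {op.key}")
        elif op.action == "delete_value":
            out.append(f"DELETE VALUE {op.key} :: {op.name}")
        else:
            out.append(f"SET VALUE    {op.key} :: {op.name} = {op.data}")
    return out


if __name__ == "__main__":
    parsed = parse_reg(FIXME_REG)
    print("\n".join(describe(parsed)))
    print("firewall exceptions removed:", firewall_exceptions_removed(parsed))
```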

I still use the Ultima Online Client to play the Game Ultima Online. Is this unsafe?

I followed your instructions and everything seemed to go ok. I also installed both programs you directed me to. Thanks for the tip on the freebie software.

Here is the log you requested:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:07:44 AM, on 9/20/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Tall Emu\Online Armor\OAcat.exe

C:\Program Files\Tall Emu\Online Armor\oasrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\LanExpress\WlanASIL\Utility\WlanASIL.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Tall Emu\Online Armor\oaui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Tall Emu\Online Armor\OAhlp.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [WlanUtil_ASIL] C:\Program Files\LanExpress\WlanASIL\Utility\WlanASIL.exe

O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {39b0684f-d7bf-4743-b050-fdc3f48f7e3b} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1248622636306

O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1252897293921

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe

O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--

End of file - 6285 bytes
