Hello,

Thanks for your great service!

I have spent the last two days fighting a malware infection that is pretty damn persistent. Initial indications were numerous antivirus popups ("Antivirus Plus") with fake reports of infection and redirects of MS Internet Explorer and Firefox. All attempts to load new antivirus software failed (the computer was "protected" by McAfee, but that didn't help, and attempts to click on McAfee brought me back to the malware). It was (and still is) impossible to load HijackThis.

I was finally able to load Malwarebytes Anti-malware yesterday afternoon. It got rid of much of the problematic malware. The initial scan came up with infections by trojan.BHO, trojan.fakealert, adware.mywebsearch, rogue.antivirus plus.

I can now use my computer without the annoying popups and I was able to load Norton 360 protection (mostly to get my most important files backed up). But I still cannot load HijackThis, nor can I do any web searches dealing with HijackThis failing to load: both Internet Explorer and Firefox flash for a second and disappear. Also, when I tried to update Norton, my computer disconnected from the internet. This happened twice, although I was finally able to get a good update.

I have only the Malwarebytes logs; nothing else will load.

Any suggestions??

Thanks,

Ed


Do you think this could be related to that nasty TDSSserv rootkit?
I was finally able to load Malwarebytes Anti-malware yesterday afternoon. It got rid of much of the problematic malware. The initial scan came up with infections by trojan.BHO, trojan.fakealert, adware.mywebsearch, rogue.antivirus plus.

Nope, if it was this TDSS we would not be able to run either.


Ah yes, I thought perhaps the executable was renamed to run.

Tried to rename and run HijackThis (used the catfood.exe suggestion!). Didn't work: same characteristic flash screen, but not launched.

Was able to load RunScanner; here's the log (also saved a .run file, but not sure what is more useful to you):

Runscanner logfile http://www.runscanner.net

* = signed file

- = file not found

General info

------------

Computer name : FAMILY

Creation time : 12/1/2008 5:15:55 PM

Hosts <> 127.0.0.1 : 0

Hosts file location : %SystemRoot%\System32\drivers\etc

IE version : 7.0.5730.11

OS : Microsoft Windows XP

OS Build : 2600

OS SP : Service Pack 3

RunScanner Version : 1.7.0.0

User Language : English (United States)

User rights : Administrator

Windows folder : C:\WINDOWS

Running processes

-----------------

* C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (Lavasoft)

* C:\Program Files\Common Files\AOL\1102872271\ee\AOLSoftware.exe (AOL LLC)

* C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (AOL LLC)

* C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe (America Online Inc)

* C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (America Online, Inc)

c:\program files\common files\aol\1102872271\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

* C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)

* C:\WINDOWS\System32\alg.exe (Microsoft Corporation)

* C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)

* C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (Symantec Corporation)

* C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)

* C:\WINDOWS\system32\csrss.exe (Microsoft Corporation)

* C:\WINDOWS\system32\cisvc.exe (Microsoft Corporation)

C:\WINDOWS\system32\CTSvcCDA.EXE (Creative Technology Ltd)

* C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)

* C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

C:\WINDOWS\System32\GEARSec.exe (GEAR Software)

* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)

* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)

* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)

* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)

* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)

* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)

* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)

* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)

C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe (Hewlett-Packard Company)

C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe (Intel Corporation)

* C:\WINDOWS\system32\cidaemon.exe (Microsoft Corporation)

C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe (Intel Corporation)

* C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)

* C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

* C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe (Sun Microsystems, Inc.)

C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe (Hewlett-Packard Company)

* C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (Microsoft Corporation)

* C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe (Nero AG)

* C:\Program Files\Pure Networks\Network Magic\nmapp.exe (Pure Networks, Inc.)

C:\Program Files\Visioneer OneTouch\OneTouchMon.exe (Visioneer Inc)

C:\Program Files\Scansoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\WINDOWS\system32\IoctlSvc.exe (Prolific Technology Inc.)

C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)

* C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Pure Networks, Inc.)

* C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (Pure Networks, Inc.)

* C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation)

* C:\Documents and Settings\Ed\Desktop\Antivirus & Malware Programs\RunScanner.exe (Runscanner.net)

* C:\WINDOWS\system32\services.exe (Microsoft Corporation)

* C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)

* C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation)

* C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)

* C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)

* C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

* C:\Program Files\TomTom HOME 2\HOMERunner.exe (TomTom)

* C:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)

C:\WINDOWS\system32\wwSecure.exe (Webroot Software, Inc.)

C:\Program Files\mobile PhoneTools\WatchDog.exe

* C:\WINDOWS\Explorer.EXE (Microsoft Corporation)

* C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

* C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation)

* c:\windows\System32\smss.exe (Microsoft Corporation)

C:\WINDOWS\system32\MsPMSPSv.exe (Microsoft Corporation)

Unrated items

-------------

002 * C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (AOL LLC)

002 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)

002 C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)

002 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

002 C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe (Hewlett-Packard Company)

002 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)

002 C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe (Hewlett-Packard Company)

002 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE (CANON INC.)

002 * C:\Program Files\Common Files\AOL\1102872271\ee\AOLSoftware.exe (AOL LLC)

002 C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe (Hewlett-Packard Company)

002 C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe (Intel Corporation)

002 C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

002 C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)

002 C:\Program Files\PureEdge\Viewer 6.5\masqform.exe (PureEdge


Any thoughts as to how difficult it will be to fix this computer? Or are we at the "forget it" stage yet? Does anyone need any more data or logs to figure this one out?

I haven't given up hope yet, but I'm just about ready to wipe the drive clean and start over, even if that will take an entire weekend of work. I was hoping that when Malwarebytes' anti-malware found the infection and cleaned it, we were done.

Thanks again for your help!

--Ed


067 C:\WINDOWS\system32\ddccfaeefebff.dll

^^^ There is your problem. ^^^

Unzip and run the file attached to this post; it will create a folder called malware on your desktop. Zip and attach that folder here:

http://www.malwarebytes.org/forums/index.php?showforum=55

This is a notify-loaded DLL, so the easiest way to kill it will be to add it to MBAM defs and let MBAM do it.

capture.zip


067 C:\WINDOWS\system32\ddccfaeefebff.dll

^^^ There is your problem. ^^^

Unzip and run the file attached to this post; it will create a folder called malware on your desktop. Zip and attach that folder here:

http://www.malwarebytes.org/forums/index.php?showforum=55

This is a notify-loaded DLL, so the easiest way to kill it will be to add it to MBAM defs and let MBAM do it.

Interestingly, I can't move or copy the file from within Windows into this folder. I will attempt to copy it from outside the Windows operating system.


Using Windows Recovery, prior to loading Windows, I was able to rename the file to ddccfaeefebff.old and subsequently move it into the malware folder. This is the file I'll upload to you there.

By the way, HijackThis! worked right away and I will include the log of it in the other post.

One question: I moved rather than copied the file into the "malware" folder, so it is now off my system. Should I have let the Malwarebytes software do something to it, rather than a straight move? Note: when I checked the file directly using MWB it showed no infection, likely because it is not yet on the definition list. Is that correct?

Thanks again. Will post the file and log to the other part of the blog with a link to this one.

--Ed G


The file upload procedure "will not allow me to upload this type of file" to the site. Any other procedure I should use?

By the way, here's the HJT log which finally opened after I isolated this .dll.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:55:17 PM, on 12/2/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\CTSvcCDA.EXE

C:\WINDOWS\System32\GEARSec.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\wwSecure.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\Program Files\mobile PhoneTools\WatchDog.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\Pure Networks\Network Magic\nmapp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

C:\Program Files\Common Files\AOL\1102872271\ee\AOLSoftware.exe

C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\TomTom HOME 2\HOMERunner.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\Creative\Shared Files\CamTray.exe

C:\Program Files\iPod\bin\iPodService.exe

c:\program files\common files\aol\1102872271\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Ed\Desktop\Antivirus & Malware Programs\Catfood.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.igoogle.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 10.0.0.138

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = adslproxy.iol.cz:3128

R3 - URLSearchHook: IAOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL Toolbar\aoltb.dll

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: AOL Toolbar Loader - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll

O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\Scansoft\PaperPort\pptd40nt.exe"

O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Visioneer OneTouch\OneTouchMon.exe"

O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"

O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"

O4 - HKLM\..\Run: [masqform.exe] "C:\Program Files\PureEdge\Viewer 6.5\masqform.exe" -RunOnce

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\Scansoft\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"

O4 - HKLM\..\Run: [HPCDTray] "C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe"

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102872271\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360 Premier Edition\osCheck.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"

O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"

O4 - HKCU\..\Run: [LightScribe Control Panel] "C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" -hidden

O4 - HKCU\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"

O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - Startup: Microsoft Office Shortcut Bar.lnk = ?

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\DRIVE_D\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Add item - file://c:\add.htm

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Print Using ClickBook - {180E1E16-F536-4B51-9723-6025D98AA375} - C:\Program Files\Blue Squirrel\ClickBook\macros\ieprint.htm

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.Program Files

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab

O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab

O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124341887843

O16 - DPF: {8A177687-28EB-48DB-9CCB-5C5254D10568} (EduSpeak Recognizer ActiveX) - file:///Q:/program/Base/Components/EduSpeakX.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab

O20 - Winlogon Notify: ddccfaeefebff - C:\WINDOWS\system32\ddccfaeefebff.dll (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe

O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--

End of file - 19432 bytes

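The O20 line near the end of the log above is the entry the earlier reply pointed at. Winlogon Notify packages are DLLs registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and loaded by winlogon.exe early in boot, before any user-mode cleanup tool runs, which is consistent with the file resisting a move from inside Windows and yielding to a rename from the Recovery Console. The script below is an added example written for this thread; it is not code from the forum, from HijackThis or from Malwarebytes. It triages a constructed sample of HijackThis-style lines modelled on the log above (the O20 line and the two R1 proxy lines are copied from it, the rest are illustrative) and flags non-default Notify packages, orphaned BHO/toolbar registrations, and proxy settings that deserve a second look. The allowlist of stock XP Notify subkeys and the random-name heuristic are assumptions for this example, not anything the tools define.

```python
"""Triage HijackThis-style log lines for Winlogon Notify persistence.

Added example for this thread; not code from the forum, HijackThis or
Malwarebytes. The line grammar handled here is a small hand-written subset
of the HJT format, and the allowlist and random-name heuristic are
assumptions, not anything the tools themselves define.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input modelled on the log in the thread. The O20 line for
# ddccfaeefebff and the two R1 lines are copied from it; the others are
# illustrative.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 10.0.0.138
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = adslproxy.iol.cz:3128
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: ddccfaeefebff - C:\WINDOWS\system32\ddccfaeefebff.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Notify subkeys on a stock Windows XP install plus two common OEM graphics
# packages. Assumption: extend this for the OEM images in your own fleet.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
    "igfxcui", "atiextevent",
}

O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
ORPHAN_RE = re.compile(r"^O[23] - .* - \(no file\)$")
PROXY_RE = re.compile(
    r"^R1 - .*Internet Settings,(?P<setting>AutoConfigURL|ProxyServer) = (?P<value>.+)$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    line: str
    reason: str


def looks_random(name: str) -> bool:
    """Crude heuristic (assumption): a long all-letter name built from very few
    distinct letters, or with no vowels at all, as in ddccfaeefebff."""
    n = name.lower()
    if len(n) < 8 or not n.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in n)
    return len(set(n)) <= 6 or vowels == 0


def triage(log_text: str) -> list[Finding]:
    """Return findings for the lines worth a second look, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            name = m.group("name").lower()
            if name in KNOWN_NOTIFY:
                continue
            # Anything not on the allowlist is loaded by winlogon.exe at boot,
            # before any cleanup tool runs, so it is high severity on its own.
            reasons = ["non-default Winlogon Notify package"]
            if looks_random(name):
                reasons.append("random-looking name")
            if m.group("missing"):
                reasons.append("registry key outlives the file; remove the key")
            findings.append(Finding("high", line, "; ".join(reasons)))
            continue
        if ORPHAN_RE.match(line):
            findings.append(Finding("low", line, "orphaned BHO/toolbar registration"))
            continue
        m = PROXY_RE.match(line)
        if m:
            findings.append(Finding(
                "medium", line,
                f"{m.group('setting')} = {m.group('value')}; confirm with the owner"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it on a saved HJT log by passing the file contents to `triage()`. The point of the allowlist is that any Notify package not on it is worth a look regardless of how its name scores; the random-name check and the "(file missing)" marker only add context. A "(file missing)" O20 entry still matters after the DLL is gone, because winlogon.exe will keep trying to load it from that key until the key itself is deleted.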

My system appears to be working normally, i.e. full HJT functionality and no redirects from searches in either Firefox or IE. The malware file is saved on my computer, but I cannot seem to download it to your site. When I click on the browse button and select the file, then upload, I get the error: you are not allowed to upload this type of file.

Thanks for your help...awaiting your instructions.

--Ed G
