Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware Hiding And Protecting Itself?


  • This topic is locked This topic is locked
25 replies to this topic

#1 uziyah

uziyah

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:East Texas, USA
  • Local time:09:14 PM

Posted 17 August 2008 - 01:56 PM

My first post is in "Am I infected" as "Safe Mode Not Safe" ...

Mod. edit. Pasting in information from aforementioned post.

Running Norton AV 2007 w/ frequent Quick scans usually checking 5K-7K files. Now only checking 9-11 files.
Ran Spybot S & D and received "Warning! There were problems in the include file C:\Program Files\Spybot_Search_Destroy\Includes\Trojans.sbi" also in "\TrojansC.sbi".
Reading some of the help info I went into safe mode only to see huge fonts. Not Safe?
Attempted download Spybot160 and received "Error The set-up files are corrupted. Please obtain a new copy of program."
I told it to overwrite my old SSD and now I have NO SSD.
Attempted download SDFix and received "CRC Failed in SDFix\apps\zip.exe".
How does Safe Mode become unsafe?

End of added material. ~ OB

Scans show no malware yet there must be some...Windows security gets shut-down when I log off.
HJT log:Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:47:36 PM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Airstream Web Accelerator\slipcore.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Airstream Web Accelerator\slipgui.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.airmail.net/src/myportal.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5402
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Airstream Web Accelerator\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Airstream Web Accelerator\slipcore.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Airstream Web Accelerator.lnk = C:\Program Files\Airstream Web Accelerator\slipgui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Airstream Web Accelerator\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Airstream Web Accelerator\gui_resource.dll/328
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: http://kb.bitdefender.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/22d8bc0d53af9d884b22/...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182996732125
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Express Viewer Control) - http://www.autodesk.com/global/expressview...ViewerSetup.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3584CC83-C670-40F8-9A33-63328F499961}: NameServer = 64.136.173.4 64.136.164.76
O17 - HKLM\System\CS1\Services\Tcpip\..\{3584CC83-C670-40F8-9A33-63328F499961}: NameServer = 64.136.173.4 64.136.164.76
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11051 bytes

Hoping the educated will help the confused...uziyah :thumbsup:

Edited by Orange Blossom, 18 August 2008 - 12:11 AM.


BC AdBot (Login to Remove)

 


#2 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal

Posted 19 August 2008 - 07:41 AM

Hello,

You might want to save this page on your favorites, so you can find it again when you return.

Welcome to the Bleeping Computer Malware Removal Forum, sorry for the delay in responding, but the amount of people posting with infected computers is through the roof and we sometimes can't get to logs as fast as we would like to.

If you have not resolved this issue and still need assistance, post a HJT log as your system may have changed since your original post.

Thanks for your patience. :thumbsup:
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 uziyah

uziyah
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:East Texas, USA
  • Local time:09:14 PM

Posted 19 August 2008 - 11:08 AM

Thank you for the pending help...How wonderful it is that people will still help people when it does not benefit themselves directly.
Fresh HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:41 AM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Airstream Web Accelerator\slipcore.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Airstream Web Accelerator\slipgui.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.airmail.net/src/myportal.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5402
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Airstream Web Accelerator\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Airstream Web Accelerator\slipcore.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Airstream Web Accelerator.lnk = C:\Program Files\Airstream Web Accelerator\slipgui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Airstream Web Accelerator\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Airstream Web Accelerator\gui_resource.dll/328
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: http://kb.bitdefender.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/22d8bc0d53af9d884b22/...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182996732125
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Express Viewer Control) - http://www.autodesk.com/global/expressview...ViewerSetup.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3584CC83-C670-40F8-9A33-63328F499961}: NameServer = 64.136.173.4 64.136.164.76
O17 - HKLM\System\CS1\Services\Tcpip\..\{3584CC83-C670-40F8-9A33-63328F499961}: NameServer = 64.136.173.4 64.136.164.76
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11051 bytes

:thumbsup:

#4 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal

Posted 19 August 2008 - 12:07 PM

Hi,

Please download the ComboFix from the links above and follow all instructions for running the tool:
"If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!"

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
  • Be sure to re-enable your anti-virus and other security programs, after ComboFix finished.
Note: Do not mouseclick combofix's window while its running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read Combofix's Disclaimer


Regards
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#5 uziyah

uziyah
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:East Texas, USA
  • Local time:09:14 PM

Posted 19 August 2008 - 03:34 PM

Here's what we have so far...Thanks...

ComboFix Log:
ComboFix 08-08-18.05 - don 2008-08-19 14:59:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1257.372.1033.18.176 [GMT -5:00]
Running from: C:\Documents and Settings\don\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\don\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
/wow section - STAGE 3
Ā was unexpected at this time.

/wow section - STAGE 4
Ā was unexpected at this time.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\debbie\UserData
C:\Documents and Settings\debbie\UserData\index.dat
C:\Documents and Settings\don\UserData
C:\Documents and Settings\don\UserData\9BYZLZ02\oWindowsUpdate[1].xml
C:\Documents and Settings\don\UserData\index.dat
C:\Documents and Settings\eliyah\UserData
C:\Documents and Settings\eliyah\UserData\index.dat
C:\Documents and Settings\hezekiyah\UserData
C:\Documents and Settings\hezekiyah\UserData\index.dat
C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 )))))))))))))))))))))))))))))))
.

2008-08-18 17:51 . 2008-08-18 18:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-15 10:07 . 2008-08-15 15:20 <DIR> d-------- C:\SDFix
2008-08-15 09:39 . 2004-08-04 02:56 116,224 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxwiadr.dll
2008-08-15 09:39 . 2001-08-17 22:37 27,648 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxftplt.exe
2008-08-15 09:39 . 2001-08-17 22:36 23,040 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxwbtmp.dll
2008-08-15 09:39 . 2001-08-17 22:36 17,408 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxscnui.dll
2008-08-15 09:38 . 2001-08-17 22:37 99,865 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xlog.exe
2008-08-15 09:38 . 2002-08-29 06:00 28,288 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2008-08-15 09:38 . 2004-08-04 01:10 19,328 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wstcodec.sys
2008-08-15 09:38 . 2001-08-17 12:11 16,970 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xem336n5.sys
2008-08-15 09:38 . 2004-08-04 02:56 8,192 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wshirda.dll
2008-08-15 09:38 . 2001-08-17 22:37 4,608 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxflnch.exe
2008-08-15 09:36 . 2001-08-17 22:36 525,568 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\tridxp.dll
2008-08-15 09:35 . 2001-08-17 12:18 285,760 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\stlnata.sys
2008-08-15 09:34 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\sblfx.dll
2008-08-15 09:33 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\r2mdkxga.sys
2008-08-15 09:32 . 2001-08-17 14:05 351,616 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ovcodek2.sys
2008-08-15 09:31 . 2002-08-29 06:00 1,875,968 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex
2008-08-15 09:30 . 2002-08-29 06:00 1,158,818 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\korwbrkr.lex
2008-08-15 09:29 . 2002-08-29 06:00 471,102 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\imskdic.dll
2008-08-15 09:28 . 2002-08-29 06:00 13,463,552 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2008-08-15 09:27 . 2001-08-17 13:28 634,134 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\el656ct5.sys
2008-08-15 09:26 . 2001-08-17 12:14 952,007 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\diwan.sys
2008-08-15 09:25 . 2002-08-29 06:00 1,677,824 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll
2008-08-15 09:24 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\bcmdm.sys
2008-08-15 09:23 . 2001-08-17 13:28 762,780 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\3cwmcru.sys
2008-08-15 09:22 . 2002-08-29 06:00 169,984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\iisui.dll
2008-08-15 09:22 . 2002-08-29 06:00 94,720 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\certmap.ocx
2008-08-15 09:22 . 2001-08-17 14:56 66,048 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\s3legacy.dll
2008-08-15 09:22 . 2002-08-29 06:00 19,968 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\inetsloc.dll
2008-08-15 09:22 . 2002-08-29 06:00 14,336 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\iisreset.exe
2008-08-15 09:22 . 2002-08-29 06:00 7,680 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\inetmgr.exe
2008-08-15 09:22 . 2002-08-29 06:00 7,168 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wamregps.dll
2008-08-15 09:22 . 2002-08-29 06:00 6,144 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ftpsapi2.dll
2008-08-15 09:22 . 2002-08-29 06:00 5,632 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\iisrstap.dll
2008-08-14 21:11 . 2008-08-14 21:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 16:48 . 2008-08-14 16:48 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-08-14 14:06 . 2008-05-01 09:30 331,776 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-14 12:51 . 2008-08-14 19:25 <DIR> d-------- C:\Program Files\Panda Security
2008-08-14 12:50 . 2008-08-14 16:47 <DIR> d-------- C:\WINDOWS\LastGood(2)
2008-08-14 11:05 . 2008-08-14 18:36 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-08-14 09:10 . 2008-08-14 09:10 552 --a------ C:\WINDOWS\SYSTEM32\d3d8caps.dat
2008-08-12 14:16 . 2008-08-14 16:48 <DIR> d-------- C:\WINDOWS\LMI4C.tmp
2008-08-07 14:24 . 2008-08-07 14:24 <DIR> d-------- C:\EAI
2008-08-07 14:19 . 2008-08-07 14:19 <DIR> d-------- C:\Program Files\IBM and Crayola
2008-07-28 15:13 . 2008-07-28 15:13 <DIR> d-------- C:\Program Files\lletters

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 19:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-17 03:43 --------- d-----w C:\Documents and Settings\hezekiyah\Application Data\WeatherBug
2008-08-17 03:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-16 16:28 --------- d-----w C:\Documents and Settings\eliyah\Application Data\WeatherBug
2008-08-16 12:08 --------- d-----w C:\Program Files\MUSICMATCH
2008-08-16 12:08 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-15 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-15 18:55 --------- d-----w C:\Documents and Settings\don\Application Data\WeatherBug
2008-08-15 16:58 --------- d-----w C:\Documents and Settings\debbie\Application Data\WeatherBug
2008-08-12 21:01 --------- d-----w C:\Program Files\Real
2008-08-12 21:01 --------- d-----w C:\Program Files\Common Files\Real
2008-08-12 16:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-02 17:13 --------- d-----w C:\Program Files\e-Sword
2008-07-29 11:03 --------- d-----w C:\Program Files\Norton AntiVirus
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-24 15:57 3,592,192 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-23 09:20 70,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-05-31 03:39 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-06-18 12:35 79,672 -c--a-w C:\Documents and Settings\eliyah\Application Data\GDIPFONTCACHEV1.DAT
2005-09-08 14:31 79,672 -c--a-w C:\Documents and Settings\hezekiyah\Application Data\GDIPFONTCACHEV1.DAT
2005-05-14 03:35 79,672 ----a-w C:\Documents and Settings\debbie\Application Data\GDIPFONTCACHEV1.DAT
2005-01-23 12:20 79,672 -c--a-w C:\Documents and Settings\don\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2006-04-07 16:02 1343488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 14:59 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 12:58 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-01 17:44 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 02:11 771704]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 17:44 679936]
"SlipStream"="C:\Program Files\Airstream Web Accelerator\slipcore.exe" [2006-03-06 13:18 258048]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Airstream Web Accelerator.lnk - C:\Program Files\Airstream Web Accelerator\slipgui.exe [2008-05-13 07:29:01 163840]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 cis1284;cis1284;C:\WINDOWS\System32\drivers\cis1284.sys [2001-06-26 22:00]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 16:38]
R2 WINDDX;WINDDX;C:\WINDOWS\system32\drivers\WINDDX.sys [2003-07-02 18:38]
R3 Slnt7554;USB Soft Modem Driver;C:\WINDOWS\system32\DRIVERS\slnt7554.sys [2004-08-04 01:41]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-17 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - don.job
- C:\Program Files\Norton AntiVirus\Navw32.exe [2007-01-14 04:09]

2008-08-19 C:\WINDOWS\Tasks\User_Feed_Synchronization-{FBE8D378-D2FE-49C1-9651-4871142252D0}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://home.airmail.net/src/myportal.php
R0 -: HKLM-Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R0 -: HKLM-Main,Search Bar = hxxp://ms101.mysearch.com/sa/srchlft.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

- C:\WINDOWS\Downloaded Program Files\smsx.inf

O16 -: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
C:\WINDOWS\Downloaded Program Files\RealArcadeRdxIE.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 15:03:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-19 15:09:05
ComboFix-quarantined-files.txt 2008-08-19 20:09:01

Pre-Run: 35,916,529,664 bytes free
Post-Run: 36,786,270,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

200 --- E O F --- 2008-08-16 02:28:14



Fresh HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:55 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Airstream Web Accelerator\slipcore.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Airstream Web Accelerator\slipgui.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.airmail.net/src/myportal.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5402
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:5402;*update.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;download.mcafee.com;*.phobos.apple.com;update.adobe.com;localhost;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Airstream Web Accelerator\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Airstream Web Accelerator\slipcore.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Airstream Web Accelerator.lnk = C:\Program Files\Airstream Web Accelerator\slipgui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Airstream Web Accelerator\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Airstream Web Accelerator\gui_resource.dll/328
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: http://kb.bitdefender.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182996732125
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Express Viewer Control) - http://www.autodesk.com/global/expressview...ViewerSetup.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3584CC83-C670-40F8-9A33-63328F499961}: NameServer = 64.136.173.4 64.136.164.76
O17 - HKLM\System\CS1\Services\Tcpip\..\{3584CC83-C670-40F8-9A33-63328F499961}: NameServer = 64.136.173.4 64.136.164.76
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10989 bytes

WOW! Thanks for the great start at cleaning up our mess...

:thumbsup:

#6 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal

Posted 20 August 2008 - 04:20 AM

Hi,

I see you have the Viewpoint products. Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/news/article.php/3561546

I suggest that you remove the Viewpoint products; however, decide for yourself. Please let me know about that in your next reply.
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#7 uziyah

uziyah
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:East Texas, USA
  • Local time:09:14 PM

Posted 20 August 2008 - 07:10 AM

Howdy,

I have several products that are seldom or no longer used, but didn't need anymore computer grief from their attempted removal.

In the Add/Remove programs I see only one Viewpoint product (Manager). Will removing that program remove all Viewpoint Products?

Zone Alarm, which I have not had in years, has a file I noticed in the scan. Problem?

Earlier, I had attempted to replace my existing version of SSD with SSD160 and had the program overwrite the older SSD.

Received a files are corrupted message, please obtain a new copy of the program...Now...

SS&D160 is on my desktop with a security warning that it may be blocked because it came from another computer.

Should I unblock SSD and see what happens?

I cannot run SSD, but the SSD resident is working :)

I also received an open file security warning! "C:\Program Files\Spybot-Search & Destroy\Spybot.exe" is not a valid Win32 application.

Thank you so much for continueing to help...you are appreciated :thumbsup: uziyah

#8 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal

Posted 20 August 2008 - 09:04 AM

Hi,

Please run again the ComboFix and post the results. :thumbsup:
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#9 uziyah

uziyah
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:East Texas, USA
  • Local time:09:14 PM

Posted 20 August 2008 - 07:04 PM

Thanks again PMF...Fresh ComboFix:

ComboFix 08-08-18.05 - don 2008-08-20 18:27:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1257.372.1033.18.217 [GMT -5:00]
Running from: C:\Documents and Settings\don\Desktop\ComboFix.exe
.
/wow section - STAGE 3
Ä€ was unexpected at this time.

/wow section - STAGE 4
Ä€ was unexpected at this time.


((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-18 17:51 . 2008-08-18 18:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-15 10:07 . 2008-08-15 15:20 <DIR> d-------- C:\SDFix
2008-08-15 09:39 . 2004-08-04 02:56 116,224 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxwiadr.dll
2008-08-15 09:39 . 2001-08-17 22:37 27,648 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxftplt.exe
2008-08-15 09:39 . 2001-08-17 22:36 23,040 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxwbtmp.dll
2008-08-15 09:39 . 2001-08-17 22:36 17,408 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxscnui.dll
2008-08-15 09:38 . 2001-08-17 22:37 99,865 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xlog.exe
2008-08-15 09:38 . 2002-08-29 06:00 28,288 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2008-08-15 09:38 . 2004-08-04 01:10 19,328 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wstcodec.sys
2008-08-15 09:38 . 2001-08-17 12:11 16,970 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xem336n5.sys
2008-08-15 09:38 . 2004-08-04 02:56 8,192 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wshirda.dll
2008-08-15 09:38 . 2001-08-17 22:37 4,608 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxflnch.exe
2008-08-15 09:36 . 2001-08-17 22:36 525,568 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\tridxp.dll
2008-08-15 09:35 . 2001-08-17 12:18 285,760 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\stlnata.sys
2008-08-15 09:34 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\sblfx.dll
2008-08-15 09:33 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\r2mdkxga.sys
2008-08-15 09:32 . 2001-08-17 14:05 351,616 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ovcodek2.sys
2008-08-15 09:31 . 2002-08-29 06:00 1,875,968 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex
2008-08-15 09:30 . 2002-08-29 06:00 1,158,818 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\korwbrkr.lex
2008-08-15 09:29 . 2002-08-29 06:00 471,102 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\imskdic.dll
2008-08-15 09:28 . 2002-08-29 06:00 13,463,552 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2008-08-15 09:27 . 2001-08-17 13:28 634,134 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\el656ct5.sys
2008-08-15 09:26 . 2001-08-17 12:14 952,007 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\diwan.sys
2008-08-15 09:25 . 2002-08-29 06:00 1,677,824 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll
2008-08-15 09:24 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\bcmdm.sys
2008-08-15 09:23 . 2001-08-17 13:28 762,780 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\3cwmcru.sys
2008-08-15 09:22 . 2002-08-29 06:00 169,984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\iisui.dll
2008-08-15 09:22 . 2002-08-29 06:00 94,720 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\certmap.ocx
2008-08-15 09:22 . 2001-08-17 14:56 66,048 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\s3legacy.dll
2008-08-15 09:22 . 2002-08-29 06:00 19,968 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\inetsloc.dll
2008-08-15 09:22 . 2002-08-29 06:00 14,336 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\iisreset.exe
2008-08-15 09:22 . 2002-08-29 06:00 7,680 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\inetmgr.exe
2008-08-15 09:22 . 2002-08-29 06:00 7,168 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wamregps.dll
2008-08-15 09:22 . 2002-08-29 06:00 6,144 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ftpsapi2.dll
2008-08-15 09:22 . 2002-08-29 06:00 5,632 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\iisrstap.dll
2008-08-14 21:11 . 2008-08-14 21:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 16:48 . 2008-08-14 16:48 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-08-14 14:06 . 2008-05-01 09:30 331,776 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-14 12:51 . 2008-08-14 19:25 <DIR> d-------- C:\Program Files\Panda Security
2008-08-14 12:50 . 2008-08-14 16:47 <DIR> d-------- C:\WINDOWS\LastGood(2)
2008-08-14 11:05 . 2008-08-14 18:36 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-08-14 09:10 . 2008-08-14 09:10 552 --a------ C:\WINDOWS\SYSTEM32\d3d8caps.dat
2008-08-12 14:16 . 2008-08-14 16:48 <DIR> d-------- C:\WINDOWS\LMI4C.tmp
2008-08-07 14:24 . 2008-08-07 14:24 <DIR> d-------- C:\EAI
2008-08-07 14:19 . 2008-08-07 14:19 <DIR> d-------- C:\Program Files\IBM and Crayola
2008-07-28 15:13 . 2008-07-28 15:13 <DIR> d-------- C:\Program Files\lletters

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 23:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-19 21:54 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-17 03:43 --------- d-----w C:\Documents and Settings\hezekiyah\Application Data\WeatherBug
2008-08-16 16:28 --------- d-----w C:\Documents and Settings\eliyah\Application Data\WeatherBug
2008-08-16 12:08 --------- d-----w C:\Program Files\MUSICMATCH
2008-08-16 12:08 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-15 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-15 18:55 --------- d-----w C:\Documents and Settings\don\Application Data\WeatherBug
2008-08-15 16:58 --------- d-----w C:\Documents and Settings\debbie\Application Data\WeatherBug
2008-08-12 21:01 --------- d-----w C:\Program Files\Real
2008-08-12 21:01 --------- d-----w C:\Program Files\Common Files\Real
2008-08-12 16:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-02 17:13 --------- d-----w C:\Program Files\e-Sword
2008-07-29 11:03 --------- d-----w C:\Program Files\Norton AntiVirus
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-24 15:57 3,592,192 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-23 09:20 70,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-05-31 03:39 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-06-18 12:35 79,672 -c--a-w C:\Documents and Settings\eliyah\Application Data\GDIPFONTCACHEV1.DAT
2005-09-08 14:31 79,672 -c--a-w C:\Documents and Settings\hezekiyah\Application Data\GDIPFONTCACHEV1.DAT
2005-05-14 03:35 79,672 ----a-w C:\Documents and Settings\debbie\Application Data\GDIPFONTCACHEV1.DAT
2005-01-23 12:20 79,672 -c--a-w C:\Documents and Settings\don\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-08-19_15.08.38.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-16 02:28:10 167,936 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2008-08-20 00:18:14 167,936 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2008-08-16 02:28:10 2,560 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-08-20 00:18:14 2,560 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2008-08-16 02:28:10 34,304 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-08-20 00:18:13 34,304 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2008-08-16 02:28:10 8,192 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-08-20 00:18:14 8,192 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2008-08-16 02:28:10 3,584 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-08-20 00:18:14 3,584 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2008-08-16 02:28:10 114,688 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-08-20 00:18:14 114,688 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2008-08-16 02:28:10 16,384 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-08-20 00:18:13 16,384 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2008-08-16 02:28:10 30,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2008-08-20 00:18:13 30,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2008-08-16 02:28:11 22,528 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-08-20 00:18:14 22,528 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2008-08-16 02:28:10 45,056 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-08-20 00:18:13 45,056 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2008-08-16 02:28:09 90,112 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-08-20 00:18:13 90,112 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2006-04-07 16:02 1343488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 14:59 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 12:58 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-01 17:44 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 02:11 771704]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 17:44 679936]
"SlipStream"="C:\Program Files\Airstream Web Accelerator\slipcore.exe" [2006-03-06 13:18 258048]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Airstream Web Accelerator.lnk - C:\Program Files\Airstream Web Accelerator\slipgui.exe [2008-05-13 07:29:01 163840]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 cis1284;cis1284;C:\WINDOWS\System32\drivers\cis1284.sys [2001-06-26 22:00]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 16:38]
R2 WINDDX;WINDDX;C:\WINDOWS\system32\drivers\WINDDX.sys [2003-07-02 18:38]
R3 Slnt7554;USB Soft Modem Driver;C:\WINDOWS\system32\DRIVERS\slnt7554.sys [2004-08-04 01:41]
.
Contents of the 'Scheduled Tasks' folder

2008-08-17 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - don.job
- C:\Program Files\Norton AntiVirus\Navw32.exe [2007-01-14 04:09]

2008-08-20 C:\WINDOWS\Tasks\User_Feed_Synchronization-{FBE8D378-D2FE-49C1-9651-4871142252D0}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://home.airmail.net/src/myportal.php
R0 -: HKLM-Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R0 -: HKLM-Main,Search Bar = hxxp://ms101.mysearch.com/sa/srchlft.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

- C:\WINDOWS\Downloaded Program Files\smsx.inf

O16 -: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
C:\WINDOWS\Downloaded Program Files\RealArcadeRdxIE.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 18:29:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-20 18:36:00
ComboFix-quarantined-files.txt 2008-08-20 23:35:55
ComboFix2.txt 2008-08-19 20:09:06

Pre-Run: 38,553,645,056 bytes free
Post-Run: 38,549,430,272 bytes free

202 --- E O F --- 2008-08-16 02:28:14

Muchas Gracias...uziyah :thumbsup:

Edited by uziyah, 20 August 2008 - 07:08 PM.


#10 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal

Posted 21 August 2008 - 06:40 AM

Go to Start » Run » type: Notepad » OK.
Copy (Ctrl+C) and paste (Ctrl+V) the following text inside the code box below to Notepad. (Be sure to use Notepad, not Wordpad, otherwise it won't work).
@ECHO OFF
sc stop "Viewpoint Manager Service"
sc config "Viewpoint Manager Service"= disabled
sc delete "Viewpoint Manager Service"
delete fixsvc.bat
exit
  • Click File at the top and then choose Save As.
  • Change Save As Type to All Files.
  • Name it fixsvc.bat and save it on your desktop.
  • It should look like this: Posted Image
  • Double click fixsvc.bat. A window will open and close. This is normal.
Please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove:

Viewpoint
Viewpoint Manager
Viewpoint Media Player
Viewpoit Toolbar


Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files and Folders, "if present":

C:\Program Files\Viewpoint <- this folder

Reboot normaly your PC and do an online scan with Kaspersky WebScanner

Click on Posted Image

You will be prompted to install an ActiveX component from Kaspersky, Click Posted Image
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Posted Image
  • Now click on Posted Image
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click Posted Image
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post, along whit a new HijackThis log. Also let me know how i your computer its running.

Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#11 uziyah

uziyah
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:East Texas, USA
  • Local time:09:14 PM

Posted 21 August 2008 - 08:32 PM

PMF,

Following your detailed instructions, I now have the fixsvc icon on my desktop and have removed the viewpoint manager. Thanks...

That's where the fun stopped. Have you ever wished you live near the top of a really tall building? I have been wishing that most of day. I live in the country and have dial-up. It's that or hijackable satellite. Flying at 16.8K, yes the decimal is suppose to be there, is quiet a step-down from broadband!

Following the link to Kaspersky, K informed me that I needed a newer version of Java. Following their link to Sun-Java I began the first of two four hour download attempts. How excited I was to see the Java control panel in the tray. :thumbsup:

Heading back to K, clicking on free scan to find that my computer now meets K's requirements. :)

Clicked the accept button and am greeted with... !Starting Java applet has failed! Please go online to use this program.

I am online...

Really getting a greater appreciation for what yall have trained yourselves to do. I had NO idea!

What next Commander?

#12 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal

Posted 22 August 2008 - 05:02 AM

I live in the country and have dial-up.

Ups :)

Ok lets skip that terrible part. Please post a new HijackThis log and let me know how your computer its running now.

Thanks :thumbsup:
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#13 uziyah

uziyah
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:East Texas, USA
  • Local time:09:14 PM

Posted 22 August 2008 - 08:31 AM

PMF,

Always wanting to learn, what did the applet message reveal? In the start, explore, programs, Java, it appears everything is there but the applet. Its file is empty. Should I remove Java from my CPU? How about SSD160?

If we will deal with those issues later, please let me know.

Todah...thank you...

Fresh HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:44 AM, on 8/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Airstream Web Accelerator\slipcore.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Airstream Web Accelerator\slipgui.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.airmail.net/src/myportal.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5402
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Airstream Web Accelerator\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Airstream Web Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Airstream Web Accelerator.lnk = C:\Program Files\Airstream Web Accelerator\slipgui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Airstream Web Accelerator\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Airstream Web Accelerator\gui_resource.dll/328
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: http://kb.bitdefender.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182996732125
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Express Viewer Control) - http://www.autodesk.com/global/expressview...ViewerSetup.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3584CC83-C670-40F8-9A33-63328F499961}: NameServer = 64.136.173.5 64.136.164.77
O17 - HKLM\System\CS1\Services\Tcpip\..\{3584CC83-C670-40F8-9A33-63328F499961}: NameServer = 64.136.173.5 64.136.164.77
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 11024 bytes

Thanks again... :thumbsup: uziyah

p.s. Windows Security Center is still being shut-down...

Edited by uziyah, 22 August 2008 - 08:40 AM.


#14 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal

Posted 22 August 2008 - 09:17 AM

Hi,

SSD, are you talking about Solid-state Storage Device?

We will take care abou Java issue, later. Now we have to clean your PC, still show an adware.

Please delete your old version of Combofix and download and run again, please.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#15 uziyah

uziyah
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:East Texas, USA
  • Local time:09:14 PM

Posted 22 August 2008 - 12:59 PM

Howdy,

Sorry...SSD is Spybot-Search & Destroy, here: [post="http://www.spybot.info/en/home/index.html"]Spybot- Search & Destroy[/post]

Went to start, explore, programs, located it, but would not allow delete.

ComboFix Log:

ComboFix 08-08-21.02 - don 2008-08-22 12:24:29.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1257.372.1033.18.211 [GMT -5:00]
Running from: C:\Documents and Settings\don\Desktop\ComboFix.exe
* Created a new restore point
.
/wow section - STAGE 3
Ā was unexpected at this time.

/wow section - STAGE 4
Ā was unexpected at this time.


((((((((((((((((((((((((( Files Created from 2008-07-22 to 2008-08-22 )))))))))))))))))))))))))))))))
.

2008-08-21 19:33 . 2008-08-21 19:33 <DIR> d-------- C:\WINDOWS\Sun
2008-08-21 18:18 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-08-21 18:17 . 2008-08-21 18:18 <DIR> d-------- C:\Program Files\Java
2008-08-21 15:38 . 2008-08-21 15:38 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-18 17:51 . 2008-08-18 18:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-15 10:07 . 2008-08-15 15:20 <DIR> d-------- C:\SDFix
2008-08-15 09:39 . 2004-08-04 02:56 116,224 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxwiadr.dll
2008-08-15 09:39 . 2001-08-17 22:37 27,648 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxftplt.exe
2008-08-15 09:39 . 2001-08-17 22:36 23,040 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxwbtmp.dll
2008-08-15 09:39 . 2001-08-17 22:36 17,408 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxscnui.dll
2008-08-15 09:38 . 2001-08-17 22:37 99,865 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xlog.exe
2008-08-15 09:38 . 2002-08-29 06:00 28,288 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2008-08-15 09:38 . 2004-08-04 01:10 19,328 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wstcodec.sys
2008-08-15 09:38 . 2001-08-17 12:11 16,970 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xem336n5.sys
2008-08-15 09:38 . 2004-08-04 02:56 8,192 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wshirda.dll
2008-08-15 09:38 . 2001-08-17 22:37 4,608 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxflnch.exe
2008-08-15 09:36 . 2001-08-17 22:36 525,568 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\tridxp.dll
2008-08-15 09:35 . 2001-08-17 12:18 285,760 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\stlnata.sys
2008-08-15 09:34 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\sblfx.dll
2008-08-15 09:33 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\r2mdkxga.sys
2008-08-15 09:32 . 2001-08-17 14:05 351,616 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ovcodek2.sys
2008-08-15 09:31 . 2002-08-29 06:00 1,875,968 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex
2008-08-15 09:30 . 2002-08-29 06:00 1,158,818 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\korwbrkr.lex
2008-08-15 09:29 . 2002-08-29 06:00 471,102 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\imskdic.dll
2008-08-15 09:28 . 2002-08-29 06:00 13,463,552 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2008-08-15 09:27 . 2001-08-17 13:28 634,134 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\el656ct5.sys
2008-08-15 09:26 . 2001-08-17 12:14 952,007 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\diwan.sys
2008-08-15 09:25 . 2002-08-29 06:00 1,677,824 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll
2008-08-15 09:24 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\bcmdm.sys
2008-08-15 09:23 . 2001-08-17 13:28 762,780 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\3cwmcru.sys
2008-08-15 09:22 . 2002-08-29 06:00 169,984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\iisui.dll
2008-08-15 09:22 . 2002-08-29 06:00 94,720 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\certmap.ocx
2008-08-15 09:22 . 2001-08-17 14:56 66,048 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\s3legacy.dll
2008-08-15 09:22 . 2002-08-29 06:00 19,968 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\inetsloc.dll
2008-08-15 09:22 . 2002-08-29 06:00 14,336 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\iisreset.exe
2008-08-15 09:22 . 2002-08-29 06:00 7,680 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\inetmgr.exe
2008-08-15 09:22 . 2002-08-29 06:00 7,168 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wamregps.dll
2008-08-15 09:22 . 2002-08-29 06:00 6,144 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ftpsapi2.dll
2008-08-15 09:22 . 2002-08-29 06:00 5,632 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\iisrstap.dll
2008-08-14 21:11 . 2008-08-14 21:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 16:48 . 2008-08-14 16:48 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-08-14 14:06 . 2008-05-01 09:30 331,776 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-14 12:50 . 2008-08-14 16:47 <DIR> d-------- C:\WINDOWS\LastGood(2)
2008-08-14 11:05 . 2008-08-14 18:36 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-08-14 09:10 . 2008-08-14 09:10 552 --a------ C:\WINDOWS\SYSTEM32\d3d8caps.dat
2008-08-12 14:16 . 2008-08-14 16:48 <DIR> d-------- C:\WINDOWS\LMI4C.tmp
2008-08-07 14:24 . 2008-08-07 14:24 <DIR> d-------- C:\EAI
2008-08-07 14:19 . 2008-08-07 14:19 <DIR> d-------- C:\Program Files\IBM and Crayola
2008-07-28 15:13 . 2008-07-28 15:13 <DIR> d-------- C:\Program Files\lletters

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 11:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-21 11:00 --------- d-----w C:\Documents and Settings\don\Application Data\WeatherBug
2008-08-19 21:54 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-17 03:43 --------- d-----w C:\Documents and Settings\hezekiyah\Application Data\WeatherBug
2008-08-16 16:28 --------- d-----w C:\Documents and Settings\eliyah\Application Data\WeatherBug
2008-08-16 12:08 --------- d-----w C:\Program Files\MUSICMATCH
2008-08-16 12:08 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-15 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-15 16:58 --------- d-----w C:\Documents and Settings\debbie\Application Data\WeatherBug
2008-08-12 21:01 --------- d-----w C:\Program Files\Real
2008-08-12 21:01 --------- d-----w C:\Program Files\Common Files\Real
2008-08-12 16:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-02 17:13 --------- d-----w C:\Program Files\e-Sword
2008-07-29 11:03 --------- d-----w C:\Program Files\Norton AntiVirus
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-24 15:57 3,592,192 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-23 09:20 70,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-05-31 03:39 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-06-18 12:35 79,672 -c--a-w C:\Documents and Settings\eliyah\Application Data\GDIPFONTCACHEV1.DAT
2005-09-08 14:31 79,672 -c--a-w C:\Documents and Settings\hezekiyah\Application Data\GDIPFONTCACHEV1.DAT
2005-05-14 03:35 79,672 ----a-w C:\Documents and Settings\debbie\Application Data\GDIPFONTCACHEV1.DAT
2005-01-23 12:20 79,672 -c--a-w C:\Documents and Settings\don\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-08-19_15.08.38.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-16 02:28:10 167,936 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2008-08-20 00:18:14 167,936 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2008-08-16 02:28:10 2,560 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-08-20 00:18:14 2,560 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2008-08-16 02:28:10 34,304 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-08-20 00:18:13 34,304 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2008-08-16 02:28:10 8,192 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-08-20 00:18:14 8,192 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2008-08-16 02:28:10 3,584 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-08-20 00:18:14 3,584 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2008-08-16 02:28:10 114,688 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-08-20 00:18:14 114,688 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2008-08-16 02:28:10 16,384 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-08-20 00:18:13 16,384 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2008-08-16 02:28:10 30,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2008-08-20 00:18:13 30,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2008-08-16 02:28:11 22,528 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-08-20 00:18:14 22,528 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2008-08-16 02:28:10 45,056 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-08-20 00:18:13 45,056 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2008-08-16 02:28:09 90,112 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-08-20 00:18:13 90,112 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-06-10 06:21:01 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-06-10 06:21:04 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-06-10 07:32:34 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2006-04-07 16:02 1343488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 14:59 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 12:58 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-01 17:44 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 02:11 771704]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 17:44 679936]
"SlipStream"="C:\Program Files\Airstream Web Accelerator\slipcore.exe" [2006-03-06 13:18 258048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Airstream Web Accelerator.lnk - C:\Program Files\Airstream Web Accelerator\slipgui.exe [2008-05-13 07:29:01 163840]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 cis1284;cis1284;C:\WINDOWS\System32\drivers\cis1284.sys [2001-06-26 22:00]
R2 WINDDX;WINDDX;C:\WINDOWS\system32\drivers\WINDDX.sys [2003-07-02 18:38]
R3 Slnt7554;USB Soft Modem Driver;C:\WINDOWS\system32\DRIVERS\slnt7554.sys [2004-08-04 01:41]
.
Contents of the 'Scheduled Tasks' folder

2008-08-17 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - don.job
- C:\Program Files\Norton AntiVirus\Navw32.exe [2007-01-14 04:09]

2008-08-22 C:\WINDOWS\Tasks\User_Feed_Synchronization-{FBE8D378-D2FE-49C1-9651-4871142252D0}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://home.airmail.net/src/myportal.php
R0 -: HKLM-Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R0 -: HKLM-Main,Search Bar = hxxp://ms101.mysearch.com/sa/srchlft.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

- C:\WINDOWS\Downloaded Program Files\smsx.inf

O16 -: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
C:\WINDOWS\Downloaded Program Files\RealArcadeRdxIE.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 12:27:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-22 12:33:42
ComboFix-quarantined-files.txt 2008-08-22 17:33:37
ComboFix2.txt 2008-08-20 23:36:01
ComboFix3.txt 2008-08-19 20:09:06

Pre-Run: 38,300,106,752 bytes free
Post-Run: 38,319,501,312 bytes free

207 --- E O F --- 2008-08-16 02:28:14

Thanks again...blood pressure much better today :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users