 Win32.TDSS.rtk infection keeps coming back |
Welcome Guest ( Log In | Click here to Register a free account now! )
Register a free account to unlock additional features at BleepingComputer.com
Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Forum Guidelines
Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.
Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help DO NOT post a ComboFix log unless requested to. Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log. When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc. Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  |
 Jun 30 2009, 04:13 PM
Post
#1
|
|
|
New Member  Group: Members Posts: 10 Joined: 30-June 09 From: Vermont Member No.: 346,844  |
A good deal of internet research on this rootkit took me to this fine forum to ask for help. I have used good info found while browsing this forum to rid the machine of other pesky malware, but this one is beyond my capabilities. I'd appreciate any assistance. Here's my DDS log file: DDS (Ver_09-06-26.01) - NTFSx86 Run by Owner at 15:57:37.87 on Tue 06/30/2009 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1465 [GMT -4:00] AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINNT\system32\svchost -k DcomLaunch svchost.exe C:\WINNT\System32\svchost.exe -k netsvcs C:\WINNT\system32\svchost.exe -k WudfServiceGroup svchost.exe C:\WINNT\Explorer.EXE svchost.exe C:\WINNT\system32\LEXBCES.EXE C:\WINNT\system32\spoolsv.exe C:\WINNT\system32\LEXPPS.EXE svchost.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINNT\system32\svchost.exe -k hpdevmgmt C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\WINNT\System32\svchost.exe -k HPZ12 C:\WINNT\System32\svchost.exe -k HPZ12 C:\WINNT\System32\svchost.exe -k imgsvc C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINNT\system32\SearchIndexer.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINNT\system32\SK9910DM.EXE C:\WINNT\GWMDMMSG.exe C:\WINNT\system32\atwtusb.exe C:\WINNT\system32\RUNDLL32.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe C:\WINNT\system32\ctfmon.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe C:\Documents and Settings\Owner\Desktop\Security\dds.scr ============== Pseudo HJT Report =============== uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uSearch Bar = hxxp://www.google.com/ie uStart Page = hxxp://forecast.weather.gov/MapClick.php?site=BTV&llon=-73.272083&rlon=-72.609583&tlat=44.727917&blat=44.065417&smap=1&mp=1&map.x=110&map.y=88 uSearchURL,(Default) = hxxp://www.google.com/search?q=%s BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll BHO: {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No File BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: {70AA65F2-2221-4BAE-8A26-B9F10AABFCEF} - No File BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll TB: {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No File TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe uRun: [NvMediaCenter] RUNDLL32.EXE c:\winnt\system32\NVMCTRAY.DLL,NvTaskbarInit uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe uRunOnce: [Shockwave Updater] c:\winnt\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; JUNO; GTB5; .NET CLR 1.0.3705; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.shockwave.com/content/burninrubber2/sis/BurninRubber2.dcr" mRun: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE mRun: [GWMDMpi] c:\winnt\GWMDMpi.exe mRun: [GWMDMMSG] GWMDMMSG.exe mRun: [atwtusb] atwtusb.exe beta mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /install mRun: [NvMediaCenter] RUNDLL32.EXE c:\winnt\system32\NvMcTray.dll,NvTaskbarInit mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRunOnce: [0000 - c:\documents and settings\owner\start menu\programs\hp deskjet 810c series v11.1] c:\winnt\system32\command.com /c rmdir "c:\documents and settings\owner\start menu\programs\HP DeskJet 810C Series v11.1" StartupFolder: c:\docume~1\owner\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\owner\application data\leadertech\powerregister\Seagate 2GEVZBMW Product Registration.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google updater\GoogleUpdater.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe IE: {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - c:\program files\verizon online\verizon online control pad\VerizonControlPad.Exe IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_14.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204 DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - hxxp://www.pcpitstop.com/internet/pcpConnCheck.cab DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1097055904031 DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab DPF: {511073AD-BE56-4D43-AE68-93390514385E} - hcp://system/TechTools.CAB DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - hxxp://www.pcpitstop.com/pestscan/pestscan.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228674274203 DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228674255953 DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} - hcp://system/RunExeActiveX.CAB DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} - hcp://system/StartFirstControl.CAB DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - hxxps://www-secure.symantec.com/techsupp/activedata/ActiveData.cab DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll Handler: junomsg - {C4D10830-379D-11d4-9B2D-00C04F1579A5} - c:\program files\juno\bin\jmsgpph.dll Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: avgrsstarter - avgrsstx.dll Notify: awtuuVop - awtuuVop.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll LSA: Authentication Packages = msv1_0 c:\winnt\system32\geBuVNFU LSA: Notification Packages = :\winnt\system32\srrstr.dll scecli ============= SERVICES / DRIVERS =============== R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [2009-1-11 325896] R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\winnt\system32\drivers\avgmfx86.sys [2009-1-11 27784] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-11 298776] R2 BBFat.VxD;BlueBird DSP API;c:\winnt\system32\drivers\BBFat.sys [2002-8-19 7808] R2 mrtRate;mrtRate;c:\winnt\system32\drivers\MrtRate.sys [2003-1-22 34712] R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [2003-1-22 6736] R2 Viewpoint Service;Viewpoint Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-10 30152] R2 WinDriver;WinDriver;c:\winnt\system32\drivers\windrvr.sys [2003-1-31 205220] S2 gupdate1c9cfd6ade0b7ca;Google Update Service (gupdate1c9cfd6ade0b7ca);c:\program files\google\update\GoogleUpdate.exe [2009-5-8 133104] S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\qctest\pcdoc\pcdrdrv.sys --> c:\atf\qctest\pcdoc\PCDRDRV.sys [?] S4 AloPar;AloPar;c:\winnt\system32\drivers\AloPar.sys [2003-2-1 4112] =============== Created Last 30 ================ 2009-06-29 20:41 <DIR> --ds---- C:\Combo-Fix 2009-06-29 19:19 1,891 a------- c:\winnt\wincmd.ini 2009-06-29 19:19 545 a------- c:\winnt\UC.PIF 2009-06-29 19:19 545 a------- c:\winnt\RAR.PIF 2009-06-29 19:19 545 a------- c:\winnt\PKZIP.PIF 2009-06-29 19:19 545 a------- c:\winnt\PKUNZIP.PIF 2009-06-29 19:19 545 a------- c:\winnt\NOCLOSE.PIF 2009-06-29 19:19 545 a------- c:\winnt\LHA.PIF 2009-06-29 19:19 545 a------- c:\winnt\ARJ.PIF 2009-06-29 19:19 <DIR> --d----- C:\totalcmd 2009-06-29 19:12 <DIR> --d----- C:\Total Commander 2009-06-29 16:39 <DIR> --d----- c:\program files\common files\xing shared 2009-06-27 15:08 <DIR> --dsh--- c:\winnt\ftpcache 2009-06-27 09:06 327,688 a------- c:\winnt\system32\drivers\avgldx86.sys.prepare 2009-06-27 09:06 27,784 a------- c:\winnt\system32\drivers\avgmfx86.sys.prepare 2009-06-27 09:06 11,952 a------- c:\winnt\system32\avgrsstx.dll.prepare 2009-06-26 12:09 246,272 -------- c:\winnt\system32\dllcache\ieproxy.dll 2009-06-26 12:09 12,800 -------- c:\winnt\system32\dllcache\xpshims.dll 2009-06-25 21:49 <DIR> --d----- c:\program files\iPod 2009-06-25 21:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-06-21 15:42 118,272 a------- c:\winnt\system32\hpz3l696.dll 2009-06-21 15:42 974,848 a----r-- c:\winnt\system32\hpost_p01c.dll 2009-06-21 15:42 737,280 a----r-- c:\winnt\system32\hposwia_p01c.dll 2009-06-21 15:42 307,200 a----r-- c:\winnt\system32\hposc_p01a.dll 2009-06-21 15:40 <DIR> --d----- c:\program files\common files\HP 2009-06-21 15:31 150,623 a------- c:\winnt\hpoins33.dat 2009-06-21 15:31 1,008 -------- c:\winnt\hpomdl33.dat 2009-06-20 11:20 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes 2009-06-20 11:20 38,160 a------- c:\winnt\system32\drivers\mbamswissarmy.sys 2009-06-20 11:20 19,096 a------- c:\winnt\system32\drivers\mbam.sys 2009-06-20 11:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-06-20 11:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes 2009-06-10 12:51 <DIR> --d----- c:\program files\Viewpoint ==================== Find3M ==================== 2009-06-29 20:13 393,202 a------- c:\winnt\pchealth\helpctr\config\cache\Personal_32_1033.dat 2009-06-29 16:39 348,160 a------- c:\winnt\system32\msvcr71.dll 2009-05-25 00:24 350,208 -------- c:\winnt\system32\mssph.dll 2009-05-21 11:33 410,984 a------- c:\winnt\system32\deploytk.dll 2009-05-13 01:15 5,936,128 a------- c:\winnt\system32\dllcache\mshtml.dll 2009-05-13 01:15 915,456 a------- c:\winnt\system32\wininet.dll 2009-05-13 01:15 915,456 a------- c:\winnt\system32\dllcache\wininet.dll 2009-05-12 01:11 102,912 -------- c:\winnt\system32\dllcache\iecompat.dll 2009-05-11 08:36 11,952 a------- c:\winnt\system32\avgrsstx.dll 2009-05-11 08:36 325,896 a------- c:\winnt\system32\drivers\avgldx86.sys 2009-05-07 11:32 345,600 a------- c:\winnt\system32\localspl.dll 2009-05-07 11:32 345,600 -------- c:\winnt\system32\dllcache\localspl.dll 2009-04-30 17:22 1,985,024 a------- c:\winnt\system32\dllcache\iertutil.dll 2009-04-30 17:22 11,064,832 a------- c:\winnt\system32\dllcache\ieframe.dll 2009-04-30 17:22 1,207,808 a------- c:\winnt\system32\dllcache\urlmon.dll 2009-04-30 17:22 25,600 a------- c:\winnt\system32\dllcache\jsproxy.dll 2009-04-30 17:22 385,536 a------- c:\winnt\system32\dllcache\iedkcs32.dll 2009-04-30 07:21 173,056 a------- c:\winnt\system32\dllcache\ie4uinit.exe 2009-04-17 08:26 1,847,168 a------- c:\winnt\system32\win32k.sys 2009-04-17 08:26 1,847,168 -------- c:\winnt\system32\dllcache\win32k.sys 2009-04-15 10:51 585,216 a------- c:\winnt\system32\rpcrt4.dll 2009-04-15 10:51 585,216 -------- c:\winnt\system32\dllcache\rpcrt4.dll 2007-07-08 07:45 104,072 -------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT 2002-09-07 02:47 144 -------- c:\program files\pcdocrx_order.html 2001-03-11 07:59 766 -------- c:\program files\pcdoc.ico ============= FINISH: 15:58:33.51 ===============
Attached File(s)
|
 |
 
|
|
Jun 30 2009, 09:01 PM
Post
#2
|
|
 Bleepin' Texan! Group: Malware Response Instructor Posts: 14,170 Joined: 5-April 06 From: Planet Texas! Member No.: 62,846 |
Hello Salar,
 You have more going on here than just the rootkit. I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that!  Tea Timer especially needs to be disabled.This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix. 1. Download this file - combofix.exe http://download.bleepingcomputer.com/sUBs/ComboFix.exe http://www.forospyware.com/sUBs/ComboFix.exe http://subs.geekstogo.com/ComboFix.exe 2. Double click combofix.exe & follow the prompts. 3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log. Note: Do not mouseclick combofix's window while it's running. That may cause it to stall. Please do this: 1. Download HijackThis™ here: http://www.trendsecure.com/portal/en-US/th.../hijackthis.php 2. Click 'Do a System Scan and Save log'. The HJT log will open in notepad. Thanks, tea -------------------- Please make a donation so I can keep helping people just like you. Every little bit helps! :) You can even use your credit card! Thank you!    Error reading poptart in Drive A: Delete kids y/n? PopTartFixIt2 ============= POPTART ================ Poptart successfully found and removed. ================ KIDS ================ Kid ... Maxwell O'Neal deleted successfully. Kid ... Billy O'Neal deleted successfully. ========== FINISHED! TERMINATE! ========== Tool by Billy3 |
|
|
|
|
Jul 1 2009, 10:48 AM
Post
#3
|
|
|
New Member Group: Members Posts: 10 Joined: 30-June 09 From: Vermont Member No.: 346,844 |
Hello Tea,
Thank you for the reply. My ComboFix and HijackThis logs follow. Note that ComboFix prompted me to install Microsoft Windows Recovery Console, but since I was unsure about the necessity of this, I elected not to do so. Please advise. ComboFix 09-06-29.07 - Owner 07/01/2009 10:51.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1623 [GMT -4:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\winnt\system32\drivers\UACpfmlwmqbwemovns.sys c:\winnt\system32\powercfg.dll c:\winnt\system32\system c:\winnt\system32\system\msxml4.dll c:\winnt\system32\system\msxml4r.dll c:\winnt\system32\UACcfyxfymsntyqjxt.dll c:\winnt\system32\UACurqxdnmgriwaerd.dat . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_UACd.sys -------\Legacy_WINDRIVER -------\Service_WinDriver ((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 ))))))))))))))))))))))))))))))) . 2009-07-01 13:22 . 2009-06-28 12:16 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll 2009-07-01 13:22 . 2009-06-28 12:16 587032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe 2009-07-01 13:22 . 2009-06-28 12:16 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll 2009-07-01 13:22 . 2009-06-28 12:16 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe 2009-06-30 00:41 . 2009-06-30 00:48 -------- d-s---w- C:\Combo-Fix 2009-06-29 23:19 . 2009-06-29 23:25 -------- d-----w- C:\totalcmd 2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\UC.PIF 2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\RAR.PIF 2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\PKZIP.PIF 2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\PKUNZIP.PIF 2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\NOCLOSE.PIF 2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\LHA.PIF 2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\ARJ.PIF 2009-06-29 23:12 . 2009-06-29 23:24 -------- d-----w- C:\Total Commander 2009-06-29 21:02 . 2009-06-29 21:02 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe 2009-06-29 21:02 . 2009-06-29 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2009-06-29 21:02 . 2009-06-29 21:28 -------- d-----w- c:\program files\NOS 2009-06-29 20:39 . 2009-06-29 20:39 -------- d-----w- c:\program files\Common Files\xing shared 2009-06-29 20:37 . 2009-06-29 20:37 390664 ----a-w- c:\documents and settings\Owner\Application Data\Real\RealPlayer\setup\AU_setup.exe 2009-06-27 19:08 . 2009-06-29 17:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations 2009-06-27 19:08 . 2009-06-27 19:08 -------- d-sh--w- c:\winnt\ftpcache 2009-06-27 19:08 . 2009-01-16 07:19 1731736 ----a-w- c:\documents and settings\Owner\Application Data\Leadertech\PowerRegister\Seagate 2GEVZBMW Product Registration.exe 2009-06-27 13:08 . 2009-06-27 13:08 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR 2009-06-26 22:21 . 2009-06-26 22:21 -------- d-sh--w- c:\documents and settings\Default User\IETldCache 2009-06-26 16:09 . 2009-04-30 21:22 12800 ------w- c:\winnt\system32\dllcache\xpshims.dll 2009-06-26 16:09 . 2009-04-30 21:22 246272 ------w- c:\winnt\system32\dllcache\ieproxy.dll 2009-06-26 01:49 . 2009-06-26 01:49 -------- d-----w- c:\program files\iPod 2009-06-26 01:49 . 2009-06-26 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-06-26 01:40 . 2009-06-26 01:40 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe 2009-06-21 20:07 . 2009-07-01 13:49 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData 2009-06-21 19:48 . 2009-06-21 19:48 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\HP 2009-06-21 19:45 . 2009-06-21 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant 2009-06-21 19:42 . 2008-10-28 16:49 118272 ----a-w- c:\winnt\system32\hpz3l696.dll 2009-06-21 19:42 . 2008-10-30 07:18 737280 ----a-r- c:\winnt\system32\hposwia_p01c.dll 2009-06-21 19:42 . 2008-10-30 07:18 974848 ----a-r- c:\winnt\system32\hpost_p01c.dll 2009-06-21 19:42 . 2008-10-30 07:18 307200 ----a-r- c:\winnt\system32\hposc_p01a.dll 2009-06-21 19:40 . 2009-06-21 19:40 -------- d-----w- c:\program files\Common Files\HP 2009-06-21 19:40 . 2009-06-21 19:40 -------- d-----w- c:\program files\Hewlett-Packard 2009-06-21 19:31 . 2009-06-21 20:02 150623 ----a-w- c:\winnt\hpoins33.dat 2009-06-21 19:31 . 2008-12-10 20:49 1008 ------w- c:\winnt\hpomdl33.dat 2009-06-20 15:20 . 2009-06-20 15:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes 2009-06-20 15:20 . 2009-06-17 15:27 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys 2009-06-20 15:20 . 2009-06-20 15:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-06-20 15:20 . 2009-06-20 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-06-20 15:20 . 2009-06-17 15:27 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys 2009-06-12 23:11 . 2009-06-12 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA 2009-06-10 16:51 . 2009-06-10 16:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Viewpoint 2009-06-10 16:51 . 2009-06-10 16:51 -------- d-----w- c:\program files\Viewpoint 2009-06-10 11:03 . 2009-06-10 11:03 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll 2009-06-05 01:33 . 2009-06-05 01:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2009-06-03 21:54 . 2009-06-03 21:54 -------- d-sh--w- c:\winnt\system32\config\systemprofile\IETldCache . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-07-01 13:22 . 2009-06-27 13:06 327688 ----a-w- c:\winnt\system32\drivers\avgldx86.sys.prepare 2009-07-01 13:22 . 2009-06-27 13:06 27784 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys.prepare 2009-06-30 00:13 . 2008-04-23 03:05 393202 ----a-w- c:\winnt\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat 2009-06-29 21:35 . 2004-04-24 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-06-29 21:06 . 2004-04-21 18:44 -------- d-----w- c:\program files\Common Files\Adobe 2009-06-29 20:39 . 2003-01-23 02:10 -------- d-----w- c:\program files\Common Files\Real 2009-06-29 20:39 . 2003-02-21 09:42 348160 ----a-w- c:\winnt\system32\msvcr71.dll 2009-06-29 20:23 . 2005-02-13 16:28 -------- d-----w- c:\program files\Java 2009-06-29 19:01 . 2003-01-23 02:09 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-06-28 19:32 . 2008-05-16 13:31 -------- d-----w- c:\program files\SpywareBlaster 2009-06-27 20:06 . 2003-02-02 12:45 111760 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-06-27 18:41 . 2007-12-13 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2009-06-27 18:39 . 2003-01-23 02:13 -------- d-----w- c:\program files\Microsoft Works 2009-06-27 13:23 . 2009-01-11 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-06-26 22:23 . 2007-12-22 13:00 -------- d-----w- c:\program files\Windows Desktop Search 2009-06-26 01:49 . 2007-07-05 16:43 -------- d-----w- c:\program files\iTunes 2009-06-26 01:49 . 2007-07-05 16:42 -------- d-----w- c:\program files\Common Files\Apple 2009-06-26 01:47 . 2005-09-26 15:11 -------- d-----w- c:\program files\QuickTime 2009-06-21 19:47 . 2007-12-04 15:40 -------- d-----w- c:\documents and settings\Owner\Application Data\HP 2009-06-21 19:47 . 2007-12-04 15:31 -------- d-----w- c:\program files\HP 2009-06-21 19:45 . 2007-12-04 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\HP 2009-06-10 16:51 . 2004-08-05 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint 2009-05-25 04:24 . 2008-05-27 02:18 350208 ------w- c:\winnt\system32\mssph.dll 2009-05-25 01:51 . 2007-04-15 16:09 -------- d--h--w- c:\documents and settings\Owner\Application Data\Move Networks 2009-05-21 15:33 . 2009-01-17 14:31 410984 ----a-w- c:\winnt\system32\deploytk.dll 2009-05-20 18:13 . 2007-10-10 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-05-13 05:15 . 2004-09-26 23:39 915456 ----a-w- c:\winnt\system32\wininet.dll 2009-05-11 12:36 . 2009-01-11 09:22 11952 ----a-w- c:\winnt\system32\avgrsstx.dll 2009-05-11 12:36 . 2009-01-11 09:22 325896 ----a-w- c:\winnt\system32\drivers\avgldx86.sys 2009-05-11 12:36 . 2009-01-11 09:22 27784 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys 2009-05-10 14:20 . 2009-05-10 14:20 127877 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe 2009-05-10 14:20 . 2009-05-01 06:30 4183416 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071500000347.dll 2009-05-10 14:20 . 2009-05-10 14:19 1685856 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWin_071500000347.exe 2009-05-10 01:21 . 2007-11-15 16:56 -------- d-----w- c:\program files\Jasc Software Inc 2009-05-10 01:16 . 2009-05-10 01:16 57344 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}\DPS_SMLink.CAA7B2BB_F373_4C0B_8C62_D4147E5C816B.exe 2009-05-10 01:16 . 2009-05-10 01:16 57344 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}\DPS_DTLink.CAA7B2BB_F373_4C0B_8C62_D4147E5C816B.exe 2009-05-08 12:16 . 2004-05-08 00:11 -------- d-----w- c:\program files\Google 2009-05-07 15:32 . 2004-09-26 23:39 345600 ----a-w- c:\winnt\system32\localspl.dll 2009-05-04 21:18 . 2009-05-04 21:18 390664 ----a-w- c:\documents and settings\Owner\Application Data\Real\RealPlayer\Update\RealPlayer11.exe 2009-05-01 06:30 . 2009-05-01 06:30 97144 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe 2009-04-23 00:08 . 2009-04-23 00:08 15340 ----a-w- C:\gtm6F.tmp 2009-04-17 12:26 . 2004-09-26 23:39 1847168 ----a-w- c:\winnt\system32\win32k.sys 2009-04-15 14:51 . 2004-09-26 23:40 585216 ----a-w- c:\winnt\system32\rpcrt4.dll 2002-09-07 06:47 . 2004-04-25 14:26 144 ------w- c:\program files\pcdocrx_order.html 2001-03-11 11:59 . 2004-04-25 14:26 766 ------w- c:\program files\pcdoc.ico . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2003-01-23 02:11 . 2002-07-17 02:21 28672 c:\program files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe 2005-09-09 00:13 . 2005-09-09 00:13 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe 2008-02-09 14:52 . 2009-06-29 20:39 198160 c:\program files\Common Files\Real\Update_OB\realsched.exe 2003-11-10 13:30 . 2006-03-09 15:47 71328 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe 2005-12-29 16:56 . 2004-12-02 22:23 102400 c:\program files\Creative\MediaSource\Detector\bak\CTDetect.exe 2007-06-28 13:14 . 2007-06-28 13:14 270648 c:\program files\iTunes\bak\iTunesHelper.exe 2009-06-05 17:39 . 2009-06-05 17:39 292136 c:\program files\iTunes\iTunesHelper.exe 2005-05-14 12:51 . 2006-11-07 20:41 8192 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe 2003-01-23 02:10 . 2001-08-01 18:30 94208 c:\program files\QUICKENW\bak\QAGENT.EXE 2007-04-27 13:41 . 2007-04-27 13:41 282624 c:\program files\QuickTime\bak\qttask.exe 2009-05-26 21:18 . 2009-05-26 21:18 413696 c:\program files\QuickTime\QTTask.exe 2007-03-11 21:37 . 2007-03-11 21:37 936960 c:\program files\Verizon\bak\McciTrayApp.exe 2006-10-19 00:05 . 2006-10-19 00:05 204288 c:\program files\Windows Media Player\bak\WMPNSCFG.exe 2006-10-19 01:05 . 2006-10-19 01:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe 2003-01-23 02:09 . 2002-08-06 21:24 53248 c:\winnt\bak\GWMDMpi.exe 2007-10-27 15:00 . 2002-08-06 21:24 53248 c:\winnt\GWMDMpi.exe 2004-09-26 23:40 . 2004-08-04 07:56 15360 c:\winnt\system32\bak\ctfmon.exe 2004-09-26 23:40 . 2008-04-14 00:12 15360 c:\winnt\system32\ctfmon.exe 2006-02-26 19:29 . 2006-01-12 19:40 155648 c:\winnt\system32\bak\NeroCheck.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360] "NvMediaCenter"="c:\winnt\system32\NVMCTRAY.DLL" [2003-07-28 49152] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] "Shockwave Updater"="c:\winnt\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; JUNO; GTB5; .NET CLR 1.0.3705; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET" [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "GWMDMpi"="c:\winnt\GWMDMpi.exe" [2002-08-06 53248] "NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2003-07-28 4841472] "NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2003-07-28 49152] "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-11 1947928] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-29 198160] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696] "Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\winnt\system32\SK9910DM.EXE [2001-01-03 66048] "GWMDMMSG"="GWMDMMSG.exe" - c:\winnt\GWMDMMSG.exe [2002-08-06 90112] "atwtusb"="atwtusb.exe" - c:\winnt\system32\atwtusb.exe [2002-11-21 188416] "nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2003-07-28 323584] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] "0000 - c:\documents and settings\Owner\Start Menu\Programs\HP DeskJet 810C Series v11.1"="c:\winnt\system32\command.com" [2002-08-29 50620] c:\documents and settings\Owner\Start Menu\Programs\Startup\ Seagate 2GEVZBMW Product Registration.lnk - c:\documents and settings\Owner\Application Data\Leadertech\PowerRegister\Seagate 2GEVZBMW Product Registration.exe [2009-6-27 1731736] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Google Updater.lnk - c:\program files\Google\Google Updater\GoogleUpdater.exe [2007-10-10 126136] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360] Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-05-11 12:36 11952 ----a-w- c:\winnt\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AloPar.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Parallel Arbitrator] @="Driver Group" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice] @="" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CADIX Screen Saver Control.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CADIX Screen Saver Control.lnk backup=c:\winnt\pss\CADIX Screen Saver Control.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk backup=c:\winnt\pss\Image Transfer.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=c:\winnt\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reminder-hpc41004.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Reminder-hpc41004.lnk backup=c:\winnt\pss\Reminder-hpc41004.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk backup=c:\winnt\pss\Verizon Online Support Center.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Quick StartUp.lnk] path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Quick StartUp.lnk backup=c:\winnt\pss\Quick StartUp.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Start.lnk] path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Start.lnk backup=c:\winnt\pss\Start.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Speed Disk service"=2 (0x2) "Creative Service for CDROM Access"=2 (0x2) "PrismXL"=2 (0x2) "Apple Mobile Device"=2 (0x2) "LightScribeService"=3 (0x3) "iPod Service"=3 (0x3) "Bonjour Service"=2 (0x2) "WMPNetworkSvc"=2 (0x2) "RPSUpdaterR"=3 (0x3) "ose"=3 (0x3) "odserv"=3 (0x3) "NVSvc"=2 (0x2) "idsvc"=3 (0x3) "IDriverT"=3 (0x3) "dvpapi"=2 (0x2) "sdCoreService"=2 (0x2) "sdAuxService"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_server.exe"= "c:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"= "c:\\WINNT\\system32\\dplaysvr.exe"= "c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Gateway\\Gateway Download Assistant\\Downloader.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Google\\Google Earth\\googleearth.exe"= "c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"= "c:\\Program Files\\Google\\Google Updater\\GoogleUpdater.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [1/11/2009 5:22 AM 325896] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/11/2009 5:22 AM 298776] R2 BBFat.VxD;BlueBird DSP API;c:\winnt\system32\drivers\BBFat.sys [8/19/2002 5:25 PM 7808] R2 mrtRate;mrtRate;c:\winnt\system32\drivers\MrtRate.sys [1/22/2003 10:11 PM 34712] R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [1/22/2003 10:15 PM 6736] R2 Viewpoint Service;Viewpoint Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/10/2009 12:51 PM 30152] S2 gupdate1c9cfd6ade0b7ca;Google Update Service (gupdate1c9cfd6ade0b7ca);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 8:15 AM 133104] S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?] S4 AloPar;AloPar;c:\winnt\system32\drivers\AloPar.sys [2/1/2003 1:11 PM 4112] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\winnt\system32\rundll32.exe" "c:\winnt\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-06-26 c:\winnt\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] 2009-07-01 c:\winnt\Tasks\GoogleUpdateTaskMachine.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:15] 2009-07-01 c:\winnt\Tasks\{925FCACA-D57F-4037-9499-423C3A36AF61}_S0029534513_Owner.job - c:\winnt\system32\mobsync.exe [2004-09-26 00:12] . - - - - ORPHANS REMOVED - - - - BHO-{70AA65F2-2221-4BAE-8A26-B9F10AABFCEF} - (no file) Notify-awtuuVop - awtuuVop.dll . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uStart Page = hxxp://forecast.weather.gov/MapClick.php?site=BTV&llon=-73.272083&rlon=-72.609583&tlat=44.727917&blat=44.065417&smap=1&mp=1&map.x=110&map.y=88 uSearch Bar = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB DPF: {511073AD-BE56-4D43-AE68-93390514385E} - hcp://system/TechTools.CAB DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-07-01 11:04 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\Interface\{F57B7ED0-D8AB-11D1-85DFˆÿÿÿnk *fPvŸ!t\TypeLib] @="{0002E157-0000-0000-C000-000000000046}" "Version"="5.3" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3904) c:\winnt\system32\WININET.dll c:\winnt\system32\ieframe.dll c:\winnt\system32\webcheck.dll c:\winnt\system32\WPDShServiceObj.dll c:\winnt\system32\PortableDeviceTypes.dll c:\winnt\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\winnt\system32\LEXBCES.EXE c:\winnt\system32\LEXPPS.EXE c:\program files\Java\jre6\bin\jqs.exe c:\winnt\system32\searchindexer.exe c:\program files\AVG\AVG8\avgrsx.exe c:\winnt\system32\wscntfy.exe c:\winnt\system32\rundll32.exe c:\program files\HP\Digital Imaging\bin\hpqste08.exe c:\program files\HP\Digital Imaging\bin\hpqbam08.exe c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe . ************************************************************************** . Completion time: 2009-07-01 11:15 - machine was rebooted ComboFix-quarantined-files.txt 2009-07-01 15:15 Pre-Run: 12,008,103,936 bytes free Post-Run: 11,944,546,304 bytes free Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5 339 --- E O F --- 2009-06-27 03:02 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:26:22 AM, on 7/1/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\LEXBCES.EXE C:\WINNT\system32\spoolsv.exe C:\WINNT\system32\LEXPPS.EXE C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINNT\system32\svchost.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\WINNT\System32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\System32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINNT\system32\SearchIndexer.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINNT\system32\wscntfy.exe C:\WINNT\system32\SK9910DM.EXE C:\WINNT\GWMDMMSG.exe C:\WINNT\system32\RUNDLL32.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINNT\system32\ctfmon.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe C:\WINNT\explorer.exe C:\Documents and Settings\Owner\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forecast.weather.gov/MapClick.php?s...10&map.y=88 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {70AA65F2-2221-4BAE-8A26-B9F10AABFCEF} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file) O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 810C Series v11.1] C:\WINNT\system32\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 810C Series v11.1" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINNT\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; JUNO; GTB5; .NET CLR 1.0.3705; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.shockwave.com/content/burninrubber2/sis/BurninRubber2.dcr" O4 - Startup: Seagate 2GEVZBMW Product Registration.lnk = C:\Documents and Settings\Owner\Application Data\Leadertech\PowerRegister\Seagate 2GEVZBMW Product Registration.exe O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/dsl_settings/...vzTCPConfig.CAB O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1228674274203 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1228674255953 O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Google Update Service (gupdate1c9cfd6ade0b7ca) (gupdate1c9cfd6ade0b7ca) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE O23 - Service: Viewpoint Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 13059 bytes |
|
|
|
|
Jul 1 2009, 03:20 PM
Post
#4
|
|
|
Bleepin' Texan! Group: Malware Response Instructor Posts: 14,170 Joined: 5-April 06 From: Planet Texas! Member No.: 62,846 |
Hello,
Though ComboFix removed pieces of the rootkit you have, there's also another infection present we need to take care of : # *Please download FindAWF by noahdfear and save it to your desktop: # Please double-click FindAWF.exe to run option 1. # If a security alert shows, allow the program to run. # When the tool has completed, a report will open in Notepad. # Please post the results of the awf.txt in your next reply. Thanks, tea -------------------- Please make a donation so I can keep helping people just like you. Every little bit helps! :) You can even use your credit card! Thank you! Error reading poptart in Drive A: Delete kids y/n? PopTartFixIt2 ============= POPTART ================ Poptart successfully found and removed. ================ KIDS ================ Kid ... Maxwell O'Neal deleted successfully. Kid ... Billy O'Neal deleted successfully. ========== FINISHED! TERMINATE! ========== Tool by Billy3 |
|
|
|
|
Jul 1 2009, 09:47 PM
Post
#5
|
|
|
New Member Group: Members Posts: 10 Joined: 30-June 09 From: Vermont Member No.: 346,844 |
OK, here's my awf.txt (from running Option 1):
Find AWF report by noahdfear ©2006 Version 1.40 The current date is: Wed 07/01/2009 The current time is: 22:06:02.60 bak folders found ~~~~~~~~~~~ Directory of C:\WINNT\BAK 08/06/2002 05:24 PM 53,248 GWMDMpi.exe 1 File(s) 53,248 bytes Directory of C:\PROGRA~1\ITUNES\BAK 06/28/2007 09:14 AM 270,648 iTunesHelper.exe 1 File(s) 270,648 bytes Directory of C:\PROGRA~1\QUICKENW\BAK 08/01/2001 02:30 PM 94,208 QAGENT.EXE 1 File(s) 94,208 bytes Directory of C:\PROGRA~1\QUICKT~1\BAK 04/27/2007 09:41 AM 282,624 qttask.exe 1 File(s) 282,624 bytes Directory of C:\PROGRA~1\VERIZON\BAK 03/11/2007 05:37 PM 936,960 McciTrayApp.exe 1 File(s) 936,960 bytes Directory of C:\PROGRA~1\WINDOW~2\BAK 10/18/2006 08:05 PM 204,288 WMPNSCFG.exe 1 File(s) 204,288 bytes Directory of C:\WINNT\SYSTEM32\BAK 08/04/2004 03:56 AM 15,360 ctfmon.exe 01/12/2006 03:40 PM 155,648 NeroCheck.exe 2 File(s) 171,008 bytes Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK 03/09/2006 11:47 AM 71,328 ccApp.exe 1 File(s) 71,328 bytes Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK 11/07/2006 04:41 PM 8,192 mimboot.exe 1 File(s) 8,192 bytes Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK 07/16/2002 10:21 PM 28,672 WkUFind.exe 1 File(s) 28,672 bytes Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK 09/08/2005 08:13 PM 180,269 realsched.exe 1 File(s) 180,269 bytes Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK 12/02/2004 06:23 PM 102,400 CTDetect.exe 1 File(s) 102,400 bytes Duplicate files of bak directory contents ~~~~~~~~~~~~~~~~~~~~~~~ 53248 Aug 6 2002 "C:\OEMDRVRS\GWMDMPI.EXE" 53248 Aug 6 2002 "C:\WINNT\GWMDMpi.exe" 53248 Aug 6 2002 "C:\WINNT\bak\GWMDMpi.exe" 292136 Jun 5 2009 "C:\Program Files\iTunes\iTunesHelper.exe" 270648 Jun 28 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe" 102400 Jun 25 2009 "C:\WINNT\Installer\{5D601655-6D54-4384-B52C-17EC5385FBBD}\iTunesIco.exe" 94208 Aug 1 2001 "C:\Program Files\QUICKENW\bak\QAGENT.EXE" 413696 May 26 2009 "C:\Program Files\QuickTime\QTTask.exe" 282624 Apr 27 2007 "C:\Program Files\QuickTime\bak\qttask.exe" 936960 Mar 11 2007 "C:\Program Files\Verizon\bak\McciTrayApp.exe" 204288 Oct 18 2006 "C:\Program Files\Windows Media Player\wmpnscfg.exe" 204288 Oct 18 2006 "C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe" 15360 Apr 13 2008 "C:\WINNT\system32\ctfmon.exe" 15360 Aug 4 2004 "C:\WINNT\system32\bak\ctfmon.exe" 155648 Jan 12 2006 "C:\WINNT\system32\bak\NeroCheck.exe" 71328 Mar 9 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe" 8192 Nov 7 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe" 8192 Dec 10 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mimboot.exe" 28672 Jul 16 2002 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe" 198160 Jun 29 2009 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" 180269 Sep 8 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" 102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe" end of report I also want to let you know that later this afternoon (while offline after my last post) the AVG Resident Shield detected 2 new trojans that I've never seen before: 1. Trojan Horse Injector.EP at C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1009\A0208129.sys 2. Win32/Cryptor at C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1009\A0208130.dll They were moved to the AVG Virus Vault. And a question regarding my comment in my previous reply: Is it benefical to have the Microsoft Windows Recovery Console installed?? Thanks, Salar |
|
|
|
|
Jul 1 2009, 10:12 PM
Post
#6
|
|
|
Bleepin' Texan! Group: Malware Response Instructor Posts: 14,170 Joined: 5-April 06 From: Planet Texas! Member No.: 62,846 |
Hello,
My apologies, I saw that I hadn't answered your question after I posted, and I should have edited it in. It's up to you on the Recovery Console, but I would suggest installing it for future "just in cases". It's like insurance.....you may never need it, but you'll have it if something comes up.  On those two files.....they are in System Restore and not a threat to you right now, and we'll clear those when the machine is clean. Please double-click the FindAWF icon once again If a Security Alert shows, allow the program to run. As instructed, press any key to continue. Use the following option: Press 2 then Enter to restore files from bak folders A text file opens called: files.txt Click below the line and paste the following list of files to be restored: "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\QUICKENW\bak\QAGENT.EXE" "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\Verizon\bak\McciTrayApp.exe" "C:\WINNT\system32\bak\NeroCheck.exe" "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe" "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe" "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe" "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe" Next, close and click Yes to save the changes. Once files.txt is saved, FindAWF does the following: -It attempts to terminate the process represented by each filename on the list, if running -Deletes the rogue file from the parent folder, if present -Copies the original file to the parent folder When done with the above, it automatically runs a new scan and opens a new log. Please provide the new FindAWF log in your reply. Thanks, tea -------------------- Please make a donation so I can keep helping people just like you. Every little bit helps! :) You can even use your credit card! Thank you! Error reading poptart in Drive A: Delete kids y/n? PopTartFixIt2 ============= POPTART ================ Poptart successfully found and removed. ================ KIDS ================ Kid ... Maxwell O'Neal deleted successfully. Kid ... Billy O'Neal deleted successfully. ========== FINISHED! TERMINATE! ========== Tool by Billy3 |
|
|
|
|
Jul 2 2009, 10:37 AM
Post
#7
|
|
|
New Member Group: Members Posts: 10 Joined: 30-June 09 From: Vermont Member No.: 346,844 |
Hi again,
Here is the FindAWF log: Find AWF report by noahdfear ©2006 Version 1.40 Option 2 run successfully The current date is: Thu 07/02/2009 The current time is: 11:27:38.29 bak folders found ~~~~~~~~~~~ Directory of C:\WINNT\BAK 08/06/2002 05:24 PM 53,248 GWMDMpi.exe 1 File(s) 53,248 bytes Directory of C:\PROGRA~1\ITUNES\BAK 06/28/2007 09:14 AM 270,648 iTunesHelper.exe 1 File(s) 270,648 bytes Directory of C:\PROGRA~1\QUICKENW\BAK 08/01/2001 02:30 PM 94,208 QAGENT.EXE 1 File(s) 94,208 bytes Directory of C:\PROGRA~1\QUICKT~1\BAK 04/27/2007 09:41 AM 282,624 qttask.exe 1 File(s) 282,624 bytes Directory of C:\PROGRA~1\VERIZON\BAK 03/11/2007 05:37 PM 936,960 McciTrayApp.exe 1 File(s) 936,960 bytes Directory of C:\PROGRA~1\WINDOW~2\BAK 10/18/2006 08:05 PM 204,288 WMPNSCFG.exe 1 File(s) 204,288 bytes Directory of C:\WINNT\SYSTEM32\BAK 08/04/2004 03:56 AM 15,360 ctfmon.exe 01/12/2006 03:40 PM 155,648 NeroCheck.exe 2 File(s) 171,008 bytes Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK 03/09/2006 11:47 AM 71,328 ccApp.exe 1 File(s) 71,328 bytes Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK 11/07/2006 04:41 PM 8,192 mimboot.exe 1 File(s) 8,192 bytes Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK 07/16/2002 10:21 PM 28,672 WkUFind.exe 1 File(s) 28,672 bytes Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK 09/08/2005 08:13 PM 180,269 realsched.exe 1 File(s) 180,269 bytes Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK 12/02/2004 06:23 PM 102,400 CTDetect.exe 1 File(s) 102,400 bytes Duplicate files of bak directory contents ~~~~~~~~~~~~~~~~~~~~~~~ 53248 Aug 6 2002 "C:\OEMDRVRS\GWMDMPI.EXE" 53248 Aug 6 2002 "C:\WINNT\GWMDMpi.exe" 53248 Aug 6 2002 "C:\WINNT\bak\GWMDMpi.exe" 270648 Jun 28 2007 "C:\Program Files\iTunes\iTunesHelper.exe" 270648 Jun 28 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe" 102400 Jun 25 2009 "C:\WINNT\Installer\{5D601655-6D54-4384-B52C-17EC5385FBBD}\iTunesIco.exe" 94208 Aug 1 2001 "C:\Program Files\QUICKENW\QAGENT.EXE" 94208 Aug 1 2001 "C:\Program Files\QUICKENW\bak\QAGENT.EXE" 282624 Apr 27 2007 "C:\Program Files\QuickTime\qttask.exe" 282624 Apr 27 2007 "C:\Program Files\QuickTime\bak\qttask.exe" 936960 Mar 11 2007 "C:\Program Files\Verizon\McciTrayApp.exe" 936960 Mar 11 2007 "C:\Program Files\Verizon\bak\McciTrayApp.exe" 204288 Oct 18 2006 "C:\Program Files\Windows Media Player\wmpnscfg.exe" 204288 Oct 18 2006 "C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe" 15360 Apr 13 2008 "C:\WINNT\system32\ctfmon.exe" 15360 Aug 4 2004 "C:\WINNT\system32\bak\ctfmon.exe" 155648 Jan 12 2006 "C:\WINNT\system32\NeroCheck.exe" 155648 Jan 12 2006 "C:\WINNT\system32\bak\NeroCheck.exe" 71328 Mar 9 2006 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" 71328 Mar 9 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe" 8192 Nov 7 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mimboot.exe" 8192 Nov 7 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe" 8192 Dec 10 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mimboot.exe" 28672 Jul 16 2002 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" 28672 Jul 16 2002 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe" 180269 Sep 8 2005 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" 180269 Sep 8 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" 102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" 102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe" end of report |
|
|
|
|
Jul 2 2009, 10:07 PM
Post
#8
|
|
|
Bleepin' Texan! Group: Malware Response Instructor Posts: 14,170 Joined: 5-April 06 From: Planet Texas! Member No.: 62,846 |
Hello,
Excellent, thanks. In case you're wondering, this infection takes legit files and scrambles them around, replacing them with bogus ones. What we're doing here is unscrambling them and putting the real ones back where they belong. Please double-click the FindAWF icon once again This time we are going to remove some folders. If a Security Alert shows, allow the program to run. As instructed, press any key to continue. Use the following option: Press 3 then Enter to remove bak folders A text file opens called: folders.txt Click below the line and paste the following list of folders to be removed: C:\WINNT\bak C:\Program Files\iTunes\bak C:\Program Files\QUICKENW\bak C:\Program Files\QuickTime\bak C:\Program Files\Verizon\bak C:\Program Files\Windows Media Player\bak C:\WINNT\system32\bak C:\Program Files\Common Files\Symantec Shared\bak C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak C:\Program Files\Common Files\Real\Update_OB\bak C:\Program Files\Creative\MediaSource\Detector\bak Next, close and click Yes to save the changes. When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post. Please provide the new FindAWF log in your reply. If all is well, we'll finish with AWF and go on the the rest of it. Thanks, tea This post has been edited by teacup61: Jul 2 2009, 10:08 PM -------------------- Please make a donation so I can keep helping people just like you. Every little bit helps! :) You can even use your credit card! Thank you! Error reading poptart in Drive A: Delete kids y/n? PopTartFixIt2 ============= POPTART ================ Poptart successfully found and removed. ================ KIDS ================ Kid ... Maxwell O'Neal deleted successfully. Kid ... Billy O'Neal deleted successfully. ========== FINISHED! TERMINATE! ========== Tool by Billy3 |
|
|
|
|
Jul 2 2009, 10:37 PM
Post
#9
|
|
|
New Member Group: Members Posts: 10 Joined: 30-June 09 From: Vermont Member No.: 346,844 |
Thanks tea, for the explanation. I was indeed wondering if that was the case.
Here's my FindAWF log: Find AWF report by noahdfear ©2006 Version 1.40 Option 3 run successfully The current date is: Thu 07/02/2009 The current time is: 23:20:45.03 bak folders found ~~~~~~~~~~~ Duplicate files of bak directory contents ~~~~~~~~~~~~~~~~~~~~~~~ end of report |
|
|
|
|
Jul 2 2009, 11:00 PM
Post
#10
|
|
|
Bleepin' Texan! Group: Malware Response Instructor Posts: 14,170 Joined: 5-April 06 From: Planet Texas! Member No.: 62,846 |
Hello,
You're welcome, and that log looks perfect. No more duplicates. To finish, run Option 4. Double-click the FindAWF icon once again. Use the following option: Press 4 then Enter to reset domain zones. When the program returns to the main menu, use the following option: Press E then Enter to EXIT. Now let's see what a ComboFix report looks like. But first I'd like for you to get a fresh copy, so...... Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer. 1. Download this file - combofix.exe http://download.bleepingcomputer.com/sUBs/ComboFix.exe http://www.forospyware.com/sUBs/ComboFix.exe http://subs.geekstogo.com/ComboFix.exe 2. Double click combofix.exe & follow the prompts. 3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log. Note: Do not mouseclick combofix's window while it's running. That may cause it to stall. Thanks, tea -------------------- Please make a donation so I can keep helping people just like you. Every little bit helps! :) You can even use your credit card! Thank you! Error reading poptart in Drive A: Delete kids y/n? PopTartFixIt2 ============= POPTART ================ Poptart successfully found and removed. ================ KIDS ================ Kid ... Maxwell O'Neal deleted successfully. Kid ... Billy O'Neal deleted successfully. ========== FINISHED! TERMINATE! ========== Tool by Billy3 |
|
|
|
|
Jul 3 2009, 07:09 AM
Post
#11
|
|
|
New Member Group: Members Posts: 10 Joined: 30-June 09 From: Vermont Member No.: 346,844 |
My ComboFix log is pasted below. This stuff is fascinating!
ComboFix 09-07-02.02 - Owner 07/03/2009 7:51.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1562 [GMT -4:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 ))))))))))))))))))))))))))))))) . 2009-07-02 15:27 . 2006-01-12 19:40 155648 ----a-w- c:\winnt\system32\NeroCheck.exe 2009-07-01 17:50 . 2009-07-01 17:53 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp 2009-07-01 13:22 . 2009-06-28 12:16 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll 2009-07-01 13:22 . 2009-06-28 12:16 587032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe 2009-07-01 13:22 . 2009-06-28 12:16 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll 2009-07-01 13:22 . 2009-06-28 12:16 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe 2009-06-30 00:41 . 2009-06-30 00:48 -------- d-s---w- C:\Combo-Fix 2009-06-29 23:19 . 2009-06-29 23:25 -------- d-----w- C:\totalcmd 2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\UC.PIF 2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\RAR.PIF 2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\PKZIP.PIF 2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\PKUNZIP.PIF 2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\NOCLOSE.PIF 2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\LHA.PIF 2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\ARJ.PIF 2009-06-29 23:12 . 2009-06-29 23:24 -------- d-----w- C:\Total Commander 2009-06-29 21:02 . 2009-06-29 21:02 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe 2009-06-29 21:02 . 2009-06-29 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2009-06-29 21:02 . 2009-06-29 21:28 -------- d-----w- c:\program files\NOS 2009-06-29 20:39 . 2009-06-29 20:39 -------- d-----w- c:\program files\Common Files\xing shared 2009-06-29 20:37 . 2009-06-29 20:37 390664 ----a-w- c:\documents and settings\Owner\Application Data\Real\RealPlayer\setup\AU_setup.exe 2009-06-27 19:08 . 2009-06-29 17:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations 2009-06-27 19:08 . 2009-06-27 19:08 -------- d-sh--w- c:\winnt\ftpcache 2009-06-27 19:08 . 2009-01-16 07:19 1731736 ----a-w- c:\documents and settings\Owner\Application Data\Leadertech\PowerRegister\Seagate 2GEVZBMW Product Registration.exe 2009-06-27 13:08 . 2009-06-27 13:08 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR 2009-06-26 22:21 . 2009-06-26 22:21 -------- d-sh--w- c:\documents and settings\Default User\IETldCache 2009-06-26 16:09 . 2009-04-30 21:22 12800 ------w- c:\winnt\system32\dllcache\xpshims.dll 2009-06-26 16:09 . 2009-04-30 21:22 246272 ------w- c:\winnt\system32\dllcache\ieproxy.dll 2009-06-26 01:49 . 2009-06-26 01:49 -------- d-----w- c:\program files\iPod 2009-06-26 01:49 . 2009-06-26 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-06-26 01:40 . 2009-06-26 01:40 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe 2009-06-21 20:07 . 2009-07-03 11:43 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData 2009-06-21 19:48 . 2009-06-21 19:48 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\HP 2009-06-21 19:45 . 2009-06-21 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant 2009-06-21 19:42 . 2008-10-28 16:49 118272 ----a-w- c:\winnt\system32\hpz3l696.dll 2009-06-21 19:42 . 2008-10-30 07:18 737280 ----a-r- c:\winnt\system32\hposwia_p01c.dll 2009-06-21 19:42 . 2008-10-30 07:18 974848 ----a-r- c:\winnt\system32\hpost_p01c.dll 2009-06-21 19:42 . 2008-10-30 07:18 307200 ----a-r- c:\winnt\system32\hposc_p01a.dll 2009-06-21 19:40 . 2009-06-21 19:40 -------- d-----w- c:\program files\Common Files\HP 2009-06-21 19:40 . 2009-06-21 19:40 -------- d-----w- c:\program files\Hewlett-Packard 2009-06-21 19:31 . 2009-06-21 20:02 150623 ----a-w- c:\winnt\hpoins33.dat 2009-06-21 19:31 . 2008-12-10 20:49 1008 ------w- c:\winnt\hpomdl33.dat 2009-06-20 15:20 . 2009-06-20 15:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes 2009-06-20 15:20 . 2009-06-17 15:27 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys 2009-06-20 15:20 . 2009-06-20 15:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-06-20 15:20 . 2009-06-20 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-06-20 15:20 . 2009-06-17 15:27 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys 2009-06-12 23:11 . 2009-06-12 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA 2009-06-10 16:51 . 2009-06-10 16:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Viewpoint 2009-06-10 16:51 . 2009-06-10 16:51 -------- d-----w- c:\program files\Viewpoint 2009-06-10 11:03 . 2009-06-10 11:03 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll 2009-06-05 01:33 . 2009-06-05 01:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2009-06-03 21:54 . 2009-06-03 21:54 -------- d-sh--w- c:\winnt\system32\config\systemprofile\IETldCache . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-07-03 03:20 . 2003-01-23 02:14 -------- d-----w- c:\program files\Common Files\Symantec Shared 2009-07-03 03:20 . 2007-07-05 16:43 -------- d-----w- c:\program files\iTunes 2009-07-03 03:20 . 2006-05-22 14:38 -------- d-----w- c:\program files\Verizon 2009-07-03 03:20 . 2005-09-26 15:11 -------- d-----w- c:\program files\QuickTime 2009-07-03 03:20 . 2003-01-23 02:10 -------- d-----w- c:\program files\QUICKENW 2009-07-01 17:54 . 2004-05-08 00:11 -------- d-----w- c:\program files\Google 2009-07-01 13:22 . 2009-06-27 13:06 327688 ----a-w- c:\winnt\system32\drivers\avgldx86.sys.prepare 2009-07-01 13:22 . 2009-06-27 13:06 27784 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys.prepare 2009-06-30 00:13 . 2008-04-23 03:05 393202 ----a-w- c:\winnt\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat 2009-06-29 21:35 . 2004-04-24 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-06-29 21:06 . 2004-04-21 18:44 -------- d-----w- c:\program files\Common Files\Adobe 2009-06-29 20:39 . 2003-01-23 02:10 -------- d-----w- c:\program files\Common Files\Real 2009-06-29 20:39 . 2003-02-21 09:42 348160 ----a-w- c:\winnt\system32\msvcr71.dll 2009-06-29 20:23 . 2005-02-13 16:28 -------- d-----w- c:\program files\Java 2009-06-29 19:01 . 2003-01-23 02:09 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-06-28 19:32 . 2008-05-16 13:31 -------- d-----w- c:\program files\SpywareBlaster 2009-06-27 20:06 . 2003-02-02 12:45 111760 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-06-27 18:41 . 2007-12-13 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2009-06-27 18:39 . 2003-01-23 02:13 -------- d-----w- c:\program files\Microsoft Works 2009-06-27 13:23 . 2009-01-11 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-06-26 22:23 . 2007-12-22 13:00 -------- d-----w- c:\program files\Windows Desktop Search 2009-06-26 01:49 . 2007-07-05 16:42 -------- d-----w- c:\program files\Common Files\Apple 2009-06-21 19:47 . 2007-12-04 15:40 -------- d-----w- c:\documents and settings\Owner\Application Data\HP 2009-06-21 19:47 . 2007-12-04 15:31 -------- d-----w- c:\program files\HP 2009-06-21 19:45 . 2007-12-04 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\HP 2009-06-10 16:51 . 2004-08-05 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint 2009-05-25 04:24 . 2008-05-27 02:18 350208 ------w- c:\winnt\system32\mssph.dll 2009-05-25 01:51 . 2007-04-15 16:09 -------- d--h--w- c:\documents and settings\Owner\Application Data\Move Networks 2009-05-21 15:33 . 2009-01-17 14:31 410984 ----a-w- c:\winnt\system32\deploytk.dll 2009-05-20 18:13 . 2007-10-10 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-05-13 05:15 . 2004-09-26 23:39 915456 ----a-w- c:\winnt\system32\wininet.dll 2009-05-11 12:36 . 2009-01-11 09:22 11952 ----a-w- c:\winnt\system32\avgrsstx.dll 2009-05-11 12:36 . 2009-01-11 09:22 325896 ----a-w- c:\winnt\system32\drivers\avgldx86.sys 2009-05-11 12:36 . 2009-01-11 09:22 27784 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys 2009-05-10 14:20 . 2009-05-10 14:20 127877 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe 2009-05-10 14:20 . 2009-05-01 06:30 4183416 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071500000347.dll 2009-05-10 14:20 . 2009-05-10 14:19 1685856 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWin_071500000347.exe 2009-05-10 01:21 . 2007-11-15 16:56 -------- d-----w- c:\program files\Jasc Software Inc 2009-05-10 01:16 . 2009-05-10 01:16 57344 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}\DPS_SMLink.CAA7B2BB_F373_4C0B_8C62_D4147E5C816B.exe 2009-05-10 01:16 . 2009-05-10 01:16 57344 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}\DPS_DTLink.CAA7B2BB_F373_4C0B_8C62_D4147E5C816B.exe 2009-05-07 15:32 . 2004-09-26 23:39 345600 ----a-w- c:\winnt\system32\localspl.dll 2009-05-04 21:18 . 2009-05-04 21:18 390664 ----a-w- c:\documents and settings\Owner\Application Data\Real\RealPlayer\Update\RealPlayer11.exe 2009-05-01 06:30 . 2009-05-01 06:30 97144 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe 2009-04-23 00:08 . 2009-04-23 00:08 15340 ----a-w- C:\gtm6F.tmp 2009-04-17 12:26 . 2004-09-26 23:39 1847168 ----a-w- c:\winnt\system32\win32k.sys 2009-04-15 14:51 . 2004-09-26 23:40 585216 ----a-w- c:\winnt\system32\rpcrt4.dll 2002-09-07 06:47 . 2004-04-25 14:26 144 ------w- c:\program files\pcdocrx_order.html 2001-03-11 11:59 . 2004-04-25 14:26 766 ------w- c:\program files\pcdoc.ico . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360] "NvMediaCenter"="c:\winnt\system32\NVMCTRAY.DLL" [2003-07-28 49152] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "GWMDMpi"="c:\winnt\GWMDMpi.exe" [2002-08-06 53248] "NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2003-07-28 4841472] "NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2003-07-28 49152] "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-28 270648] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-11 1947928] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-09 180269] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696] "Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\winnt\system32\SK9910DM.EXE [2001-01-03 66048] "GWMDMMSG"="GWMDMMSG.exe" - c:\winnt\GWMDMMSG.exe [2002-08-06 90112] "atwtusb"="atwtusb.exe" - c:\winnt\system32\atwtusb.exe [2002-11-21 188416] "nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2003-07-28 323584] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] "0000 - c:\documents and settings\Owner\Start Menu\Programs\HP DeskJet 810C Series v11.1"="c:\winnt\system32\command.com" [2002-08-29 50620] c:\documents and settings\Owner\Start Menu\Programs\Startup\ Seagate 2GEVZBMW Product Registration.lnk - c:\documents and settings\Owner\Application Data\Leadertech\PowerRegister\Seagate 2GEVZBMW Product Registration.exe [2009-6-27 1731736] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Google Updater.lnk - c:\program files\Google\Google Updater\GoogleUpdater.exe [2007-10-10 126136] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360] Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-05-11 12:36 11952 ----a-w- c:\winnt\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AloPar.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Parallel Arbitrator] @="Driver Group" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice] @="" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CADIX Screen Saver Control.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CADIX Screen Saver Control.lnk backup=c:\winnt\pss\CADIX Screen Saver Control.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk backup=c:\winnt\pss\Image Transfer.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=c:\winnt\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reminder-hpc41004.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Reminder-hpc41004.lnk backup=c:\winnt\pss\Reminder-hpc41004.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk backup=c:\winnt\pss\Verizon Online Support Center.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Quick StartUp.lnk] path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Quick StartUp.lnk backup=c:\winnt\pss\Quick StartUp.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Start.lnk] path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Start.lnk backup=c:\winnt\pss\Start.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Speed Disk service"=2 (0x2) "Creative Service for CDROM Access"=2 (0x2) "PrismXL"=2 (0x2) "Apple Mobile Device"=2 (0x2) "LightScribeService"=3 (0x3) "iPod Service"=3 (0x3) "Bonjour Service"=2 (0x2) "WMPNetworkSvc"=2 (0x2) "RPSUpdaterR"=3 (0x3) "ose"=3 (0x3) "odserv"=3 (0x3) "NVSvc"=2 (0x2) "idsvc"=3 (0x3) "IDriverT"=3 (0x3) "dvpapi"=2 (0x2) "sdCoreService"=2 (0x2) "sdAuxService"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_server.exe"= "c:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"= "c:\\WINNT\\system32\\dplaysvr.exe"= "c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Gateway\\Gateway Download Assistant\\Downloader.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Google\\Google Earth\\googleearth.exe"= "c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"= "c:\\Program Files\\Google\\Google Updater\\GoogleUpdater.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [1/11/2009 5:22 AM 325896] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/11/2009 5:22 AM 298776] R2 BBFat.VxD;BlueBird DSP API;c:\winnt\system32\drivers\BBFat.sys [8/19/2002 5:25 PM 7808] R2 mrtRate;mrtRate;c:\winnt\system32\drivers\MrtRate.sys [1/22/2003 10:11 PM 34712] R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [1/22/2003 10:15 PM 6736] R2 Viewpoint Service;Viewpoint Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/10/2009 12:51 PM 30152] S2 gupdate1c9cfd6ade0b7ca;Google Update Service (gupdate1c9cfd6ade0b7ca);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 8:15 AM 133104] S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?] S4 AloPar;AloPar;c:\winnt\system32\drivers\AloPar.sys [2/1/2003 1:11 PM 4112] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\winnt\system32\rundll32.exe" "c:\winnt\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-07-03 c:\winnt\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] 2009-07-03 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:15] 2009-07-03 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:15] 2009-07-02 c:\winnt\Tasks\{925FCACA-D57F-4037-9499-423C3A36AF61}_S0029534513_Owner.job - c:\winnt\system32\mobsync.exe [2004-09-26 00:12] . - - - - ORPHANS REMOVED - - - - BHO-{70AA65F2-2221-4BAE-8A26-B9F10AABFCEF} - (no file) HKCU-RunOnce-Shockwave Updater - c:\winnt\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; JUNO; GTB5; .NET CLR 1.0.3705; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET Notify-awtuuVop - (no file) . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uStart Page = hxxp://forecast.weather.gov/MapClick.php?site=BTV&llon=-73.272083&rlon=-72.609583&tlat=44.727917&blat=44.065417&smap=1&mp=1&map.x=110&map.y=88 uSearchURL,(Default) = hxxp://www.google.com/search?q=%s DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB DPF: {511073AD-BE56-4D43-AE68-93390514385E} - hcp://system/TechTools.CAB DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-07-03 07:56 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\Interface\{F57B7ED0-D8AB-11D1-85DFˆÿÿÿnk *fPvŸ!t\TypeLib] @="{0002E157-0000-0000-C000-000000000046}" "Version"="5.3" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(1428) c:\winnt\system32\WININET.dll c:\winnt\system32\ieframe.dll c:\winnt\system32\webcheck.dll c:\winnt\system32\WPDShServiceObj.dll c:\winnt\system32\PortableDeviceTypes.dll c:\winnt\system32\PortableDeviceApi.dll . Completion time: 2009-07-03 7:59 ComboFix-quarantined-files.txt 2009-07-03 11:59 Pre-Run: 11,869,106,176 bytes free Post-Run: 11,911,168,000 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINNT [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5 299 --- E O F --- 2009-06-27 03:02 |
|
|
|
|
Jul 3 2009, 07:20 AM
Post
#12
|
|
|
New Member Group: Members Posts: 10 Joined: 30-June 09 From: Vermont Member No.: 346,844 |
Hi again Tea.
I forgot to run HijackThis before for my lasy reply. Here's the HJT log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:14:19 AM, on 7/3/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\LEXBCES.EXE C:\WINNT\system32\spoolsv.exe C:\WINNT\system32\LEXPPS.EXE C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINNT\system32\svchost.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINNT\system32\SK9910DM.EXE C:\WINNT\GWMDMMSG.exe C:\WINNT\system32\RUNDLL32.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINNT\system32\ctfmon.exe C:\WINNT\System32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\System32\svchost.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINNT\system32\SearchIndexer.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe C:\WINNT\explorer.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINNT\system32\SearchProtocolHost.exe C:\Documents and Settings\Owner\Desktop\Security\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forecast.weather.gov/MapClick.php?s...10&map.y=88 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {70AA65F2-2221-4BAE-8A26-B9F10AABFCEF} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file) O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 810C Series v11.1] C:\WINNT\system32\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 810C Series v11.1" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - Startup: Seagate 2GEVZBMW Product Registration.lnk = C:\Documents and Settings\Owner\Application Data\Leadertech\PowerRegister\Seagate 2GEVZBMW Product Registration.exe O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/dsl_settings/...vzTCPConfig.CAB O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1228674274203 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1228674255953 O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll O20 - Winlogon Notify: awtuuVop - C:\WINNT\ O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Google Update Service (gupdate1c9cfd6ade0b7ca) (gupdate1c9cfd6ade0b7ca) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE O23 - Service: Viewpoint Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 12937 bytes |
|
|
|
|
Jul 3 2009, 05:07 PM
Post
#13
|
|
|
Bleepin' Texan! Group: Malware Response Instructor Posts: 14,170 Joined: 5-April 06 From: Planet Texas! Member No.: 62,846 |
Hello,
Those look much better. No sign of the rootkit, and AWF is gone. I didn't see it, but do you use AOL, or at least AIM? If not :I see Viewpoint installed. Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we knew before; read this article: http://www.clickz.com/news/article.php/3561546 I suggest you remove the program now, if you did not install it. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present. * Viewpoint * Viewpoint Manager * Viewpoint Media Player Please run HijackThis! and click "Scan." Place checks next to the following entries, if present: O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: (no name) - {70AA65F2-2221-4BAE-8A26-B9F10AABFCEF} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file) O20 - Winlogon Notify: awtuuVop - C:\WINNT\ O23 - Service: Viewpoint Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe Close all browsers and other windows except for HijackThis!, and click "Fix checked". Reboot your computer. I see you have MBAM already, so please make sure it's updated and have a scan with it. Post the report in your reply, if there is anything to post. How is it running now please? Yes, it's fascinating stuff.....every day it's something new, and something new to learn. Thanks, tea -------------------- Please make a donation so I can keep helping people just like you. Every little bit helps! :) You can even use your credit card! Thank you! Error reading poptart in Drive A: Delete kids y/n? PopTartFixIt2 ============= POPTART ================ Poptart successfully found and removed. ================ KIDS ================ Kid ... Maxwell O'Neal deleted successfully. Kid ... Billy O'Neal deleted successfully. ========== FINISHED! TERMINATE! ========== Tool by Billy3 |
|
|
|
|
Jul 4 2009, 01:32 PM
Post
#14
|
|
|
New Member Group: Members Posts: 10 Joined: 30-June 09 From: Vermont Member No.: 346,844 |
Hello Tea. Happy 4th of July!
 Thanks for the Viewpoint tip. I found and removed the Viewpoint Media Player (I removed AIM years ago). I then ran the HJT scan and found and checked all of the entries you posted, except for the Viewpoint entry, which wasn't there. Then a reboot and updated MBAM scan, which ended up with no malware detected. The computer seems to be running fine, except that the Add/Remove Programs window is taking much longer to load the program list than it used to. By the way, I found a Vol_Toolbar folder in C:\Program Files, but it doesn't show up in Add/Remove Programs. There are 3 files in this folder: install.ico, toolbar.ini and uninstall.exe. Could this be related to "O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)" that I checked and deleted earlier? Based on negative reports about this toolbar (which I have never seen onscreen), I want to remove it. Would this be as simple as deleting that folder and files? Thanks, Salar |
|
|
|
|
Jul 4 2009, 08:22 PM
Post
#15
|
|
|
Bleepin' Texan! Group: Malware Response Instructor Posts: 14,170 Joined: 5-April 06 From: Planet Texas! Member No.: 62,846 |
Hello,
The toolbar is all right, and yes they are related......the CLSID and the file name go with Verizon Broadband. You can do away with it if you like, especially if you don't use Verizon any more. But I do see entries for it in your logs, so I don't know.Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer. Any other questions? Happy 4th to you as well. tea -------------------- Please make a donation so I can keep helping people just like you. Every little bit helps! :) You can even use your credit card! Thank you! Error reading poptart in Drive A: Delete kids y/n? PopTartFixIt2 ============= POPTART ================ Poptart successfully found and removed. ================ KIDS ================ Kid ... Maxwell O'Neal deleted successfully. Kid ... Billy O'Neal deleted successfully. ========== FINISHED! TERMINATE! ========== Tool by Billy3 |
|
|
|
|
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:
| Lo-Fi Version | Time is now: 20th March 2010 - 11:19 PM |
© 2003-2010 All Rights Reserved Bleeping Computer LLC.