Having Trouble Removing Malware


  • This topic is locked
2 replies to this topic

#1 jston80

Posted 15 January 2008 - 12:37 PM

Windows Defender keeps finding BrowserModifier:Win32/E404 and Norton Antivirus 2007 keeps finding various Trojan downloader viruses. Random IE screens are popping up and Norton is blocking multiple random emails which my computer is sending on its own. I ran the ComboFix.exe tool which seemed to help at first but has not completely solved the problem. I have posted the ComboFix log as well as a current HijackThis log file below. PLEASE HELP!

ComboFix 08-01-14.4 - 2008-01-15 8:18:50.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.94 [GMT -6:00]
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Helper
C:\Program Files\Helper\superfindout.dll
C:\Program Files\smss.exe
C:\Program Files\spoolsv.exe
C:\WINNT\avp.exe
C:\WINNT\Casino.ico
C:\WINNT\Free Online Dating.ico
C:\WINNT\mgrs.exe
C:\WINNT\Spyware Remover.ico
C:\WINNT\system32\cbcdd.ini
C:\WINNT\system32\cbcdd.ini2
C:\WINNT\system32\ctfmon.exe.tmp

.
((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-15 08:17 . 2000-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe
2008-01-14 21:18 . 2008-01-14 21:18 <DIR> d--hs---- C:\FOUND.003
2008-01-12 20:05 . 2007-05-29 13:55 22,112 --a------ C:\WINNT\system32\drivers\COH_Mon.sys
2008-01-12 20:05 . 2007-05-29 13:55 10,592 --a------ C:\WINNT\system32\drivers\COH_Mon.cat
2008-01-12 20:05 . 2007-05-29 13:55 705 --a------ C:\WINNT\system32\drivers\COH_Mon.inf
2008-01-12 12:49 . 2008-01-12 12:55 10,740 --a------ C:\WINNT\system32\drivers\SYMEVENT.CAT
2008-01-12 12:49 . 2008-01-12 12:55 805 --a------ C:\WINNT\system32\drivers\SYMEVENT.INF
2008-01-12 12:40 . 2008-01-12 12:40 <DIR> d-------- C:\Documents and Settings\The Johnstons\.java
2008-01-12 12:26 . 2008-01-12 12:55 123,952 --a------ C:\WINNT\system32\drivers\SYMEVENT.SYS
2008-01-12 12:26 . 2008-01-12 12:55 60,800 --a------ C:\WINNT\system32\S32EVNT1.DLL
2008-01-12 09:58 . 2008-01-14 21:20 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-01-12 09:58 . 2008-01-12 09:58 1,409 --a------ C:\WINNT\QTFont.for
2008-01-12 09:35 . 2008-01-12 13:07 18,944 --a------ C:\WINNT\avp .exe
2008-01-12 09:35 . 2008-01-12 13:03 15,360 --a------ C:\WINNT\system32\ctfmon .exe
2008-01-12 09:34 . 2008-01-12 09:34 106 --a------ C:\temp.bat
2008-01-12 09:25 . 2008-01-12 09:25 58,880 --a------ C:\ysxl.exe
2008-01-12 09:25 . 54,764 C:\WINNT\system32\dxdss.sys
2008-01-12 09:25 . 2008-01-12 09:25 2 --a------ C:\3600
2008-01-12 08:15 . 2008-01-12 08:15 <DIR> d-------- C:\Norton.AntiVirus.2007.RETAIL.ISO-ScK
2008-01-10 16:32 . 2008-01-10 16:32 <DIR> d-------- C:\Office 2007 Enterprise Full ++
2007-12-19 14:15 . 2007-12-19 14:15 <DIR> d-------- C:\Documents and Settings\The Johnstons\Application Data\CoreFTP
2007-12-19 14:14 . 2007-12-19 14:14 <DIR> d-------- C:\Program Files\CoreFTP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-19 16:20 82,208 ----a-w C:\Documents and Settings\The Johnstons\Application Data\GDIPFONTCACHEV1.DAT
2007-12-01 05:57 43,696 ----a-w C:\WINNT\system32\drivers\srtspx.sys
2007-12-01 05:57 317,616 ----a-w C:\WINNT\system32\drivers\srtspl.sys
2007-12-01 05:57 279,088 ----a-w C:\WINNT\system32\drivers\srtsp.sys
2007-12-01 05:57 10,549 ----a-w C:\WINNT\system32\drivers\srtspx.cat
2007-12-01 05:57 10,549 ----a-w C:\WINNT\system32\drivers\srtspl.cat
2007-12-01 05:57 10,545 ----a-w C:\WINNT\system32\drivers\srtsp.cat
2007-12-01 05:57 1,430 ----a-w C:\WINNT\system32\drivers\srtspl.inf
2007-12-01 05:57 1,421 ----a-w C:\WINNT\system32\drivers\srtspx.inf
2007-12-01 05:57 1,415 ----a-w C:\WINNT\system32\drivers\srtsp.inf
2007-11-26 16:28 --------- d-----w C:\Program Files\iTunes
2007-11-26 16:26 --------- d-----w C:\Program Files\QuickTime
2007-11-07 09:26 721,920 ----a-w C:\WINNT\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINNT\system32\dllcache\lsasrv.dll
2007-10-31 11:12 3,590,656 ------w C:\WINNT\system32\dllcache\mshtml.dll
2007-10-31 01:55 625,032 ----a-w C:\WINNT\system32\SymNeti.dll
2007-10-31 01:55 242,056 ----a-w C:\WINNT\system32\SymRedir.dll
2007-10-30 17:20 360,064 ------w C:\WINNT\system32\dllcache\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINNT\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINNT\system32\dllcache\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINNT\system32\wmasf.dll
2007-10-27 23:40 222,720 ----a-w C:\WINNT\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINNT\system32\dllcache\shell32.dll
2007-03-26 20:59 28,672 ----a-w C:\Documents and Settings\The Johnstons\atwbxdet.dll
2005-06-18 08:16 271 --sh--w C:\Program Files\desktop.ini
2005-06-18 08:16 21,952 ---h--w C:\Program Files\folder.htt
2004-07-22 00:48 94,784 --sh--w C:\WINNT\twain.dll
2004-08-04 08:56 50,688 --sh--w C:\WINNT\twain_32.dll
2004-08-04 08:56 1,028,096 --sh--w C:\WINNT\system32\mfc42.dll
2004-08-04 08:56 343,040 --sh--w C:\WINNT\system32\msvcrt.dll
2004-08-04 08:56 413,696 --sh--w C:\WINNT\system32\msvcp60.dll
2004-08-04 08:56 54,784 --sh--w C:\WINNT\system32\msvcirt.dll
2007-05-17 12:28 549,376 --sh--w C:\WINNT\system32\oleaut32.dll
2004-08-04 08:56 11,776 --sh--w C:\WINNT\system32\regsvr32.exe
2004-08-04 08:56 83,456 --sh--w C:\WINNT\system32\olepro32.dll
.
<pre>
----a-w			18,944 2008-01-12 19:07:04  C:\WINNT\avp .exe
----a-w			15,360 2008-01-12 19:03:36  C:\WINNT\system32\ctfmon .exe
----a-w			39,792 2008-01-12 19:03:28  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		 1,232,384 2008-01-12 19:03:30  C:\Program Files\Windows Defender\MSASCui .exe
----a-w		   286,720 2008-01-12 19:03:30  C:\Program Files\QuickTime\qttask  .exe
----a-w		   286,720 2008-01-12 19:06:40  C:\Program Files\QuickTime\qttask   .exe
----a-w		   286,720 2008-01-12 19:06:36  C:\Program Files\QuickTime\qttask	.exe
----a-w		   286,720 2008-01-12 19:06:34  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   286,720 2008-01-12 19:06:32  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   286,720 2008-01-12 23:38:08  C:\Program Files\QuickTime\qttask	   .exe
----a-w		   286,720 2008-01-12 19:06:44  C:\Program Files\QuickTime\qttask .exe
----a-w		   697,344 2008-01-12 19:03:32  C:\Program Files\iTunes\iTunesHelper .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [2002-09-27 14:38 4214784]
"nwiz"="nwiz.exe" [2002-09-27 14:38 446464 C:\WINNT\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 11:59 88107 C:\WINNT\AGRSMMSG.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-12 13:06 1597952]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 13:05 379904]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-12 13:06 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-12 13:05 1127936]
"Winupdate Engine"="C:\WINNT\system32\wupeng.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-02 20:04 84640]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 14:22 26248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 05:53 34880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 02:56 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2004-08-04 00:59 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlzh32]
winlzh32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINNT\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Newell Rubbermaid, Inc. Newell VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Newell Rubbermaid, Inc. Newell VPN Client.lnk
backup=C:\WINNT\pss\Newell Rubbermaid, Inc. Newell VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
--a------ 2001-08-27 10:52 45056 C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2005-01-12 14:54 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-08-11 03:07 188416 C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-12 13:05 1127936 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINNT\system32\ddcbc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2002-07-16 16:21 28672 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-12 13:06 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2001-07-03 09:11 57344 C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 2004-08-04 02:56 143360 C:\WINNT\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

R1 NEOFLTR_530_11339;Juniper Networks TDI Filter Driver (NEOFLTR_530_11339);C:\WINNT\system32\Drivers\NEOFLTR_530_11339.SYS [2006-11-20 21:00]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINNT\system32\DRIVERS\dsNcAdpt.sys [2006-04-19 03:59]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINNT\system32\DRIVERS\NtApm.sys [2004-07-21 18:42]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-08 00:24:02 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-13 14:46:54 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - The Johnstons.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2008-01-15 07:32:14 C:\WINNT\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 08:21:12
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 8:21:52
ComboFix-quarantined-files.txt 2008-01-15 14:21:50
.
2008-01-12 14:52:08 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:15 AM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Newell\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
D:\iPOD\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\Helper\superfindout.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Winupdate Engine] C:\WINNT\system32\wupeng.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=cd2b5b29-6989-4fb0-8a4c-1502f1c318c6
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129127637859
O16 - DPF: {91CDE0DF-1E69-4E97-B538-FA4E598881BA} (PaisleyDocumentTransfer.DownloadManager) - https://portal.assetacceptance.com/Focus/Cl...pt-001,CT=java+
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4058/ftp...lls/Coupons.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-ps...bex/ieatgpc.cab
O20 - Winlogon Notify: winlzh32 - winlzh32.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Newell\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\iPOD\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9172 bytes
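The two logs above already carry the indicators a responder would key on: ComboFix's `<pre>` block lists executables whose names have whitespace before the extension (`avp .exe`, `ctfmon .exe`, `qttask   .exe`) sitting next to the real `ctfmon.exe` and `qttask.exe` autostarts, one Run value (`Winupdate Engine`) has an empty `[ ]` where every legitimate entry shows date, time and size, and HijackThis reports a Winlogon Notify DLL as `(file missing)`. The script below is an added example for readers of this thread, not code from ComboFix, HijackThis or BleepingComputer; it parses lines constructed to match the layout of those logs (an assumption about both formats) and turns the three patterns into a finding list, cross-checking each spaced name against the O4 autostart entries so the triager can see which lookalikes shadow a real startup item.

```python
"""Triage helpers for the ComboFix / HijackThis log layouts pasted above.

Added example, not code from ComboFix, HijackThis or the forum. The sample
blocks below are constructed to match the layout of the logs in post #1
(an assumption about both formats); the regexes rely on that layout.
"""
import re

# Constructed sample shaped like the <pre> block of the ComboFix log: files
# whose names carry whitespace before the extension, plus one normal file.
COMBOFIX_PRE = r"""
----a-w            18,944 2008-01-12 19:07:04  C:\WINNT\avp .exe
----a-w            15,360 2008-01-12 19:03:36  C:\WINNT\system32\ctfmon .exe
----a-w           286,720 2008-01-12 19:06:40  C:\Program Files\QuickTime\qttask   .exe
----a-w           697,344 2008-01-12 19:03:32  C:\Program Files\iTunes\iTunesHelper .exe
----a-w            50,688 2004-08-04 08:56:00  C:\WINNT\twain_32.dll
"""

# Constructed sample shaped like ComboFix's "Reg Loading Points" section.
COMBOFIX_REG = r"""
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Winupdate Engine"="C:\WINNT\system32\wupeng.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-02 20:04 84640]
"""

# Constructed sample shaped like HijackThis O4 / O9 / O20 lines.
HJT = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Winupdate Engine] C:\WINNT\system32\wupeng.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: winlzh32 - winlzh32.dll (file missing)
"""

PRE_LINE = re.compile(
    r"^(?P<attr>\S+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>[A-Za-z]:\\.*?)\s*$")
# Whitespace immediately before the extension: "avp .exe" posing as "avp.exe".
SPACED_NAME = re.compile(r"^(?P<stem>.*?\S)\s+\.(?P<ext>[A-Za-z0-9]+)$")
REG_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+)\s+-\s+(?P<body>.*)$")
PATH_IN_LINE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)\b', re.I)


def parse_pre(block):
    """Return the full paths listed in the ComboFix <pre> section."""
    return [m.group("path") for m in map(PRE_LINE.match, block.splitlines()) if m]


def find_spaced_names(paths):
    """Return (path, impersonated_name) for file names with whitespace before
    the extension; the impersonated name is what the file looks like at a glance."""
    hits = []
    for path in paths:
        m = SPACED_NAME.match(path.rsplit("\\", 1)[-1])
        if m:
            hits.append((path, f"{m.group('stem')}.{m.group('ext')}"))
    return hits


def find_unverified_run_entries(block):
    """Return (value_name, target) for Run entries whose bracket is empty.
    Heuristic: in this log, entries with a file on disk carry '[date time size]',
    so an empty '[ ]' means no file details were recorded and the target
    should be checked by hand."""
    hits = []
    for m in map(REG_LINE.match, block.splitlines()):
        if m and not m.group("meta").strip():
            hits.append((m.group("name"), m.group("target")))
    return hits


def find_missing_files(block):
    """Return (section, body) for HijackThis entries tagged '(file missing)'."""
    return [(m.group("section"), m.group("body"))
            for m in map(HJT_LINE.match, block.splitlines())
            if m and "(file missing)" in m.group("body")]


def autorun_basenames(block):
    """Lower-cased executable names referenced by O4 (Run key) entries."""
    names = set()
    for line in block.splitlines():
        if line.startswith("O4 "):
            names.update(p.rsplit("\\", 1)[-1].lower() for p in PATH_IN_LINE.findall(line))
    return names


def triage(pre_block, reg_block, hjt_block):
    """Combine the three checks into (kind, subject, note) findings."""
    findings = []
    autoruns = autorun_basenames(hjt_block)
    for path, legit in find_spaced_names(parse_pre(pre_block)):
        note = "impersonates an autostart entry" if legit.lower() in autoruns else "lookalike name"
        findings.append(("spaced-name", path, f"{note}: {legit}"))
    for name, target in find_unverified_run_entries(reg_block):
        findings.append(("unverified-run", target, f"Run value '{name}' has no recorded file details"))
    for section, body in find_missing_files(hjt_block):
        findings.append(("missing-file", section, body))
    return findings


if __name__ == "__main__":
    for kind, subject, note in triage(COMBOFIX_PRE, COMBOFIX_REG, HJT):
        print(f"{kind:15} {subject:55} {note}")
```

Run as a script it prints one line per finding; on the constructed sample the `ctfmon .exe` and `qttask   .exe` entries are reported as shadowing live autostart items, `avp .exe` and `iTunesHelper .exe` as plain lookalikes, `wupeng.exe` as an unverified Run target, and the `winlzh32` Winlogon Notify entry as a missing file. The empty-bracket rule is a reading of this particular log format, not a documented ComboFix convention, so treat that finding as a prompt to check the path rather than as a verdict.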

#2 Shaba

Posted 30 January 2008 - 09:38 AM

Hi jston80

Delete your copy of Combofix, it's outdated.

After that:

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
Microsoft MVP Consumer Security

#3 Shaba

Posted 07 February 2008 - 06:15 AM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security