Computer unresponsive in normal mode Having problem scanning in safe mode


  • This topic is locked
16 replies to this topic

#1 SomersetGuy

  • Members
  • 36 posts

Posted 06 January 2009 - 08:55 PM

[attachment=10992:Attach.txt]

Original sad post here: Original post

I am only able to get these logs in SAFE mode. In Normal Mode Windows Installer is running... the message on the screen says "Preparing to install..." and the cancel button, as well as everything else, is unresponsive. Thanks in advance!

Edited to correct post - Reading is fundamental


DDS (Version 1.1.0) - NTFSx86 MINIMAL
Run by Administrator at 18:30:26.95 on Tue 01/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.808 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://77.93.75.155/go//?cmp=vm_finance_cj_onlinecash911_h&nid=&uid=87572618CFD911DDA9A9166350CFFFFF&guid=AAE5675B7FA14CC1BCE2D43C885A0DD8&affid=166350&lid=winlogon.exe&rid=zdez&v=1176&m=irq4&edr=267c
mSearchAssistant = hxxp://www.google.com/ie
BHO: {180a45be-58f2-463e-a2c7-83e2dae73429} - c:\windows\system32\jkkKawvU.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\rqRKATLf.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: {B562ED35-5EAE-4694-9763-4E81FA2C700E} - No File
BHO: {B8D0B100-76E6-4E7E-B4D4-E5F45A146F09} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HPHmon04] c:\windows\system32\hphmon04.exe
mRun: [HPHUPD04] "c:\program files\hp photosmart 11\hphinstall\unipatch\hphupd04.exe"
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: amaena.com
Trusted Zone: antimalwareguard.com
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: musicmatch.com\online
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: rqRKATLf - rqRKATLf.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL,avgrsstx.dll kdornh.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\rqRKATLf.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkKawvU

============= SERVICES / DRIVERS ===============

R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-6 97928]
S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-6 26824]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-7-27 29744]
S4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-5 875288]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-5 231704]
S4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-6 76040]
S4 d1zdjxzkram.sys;d1zdjxzkram.sys;\??\c:\windows\system32\drivers\d1zdjxzkram.sys --> c:\windows\system32\drivers\d1zdjxzkram.sys [?]
S4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

=============== Created Last 30 ================

2009-01-06 13:48 <DIR> --d----- c:\program files\Trend Micro
2009-01-06 07:06 <DIR> --d----- c:\docume~1\admini~1\applic~1\Safer Networking
2009-01-06 06:23 <DIR> --d----- c:\program files\Safer Networking
2009-01-06 03:37 <DIR> --d----- C:\VundoFix Backups
2009-01-06 02:02 <DIR> --d----- c:\program files\FreeCommander
2009-01-06 01:53 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-06 01:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 01:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-06 01:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 01:42 21,504 a------- c:\windows\system32\hidserv.dll
2009-01-06 01:42 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2008-12-27 08:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CA
2008-12-27 08:05 <DIR> --d----- c:\program files\CA
2008-12-24 19:17 136,192 a------- c:\windows\system32\dxfvgwoy.dll
2008-12-24 00:17 384,000 a------- c:\windows\system32\winscenter.exe
2008-12-24 00:17 1,003,957 a------- c:\windows\sysexplorer.exe
2008-12-24 00:17 134,149 a------- c:\windows\reged.exe
2008-12-24 00:17 51,197 a------- c:\windows\spoolsystem.exe
2008-12-24 00:17 50,620 a------- c:\windows\sys.com
2008-12-24 00:17 47,872 a------- c:\windows\syscert.exe
2008-12-24 00:17 18,941 a------- c:\windows\vmreg.dll
2008-12-24 00:17 <DIR> --d----- c:\program files\Spyware Guard 2008
2008-12-24 00:16 29,189 a------- c:\docume~1\alluse~1\applic~1\svhost.exe
2008-12-24 00:13 1,661,209 ---sh--- c:\windows\system32\aexrowka.ini
2008-12-24 00:13 92,160 a------- c:\windows\system32\akworxea.dll
2008-12-24 00:07 130,048 a------- c:\windows\system32\kdornh.dll
2008-12-24 00:07 130,048 a------- c:\windows\system32\pfrunrsa.dll
2008-12-23 21:50 974,882 a--sh--- c:\windows\system32\UvwaKkkj.ini2
2008-12-23 18:15 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-23 18:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-23 00:12 92,160 a------- c:\windows\system32\nlwqhdwd.dll
2008-12-23 00:06 131,584 a------- c:\windows\system32\svzpjr.dll
2008-12-23 00:06 131,584 a------- c:\windows\system32\oxfobchk.dll
2008-12-22 18:11 0 a------- c:\windows\system32\winsrc.dll.tmp
2008-12-21 22:36 135,680 a------- c:\windows\system32\klgteb.dll
2008-12-21 22:36 135,680 a------- c:\windows\system32\gkbenwum.dll
2008-12-21 22:35 974,882 a--sh--- c:\windows\system32\UvwaKkkj.ini
2008-12-21 22:35 292,352 a------- c:\windows\system32\jkkKawvU.dll
2008-12-21 22:15 58,880 a------- c:\windows\system32\rqRKATLf.dll

==================== Find3M ====================

2009-01-06 14:47 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2007-08-27 14:48 56 ---shr-- c:\windows\system32\1E5CA4B2F0.sys
2008-06-01 14:40 88 ---shr-- c:\windows\system32\F0B2A45C1E.sys
2008-06-01 14:40 4,704 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-13 22:28 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091320080914\index.dat

============= FINISH: 18:32:36.89 ===============

Edited by SomersetGuy, 06 January 2009 - 09:41 PM.



#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 06 January 2009 - 11:17 PM

Hello SomersetGuy,


I would have liked the HijackThis log better, so in future posts, please use that. :thumbsup: In fact, if you cannot get this next tool to go, then go ahead and post a new HijackThis log and we'll see how much we can get out manually so we can make the tools run. :)

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 SomersetGuy

  • Topic Starter
  • Members
  • 36 posts

Posted 07 January 2009 - 08:01 AM

Hi Tea,

Thanks for the quick reply!

I downloaded ComboFix on my PC and copied it to my sister's PC via thumbdrive. I double clicked the ComboFix.exe icon on her desktop and nothing happens. I have Sysinternals Process Explorer installed on her machine. I tried to run ComboFix.exe again with Process Explorer running and ComboFix.exe appears under Explorer.exe for a couple of minutes then disappears. I do not get the program to open. This is the same thing that is happening to HijackThis. It seems like the program just times out.

Any other ideas?

Edited by SomersetGuy, 07 January 2009 - 08:14 AM.


#4 SomersetGuy

  • Topic Starter
  • Members
  • 36 posts

Posted 07 January 2009 - 10:40 AM

Hi Tea,

I was able to boot my sister's machine in Normal Mode and run HijackThis. Here is the log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:21 AM, on 1/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\hphmon04.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\RunOnce: [tdss] C:\DOCUME~1\Steve\LOCALS~1\Temp\39834437.exe
O4 - HKLM\..\RunOnce: [caaspydelayedscan] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CaAntiSpyware.exe" /delayscan
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [77539384706336739702748381187382] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll kdornh.dll vqxsur.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 9404 bytes
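
A triage script over the DDS log in post #1 and the HijackThis log in post #4, added here as an example; it is not part of the thread and not code from DDS, HijackThis or ComboFix. It uses only the Python standard library. The sample lines are copied from the two logs above, the allowlists are constructed for this example, and the reversed-name check is nothing more than the pattern visible in post #1 (jkkKawvU.dll created alongside UvwaKkkj.ini, akworxea.dll alongside aexrowka.ini). The LSA check assumes only that a stock Windows XP install lists msv1_0 as its sole authentication package.

```python
"""Triage helpers for the DDS and HijackThis logs posted in this thread.
Added example, not code from the thread or from the DDS/HijackThis tools.
Standard library only; sample lines are copied from the posts above."""
import re
from collections import defaultdict

# Constructed sample: "Created Last 30" lines taken from the DDS log in post #1.
DDS_CREATED = r"""
2008-12-24 00:13 1,661,209 ---sh--- c:\windows\system32\aexrowka.ini
2008-12-24 00:13 92,160 a------- c:\windows\system32\akworxea.dll
2008-12-23 21:50 974,882 a--sh--- c:\windows\system32\UvwaKkkj.ini2
2008-12-21 22:35 974,882 a--sh--- c:\windows\system32\UvwaKkkj.ini
2008-12-21 22:35 292,352 a------- c:\windows\system32\jkkKawvU.dll
2008-12-21 22:15 58,880 a------- c:\windows\system32\rqRKATLf.dll
2009-01-06 01:42 21,504 a------- c:\windows\system32\hidserv.dll
""".strip().splitlines()

# Constructed sample: lines taken from the HijackThis log in post #4.
HJT = r"""
O4 - HKLM\..\RunOnce: [tdss] C:\DOCUME~1\Steve\LOCALS~1\Temp\39834437.exe
O4 - HKCU\..\Run: [77539384706336739702748381187382] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.virusremover2008.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll kdornh.dll vqxsur.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
""".strip().splitlines()

# The LSA line from the DDS "Pseudo HJT Report" in post #1.
LSA_LINE = r"LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkKawvU"

DDS_LINE = re.compile(r"^(\S+ \S+)\s+([\d,]+|<DIR>)\s+(\S+)\s+(.+)$")
O4_ENTRY = re.compile(r"^O4 - .*?: \[([^\]]*)\] (.*)$")

# Constructed allowlists for this example; extend them per host.
AUTORUN_ALLOW = {"ctfmon.exe"}
APPINIT_ALLOW = {"goec62~1.dll", "avgrsstx.dll"}  # Google Desktop and AVG hooks seen in the log


def parse_dds_created(lines):
    """Return (timestamp, size, attrs, path) tuples for DDS 'Created' lines."""
    return [m.groups() for m in (DDS_LINE.match(l.strip()) for l in lines) if m]


def reversed_name_pairs(paths):
    """Pair each .dll with a .ini/.ini2 in the same directory whose stem is the
    DLL stem spelled backwards (case-insensitive), as seen in post #1."""
    by_dir = defaultdict(lambda: defaultdict(dict))  # dir -> ext -> stem -> name
    for p in paths:
        d, _, name = p.lower().rpartition("\\")
        stem, _, ext = name.rpartition(".")
        by_dir[d][ext][stem] = name
    pairs = []
    for exts in by_dir.values():
        for stem, dll in exts["dll"].items():
            for ext in ("ini", "ini2"):
                if stem[::-1] in exts[ext]:
                    pairs.append((dll, exts[ext][stem[::-1]]))
    return sorted(pairs)


def triage_hjt(lines):
    """Return (code, reason, line) findings for HijackThis lines."""
    findings = []
    for line in (l.strip() for l in lines):
        if line.startswith("O15 - Trusted Zone:"):
            # Every Trusted Zone entry relaxes IE's security settings for that domain.
            findings.append(("O15", "trusted zone entry", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # Each DLL listed here is loaded into every process that links user32.dll.
            for dll in re.split(r"[,\s]+", line.split(":", 1)[1].strip()):
                base = dll.rpartition("\\")[2].lower()
                if base and base not in APPINIT_ALLOW:
                    findings.append(("O20", f"AppInit DLL {base}", line))
        else:
            m = O4_ENTRY.match(line)
            if not m or m.group(1).lower() in AUTORUN_ALLOW:
                continue
            name, cmd = m.groups()
            if "\\temp\\" in cmd.lower():
                findings.append(("O4", "autorun launched from a Temp directory", line))
            elif re.fullmatch(r"\d{16,}", name):
                findings.append(("O4", "autorun with a long numeric name", line))
    return findings


def lsa_extra_packages(line):
    """Return authentication packages other than msv1_0, the only one a stock
    Windows XP install lists (the DDS line above shows jkkKawvU appended)."""
    _, _, value = line.partition("=")
    return [p for p in value.split() if p.lower() != "msv1_0"]


if __name__ == "__main__":
    paths = [row[3] for row in parse_dds_created(DDS_CREATED)]
    for dll, ini in reversed_name_pairs(paths):
        print(f"reversed-name pair: {dll} <-> {ini}")
    for code, reason, line in triage_hjt(HJT):
        print(f"{code}: {reason}: {line}")
    print("extra LSA packages:", lsa_extra_packages(LSA_LINE))
```

Run against the sample above it reports the two reversed-name pairs, the RunOnce entry launched from Temp, the numeric-named "Antivirus 2009" autorun, the rogue Trusted Zone domain, the two unlisted AppInit DLLs and the extra LSA package. The allowlists are deliberately tiny so that everything the thread later removed surfaces; on a real host you would seed them from a known-clean baseline rather than from the infected log.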

#5 SomersetGuy

  • Topic Starter
  • Members
  • 36 posts

Posted 07 January 2009 - 05:31 PM

Hi Tea,

Here is the Log file from ComboFix.

ComboFix 09-01-07.01 - Steve 2009-01-07 17:11:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.582 [GMT -5:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Spyware Guard 2008
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\system32\aexrowka.ini
c:\windows\system32\Drivers\TDSSpqlt.sys
c:\windows\system32\ehgehbps.ini
c:\windows\system32\jkkKawvU.dll
c:\windows\system32\kdornh.dll
c:\windows\system32\rqRKATLf.dll
c:\windows\system32\spbheghe.dll
c:\windows\system32\TDSSbrsr.dll
c:\windows\system32\TDSSkkdu.log
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSorvd.dat
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\UvwaKkkj.ini
c:\windows\system32\UvwaKkkj.ini2
c:\windows\system32\vqxsur.dll
c:\windows\system32\winsrc.dll.tmp
c:\windows\system32\wmkluilp.dll
c:\windows\Temp\00012304.exe
c:\windows\vmreg.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-07 12:47 . 2009-01-07 12:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\CA
2009-01-06 20:32 . 2009-01-07 17:15 <DIR> d-------- c:\windows\system32\NtmsData
2009-01-06 13:48 . 2009-01-06 13:48 <DIR> d-------- c:\program files\Trend Micro
2009-01-06 07:06 . 2009-01-06 07:06 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Safer Networking
2009-01-06 06:23 . 2009-01-06 06:23 <DIR> d-------- c:\program files\Safer Networking
2009-01-06 03:37 . 2009-01-06 03:37 <DIR> d-------- C:\VundoFix Backups
2009-01-06 03:35 . 2009-01-06 03:35 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2009-01-06 02:02 . 2009-01-06 04:41 <DIR> d-------- c:\program files\FreeCommander
2009-01-06 01:53 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 01:52 . 2009-01-07 10:58 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 01:52 . 2009-01-06 01:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-06 01:52 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 01:42 . 2008-04-13 14:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-01-06 01:42 . 2008-04-13 20:11 21,504 --a------ c:\windows\system32\hidserv.dll
2008-12-27 08:08 . 2008-12-27 08:08 <DIR> d-------- c:\documents and settings\Steve\Application Data\CallingID
2008-12-27 08:05 . 2008-12-27 08:05 <DIR> d-------- c:\program files\CA
2008-12-27 07:52 . 2008-12-27 07:57 <DIR> d-------- c:\documents and settings\Steve\Application Data\GetRightToGo
2008-12-24 00:16 . 2009-01-07 14:26 2,712 --a------ c:\windows\system32\TDSSlxwp.dll
2008-12-23 18:15 . 2008-12-23 19:13 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-23 18:15 . 2008-12-23 21:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 21:46 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2009-01-07 18:10 --------- d-----w c:\program files\Google
2009-01-07 18:08 --------- d-----w c:\program files\Hewlett-Packard
2009-01-07 17:47 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-06 19:47 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-12-27 01:36 --------- d-----w c:\program files\Common Files\Real
2008-12-23 00:29 --------- d-----w c:\program files\Coupons
2008-12-22 03:37 --------- d-----w c:\program files\Common Files\Adobe
2008-12-11 01:04 --------- d---a-w c:\documents and setti

#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 07 January 2009 - 05:36 PM

Hi there,

What I can see is good! :thumbsup: The rootkit was shaken loose, for sure. The report got cut off though. Could you please post the whole thing?

Thanks,
tea

#7 SomersetGuy

  • Topic Starter
  • Members
  • 36 posts

Posted 07 January 2009 - 05:38 PM

ComboFix 09-01-07.01 - Steve 2009-01-07 17:11:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.582 [GMT -5:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Spyware Guard 2008
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\system32\aexrowka.ini
c:\windows\system32\Drivers\TDSSpqlt.sys
c:\windows\system32\ehgehbps.ini
c:\windows\system32\jkkKawvU.dll
c:\windows\system32\kdornh.dll
c:\windows\system32\rqRKATLf.dll
c:\windows\system32\spbheghe.dll
c:\windows\system32\TDSSbrsr.dll
c:\windows\system32\TDSSkkdu.log
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSorvd.dat
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\UvwaKkkj.ini
c:\windows\system32\UvwaKkkj.ini2
c:\windows\system32\vqxsur.dll
c:\windows\system32\winsrc.dll.tmp
c:\windows\system32\wmkluilp.dll
c:\windows\Temp\00012304.exe
c:\windows\vmreg.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-07 12:47 . 2009-01-07 12:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\CA
2009-01-06 20:32 . 2009-01-07 17:15 <DIR> d-------- c:\windows\system32\NtmsData
2009-01-06 13:48 . 2009-01-06 13:48 <DIR> d-------- c:\program files\Trend Micro
2009-01-06 07:06 . 2009-01-06 07:06 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Safer Networking
2009-01-06 06:23 . 2009-01-06 06:23 <DIR> d-------- c:\program files\Safer Networking
2009-01-06 03:37 . 2009-01-06 03:37 <DIR> d-------- C:\VundoFix Backups
2009-01-06 03:35 . 2009-01-06 03:35 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2009-01-06 02:02 . 2009-01-06 04:41 <DIR> d-------- c:\program files\FreeCommander
2009-01-06 01:53 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 01:52 . 2009-01-07 10:58 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 01:52 . 2009-01-06 01:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-06 01:52 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 01:42 . 2008-04-13 14:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-01-06 01:42 . 2008-04-13 20:11 21,504 --a------ c:\windows\system32\hidserv.dll
2008-12-27 08:08 . 2008-12-27 08:08 <DIR> d-------- c:\documents and settings\Steve\Application Data\CallingID
2008-12-27 08:05 . 2008-12-27 08:05 <DIR> d-------- c:\program files\CA
2008-12-27 07:52 . 2008-12-27 07:57 <DIR> d-------- c:\documents and settings\Steve\Application Data\GetRightToGo
2008-12-24 00:16 . 2009-01-07 14:26 2,712 --a------ c:\windows\system32\TDSSlxwp.dll
2008-12-23 18:15 . 2008-12-23 19:13 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-23 18:15 . 2008-12-23 21:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 21:46 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2009-01-07 18:10 --------- d-----w c:\program files\Google
2009-01-07 18:08 --------- d-----w c:\program files\Hewlett-Packard
2009-01-07 17:47 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-06 19:47 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-12-27 01:36 --------- d-----w c:\program files\Common Files\Real
2008-12-23 00:29 --------- d-----w c:\program files\Coupons
2008-12-22 03:37 --------- d-----w c:\program files\Common Files\Adobe
2008-12-11 01:04 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-17 01:00 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-17 00:59 --------- d-----w c:\program files\Lavasoft
2008-11-17 00:59 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-11 01:08 --------- d-----w c:\program files\MSECache
2007-08-27 19:48 56 --sh--r c:\windows\system32\1E5CA4B2F0.sys
2008-06-01 19:40 88 --sh--r c:\windows\system32\F0B2A45C1E.sys
2008-06-01 19:40 4,704 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-09-14 03:28 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091320080914\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 1005096]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-27 98304]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-04-04 335872]
"HPHUPD04"="c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-04-04 49152]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-07-27 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\d1zdjxzkram.sys]
@="\??\c:\windows\system32\drivers\d1zdjxzkram.sys"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-06 97928]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-05 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-05 231704]
S4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-06-06 76040]
S4 d1zdjxzkram.sys;d1zdjxzkram.sys;\??\c:\windows\system32\drivers\d1zdjxzkram.sys --> c:\windows\system32\drivers\d1zdjxzkram.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\BBSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\CAAntiSpywareScan_Daily as Steve at 8 07 AM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{69bdb1be-0b6f-47a6-8fe1-0d955ed196cb} - c:\windows\system32\vqxsur.dll
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
BHO-{B562ED35-5EAE-4694-9763-4E81FA2C700E} - (no file)
BHO-{B8D0B100-76E6-4E7E-B4D4-E5F45A146F09} - (no file)
BHO-{C43149FE-15AC-450F-BC43-444C28453BBF} - (no file)
BHO-{CA1FF635-21EC-48FC-979D-D93EB0E3FC84} - c:\windows\system32\jkkKawvU.dll
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optonline.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: *.amaena.com
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.imagesrvr.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.spyguardpro.com
Trusted Zone: *.storageguardsoft.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusremover2008.com
Trusted Zone: *.virusschlacht.com

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 17:16:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\B*NULL*u*NULL*r*NULL*g*NULL*e*NULL*r*NULL* *NULL*I*NULL*s*NULL*l*NULL*a*NULL*n*NULL*d*NULL*"!]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,f0,69,02,00,00,00,00,de,56,98,\
ee,07,c7,c8,01,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,\
61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,53,00,68,00,6f,00,63,\
00,6b,00,77,00,61,00,76,00,65,00,2e,00,63,00,6f,00,6d,00,5c,00,42,00,75,00,\
72,00,67,00,65,00,72,00,20,00,49,00,73,00,6c,00,61,00,6e,00,64,00,5c,00,70,\
00,72,00,6f,00,64,00,75,00,63,00,74,00,5c,00,62,00,69,00,2e,00,65,00,78,00,\
65,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\S*NULL*n*NULL*a*NULL*i*NULL*l*NULL* *NULL*M*NULL*a*NULL*i*NULL*l*NULL*"!]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,30,ce,01,00,00,00,00,b6,9f,6e,\
f2,07,c7,c8,01,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,\
61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,53,00,68,00,6f,00,63,\
00,6b,00,77,00,61,00,76,00,65,00,2e,00,63,00,6f,00,6d,00,5c,00,53,00,6e,00,\
61,00,69,00,6c,00,20,00,4d,00,61,00,69,00,6c,00,5c,00,70,00,72,00,6f,00,64,\
00,75,00,63,00,74,00,5c,00,53,00,6e,00,61,00,69,00,6c,00,4d,00,61,00,69,00,\
6c,00,2e,00,65,00,78,00,65,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\B*NULL*u*NULL*r*NULL*g*NULL*e*NULL*r*NULL* *NULL*I*NULL*s*NULL*l*NULL*a*NULL*n*NULL*d*NULL*"!]
"DisplayName"="Burger Island™"
"UninstallString"="c:\\PROGRA~1\\SHOCKW~1.COM\\BURGER~1\\UNWISE.EXE c:\\PROGRA~1\\SHOCKW~1.COM\\BURGER~1\\INSTALL.LOG"
"DisplayVersion"="32.0.0.0"
"HelpLink"="http://www.shockwave.com/help/contact_us.jsp"
"Publisher"="Shockwave.com"
"URLInfoAbout"="http://www.shockwave.com/help/contact_us.jsp"
"Contact"="Customer Support"
"Comments"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\S*NULL*n*NULL*a*NULL*i*NULL*l*NULL* *NULL*M*NULL*a*NULL*i*NULL*l*NULL*"!]
"DisplayName"="Snail Mail™"
"UninstallString"="c:\\PROGRA~1\\SHOCKW~1.COM\\SNAILM~1\\UNWISE.EXE c:\\PROGRA~1\\SHOCKW~1.COM\\SNAILM~1\\INSTALL.LOG"
"DisplayVersion"="32.0.0.0"
"HelpLink"="http://www.shockwave.com/help/contact_us.jsp"
"Publisher"="Shockwave.com"
"URLInfoAbout"="http://www.shockwave.com/help/contact_us.jsp"
"Contact"="Customer Support"
"Comments"=""
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-01-07 17:20:52 - machine was rebooted [Steve]
ComboFix-quarantined-files.txt 2009-01-07 22:20:32

Pre-Run: 201,924,538,368 bytes free
Post-Run: 201,886,957,568 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

278 --- E O F --- 2008-12-18 08:00:37

#8 teacup61 (Malware Response Team)

Posted 07 January 2009 - 05:56 PM

Yay! We're getting moving now! :thumbsup:

Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As":
http://www.mvps.org/winhelp2002/DelDomains.inf
Save the file to the desktop. Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal. Then please restart your computer.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\drivers\d1zdjxzkram.sys

Driver::
d1zdjxzkram

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\d1zdjxzkram.sys]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again.

After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

How is it running now? :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#9 SomersetGuy (Topic Starter)

Posted 07 January 2009 - 06:20 PM

Woooo Hooooo! You are the BEST!!!! :thumbsup: The PC is running great!

Here is the new log:

ComboFix 09-01-07.01 - Steve 2009-01-07 18:11:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.621 [GMT -5:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\d1zdjxzkram.sys
c:\windows\system32\TDSSlxwp.dll
.

((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-07 17:33 . 2009-01-07 17:33 <DIR> d-------- c:\documents and settings\Steve\Application Data\Malwarebytes
2009-01-07 12:47 . 2009-01-07 12:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\CA
2009-01-06 20:32 . 2009-01-07 18:05 <DIR> d-------- c:\windows\system32\NtmsData
2009-01-06 13:48 . 2009-01-06 13:48 <DIR> d-------- c:\program files\Trend Micro
2009-01-06 07:06 . 2009-01-06 07:06 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Safer Networking
2009-01-06 06:23 . 2009-01-06 06:23 <DIR> d-------- c:\program files\Safer Networking
2009-01-06 03:37 . 2009-01-06 03:37 <DIR> d-------- C:\VundoFix Backups
2009-01-06 03:35 . 2009-01-06 03:35 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2009-01-06 02:02 . 2009-01-06 04:41 <DIR> d-------- c:\program files\FreeCommander
2009-01-06 01:53 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 01:52 . 2009-01-07 10:58 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 01:52 . 2009-01-06 01:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-06 01:52 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 01:42 . 2008-04-13 14:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-01-06 01:42 . 2008-04-13 20:11 21,504 --a------ c:\windows\system32\hidserv.dll
2008-12-27 08:08 . 2008-12-27 08:08 <DIR> d-------- c:\documents and settings\Steve\Application Data\CallingID
2008-12-27 08:05 . 2008-12-27 08:05 <DIR> d-------- c:\program files\CA
2008-12-27 07:52 . 2008-12-27 07:57 <DIR> d-------- c:\documents and settings\Steve\Application Data\GetRightToGo
2008-12-23 18:15 . 2008-12-23 19:13 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-23 18:15 . 2008-12-23 21:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 21:46 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2009-01-07 18:10 --------- d-----w c:\program files\Google
2009-01-07 18:08 --------- d-----w c:\program files\Hewlett-Packard
2009-01-07 17:47 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-06 19:47 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-12-27 01:36 --------- d-----w c:\program files\Common Files\Real
2008-12-23 00:29 --------- d-----w c:\program files\Coupons
2008-12-22 03:37 --------- d-----w c:\program files\Common Files\Adobe
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 01:04 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-17 01:00 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-17 00:59 --------- d-----w c:\program files\Lavasoft
2008-11-17 00:59 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-11 01:08 --------- d-----w c:\program files\MSECache
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2007-08-27 19:48 56 --sh--r c:\windows\system32\1E5CA4B2F0.sys
2008-06-01 19:40 88 --sh--r c:\windows\system32\F0B2A45C1E.sys
2008-06-01 19:40 4,704 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-09-14 03:28 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091320080914\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 1005096]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-27 98304]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-04-04 335872]
"HPHUPD04"="c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-04-04 49152]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-07-27 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-06 97928]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-05 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-05 231704]
S4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-06-06 76040]
S4 d1zdjxzkram.sys;d1zdjxzkram.sys;\??\c:\windows\system32\drivers\d1zdjxzkram.sys --> c:\windows\system32\drivers\d1zdjxzkram.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\BBSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\CAAntiSpywareScan_Daily as Steve at 8 07 AM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{69bdb1be-0b6f-47a6-8fe1-0d955ed196cb} - (no file)
BHO-{B562ED35-5EAE-4694-9763-4E81FA2C700E} - (no file)
BHO-{B8D0B100-76E6-4E7E-B4D4-E5F45A146F09} - (no file)
BHO-{C43149FE-15AC-450F-BC43-444C28453BBF} - (no file)
BHO-{CA1FF635-21EC-48FC-979D-D93EB0E3FC84} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optonline.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 18:13:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\B*NULL*u*NULL*r*NULL*g*NULL*e*NULL*r*NULL* *NULL*I*NULL*s*NULL*l*NULL*a*NULL*n*NULL*d*NULL*"!]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,f0,69,02,00,00,00,00,de,56,98,\
ee,07,c7,c8,01,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,\
61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,53,00,68,00,6f,00,63,\
00,6b,00,77,00,61,00,76,00,65,00,2e,00,63,00,6f,00,6d,00,5c,00,42,00,75,00,\
72,00,67,00,65,00,72,00,20,00,49,00,73,00,6c,00,61,00,6e,00,64,00,5c,00,70,\
00,72,00,6f,00,64,00,75,00,63,00,74,00,5c,00,62,00,69,00,2e,00,65,00,78,00,\
65,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\S*NULL*n*NULL*a*NULL*i*NULL*l*NULL* *NULL*M*NULL*a*NULL*i*NULL*l*NULL*"!]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,30,ce,01,00,00,00,00,b6,9f,6e,\
f2,07,c7,c8,01,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,\
61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,53,00,68,00,6f,00,63,\
00,6b,00,77,00,61,00,76,00,65,00,2e,00,63,00,6f,00,6d,00,5c,00,53,00,6e,00,\
61,00,69,00,6c,00,20,00,4d,00,61,00,69,00,6c,00,5c,00,70,00,72,00,6f,00,64,\
00,75,00,63,00,74,00,5c,00,53,00,6e,00,61,00,69,00,6c,00,4d,00,61,00,69,00,\
6c,00,2e,00,65,00,78,00,65,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\B*NULL*u*NULL*r*NULL*g*NULL*e*NULL*r*NULL* *NULL*I*NULL*s*NULL*l*NULL*a*NULL*n*NULL*d*NULL*"!]
"DisplayName"="Burger Island™"
"UninstallString"="c:\\PROGRA~1\\SHOCKW~1.COM\\BURGER~1\\UNWISE.EXE c:\\PROGRA~1\\SHOCKW~1.COM\\BURGER~1\\INSTALL.LOG"
"DisplayVersion"="32.0.0.0"
"HelpLink"="http://www.shockwave.com/help/contact_us.jsp"
"Publisher"="Shockwave.com"
"URLInfoAbout"="http://www.shockwave.com/help/contact_us.jsp"
"Contact"="Customer Support"
"Comments"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\S*NULL*n*NULL*a*NULL*i*NULL*l*NULL* *NULL*M*NULL*a*NULL*i*NULL*l*NULL*"!]
"DisplayName"="Snail Mail™"
"UninstallString"="c:\\PROGRA~1\\SHOCKW~1.COM\\SNAILM~1\\UNWISE.EXE c:\\PROGRA~1\\SHOCKW~1.COM\\SNAILM~1\\INSTALL.LOG"
"DisplayVersion"="32.0.0.0"
"HelpLink"="http://www.shockwave.com/help/contact_us.jsp"
"Publisher"="Shockwave.com"
"URLInfoAbout"="http://www.shockwave.com/help/contact_us.jsp"
"Contact"="Customer Support"
"Comments"=""
.
Completion time: 2009-01-07 18:15:45
ComboFix-quarantined-files.txt 2009-01-07 23:14:52
ComboFix2.txt 2009-01-07 22:20:54

Pre-Run: 201,881,321,472 bytes free
Post-Run: 201,862,094,848 bytes free

234 --- E O F --- 2008-12-18 08:00:37

#10 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 07 January 2009 - 06:24 PM

HijackThis log please? I'd use the other one, but things will likely be different now. :thumbsup:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#11 SomersetGuy
  • Topic Starter
  • Members
  • 36 posts

Posted 07 January 2009 - 06:29 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:15 PM, on 1/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {69bdb1be-0b6f-47a6-8fe1-0d955ed196cb} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {B562ED35-5EAE-4694-9763-4E81FA2C700E} - (no file)
O2 - BHO: (no name) - {B8D0B100-76E6-4E7E-B4D4-E5F45A146F09} - (no file)
O2 - BHO: (no name) - {C43149FE-15AC-450F-BC43-444C28453BBF} - (no file)
O2 - BHO: (no name) - {CA1FF635-21EC-48FC-979D-D93EB0E3FC84} - (no file)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 7889 bytes

#12 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 07 January 2009 - 06:36 PM

Hello,

Perfect, thanks. :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {69bdb1be-0b6f-47a6-8fe1-0d955ed196cb} - (no file)
O2 - BHO: (no name) - {B562ED35-5EAE-4694-9763-4E81FA2C700E} - (no file)
O2 - BHO: (no name) - {B8D0B100-76E6-4E7E-B4D4-E5F45A146F09} - (no file)
O2 - BHO: (no name) - {C43149FE-15AC-450F-BC43-444C28453BBF} - (no file)
O2 - BHO: (no name) - {CA1FF635-21EC-48FC-979D-D93EB0E3FC84} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

The HijackThis log says you've removed McAfee firewall. Is that right? Fine by me, but it should not leave those traces like that if that's the case. :)

Let me know. :)

tea

#13 SomersetGuy
  • Topic Starter
  • Members
  • 36 posts

Posted 07 January 2009 - 06:52 PM

Hi Tea!

Done! I followed your instructions and the PC has rebooted.

I don't think I removed McAfee. I did uninstall some CA software that looked like it didn't properly install. Could they be connected? This was software that my sister downloaded from her ISP after she was infected. She tried to fix this for a week before she told me about it. I was "the computer geek" in the family before this happened. I have been humbled!!!! I am extremely grateful for your help!

Ok, what should I do now? Run another HJT?

#14 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 07 January 2009 - 07:08 PM

Hi,

You're welcome. :)

I asked because in the HijackThis log, in the Services section I see a (file missing) for the Firewall:

O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe (file missing)

If it is supposed to be running, well it can't without the appropriate files and will need to be reinstalled. If it's not supposed to be there at all, then we can tidy this up.

You've been dealing with this for so long that you won't believe me when I say we're done! And we are.....done! :thumbsup: Just let me know what you want to do about the firewall. :)

tea
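
As an added example (not from this thread and not part of HijackThis itself), a small Python triage pass over the kind of HijackThis lines posted in #11 and acted on in #12 and #14: it picks out the "(no file)" entries that were ticked for "Fix checked" and the service marked "(file missing)" that teacup61 asked about. The sample lines are copied from the log above; the Finding class and the classify/triage names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: eight HijackThis v2.0.2 lines copied from the log posted in this
# thread (not a live capture), including "(no file)" entries and the "(file missing)" service.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.optonline.net/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {69bdb1be-0b6f-47a6-8fe1-0d955ed196cb} - (no file)
O2 - BHO: (no name) - {B562ED35-5EAE-4694-9763-4E81FA2C700E} - (no file)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfService.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass
class Finding:
    section: str            # HijackThis section code, e.g. "O2" or "O23"
    status: str             # "orphan", "missing", "unknown_owner" or "ok"
    clsid: Optional[str]    # CLSID in upper case, if the line carries one
    line: str

def classify(line: str) -> Optional[Finding]:
    """Classify one HijackThis line by the state of what it points at."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None                  # header, blank line or process-list entry
    sec, body = m.group("sec"), m.group("body")
    cm = CLSID_RE.search(body)
    clsid = cm.group(0).upper() if cm else None
    if body.endswith("(no file)"):
        status = "orphan"            # BHO/toolbar/hook whose DLL is gone: dead entry, remove it
    elif body.endswith("(file missing)"):
        status = "missing"           # service still registered but its binary is absent
    elif sec == "O23" and " - Unknown owner - " in body:
        status = "unknown_owner"     # HJT found no company name on the service binary
    else:
        status = "ok"
    return Finding(sec, status, clsid, line.strip())

def triage(log_text: str) -> List[Finding]:
    """Findings for every recognised line, with anything not "ok" listed first."""
    found = [f for f in map(classify, log_text.splitlines()) if f]
    return sorted(found, key=lambda f: f.status == "ok")
```

Running triage(SAMPLE_LOG) lists the three orphaned CLSID entries and the McAfee service first, then the entries whose files are present.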

#15 SomersetGuy
  • Topic Starter
  • Members
  • 36 posts

Posted 07 January 2009 - 07:19 PM

Hi Tea!

That is AWESOME! I run Zone Alarm on my PC and so far haven't had a problem. I was reading here yesterday that some people have experienced some problems with it. Do you have a recommendation?

Thank you So Much!



