
Log file


11 replies to this topic

#1 Mobear


Posted 11 January 2009 - 12:34 PM

I am posting my log file after having a problem with an IE7 virus. I am still infected and was instructed to post a log after running the Recovery Console.



ComboFix 09-01-10.03 - Chris Schuehler 2009-01-11 10:19:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1265 [GMT -7:00]
Running from: c:\documents and settings\Chris Schuehler\Desktop\ComboFix.exe
AV: CyberDefender Internet Security *On-access scanning enabled* (Updated)
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mfcans32.DLL
c:\windows\system32\mfcuia32.dll
c:\windows\system32\msrdo20.dll
c:\windows\system32\rdocurs.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-04 12:39 . 2009-01-04 12:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-04 12:39 . 2009-01-04 12:39 <DIR> d-------- c:\documents and settings\Chris Schuehler\Application Data\Malwarebytes
2009-01-04 12:39 . 2009-01-04 12:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-04 12:39 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 12:39 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-03 18:35 . 2008-10-15 18:00 1,499,136 --------- c:\windows\system32\dllcache\shdocvw.dll
2009-01-03 15:17 . 2009-01-03 15:17 230 --a------ c:\windows\system32\spupdsvc.inf
2009-01-02 21:08 . 2009-01-03 18:53 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-02 21:08 . 2009-01-03 18:53 <DIR> d-------- c:\documents and settings\Chris Schuehler\Application Data\SUPERAntiSpyware.com
2009-01-02 21:08 . 2009-01-02 21:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-02 21:07 . 2009-01-02 21:07 0 --a------ C:\LOG4F.tmp
2009-01-02 17:44 . 2009-01-02 17:44 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-01-02 17:44 . 2009-01-02 17:44 1,152 --a------ c:\windows\system32\windrv.sys
2009-01-02 17:38 . 2009-01-02 17:38 0 --a------ C:\LOG1F.tmp
2009-01-01 20:20 . 2009-01-01 20:43 <DIR> d-------- c:\program files\RegCure
2009-01-01 14:15 . 2009-01-01 14:15 0 --a------ C:\LOG31.tmp
2009-01-01 11:17 . 2009-01-01 11:17 74 --a------ c:\windows\st_affiliate.ini
2009-01-01 10:55 . 2009-01-04 12:56 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-01 10:55 . 2009-01-01 10:55 1,409 --a------ c:\windows\QTFont.for
2009-01-01 09:26 . 2009-01-01 09:26 0 --a------ C:\LOG36.tmp
2009-01-01 08:56 . 2009-01-01 08:56 64 --a------ c:\windows\av_affiliate.ini
2009-01-01 08:56 . 2009-01-01 08:56 64 --a------ c:\windows\as_affiliate.ini
2009-01-01 08:53 . 2009-01-01 09:01 <DIR> d-------- c:\program files\CyberDefender
2009-01-01 08:53 . 2009-01-01 08:52 67,424 --a------ c:\windows\system32\drivers\CDAVFS.sys
2009-01-01 08:52 . 2009-01-01 08:52 0 --a------ C:\LOG20.tmp
2009-01-01 08:14 . 2009-01-03 18:52 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-01 08:14 . 2009-01-03 18:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-31 22:56 . 2009-01-02 22:00 <DIR> d-------- c:\program files\VS Revo Group
2008-12-31 22:56 . 2008-12-31 22:56 0 --a------ C:\LOG1E.tmp
2008-12-31 22:37 . 2008-09-16 18:09 30,080 --a------ c:\windows\system32\drivers\RKHit.sys
2008-12-31 22:37 . 2008-12-31 22:37 42 --a------ c:\windows\system32\AK083E209605E394C.lie
2008-12-31 22:36 . 2008-12-31 22:36 0 --a------ C:\LOG1A.tmp
2008-12-31 22:00 . 2008-12-31 22:00 <DIR> d-------- c:\program files\Trend Micro
2008-12-31 22:00 . 2008-12-31 22:00 0 --a------ C:\LOGC.tmp

.


#2 bamajim


Posted 21 January 2009 - 04:12 PM

Mobear

The ComboFix log you posted is incomplete. Please repost the entire C:\ComboFix.txt log.
Microsoft MVP - Windows Security

#3 Mobear


Posted 21 January 2009 - 11:07 PM

ComboFix 09-01-10.03 - Chris Schuehler 2009-01-11 10:19:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1265 [GMT -7:00]
Running from: c:\documents and settings\Chris Schuehler\Desktop\ComboFix.exe
AV: CyberDefender Internet Security *On-access scanning enabled* (Updated)
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mfcans32.DLL
c:\windows\system32\mfcuia32.dll
c:\windows\system32\msrdo20.dll
c:\windows\system32\rdocurs.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-04 12:39 . 2009-01-04 12:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-04 12:39 . 2009-01-04 12:39 <DIR> d-------- c:\documents and settings\Chris Schuehler\Application Data\Malwarebytes
2009-01-04 12:39 . 2009-01-04 12:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-04 12:39 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 12:39 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-03 18:35 . 2008-10-15 18:00 1,499,136 --------- c:\windows\system32\dllcache\shdocvw.dll
2009-01-03 15:17 . 2009-01-03 15:17 230 --a------ c:\windows\system32\spupdsvc.inf
2009-01-02 21:08 . 2009-01-03 18:53 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-02 21:08 . 2009-01-03 18:53 <DIR> d-------- c:\documents and settings\Chris Schuehler\Application Data\SUPERAntiSpyware.com
2009-01-02 21:08 . 2009-01-02 21:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-02 21:07 . 2009-01-02 21:07 0 --a------ C:\LOG4F.tmp
2009-01-02 17:44 . 2009-01-02 17:44 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-01-02 17:44 . 2009-01-02 17:44 1,152 --a------ c:\windows\system32\windrv.sys
2009-01-02 17:38 . 2009-01-02 17:38 0 --a------ C:\LOG1F.tmp
2009-01-01 20:20 . 2009-01-01 20:43 <DIR> d-------- c:\program files\RegCure
2009-01-01 14:15 . 2009-01-01 14:15 0 --a------ C:\LOG31.tmp
2009-01-01 11:17 . 2009-01-01 11:17 74 --a------ c:\windows\st_affiliate.ini
2009-01-01 10:55 . 2009-01-04 12:56 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-01 10:55 . 2009-01-01 10:55 1,409 --a------ c:\windows\QTFont.for
2009-01-01 09:26 . 2009-01-01 09:26 0 --a------ C:\LOG36.tmp
2009-01-01 08:56 . 2009-01-01 08:56 64 --a------ c:\windows\av_affiliate.ini
2009-01-01 08:56 . 2009-01-01 08:56 64 --a------ c:\windows\as_affiliate.ini
2009-01-01 08:53 . 2009-01-01 09:01 <DIR> d-------- c:\program files\CyberDefender
2009-01-01 08:53 . 2009-01-01 08:52 67,424 --a------ c:\windows\system32\drivers\CDAVFS.sys
2009-01-01 08:52 . 2009-01-01 08:52 0 --a------ C:\LOG20.tmp
2009-01-01 08:14 . 2009-01-03 18:52 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-01 08:14 . 2009-01-03 18:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-31 22:56 . 2009-01-02 22:00 <DIR> d-------- c:\program files\VS Revo Group
2008-12-31 22:56 . 2008-12-31 22:56 0 --a------ C:\LOG1E.tmp
2008-12-31 22:37 . 2008-09-16 18:09 30,080 --a------ c:\windows\system32\drivers\RKHit.sys
2008-12-31 22:37 . 2008-12-31 22:37 42 --a------ c:\windows\system32\AK083E209605E394C.lie
2008-12-31 22:36 . 2008-12-31 22:36 0 --a------ C:\LOG1A.tmp
2008-12-31 22:00 . 2008-12-31 22:00 <DIR> d-------- c:\program files\Trend Micro
2008-12-31 22:00 . 2008-12-31 22:00 0 --a------ C:\LOGC.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 17:23 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-11 04:14 --------- d-----w c:\program files\Google
2009-01-08 05:12 75,480 ----a-w c:\documents and settings\Chris Schuehler\Application Data\GDIPFONTCACHEV1.DAT
2009-01-01 22:41 --------- d-----w c:\program files\Norton Ghost
2009-01-01 16:26 --------- d-----w c:\documents and settings\Chris Schuehler\Application Data\U3
2008-12-30 12:54 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-12-12 17:01 3,067,904 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 21:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 20:38 63,488 ------w c:\windows\system32\dllcache\icardie.dll
2008-10-16 20:38 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-10-16 20:38 52,224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
2008-10-16 20:38 459,264 ------w c:\windows\system32\dllcache\msfeeds.dll
2008-10-16 20:38 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
2008-10-16 20:38 267,776 ------w c:\windows\system32\dllcache\iertutil.dll
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\dllcache\wininet.dll
2008-10-16 01:00 619,520 ----a-w c:\windows\system32\dllcache\urlmon.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2006-08-07 01:16 1,164 ----a-w c:\program files\launch.ica
2006-08-07 01:11 1,551,360 ----a-w c:\program files\AGE40-AGC.msi
2001-12-04 00:09 90,112 ----a-w c:\program files\internet explorer\plugins\DjVuControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-26 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-13 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-14 7323648]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MediaLifeService"="c:\program files\Logitech\MediaLife\MediaLifeService.exe" [2005-05-12 110739]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-02 267048]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2008-02-06 718704]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2007-04-10 1537640]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-07-19 24576]
Logitech Harmony Remote Software 7.lnk - c:\program files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe [2006-09-24 86112]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-07-25 450560]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-13 20:26 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a------ 2006-08-18 03:15 471040 c:\program files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 01:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 12:01 67584 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-07-19 16:59 169984 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 08:44 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 08:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-02 18:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 17:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
--a------ 2007-04-10 12:01 1537640 c:\program files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2007-10-22 17:47 360448 c:\program files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 20:16 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-09-10 06:00 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-09 22:28 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-03-22 14:20 339968 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\GameSpy\\Comrade\\Comrade.exe"=
"c:\\Program Files\\CyberDefender\\AntiSpyware\\cdas22.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-07 99376]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-01-25 149352]
S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [2009-01-01 67424]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*NewlyCreated* - GUSVC
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-01-10 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (OFFICE-Chris Schuehler).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2009-01-06 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Chris Schuehler.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 05:05]

2009-01-11 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 11:55]

2009-01-11 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 11:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Winamp Toolbar Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: www.isqft.com
Trusted Zone: *.turbotax.com
Trusted Zone: online.musicmatch.com

O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://jeffco.us/activex/AMC.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 10:23:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-11 10:25:10
ComboFix-quarantined-files.txt 2009-01-11 17:25:05
ComboFix2.txt 2009-01-04 01:41:36

Pre-Run: 111,673,565,184 bytes free
Post-Run: 111,804,657,664 bytes free

236 --- E O F --- 2008-12-19 10:00:47

#4 bamajim


Posted 22 January 2009 - 09:52 AM

Mobear

1. Open Notepad (not WordPad). Copy and paste the following into Notepad:

File::
c:\windows\st_affiliate.ini
c:\windows\av_affiliate.ini
c:\windows\as_affiliate.ini


Save the file as CFScript (exactly as shown, no spaces) and save it to your Desktop.

Using the image as a reference, drag CFScript into ComboFix.exe.

You will be prompted to run ComboFix again. Do so, following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.

2. Rerun HijackThis and post a fresh HijackThis log as well.
Microsoft MVP - Windows Security
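An added example, not part of this thread and not ComboFix's own code: a small Python helper for the step above. It reads the `File::` block of a CFScript and a follow-up ComboFix log in the layout posted here, confirms each listed file shows up under "Other Deletions" (i.e. the script actually took effect), and lists the loading-point entries from the log that weaken host defences (Security Center monitoring off, the XP firewall profile off, globally open ports). The log excerpt is constructed from lines in this thread; the section banners and directive format are assumed to match the logs as posted.

```python
import re

# Constructed sample: the CFScript given in the post above (File:: directive).
CFSCRIPT = r"""File::
c:\windows\st_affiliate.ini
c:\windows\av_affiliate.ini
c:\windows\as_affiliate.ini
"""

# Constructed sample: excerpts of a follow-up ComboFix log, in the same layout
# as the logs in this thread (section banners wrapped in parentheses).
FOLLOWUP_LOG = r"""ComboFix 09-01-21.04 - user 2009-01-23 22:35:59.3 - NTFSx86
.
(((((((((((((((((((( Other Deletions ))))))))))))))))))))
.
c:\windows\as_affiliate.ini
c:\windows\av_affiliate.ini
c:\windows\st_affiliate.ini
c:\windows\system32\drivers\RKHit.sys
.
(((((((((((((((((((( Reg Loading Points ))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# A section banner is a run of '(' , the section name, then a run of ')'.
BANNER = re.compile(r"^\(+\s*(.*?)\s*\)+$")


def split_sections(log):
    """Split a ComboFix log into {section name: [non-empty lines]}.
    Text before the first banner is filed under 'header'; the lone '.'
    separator lines ComboFix prints are dropped."""
    sections, current = {"header": []}, "header"
    for raw in log.splitlines():
        line = raw.strip()
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line and line != ".":
            sections[current].append(line)
    return sections


def parse_cfscript_files(script):
    """Return the paths listed under a CFScript's File:: directive
    (a blank line or another 'Name::' directive ends the block)."""
    paths, active = [], False
    for line in script.splitlines():
        s = line.strip()
        if not s:
            active = False
        elif s.endswith("::"):
            active = s.lower() == "file::"
        elif active:
            paths.append(s.lower())
    return paths


def verify_deletions(script, followup_log):
    """Map each File:: target to True if the follow-up log's 'Other Deletions'
    section shows ComboFix actually removed it, False otherwise."""
    deleted = {p.lower() for p in split_sections(followup_log).get("Other Deletions", [])}
    return {p: p in deleted for p in parse_cfscript_files(script)}


def weakened_policy_findings(log):
    """Flag loading points that weaken host defences. Security suites set the
    Security Center monitoring flag themselves, so each finding is a review
    item for the analyst, not proof of infection on its own."""
    findings, key = [], ""
    for line in split_sections(log).get("Reg Loading Points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember the registry key for the values that follow
            continue
        low_key, low_line = key.lower(), line.lower()
        if "security center" in low_key and "disablemonitoring" in low_line and low_line.endswith("1"):
            findings.append("Security Center monitoring disabled: " + key)
        elif low_key.endswith("standardprofile") and "enablefirewall" in low_line and "= 0" in low_line:
            findings.append("Windows Firewall standard profile disabled")
        elif low_key.endswith("globallyopenports\\list"):
            port = line.split("=")[0].strip().strip('"')
            findings.append("Globally open port: " + port)
    return findings
```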

#5 Mobear


Posted 24 January 2009 - 12:53 AM

Here is my ComboFix log and Hijackthis log as well.




ComboFix 09-01-21.04 - Chris Schuehler 2009-01-23 22:35:59.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1340 [GMT -7:00]
Running from: c:\documents and settings\Chris Schuehler\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris Schuehler\Desktop\CFScript.txt
AV: CyberDefender Internet Security *On-access scanning enabled* (Updated)
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *enabled*
* Created a new restore point

FILE ::
c:\windows\as_affiliate.ini
c:\windows\av_affiliate.ini
c:\windows\st_affiliate.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\as_affiliate.ini
c:\windows\av_affiliate.ini
c:\windows\st_affiliate.ini
c:\windows\system32\drivers\RKHit.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RKHIT


((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))
.

2009-01-04 12:39 . 2009-01-04 12:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-04 12:39 . 2009-01-04 12:39 <DIR> d-------- c:\documents and settings\Chris Schuehler\Application Data\Malwarebytes
2009-01-04 12:39 . 2009-01-04 12:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-04 12:39 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 12:39 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-03 18:35 . 2008-10-15 18:00 1,499,136 --------- c:\windows\system32\dllcache\shdocvw.dll
2009-01-03 15:17 . 2009-01-03 15:17 230 --a------ c:\windows\system32\spupdsvc.inf
2009-01-02 21:08 . 2009-01-03 18:53 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-02 21:08 . 2009-01-03 18:53 <DIR> d-------- c:\documents and settings\Chris Schuehler\Application Data\SUPERAntiSpyware.com
2009-01-02 21:08 . 2009-01-02 21:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-02 21:07 . 2009-01-02 21:07 0 --a------ C:\LOG4F.tmp
2009-01-02 17:44 . 2009-01-02 17:44 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-01-02 17:44 . 2009-01-02 17:44 1,152 --a------ c:\windows\system32\windrv.sys
2009-01-02 17:38 . 2009-01-02 17:38 0 --a------ C:\LOG1F.tmp
2009-01-01 20:20 . 2009-01-01 20:43 <DIR> d-------- c:\program files\RegCure
2009-01-01 14:15 . 2009-01-01 14:15 0 --a------ C:\LOG31.tmp
2009-01-01 10:55 . 2009-01-23 22:41 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-01 10:55 . 2009-01-01 10:55 1,409 --a------ c:\windows\QTFont.for
2009-01-01 09:26 . 2009-01-01 09:26 0 --a------ C:\LOG36.tmp
2009-01-01 08:53 . 2009-01-01 09:01 <DIR> d-------- c:\program files\CyberDefender
2009-01-01 08:53 . 2009-01-01 08:52 67,424 --a------ c:\windows\system32\drivers\CDAVFS.sys
2009-01-01 08:52 . 2009-01-01 08:52 0 --a------ C:\LOG20.tmp
2009-01-01 08:14 . 2009-01-03 18:52 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-01 08:14 . 2009-01-03 18:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-31 22:56 . 2009-01-02 22:00 <DIR> d-------- c:\program files\VS Revo Group
2008-12-31 22:56 . 2008-12-31 22:56 0 --a------ C:\LOG1E.tmp
2008-12-31 22:37 . 2008-12-31 22:37 42 --a------ c:\windows\system32\AK083E209605E394C.lie
2008-12-31 22:36 . 2008-12-31 22:36 0 --a------ C:\LOG1A.tmp
2008-12-31 22:00 . 2008-12-31 22:00 <DIR> d-------- c:\program files\Trend Micro
2008-12-31 22:00 . 2008-12-31 22:00 0 --a------ C:\LOGC.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 05:30 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-11 04:14 --------- d-----w c:\program files\Google
2009-01-08 05:12 75,480 ----a-w c:\documents and settings\Chris Schuehler\Application Data\GDIPFONTCACHEV1.DAT
2009-01-01 22:41 --------- d-----w c:\program files\Norton Ghost
2009-01-01 16:26 --------- d-----w c:\documents and settings\Chris Schuehler\Application Data\U3
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2006-08-07 01:16 1,164 ----a-w c:\program files\launch.ica
2006-08-07 01:11 1,551,360 ----a-w c:\program files\AGE40-AGC.msi
2001-12-04 00:09 90,112 ----a-w c:\program files\internet explorer\plugins\DjVuControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-26 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-13 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-14 7323648]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MediaLifeService"="c:\program files\Logitech\MediaLife\MediaLifeService.exe" [2005-05-12 110739]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-02 267048]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2008-02-06 718704]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2007-04-10 1537640]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-07-19 24576]
Logitech Harmony Remote Software 7.lnk - c:\program files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe [2006-09-24 86112]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-07-25 450560]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-13 20:26 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a------ 2006-08-18 03:15 471040 c:\program files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 01:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 12:01 67584 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-07-19 16:59 169984 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 08:44 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 08:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-02 18:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 17:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
--a------ 2007-04-10 12:01 1537640 c:\program files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2007-10-22 17:47 360448 c:\program files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 20:16 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-09-10 06:00 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-09 22:28 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-03-22 14:20 339968 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\GameSpy\\Comrade\\Comrade.exe"=
"c:\\Program Files\\CyberDefender\\AntiSpyware\\cdas22.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-07 99376]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-01-25 149352]
S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [2009-01-01 67424]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-01-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-01-24 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (OFFICE-Chris Schuehler).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2009-01-20 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Chris Schuehler.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 05:05]

2009-01-24 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 11:55]

2009-01-23 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 11:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Winamp Toolbar Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: isqft.com\www
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://jeffco.us/activex/AMC.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 22:43:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\gearsec.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\CyberDefender\AntiSpyware\cdas22.exe
.
**************************************************************************
.
Completion time: 2009-01-23 22:47:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-24 05:47:13
ComboFix2.txt 2009-01-11 17:25:11
ComboFix3.txt 2009-01-04 01:41:36

Pre-Run: 111,379,288,064 bytes free
Post-Run: 111,443,992,576 bytes free

233 --- E O F --- 2009-01-14 10:02:07











Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:36 PM, on 1/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CyberDefender\AntiSpyware\cdas22.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Harmony Remote Software 7.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231033876765
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://jeffco.us/activex/AMC.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10809 bytes
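Nothing in the thread reads these logs automatically, and the settings that matter most for the defender sit in the ComboFix registry section above: Security Center monitoring switched off, the Windows Firewall disabled for the standard profile, port 3389 opened to every source, plus the orphaned BHO, the LSP HijackThis could not identify and the ActiveX control pulled from a third-party site in the HijackThis list. The following Python script is an added example (not from BleepingComputer, ComboFix or HijackThis) that parses lines in those two formats and flags exactly those conditions. The sample input is a constructed string holding lines copied from the logs above; the severity labels, the `triage`/`summarize` helper names and the wording of each finding are my own choices, not anything the tools emit.

```python
"""Triage ComboFix / HijackThis-style log lines for weakened host defences."""
import re
from collections import Counter
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, description)

# Constructed sample: lines copied from the ComboFix and HijackThis output
# posted above, joined into one string so the script runs offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://jeffco.us/activex/AMC.cab
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKLM\...] section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "Name"=value
HJT_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")        # HijackThis O-lines
URL_RE = re.compile(r"https?://\S+")


def dword_value(value: str) -> int:
    """Parse 'dword:00000001' or '0 (0x0)' style values; -1 if unparseable."""
    token = value.split(":")[-1].split()[0] if value.strip() else ""
    try:
        return int(token, 16 if "dword" in value.lower() else 10)
    except ValueError:
        return -1


def check_registry_value(key: str, name: str, value: str) -> List[Finding]:
    """Flag registry values that weaken the host's own defences. key is lower-cased."""
    found: List[Finding] = []
    lname = name.lower()
    if r"security center\monitoring" in key and lname == "disablemonitoring" and dword_value(value) == 1:
        found.append(("review", f"Security Center monitoring disabled under [{key}]: expected when a "
                                "third-party suite reports AV/firewall status, otherwise a sign of tampering"))
    elif key.endswith(r"firewallpolicy\standardprofile") and lname == "enablefirewall" and dword_value(value) == 0:
        found.append(("review", "Windows Firewall is off for the standard profile; confirm a "
                                "third-party firewall is actually running"))
    elif r"globallyopenports\list" in key:
        port, _, proto = name.partition(":")
        is_rdp = port == "3389"
        found.append(("high" if is_rdp else "review",
                      f"Firewall exception opens {port}/{proto}{' (Remote Desktop)' if is_rdp else ''} "
                      "to all sources; only acceptable behind NAT and if the service is needed"))
    return found


def check_hjt_entry(kind: str, body: str) -> List[Finding]:
    """Flag HijackThis entries that deserve a closer look."""
    found: List[Finding] = []
    if kind == "O2" and body.endswith("(no file)"):
        found.append(("low", f"Orphaned BHO entry with no backing file: {body}"))
    elif kind == "O10":
        found.append(("review", f"Winsock LSP not on HijackThis's known list: {body}; verify the DLL's "
                                "publisher before removing it, a broken LSP chain breaks networking"))
    elif kind == "O16":
        m = URL_RE.search(body)
        src = m.group(0) if m else "unknown source"
        found.append(("review", f"ActiveX control installed from {src}; confirm the user meant to visit that site"))
    return found


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current registry key for value lines."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            current_key = m.group(1).lower()
        elif (m := VALUE_RE.match(line)):
            findings.extend(check_registry_value(current_key, m.group(1), m.group(2).strip()))
        elif (m := HJT_RE.match(line)):
            findings.extend(check_hjt_entry(m.group(1), m.group(2)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity label."""
    return dict(Counter(sev for sev, _ in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for sev, text in results:
        print(f"[{sev:6}] {text}")
    print(summarize(results))
```

Two caveats when reading the output against this particular thread: the ComboFix header reports Norton Internet Security's firewall as enabled, so the disabled Windows Firewall and the Security Center `DisableMonitoring` values are the normal footprint of a third-party suite taking over those roles, and the poster is behind a Linksys router, so the globally open 3389/TCP exception is reachable only from the LAN unless the router forwards it. The script reports those as "review" rather than as evidence of infection for exactly that reason; a removal decision needs the context the log alone does not carry.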

#6 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:05:12 PM

Posted 25 January 2009 - 10:01 AM

Mobear

How is your PC running at this point?

And do you use a router?
Microsoft MVP - Windows Security

#7 Mobear

Mobear
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Location:Idaho
  • Local time:04:12 PM

Posted 25 January 2009 - 11:32 AM

I do use a Linksys router. This computer is hard wired to the router, although it has wireless capability. I do live in a rural area where my closest neighbor is a quarter mile away.

My problem started with what I believe was the IE7 virus (although I could be wrong). I have not tried to reinstall IE7 (I am running IE6) since I have been talking to you. The last time I tried to reinstall it my computer showed the same signs and was locking up. When my problems started I also tried to install Firefox. Firefox was blocked and would not start. I have not tried to reinstall that yet either.

Let me know if I should try to reinstall either of these and which one is better for security?

I am also getting a warning from my Outlook that says someone is trying to access my address book. This is a new warning also since my computer problems.


For security I am running Norton Antivirus and have just started using Malwarebytes Anti-Malware.

#8 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:05:12 PM

Posted 26 January 2009 - 10:33 AM

Mobear

It is possible that you have a corrupted install of IE7, but let's clear the way for a clean install if needed.

1. I want you to do a hard reset on your router. There is a manual reset button; its location varies depending on the make, but it is usually on the back of the router. Press that reset.

2. Flush the DNS cache
In the Windows Control Panel (click Start ->> Control Panel)
If you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double click on Network Connections.
Then right click on your default connection, usually Local Area Connection for cable and DSL, and left click on Properties.
Click the Networking tab.
Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go to Start ->> Run, type cmd and hit OK.
Type
ipconfig /flushdns (the space between g and / is needed)
then hit Enter; type exit and hit Enter.

Reboot your PC ->> See if you are able to install IE7
Microsoft MVP - Windows Security

#9 Mobear

Mobear
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Location:Idaho
  • Local time:04:12 PM

Posted 30 January 2009 - 10:27 PM

Just to provide some feedback, I did install IE7 again and after a few days things seem to be working normally. When I did install IE7 this time, during installation a small window opened up and closed; this same thing happened after my initial problems when I uninstalled IE7 and reinstalled it. I still think there is some virus in my computer.

Also, since this problem has happened my Outlook shuts down sometimes and I still get a message that a program is trying to access my address book.

If you have any help or comments for these issues that would be great; if not, I really appreciate all the help and support I have received from this web site.

Thank You.

Chris

#10 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:05:12 PM

Posted 03 February 2009 - 08:54 AM

Mobear

Glad to hear you got IE7 fixed

I don't see any signs of infection, let's take one more look

Run an online virus scan called Kaspersky from HERE.
1. At the main page, press "Accept" after reading the contents.
2. At the next window select Update. Allow the database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the database has finished, under the Scan icon select My Computer to start the scan. The scan may take a few minutes to complete.
4. Select Scan Report.
5. If any threats were found they will appear in the report.
6. Select "Save error report as".
Then in the file name just type in kaspersky.
Under "save as type" select text .txt.
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.
Microsoft MVP - Windows Security

#11 Mobear

Mobear
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Location:Idaho
  • Local time:04:12 PM

Posted 03 February 2009 - 06:05 PM

Here is my scan.



KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, February 3, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, February 03, 2009 18:48:03
Records in database: 1740903
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Files scanned: 208566
Threat name: 4
Infected objects: 23
Suspicious objects: 1
Duration of the scan: 02:43:09


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\McAfee\SpamKiller\Users\2\Front\1\M0000002035.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Chris Schuehler\Desktop\tightvnc-1.2.6_x86.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Program Files\TightVNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Program Files\TightVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
C:\Program Files\vnc\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekabslpjwmk.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekacxrtcvwu.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekadbscthqf.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekaecsexqby.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekaehbbmurt.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekaehevdpvc.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekaexyrbcxk.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekafptbatmt.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekafuoqmita.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekagpvpqqhe.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekahosiuxex.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekaiggdbxsf.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekaitqlpbwq.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekanostikeg.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekanvppepmf.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekatntijlar.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekauidbymsp.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekavxxwvqib.sys.vir Infected: Rootkit.Win32.Agent.gjw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekaxtqxxuxw.sys.vir Infected: Rootkit.Win32.Agent.gjw 1

The selected area was scanned.

#12 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:05:12 PM

Posted 05 February 2009 - 10:30 AM

Mobear

Nothing there of concern.

The items in C:\Qoobox\Quarantine can be deleted, but their location does not allow them to infect or affect the PC.
Microsoft MVP - Windows Security



