
HijackThis logs provided for assistance


  • This topic is locked
12 replies to this topic

#1 whatisavailable

  • Members
  • 212 posts
  • Gender:Male
  • Location:Texas

Posted 11 February 2009 - 05:03 PM

I've given up! After using NAV locally and several online scanners, Adaware and Spybot, this computer STILL has viruses that cannot be cleaned. One example is listed below. I have provided my HijackThis log. This is my first attempt at getting help from the outside so be kind :-)
Thanks
Jim

PS - CURSES to anyone that creates a program that is designed to harm or annoy another person's computer!!!! <GRRRRRRR!>


Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan Horse
File: C:\WINDOWS\SYSTEM32\DPWSOCKk.dll
Location: C:\WINDOWS\SYSTEM32
Computer: MOM
User: terri
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Wednesday, February 11, 2009 3:49:28 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:23 PM, on 2/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Cisco Media Hub\Linksys Media Importer\LinksysClient.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: (no name) - {AF63C7F6-BA07-4331-B388-76E128AF5FE5} - C:\WINDOWS\system32\DPWSOCKk.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Media Importer] "C:\Program Files\Cisco Media Hub\Linksys Media Importer\LinksysClient.exe" -boot
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1845EEB8-81A8-497F-9E81-130398D9AA52}: NameServer = 24.93.40.62,24.93.40.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{1845EEB8-81A8-497F-9E81-130398D9AA52}: NameServer = 24.93.40.62,24.93.40.75
O17 - HKLM\System\CS2\Services\Tcpip\..\{1845EEB8-81A8-497F-9E81-130398D9AA52}: NameServer = 24.93.40.62,24.93.40.75
O20 - AppInit_DLLs: C:\Program,Files\PremierOpinion\pmai.dll,C:\Program,Files\PremierOpinion\pmai.dll,C:\Program Files\PremierOpinion\pmai.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 7510 bytes
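The HijackThis log above is the evidence the thread works from. As an added example (not part of the original post, and not a component of HijackThis or ComboFix), the Python script below parses the `Rn`/`On` line format and flags the entry classes a helper would look at first: a browser proxy pointing at the local machine, BHOs with no name or no backing file, Run entries launching from system32 that are not on an allow-list, and any AppInit_DLLs value. The sample lines are copied from the log above; the `Finding` type, the heuristics, and the `KNOWN_SYSTEM32_AUTOSTARTS` allow-list are my own constructed choices, not HijackThis rules, and a hit means "review this entry", not "this is malware".

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied verbatim from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {AF63C7F6-BA07-4331-B388-76E128AF5FE5} - C:\WINDOWS\system32\DPWSOCKk.dll
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\Program,Files\PremierOpinion\pmai.dll,C:\Program Files\PremierOpinion\pmai.dll
"""

# Every HijackThis line is "<code> - <body>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# O2 body: "BHO: <name> - <CLSID or token> - <path or (no file)>"
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}|\S+) - (?P<path>.*)$")
# O4 body: "HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Hypothetical allow-list of OS autostarts that legitimately live in system32; extend per environment.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe"}


@dataclass(frozen=True)
class Finding:
    code: str      # HijackThis section code, e.g. "O2"
    category: str  # short label of the heuristic that fired
    detail: str    # what the reviewer should look at
    line: str      # the original log line


def parse_line(line):
    """Split a HijackThis line into (code, body); None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def triage_line(line):
    """Return the list of Findings for one log line (empty when nothing looks odd)."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    code, body = parsed
    findings = []
    if code in ("R0", "R1") and "ProxyServer = " in body:
        value = body.split("ProxyServer = ", 1)[1]
        m = re.search(r"(?:^|[=;])(?:127\.0\.0\.1|localhost):(\d+)", value)
        if m:  # all browser traffic is relayed through a process on this machine
            findings.append(Finding(code, "local-proxy",
                f"browser traffic routed through 127.0.0.1:{m.group(1)}; identify the listening process", line))
    elif code == "O2":
        m = O2_RE.match(body)
        if m:
            name, path = m.group("name"), m.group("path")
            if path == "(no file)":  # registry residue with no DLL behind it: safe to fix
                findings.append(Finding(code, "orphan", "BHO entry without a backing file", line))
            elif name == "(no name)":  # a real DLL loaded into IE with no product name
                findings.append(Finding(code, "unnamed-bho", f"unnamed BHO backed by {path}", line))
    elif code == "O4":
        m = O4_RE.match(body)
        if m:
            # Command may be quoted ("C:\Program Files\x.exe" -arg) or bare.
            m2 = re.match(r'"(?P<q>[^"]+)"|(?P<u>\S+)', m.group("cmd"))
            if m2:
                target = m2.group("q") or m2.group("u")
                exe = target.rsplit("\\", 1)[-1].lower()
                if "\\system32\\" in target.lower() and exe not in KNOWN_SYSTEM32_AUTOSTARTS:
                    findings.append(Finding(code, "system32-autostart",
                        f"Run entry [{m.group('name')}] launches {exe} from system32", line))
    elif code == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is space- or comma-delimited, which is why a path containing a
        # space shows up split as "C:\Program,Files" in the log. Anything here is
        # loaded into every user32-linked process, so it always deserves a look.
        dlls = body[len("AppInit_DLLs:"):].strip()
        if dlls:
            findings.append(Finding(code, "appinit-dll", f"AppInit_DLLs loads into every GUI process: {dlls}", line))
    return findings


def triage_log(text):
    """Run triage_line over a whole log and return all Findings in log order."""
    findings = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.code:<4} {f.category:<20} {f.detail}")
```

Run against the sample it reports six entries: the 127.0.0.1:6711 proxy, two orphaned BHOs, the unnamed BHO backed by DPWSOCKk.dll (the file NAV could not clean), the WindowsHive Run entry launching rpcc.exe from system32, and the PremierOpinion AppInit_DLLs value; the Yahoo BHO, vptray and the allow-listed ctfmon.exe produce nothing. The heuristics are deliberately conservative string checks so that the output is a review list, not a verdict.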


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 12 February 2009 - 02:11 AM

Hi,

I notice from your log that there's more than one Antivirus installed: Kaspersky and Norton.
Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also, because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.
Then reboot after uninstalling.

Then, I see you have Viewpoint installed...
Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

#3 whatisavailable

  • Topic Starter
  • Members
  • 212 posts
  • Gender:Male
  • Location:Texas

Posted 12 February 2009 - 06:47 PM

Thank you.

I disabled the Antivirus and unloaded Kaspersky - it just won't die so feel free to tell me how to remove it entirely - I've tried for a long time.

Here is the output from ComboFix. FYI - I removed the View* programs as well so if they show up, let me know.

I appreciate the help!
Jim

PS - I uploaded the file as well - thought it might be easier - wasn't sure of the preferred method.

PSS - This is still coming up:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan Horse
File: C:\WINDOWS\SYSTEM32\DPWSOCKk.dll
Location: C:\WINDOWS\SYSTEM32
Computer: MOM
User: terri
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Thursday, February 12, 2009 5:42:08 PM

ComboFix 09-02-12.03 - terri 2009-02-12 17:07:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.638.319 [GMT -6:00]
Running from: c:\documents and settings\terri\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus Personal Pro 5.0 *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\terri\Application Data\.#
c:\documents and settings\terri\Desktop\System Security.lnk
c:\documents and settings\terri\Start Menu\Programs\System Security
c:\recycler\ADAPT_Installer.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\_005938_.tmp.dll
c:\windows\system32\_005939_.tmp.dll
c:\windows\system32\_005940_.tmp.dll
c:\windows\system32\_005941_.tmp.dll
c:\windows\system32\_005948_.tmp.dll
c:\windows\system32\_005949_.tmp.dll
c:\windows\system32\_005950_.tmp.dll
c:\windows\system32\_005951_.tmp.dll
c:\windows\system32\_005953_.tmp.dll
c:\windows\system32\_005954_.tmp.dll
c:\windows\system32\_005957_.tmp.dll
c:\windows\system32\_005958_.tmp.dll
c:\windows\system32\_005960_.tmp.dll
c:\windows\system32\_005961_.tmp.dll
c:\windows\system32\_005962_.tmp.dll
c:\windows\system32\_005964_.tmp.dll
c:\windows\system32\_005967_.tmp.dll
c:\windows\system32\_005968_.tmp.dll
c:\windows\system32\_005970_.tmp.dll
c:\windows\system32\_005972_.tmp.dll
c:\windows\system32\_005973_.tmp.dll
c:\windows\system32\_005975_.tmp.dll
c:\windows\system32\_005976_.tmp.dll
c:\windows\system32\_005978_.tmp.dll
c:\windows\system32\_005981_.tmp.dll
c:\windows\system32\_005982_.tmp.dll
c:\windows\system32\_005983_.tmp.dll
c:\windows\system32\_005984_.tmp.dll
c:\windows\system32\_005985_.tmp.dll
c:\windows\system32\_005988_.tmp.dll
c:\windows\system32\_005989_.tmp.dll
c:\windows\system32\_005990_.tmp.dll
c:\windows\system32\_005991_.tmp.dll
c:\windows\system32\_005992_.tmp.dll
c:\windows\system32\_005997_.tmp.dll
c:\windows\system32\_005999_.tmp.dll
c:\windows\system32\_006000_.tmp.dll
c:\windows\system32\appcert
c:\windows\system32\drivers\fad.sys
c:\windows\twain_16.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2009-02-12 13:42 . 2009-02-12 13:42 <DIR> d-------- c:\documents and settings\LocalService\Application Data\PeerNetworking
2009-02-12 13:38 . 2009-02-12 13:38 2,067,968 --a------ c:\windows\SYSTEM32\SET6AF6.tmp
2009-02-11 22:14 . 2009-02-12 13:30 <DIR> d-------- c:\windows\SYSTEM32\scripting
2009-02-11 22:14 . 2009-02-12 13:30 <DIR> d-------- c:\windows\SYSTEM32\en
2009-02-11 22:14 . 2009-02-12 13:30 <DIR> d-------- c:\windows\l2schemas
2009-02-11 21:53 . 2007-06-13 04:23 1,033,216 --a------ c:\windows\SET642C.tmp
2009-02-11 21:53 . 2004-08-03 23:56 194,048 --a------ c:\windows\SYSTEM32\SET6AB8.tmp
2009-02-11 21:53 . 2004-08-03 23:56 143,360 --a------ c:\windows\SYSTEM32\SET6ABC.tmp
2009-02-11 21:53 . 2006-08-16 05:58 100,352 --a------ c:\windows\SYSTEM32\SET6AB4.tmp
2009-02-11 21:51 . 2008-09-15 05:57 1,846,016 --a------ c:\windows\SYSTEM32\win32k.sys
2009-02-11 21:50 . 2008-08-14 04:00 2,180,352 --a------ c:\windows\SYSTEM32\ntoskrnl.exe
2009-01-19 23:04 . 2009-01-19 22:51 102,664 --a------ c:\windows\SYSTEM32\DRIVERS\tmcomm.sys
2009-01-19 22:50 . 2009-01-19 23:08 <DIR> d-------- c:\documents and settings\terri\.housecall6.6
2009-01-18 08:31 . 2009-01-18 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\1992374312
2009-01-18 01:48 . 2009-01-18 01:48 250 --a------ c:\windows\gmer.ini
2009-01-18 00:58 . 2009-01-18 00:56 124,167 --a------ c:\windows\SYSTEM32\SYMEVNT.386
2009-01-18 00:58 . 2009-01-18 00:56 83,208 --a------ c:\windows\SYSTEM32\S32EVNT1.DLL
2009-01-18 00:58 . 2009-01-18 00:56 73,496 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.SYS
2009-01-18 00:57 . 2009-01-18 00:57 <DIR> d-------- c:\program files\Symantec_Client_Security
2009-01-18 00:57 . 2009-01-18 00:58 <DIR> d-------- c:\program files\Symantec
2009-01-18 00:28 . 2009-01-18 01:08 <DIR> d-------- c:\documents and settings\terri\NTI-Shadow
2009-01-18 00:27 . 2009-01-18 01:09 <DIR> d-------- c:\program files\Linksys
2009-01-18 00:27 . 2009-01-18 01:08 <DIR> d-------- c:\program files\Cisco Media Hub
2009-01-18 00:27 . 2009-01-18 00:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pure Networks
2009-01-12 14:32 . 2009-01-15 22:49 11,975 --a------ c:\documents and settings\All Users\Application Data\ustore.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 02:34 --------- d-----w c:\program files\Yahoo!
2009-02-12 02:33 --------- d-----w c:\program files\Microsoft ActiveSync
2009-02-11 22:21 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-11 22:19 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-06 16:11 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-26 05:46 --------- d-----w c:\program files\QuickTime
2009-01-26 05:41 --------- d-----w c:\program files\Trend Micro
2009-01-25 01:14 --------- d-----w c:\program files\Google
2009-01-22 00:26 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-18 06:57 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-18 06:41 --------- d-----w c:\documents and settings\terri\Application Data\Yahoo!
2009-01-18 06:38 --------- d-----w c:\program files\Common Files\AOL
2009-01-18 06:26 3 ----a-w c:\program files\option.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF63C7F6-BA07-4331-B388-76E128AF5FE5}]
2002-08-29 05:00 99840 --a------ c:\windows\system32\DPWSOCKk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-05 68856]
"Media Importer"="c:\program files\Cisco Media Hub\Linksys Media Importer\LinksysClient.exe" [2008-11-21 6324224]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-04 4363504]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-12-18 278528]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"KAV50"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" [2004-10-11 426118]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KLBLMain]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"8buuif4l"=c:\windows\system32\8buuif4l.exe
"AON"=c:\program files\Apserver\AON.EXE
"Road Runner PhotoShow Media Manager"=c:\progra~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KAV50"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 2005\pccguide.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"b2"=c:\documents and settings\terri\Local Settings\Temp\b2.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"dla"=c:\windows\system32\dla\tfswctrl.exe
"HotKeysCmds"=c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\SYSTEM32\\8buuif4l.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Klmc;Klmc;c:\windows\SYSTEM32\DRIVERS\Klmc.sys [2004-08-19 9939]
R0 whlqekkt;whlqekkt;c:\windows\SYSTEM32\DRIVERS\whlqekkt.sys [2002-08-29 23424]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-07-30 161064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-01-12 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\InstallSeagateManager.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe []

2009-02-12 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe []

2009-02-12 c:\windows\Tasks\{3AEE6415-01E6-4BDF-9CC0-42C0B51D1831}_MOM_terri.job
- c:\windows\System32\mobsync.exe [2008-04-13 18:12]

2009-01-30 c:\windows\Tasks\{5830F115-9FB9-4ED8-8598-E944108142A7}_MOM_terri.job
- c:\windows\System32\mobsync.exe [2008-04-13 18:12]

2009-02-12 c:\windows\Tasks\{D5AD00CE-6856-4B97-A8FA-0F095ED84F25}_MOM_terri.job
- c:\windows\System32\mobsync.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-ID - (no file)
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKCU-Run-Sonic RecordNow! - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:6711
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: {1845EEB8-81A8-497F-9E81-130398D9AA52} = 24.93.40.62,24.93.40.75
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 17:14:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3321130872-145808096-2722530444-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,90,35,61,db,7d,
41,c6,78,c8,28,51,af,b0,29,a3,98,4c,83,ca,d9,1e,1c,10,10,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,bd,fa,31,50,9a,
04,49,68,71,3b,04,66,8b,46,0d,96,ac,e9,5c,7f,3b,7f,67,c4,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,05,d2,5d,b5,6c,
6f,a3,98,25,da,ec,7e,55,20,c9,26,35,9e,98,6a,62,df,43,06,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,75,23,4f,c8,7a,
17,0b,7c,3e,1e,9e,e0,57,5a,93,61,6a,d6,cb,72,c5,da,47,86,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,d7,f8,06,84,32,
16,7a,46,cd,44,cd,b9,a6,33,6c,cd,22,df,c6,49,e7,d9,83,5e,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,aa,b8,5a,40,5a,
94,a2,dd,b0,18,ed,a7,3f,8d,37,a4,47,13,96,cf,ff,f6,43,36,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,8e,35,da,fb,13,
3a,0f,34,31,77,e1,ba,b1,f8,68,02,78,57,c6,8e,c1,a8,32,e2,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,63,11,8b,6d,62,
7c,1f,cc,83,6c,56,8b,a0,85,96,ab,4c,e4,46,11,a2,74,7f,d4,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,0c,30,c9,8d,07,
a6,1d,a9,51,fa,6e,91,28,9e,14,cc,71,6e,48,b9,12,46,57,01,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,56,a2,f9,8e,1c,
0a,98,d7,b1,cd,45,5a,a8,c4,f8,b9,d7,c7,c5,d6,dd,90,f1,bc,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,6c,db,46,55,4a,
ba,38,9c,e3,0e,66,d5,eb,bc,2f,6b,aa,ed,b6,6d,6c,e0,08,47,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,b8,cd,87,a8,82,
eb,12,de,fa,ea,66,7f,d4,3b,6b,70,ff,ca,0d,40,8b,ce,d6,cd,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\BCM V.92 56K Modem]
@DACL=(02 0000)
"UninstallString"="c:\\WINDOWS\\BCMSMU.exe quiet"
"QuietUninstallString"="c:\\WINDOWS\\BCMSMU.exe silent"
"DisplayName"="BCM V.92 56K Modem"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield Uninstall Information]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield Uninstall Information\{3CB41017-F5CA-4C56-934C-ED02156251E6}]
@DACL=(02 0000)
"LogFile"="c:\\Program Files\\InstallShield Installation Information\\{3CB41017-F5CA-4C56-934C-ED02156251E6}\\Setup.ilg"
"StatusText"="iTunes Setup is preparing the InstallShield Wizard, which will guide you through the program setup process. Please wait."

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{89EE857B-8970-4F9F-AB58-A1C873AC72B3}]
@DACL=(02 0000)
"UninstallString"="c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\Driver\\7\\INTEL3~1\\IDriver.exe /M{89EE857B-8970-4F9F-AB58-A1C873AC72B3} /l1033 "
"DisplayName"="Broadcom Management Programs"
"LogFile"="c:\\Program Files\\InstallShield Installation Information\\{89EE857B-8970-4F9F-AB58-A1C873AC72B3}\\Setup.ilg"
"Comments"="Broadcom Advanced Control Suite(BACS) "
"Contact"="Dell Customer Support"
"DisplayVersion"="4.01.0000"
"HelpTelephone"="..."
"InstallDate"="20031103"
"InstallLocation"=""
"InstallSource"=""
"ProductID"=""
"Publisher"="Broadcom"
"Readme"="c:\\Program Files\\Broadcom Management Programs\\Readme.txt "
"URLInfoAbout"="www.broadcom.com"
"URLUpdateInfo"="http://www.support.dell.com"
"HelpLink"=expand:"http://www.support.dell.com"
"EstimatedSize"=dword:00000000
"Language"=dword:00000000
"Version"=dword:04010000
"VersionMajor"=dword:00000004
"VersionMinor"=dword:00000001
"DisplayIcon"=""
"RegOwner"=" "
"RegCompany"=" "

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Shockwave]
@DACL=(02 0000)
"DisplayName"="Shockwave"
"UninstallString"="c:\\WINDOWS\\SYSTEM32\\Macromed\\SHOCKW~1\\UNWISE.EXE c:\\WINDOWS\\SYSTEM32\\Macromed\\SHOCKW~1\\Install.log"
"QuietDisplayName"="Shockwave Director 8.5.1"
"QuietUninstallString"="RunDll32 advpack.dll,LaunchINFSection c:\\WINDOWS\\\\INF\\\\swdir.inf,DefaultUninstall,5"
"RequiresIESysFile"="4.70.0.1155"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\ShockwaveFlash]
@DACL=(02 0000)
"QuietDisplayName"="Shockwave Flash"
"QuietUninstallString"="RunDll32 advpack.dll,LaunchINFSection c:\\WINDOWS\\INF\\swflash.inf,DefaultUninstall,5"
"RequiresIESysFile"="4.70.0.1155"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer]
@DACL=(02 0000)
"DisplayName"="Viewpoint Media Player"
"UninstallString"="c:\\Program Files\\Viewpoint\\Viewpoint Media Player\\mtsAxInstaller.exe /u"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\{2637C347-9DAD-11D6-9EA2-00055D0CA761}]
@DACL=(02 0000)
"UninstallString"="RunDll32 c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\engine\\6\\INTEL3~1\\Ctor.dll,LaunchSetup \"c:\\Program Files\\InstallShield Installation Information\\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\\setup.exe\" -uninstall"
"DisplayName"="Dell Media Experience"
"LogFile"="c:\\Program Files\\InstallShield Installation Information\\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\\setup.ilg"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\{E3436EE2-D5CB-4249-840B-3A0140CC34C3}]
@DACL=(02 0000)
"DisplayIcon"=expand:"c:\\Program Files\\Classic PhoneTools\\PhonTool.exe"
"HelpLink"=expand:"http://www.bvrp.com"
"Publisher"="BVRP Software"
"DisplayVersion"="4.16"
"VersionMajor"=dword:00000004
"VersionMinor"=dword:00000010
"InstallLocation"="c:\\Program Files\\Classic PhoneTools"
"Language"=dword:00000009
"DisplayName"="Classic PhoneTools"
"UninstallString"="RunDll32 c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\engine\\6\\INTEL3~1\\Ctor.dll,LaunchSetup \"c:\\Program Files\\InstallShield Installation Information\\{E3436EE2-D5CB-4249-840B-3A0140CC34C3}\\setup.exe\" -l0x9 ControlPanel"
"LogFile"="c:\\Program Files\\InstallShield Installation Information\\{E3436EE2-D5CB-4249-840B-3A0140CC34C3}\\setup.ilg"
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\SYSTEM32\TCPSVCS.EXE
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-02-12 17:21:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-12 23:20:42

Pre-Run: 825,589,760 bytes free
Post-Run: 775,753,728 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

373 --- E O F --- 2009-02-12 19:37:46

#4 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 February 2009 - 01:51 AM

Hi,

I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "Save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then,

Please uninstall your antivirus. It's an older version of Kaspersky and outdated, so it's useless anyway.
Reboot afterwards. I'll give instructions afterwards for another antivirus.

Then, open Notepad - don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
c:\windows\SYSTEM32\DRIVERS\whlqekkt.sys
c:\WINDOWS\SYSTEM32\8buuif4l.exe
c:\windows\system32\DPWSOCKk.dll
Filelook::
c:\windows\SYSTEM32\ntoskrnl.exe
Driver::
Viewpoint Manager Service
whlqekkt
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF63C7F6-BA07-4331-B388-76E128AF5FE5}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"8buuif4l"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"b2"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\SYSTEM32\\8buuif4l.exe"=-
reglock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\BCM V.92 56K Modem]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield Uninstall Information]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield Uninstall Information\{3CB41017-F5CA-4C56-934C-ED02156251E6}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{89EE857B-8970-4F9F-AB58-A1C873AC72B3}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Shockwave]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\ShockwaveFlash]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\{2637C347-9DAD-11D6-9EA2-00055D0CA761}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\{E3436EE2-D5CB-4249-840B-3A0140CC34C3}]
Regnull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]


Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

#5 whatisavailable

whatisavailable
  • Topic Starter

  • Members
  • 212 posts
  • Gender:Male
  • Location:Texas

Posted 14 February 2009 - 04:33 AM

Thanks. I tried to remove TeaTimer, but it won't go away all that well. Hopefully it didn't affect what was supposed to happen. Here is the output from ComboFix.
Also, Kaspersky can't be uninstalled any more - any way to do it by brute force?
Jim


This is still happening, FYI:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan Horse
File: C:\WINDOWS\SYSTEM32\DPWSOCKk.dll
Location: C:\WINDOWS\SYSTEM32
Computer: MOM
User: terri
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Saturday, February 14, 2009 3:32:06 AM

ComboFix 09-02-12.03 - terri 2009-02-13 19:38:19.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.638.359 [GMT -6:00]
Running from: c:\combofix\ComboFix.exe
Command switches used :: c:\combofix\CFScript.txt
AV: Kaspersky Anti-Virus Personal Pro 5.0 *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((( Files Created from 2009-01-14 to 2009-02-14 )))))))))))))))))))))))))))))))
.

2009-02-13 19:34 . 2009-02-13 19:34 <DIR> d-------- C:\New Folder (2)
2009-02-13 19:05 . 2009-02-13 19:05 9,123 --a------ C:\ResetTeaTimer.bat
2009-02-12 13:42 . 2009-02-12 13:42 <DIR> d-------- c:\documents and settings\LocalService\Application Data\PeerNetworking
2009-02-12 13:38 . 2009-02-12 13:38 2,067,968 --a------ c:\windows\SYSTEM32\SET6AF6.tmp
2009-02-11 22:14 . 2009-02-12 13:30 <DIR> d-------- c:\windows\SYSTEM32\scripting
2009-02-11 22:14 . 2009-02-12 13:30 <DIR> d-------- c:\windows\SYSTEM32\en
2009-02-11 22:14 . 2009-02-12 13:30 <DIR> d-------- c:\windows\l2schemas
2009-02-11 21:53 . 2007-06-13 04:23 1,033,216 --a------ c:\windows\SET642C.tmp
2009-02-11 21:53 . 2004-08-03 23:56 194,048 --a------ c:\windows\SYSTEM32\SET6AB8.tmp
2009-02-11 21:53 . 2004-08-03 23:56 143,360 --a------ c:\windows\SYSTEM32\SET6ABC.tmp
2009-02-11 21:53 . 2006-08-16 05:58 100,352 --a------ c:\windows\SYSTEM32\SET6AB4.tmp
2009-02-11 21:51 . 2008-09-15 05:57 1,846,016 --a------ c:\windows\SYSTEM32\win32k.sys
2009-02-11 21:50 . 2008-08-14 04:00 2,180,352 --a------ c:\windows\SYSTEM32\ntoskrnl.exe
2009-01-19 23:04 . 2009-01-19 22:51 102,664 --a------ c:\windows\SYSTEM32\DRIVERS\tmcomm.sys
2009-01-19 22:50 . 2009-01-19 23:08 <DIR> d-------- c:\documents and settings\terri\.housecall6.6
2009-01-18 08:31 . 2009-01-18 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\1992374312
2009-01-18 01:48 . 2009-01-18 01:48 250 --a------ c:\windows\gmer.ini
2009-01-18 00:58 . 2009-01-18 00:56 124,167 --a------ c:\windows\SYSTEM32\SYMEVNT.386
2009-01-18 00:58 . 2009-01-18 00:56 83,208 --a------ c:\windows\SYSTEM32\S32EVNT1.DLL
2009-01-18 00:58 . 2009-01-18 00:56 73,496 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.SYS
2009-01-18 00:57 . 2009-01-18 00:57 <DIR> d-------- c:\program files\Symantec_Client_Security
2009-01-18 00:57 . 2009-01-18 00:58 <DIR> d-------- c:\program files\Symantec
2009-01-18 00:28 . 2009-01-18 01:08 <DIR> d-------- c:\documents and settings\terri\NTI-Shadow
2009-01-18 00:27 . 2009-01-18 01:09 <DIR> d-------- c:\program files\Linksys
2009-01-18 00:27 . 2009-01-18 01:08 <DIR> d-------- c:\program files\Cisco Media Hub
2009-01-18 00:27 . 2009-01-18 00:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pure Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 02:34 --------- d-----w c:\program files\Yahoo!
2009-02-12 02:33 --------- d-----w c:\program files\Microsoft ActiveSync
2009-02-11 22:21 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-11 22:19 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-06 16:11 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-26 05:46 --------- d-----w c:\program files\QuickTime
2009-01-26 05:41 --------- d-----w c:\program files\Trend Micro
2009-01-25 01:14 --------- d-----w c:\program files\Google
2009-01-22 00:26 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-18 06:57 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-18 06:41 --------- d-----w c:\documents and settings\terri\Application Data\Yahoo!
2009-01-18 06:38 --------- d-----w c:\program files\Common Files\AOL
2009-01-18 06:26 3 ----a-w c:\program files\option.txt
2009-01-17 03:35 3,594,752 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2009-01-16 04:49 11,975 ----a-w c:\documents and settings\All Users\Application Data\ustore.dat
2008-12-19 09:10 70,656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-02-12_17.18.24.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-16 20:38:34 124,928 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll
+ 2008-10-16 20:38:34 347,136 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll
+ 2008-10-16 20:38:34 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll
+ 2008-10-16 20:38:35 133,120 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll
+ 2008-10-16 20:38:35 63,488 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll
+ 2008-10-16 13:11:09 70,656 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe
+ 2008-10-16 20:38:35 153,088 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll
+ 2008-10-16 20:38:35 230,400 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll
+ 2008-10-15 07:04:53 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll
+ 2008-10-16 20:38:35 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll
+ 2008-10-16 20:38:35 384,512 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll
+ 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll
+ 2008-10-16 20:38:37 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll
+ 2008-10-16 20:38:37 267,776 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll
+ 2008-10-16 13:11:09 13,824 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe
+ 2008-10-15 07:06:26 633,632 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe
+ 2008-10-16 20:38:37 27,648 -c----w c:\windows\ie7updates\KB961260-IE7\jsproxy.dll
+ 2008-10-16 20:38:37 459,264 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll
+ 2008-10-16 20:38:37 52,224 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll
+ 2008-10-16 20:38:38 477,696 -c----w c:\windows\ie7updates\KB961260-IE7\mshtmled.dll
+ 2008-10-16 20:38:38 193,024 -c----w c:\windows\ie7updates\KB961260-IE7\msrating.dll
+ 2008-10-16 20:38:39 671,232 -c----w c:\windows\ie7updates\KB961260-IE7\mstime.dll
+ 2008-10-16 20:38:39 102,912 -c----w c:\windows\ie7updates\KB961260-IE7\occache.dll
+ 2008-10-16 20:38:39 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll
+ 2008-10-16 20:38:39 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll
+ 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll
+ 2008-10-16 20:38:39 233,472 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll
+ 2008-10-16 20:38:40 826,368 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll
- 2008-10-16 20:38:34 124,928 ----a-w c:\windows\SYSTEM32\advpack.dll
+ 2008-12-20 23:15:11 124,928 ----a-w c:\windows\SYSTEM32\advpack.dll
- 2008-10-16 20:38:34 124,928 ------w c:\windows\SYSTEM32\DLLCACHE\advpack.dll
+ 2008-12-20 23:15:11 124,928 ------w c:\windows\SYSTEM32\DLLCACHE\advpack.dll
- 2008-10-16 20:38:34 347,136 ----a-w c:\windows\SYSTEM32\DLLCACHE\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ----a-w c:\windows\SYSTEM32\DLLCACHE\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 ----a-w c:\windows\SYSTEM32\DLLCACHE\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ----a-w c:\windows\SYSTEM32\DLLCACHE\dxtrans.dll
- 2008-10-16 20:38:35 133,120 ----a-w c:\windows\SYSTEM32\DLLCACHE\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ----a-w c:\windows\SYSTEM32\DLLCACHE\extmgr.dll
- 2008-10-16 20:38:35 63,488 ------w c:\windows\SYSTEM32\DLLCACHE\icardie.dll
+ 2008-12-20 23:15:13 63,488 ------w c:\windows\SYSTEM32\DLLCACHE\icardie.dll
- 2008-10-16 20:38:35 153,088 ------w c:\windows\SYSTEM32\DLLCACHE\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ------w c:\windows\SYSTEM32\DLLCACHE\ieakeng.dll
- 2008-10-16 20:38:35 230,400 ------w c:\windows\SYSTEM32\DLLCACHE\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ------w c:\windows\SYSTEM32\DLLCACHE\ieaksie.dll
- 2008-10-16 20:38:35 383,488 ------w c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 ------w c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 ------w c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ------w c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 ------w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 ------w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
- 2008-10-16 20:38:37 44,544 ------w c:\windows\SYSTEM32\DLLCACHE\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ------w c:\windows\SYSTEM32\DLLCACHE\iernonce.dll
- 2008-10-16 20:38:37 267,776 ------w c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
+ 2008-12-20 23:15:22 267,776 ------w c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
- 2008-10-16 20:38:37 27,648 ----a-w c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ----a-w c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
- 2008-10-16 20:38:37 459,264 ------w c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 ------w c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
- 2008-10-16 20:38:37 52,224 ------w c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 ------w c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
- 2008-10-16 20:38:38 477,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtmled.dll
- 2008-10-16 20:38:38 193,024 ----a-w c:\windows\SYSTEM32\DLLCACHE\msrating.dll
+ 2008-12-20 23:15:31 193,024 ----a-w c:\windows\SYSTEM32\DLLCACHE\msrating.dll
- 2008-10-16 20:38:39 671,232 ----a-w c:\windows\SYSTEM32\DLLCACHE\mstime.dll
+ 2008-12-20 23:15:32 671,232 ----a-w c:\windows\SYSTEM32\DLLCACHE\mstime.dll
- 2008-10-16 20:38:39 102,912 ------w c:\windows\SYSTEM32\DLLCACHE\occache.dll
+ 2008-12-20 23:15:38 102,912 ------w c:\windows\SYSTEM32\DLLCACHE\occache.dll
- 2008-10-16 20:38:39 44,544 ----a-w c:\windows\SYSTEM32\DLLCACHE\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ----a-w c:\windows\SYSTEM32\DLLCACHE\pngfilt.dll
- 2008-10-16 20:38:39 105,984 ------w c:\windows\SYSTEM32\DLLCACHE\url.dll
+ 2008-12-20 23:15:39 105,984 ------w c:\windows\SYSTEM32\DLLCACHE\url.dll
- 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
- 2008-10-16 20:38:39 233,472 ------w c:\windows\SYSTEM32\DLLCACHE\webcheck.dll
+ 2008-12-20 23:15:40 233,472 ------w c:\windows\SYSTEM32\DLLCACHE\webcheck.dll
- 2008-10-16 20:38:40 826,368 ----a-w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
+ 2008-12-20 23:15:41 826,368 ----a-w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
- 2008-10-16 20:38:34 347,136 ----a-w c:\windows\SYSTEM32\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ----a-w c:\windows\SYSTEM32\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 ----a-w c:\windows\SYSTEM32\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ----a-w c:\windows\SYSTEM32\dxtrans.dll
- 2008-10-16 20:38:35 133,120 ----a-w c:\windows\SYSTEM32\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ----a-w c:\windows\SYSTEM32\extmgr.dll
- 2008-10-16 20:38:35 63,488 ----a-w c:\windows\SYSTEM32\icardie.dll
+ 2008-12-20 23:15:13 63,488 ----a-w c:\windows\SYSTEM32\icardie.dll
- 2008-10-16 13:11:09 70,656 ----a-w c:\windows\SYSTEM32\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 ----a-w c:\windows\SYSTEM32\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 ----a-w c:\windows\SYSTEM32\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ----a-w c:\windows\SYSTEM32\ieakeng.dll
- 2008-10-16 20:38:35 230,400 ----a-w c:\windows\SYSTEM32\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ----a-w c:\windows\SYSTEM32\ieaksie.dll
- 2008-10-15 07:04:53 161,792 ----a-w c:\windows\SYSTEM32\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ----a-w c:\windows\SYSTEM32\ieakui.dll
- 2008-10-16 20:38:35 383,488 ----a-w c:\windows\SYSTEM32\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 ----a-w c:\windows\SYSTEM32\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 ----a-w c:\windows\SYSTEM32\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ----a-w c:\windows\SYSTEM32\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\SYSTEM32\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 ----a-w c:\windows\SYSTEM32\ieframe.dll
- 2008-10-16 20:38:37 44,544 ----a-w c:\windows\SYSTEM32\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ----a-w c:\windows\SYSTEM32\iernonce.dll
- 2008-10-16 20:38:37 267,776 ----a-w c:\windows\SYSTEM32\iertutil.dll
+ 2008-12-20 23:15:22 267,776 ----a-w c:\windows\SYSTEM32\iertutil.dll
- 2008-10-16 13:11:09 13,824 ----a-w c:\windows\SYSTEM32\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 ----a-w c:\windows\SYSTEM32\ieudinit.exe
- 2008-10-16 20:38:37 27,648 ----a-w c:\windows\SYSTEM32\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ----a-w c:\windows\SYSTEM32\jsproxy.dll
- 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\SYSTEM32\MRT.exe
+ 2009-02-12 04:56:17 21,244,872 ----a-w c:\windows\SYSTEM32\MRT.exe
- 2008-10-16 20:38:37 459,264 ----a-w c:\windows\SYSTEM32\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 ----a-w c:\windows\SYSTEM32\msfeeds.dll
- 2008-10-16 20:38:37 52,224 ----a-w c:\windows\SYSTEM32\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 ----a-w c:\windows\SYSTEM32\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\SYSTEM32\mshtml.dll
+ 2009-01-17 03:35:14 3,594,752 ----a-w c:\windows\SYSTEM32\mshtml.dll
- 2008-10-16 20:38:38 477,696 ----a-w c:\windows\SYSTEM32\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ----a-w c:\windows\SYSTEM32\mshtmled.dll
- 2008-10-16 20:38:38 193,024 ----a-w c:\windows\SYSTEM32\msrating.dll
+ 2008-12-20 23:15:31 193,024 ----a-w c:\windows\SYSTEM32\msrating.dll
- 2008-10-16 20:38:39 671,232 ----a-w c:\windows\SYSTEM32\mstime.dll
+ 2008-12-20 23:15:32 671,232 ----a-w c:\windows\SYSTEM32\mstime.dll
- 2008-10-16 20:38:39 102,912 ----a-w c:\windows\SYSTEM32\occache.dll
+ 2008-12-20 23:15:38 102,912 ----a-w c:\windows\SYSTEM32\occache.dll
- 2008-10-16 20:38:39 44,544 ----a-w c:\windows\SYSTEM32\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ----a-w c:\windows\SYSTEM32\pngfilt.dll
- 2007-08-11 01:46:18 17,272 ------w c:\windows\SYSTEM32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w c:\windows\SYSTEM32\spmsg.dll
- 2008-10-16 20:38:39 105,984 ----a-w c:\windows\SYSTEM32\url.dll
+ 2008-12-20 23:15:39 105,984 ----a-w c:\windows\SYSTEM32\url.dll
- 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\SYSTEM32\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\SYSTEM32\urlmon.dll
- 2008-10-16 20:38:39 233,472 ----a-w c:\windows\SYSTEM32\webcheck.dll
+ 2008-12-20 23:15:40 233,472 ----a-w c:\windows\SYSTEM32\webcheck.dll
- 2008-10-16 20:38:40 826,368 ----a-w c:\windows\SYSTEM32\wininet.dll
+ 2008-12-20 23:15:41 826,368 ----a-w c:\windows\SYSTEM32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF63C7F6-BA07-4331-B388-76E128AF5FE5}]
2002-08-29 05:00 99840 --a------ c:\windows\system32\DPWSOCKk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-05 68856]
"Media Importer"="c:\program files\Cisco Media Hub\Linksys Media Importer\LinksysClient.exe" [2008-11-21 6324224]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-04 4363504]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-12-18 278528]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"KAV50"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" [2004-10-11 426118]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KLBLMain]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"8buuif4l"=c:\windows\system32\8buuif4l.exe
"AON"=c:\program files\Apserver\AON.EXE
"Road Runner PhotoShow Media Manager"=c:\progra~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KAV50"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 2005\pccguide.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"b2"=c:\documents and settings\terri\Local Settings\Temp\b2.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"dla"=c:\windows\system32\dla\tfswctrl.exe
"HotKeysCmds"=c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\SYSTEM32\\8buuif4l.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Klmc;Klmc;c:\windows\SYSTEM32\DRIVERS\Klmc.sys [2004-08-19 9939]
R0 whlqekkt;whlqekkt;c:\windows\SYSTEM32\DRIVERS\whlqekkt.sys [2002-08-29 23424]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-07-30 161064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-01-12 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\InstallSeagateManager.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe []

2009-02-12 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe []

2009-02-13 c:\windows\Tasks\{3AEE6415-01E6-4BDF-9CC0-42C0B51D1831}_MOM_terri.job
- c:\windows\System32\mobsync.exe [2008-04-13 18:12]

2009-02-13 c:\windows\Tasks\{5830F115-9FB9-4ED8-8598-E944108142A7}_MOM_terri.job
- c:\windows\System32\mobsync.exe [2008-04-13 18:12]

2009-02-13 c:\windows\Tasks\{D5AD00CE-6856-4B97-A8FA-0F095ED84F25}_MOM_terri.job
- c:\windows\System32\mobsync.exe [2008-04-13 18:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:6711
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: {1845EEB8-81A8-497F-9E81-130398D9AA52} = 24.93.40.62,24.93.40.75
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-13 19:43:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3321130872-145808096-2722530444-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,90,35,61,db,7d,
41,c6,78,c8,28,51,af,b0,29,a3,98,4c,83,ca,d9,1e,1c,10,10,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,bd,fa,31,50,9a,
04,49,68,71,3b,04,66,8b,46,0d,96,ac,e9,5c,7f,3b,7f,67,c4,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,05,d2,5d,b5,6c,
6f,a3,98,25,da,ec,7e,55,20,c9,26,35,9e,98,6a,62,df,43,06,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,75,23,4f,c8,7a,
17,0b,7c,3e,1e,9e,e0,57,5a,93,61,6a,d6,cb,72,c5,da,47,86,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,d7,f8,06,84,32,
16,7a,46,cd,44,cd,b9,a6,33,6c,cd,22,df,c6,49,e7,d9,83,5e,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,aa,b8,5a,40,5a,
94,a2,dd,b0,18,ed,a7,3f,8d,37,a4,47,13,96,cf,ff,f6,43,36,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,8e,35,da,fb,13,
3a,0f,34,31,77,e1,ba,b1,f8,68,02,78,57,c6,8e,c1,a8,32,e2,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,63,11,8b,6d,62,
7c,1f,cc,83,6c,56,8b,a0,85,96,ab,4c,e4,46,11,a2,74,7f,d4,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,0c,30,c9,8d,07,
a6,1d,a9,51,fa,6e,91,28,9e,14,cc,71,6e,48,b9,12,46,57,01,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,56,a2,f9,8e,1c,
0a,98,d7,b1,cd,45,5a,a8,c4,f8,b9,d7,c7,c5,d6,dd,90,f1,bc,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,6c,db,46,55,4a,
ba,38,9c,e3,0e,66,d5,eb,bc,2f,6b,aa,ed,b6,6d,6c,e0,08,47,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,b8,cd,87,a8,82,
eb,12,de,fa,ea,66,7f,d4,3b,6b,70,ff,ca,0d,40,8b,ce,d6,cd,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\BCM V.92 56K Modem]
@DACL=(02 0000)
"UninstallString"="c:\\WINDOWS\\BCMSMU.exe quiet"
"QuietUninstallString"="c:\\WINDOWS\\BCMSMU.exe silent"
"DisplayName"="BCM V.92 56K Modem"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield Uninstall Information]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield Uninstall Information\{3CB41017-F5CA-4C56-934C-ED02156251E6}]
@DACL=(02 0000)
"LogFile"="c:\\Program Files\\InstallShield Installation Information\\{3CB41017-F5CA-4C56-934C-ED02156251E6}\\Setup.ilg"
"StatusText"="iTunes Setup is preparing the InstallShield Wizard, which will guide you through the program setup process. Please wait."

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{89EE857B-8970-4F9F-AB58-A1C873AC72B3}]
@DACL=(02 0000)
"UninstallString"="c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\Driver\\7\\INTEL3~1\\IDriver.exe /M{89EE857B-8970-4F9F-AB58-A1C873AC72B3} /l1033 "
"DisplayName"="Broadcom Management Programs"
"LogFile"="c:\\Program Files\\InstallShield Installation Information\\{89EE857B-8970-4F9F-AB58-A1C873AC72B3}\\Setup.ilg"
"Comments"="Broadcom Advanced Control Suite(BACS) "
"Contact"="Dell Customer Support"
"DisplayVersion"="4.01.0000"
"HelpTelephone"="..."
"InstallDate"="20031103"
"InstallLocation"=""
"InstallSource"=""
"ProductID"=""
"Publisher"="Broadcom"
"Readme"="c:\\Program Files\\Broadcom Management Programs\\Readme.txt "
"URLInfoAbout"="www.broadcom.com"
"URLUpdateInfo"="http://www.support.dell.com"
"HelpLink"=expand:"http://www.support.dell.com"
"EstimatedSize"=dword:00000000
"Language"=dword:00000000
"Version"=dword:04010000
"VersionMajor"=dword:00000004
"VersionMinor"=dword:00000001
"DisplayIcon"=""
"RegOwner"=" "
"RegCompany"=" "

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Shockwave]
@DACL=(02 0000)
"DisplayName"="Shockwave"
"UninstallString"="c:\\WINDOWS\\SYSTEM32\\Macromed\\SHOCKW~1\\UNWISE.EXE c:\\WINDOWS\\SYSTEM32\\Macromed\\SHOCKW~1\\Install.log"
"QuietDisplayName"="Shockwave Director 8.5.1"
"QuietUninstallString"="RunDll32 advpack.dll,LaunchINFSection c:\\WINDOWS\\\\INF\\\\swdir.inf,DefaultUninstall,5"
"RequiresIESysFile"="4.70.0.1155"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\ShockwaveFlash]
@DACL=(02 0000)
"QuietDisplayName"="Shockwave Flash"
"QuietUninstallString"="RunDll32 advpack.dll,LaunchINFSection c:\\WINDOWS\\INF\\swflash.inf,DefaultUninstall,5"
"RequiresIESysFile"="4.70.0.1155"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer]
@DACL=(02 0000)
"DisplayName"="Viewpoint Media Player"
"UninstallString"="c:\\Program Files\\Viewpoint\\Viewpoint Media Player\\mtsAxInstaller.exe /u"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\{2637C347-9DAD-11D6-9EA2-00055D0CA761}]
@DACL=(02 0000)
"UninstallString"="RunDll32 c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\engine\\6\\INTEL3~1\\Ctor.dll,LaunchSetup \"c:\\Program Files\\InstallShield Installation Information\\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\\setup.exe\" -uninstall"
"DisplayName"="Dell Media Experience"
"LogFile"="c:\\Program Files\\InstallShield Installation Information\\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\\setup.ilg"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\{E3436EE2-D5CB-4249-840B-3A0140CC34C3}]
@DACL=(02 0000)
"DisplayIcon"=expand:"c:\\Program Files\\Classic PhoneTools\\PhonTool.exe"
"HelpLink"=expand:"http://www.bvrp.com"
"Publisher"="BVRP Software"
"DisplayVersion"="4.16"
"VersionMajor"=dword:00000004
"VersionMinor"=dword:00000010
"InstallLocation"="c:\\Program Files\\Classic PhoneTools"
"Language"=dword:00000009
"DisplayName"="Classic PhoneTools"
"UninstallString"="RunDll32 c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\engine\\6\\INTEL3~1\\Ctor.dll,LaunchSetup \"c:\\Program Files\\InstallShield Installation Information\\{E3436EE2-D5CB-4249-840B-3A0140CC34C3}\\setup.exe\" -l0x9 ControlPanel"
"LogFile"="c:\\Program Files\\InstallShield Installation Information\\{E3436EE2-D5CB-4249-840B-3A0140CC34C3}\\setup.ilg"
.
Completion time: 2009-02-13 19:49:54
ComboFix-quarantined-files.txt 2009-02-14 01:48:37
ComboFix2.txt 2009-02-12 23:21:15

Pre-Run: 554,336,256 bytes free
Post-Run: 603,889,664 bytes free

452 --- E O F --- 2009-02-13 09:07:02

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 14 February 2009 - 04:55 AM

Hi,

You have not really performed the steps as I asked.

First of all, Kaspersky is still installed while it's an outdated / older version.
Not sure why you are saying that you tried to remove Teatimer, because I didn't ask you to remove it; I asked you to disable it, and even posted a link with screenshots showing how to do this.

Second, I see Combofix is not present on your desktop; the same applies to cfscript.
And I'm not sure either what was inside your cfscript, because Combofix didn't perform any of the instructions that were in cfscript.
So please reread my instructions and start by placing Combofix.exe on your desktop.
Then create the cfscript, also on your desktop, exactly the way I described.
Then post the new log in your next reply.

Anyway, it is important that you read all instructions and follow them. This is the only way to get rid of the malware.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 whatisavailable

whatisavailable
  • Topic Starter

  • Members
  • 212 posts
  • Gender:Male
  • Location:Texas

Posted 15 February 2009 - 12:35 AM

Thanks but the Kaspersky program will not go away and there is no "uninstall" available for it. I've even tried to remove it using other programs. I am open to suggestions on how to get rid of it.

After uninstalling and reinstalling S&D, I can finally prevent Teatimer from running - I'll re-engage it after the system is cleaned.

Here is the output of Combofix.
Thank you for the help.
Jim

ComboFix 09-02-12.03 - terri 2009-02-14 23:03:18.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.638.284 [GMT -6:00]
Running from: c:\documents and settings\terri\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\terri\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus Personal Pro 5.0 *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Legacy_WHLQEKKT
-------\Service_Viewpoint Manager Service
-------\Service_whlqekkt


((((((((((((((((((((((((( Files Created from 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))
.

2009-02-13 19:34 . 2009-02-13 19:34 <DIR> d-------- C:\New Folder (2)
2009-02-13 19:05 . 2009-02-13 19:05 9,123 --a------ C:\ResetTeaTimer.bat
2009-02-12 13:42 . 2009-02-12 13:42 <DIR> d-------- c:\documents and settings\LocalService\Application Data\PeerNetworking
2009-02-12 13:38 . 2009-02-12 13:38 2,067,968 --a------ c:\windows\SYSTEM32\SET6AF6.tmp
2009-02-11 22:14 . 2009-02-12 13:30 <DIR> d-------- c:\windows\SYSTEM32\scripting
2009-02-11 22:14 . 2009-02-12 13:30 <DIR> d-------- c:\windows\SYSTEM32\en
2009-02-11 22:14 . 2009-02-12 13:30 <DIR> d-------- c:\windows\l2schemas
2009-02-11 21:53 . 2007-06-13 04:23 1,033,216 --a------ c:\windows\SET642C.tmp
2009-02-11 21:53 . 2004-08-03 23:56 194,048 --a------ c:\windows\SYSTEM32\SET6AB8.tmp
2009-02-11 21:53 . 2004-08-03 23:56 143,360 --a------ c:\windows\SYSTEM32\SET6ABC.tmp
2009-02-11 21:53 . 2006-08-16 05:58 100,352 --a------ c:\windows\SYSTEM32\SET6AB4.tmp
2009-02-11 21:51 . 2008-09-15 05:57 1,846,016 --a------ c:\windows\SYSTEM32\win32k.sys
2009-02-11 21:50 . 2008-08-14 04:00 2,180,352 --a------ c:\windows\SYSTEM32\ntoskrnl.exe
2009-01-19 23:04 . 2009-01-19 22:51 102,664 --a------ c:\windows\SYSTEM32\DRIVERS\tmcomm.sys
2009-01-19 22:50 . 2009-01-19 23:08 <DIR> d-------- c:\documents and settings\terri\.housecall6.6
2009-01-18 08:31 . 2009-01-18 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\1992374312
2009-01-18 01:48 . 2009-01-18 01:48 250 --a------ c:\windows\gmer.ini
2009-01-18 00:58 . 2009-01-18 00:56 124,167 --a------ c:\windows\SYSTEM32\SYMEVNT.386
2009-01-18 00:58 . 2009-01-18 00:56 83,208 --a------ c:\windows\SYSTEM32\S32EVNT1.DLL
2009-01-18 00:58 . 2009-01-18 00:56 73,496 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.SYS
2009-01-18 00:57 . 2009-01-18 00:57 <DIR> d-------- c:\program files\Symantec_Client_Security
2009-01-18 00:57 . 2009-01-18 00:58 <DIR> d-------- c:\program files\Symantec
2009-01-18 00:28 . 2009-01-18 01:08 <DIR> d-------- c:\documents and settings\terri\NTI-Shadow
2009-01-18 00:27 . 2009-01-18 01:09 <DIR> d-------- c:\program files\Linksys
2009-01-18 00:27 . 2009-01-18 01:08 <DIR> d-------- c:\program files\Cisco Media Hub
2009-01-18 00:27 . 2009-01-18 00:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pure Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-15 05:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-15 04:58 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-12 02:34 --------- d-----w c:\program files\Yahoo!
2009-02-12 02:33 --------- d-----w c:\program files\Microsoft ActiveSync
2009-02-06 16:11 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-26 05:46 --------- d-----w c:\program files\QuickTime
2009-01-26 05:41 --------- d-----w c:\program files\Trend Micro
2009-01-25 01:14 --------- d-----w c:\program files\Google
2009-01-22 00:26 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-18 06:57 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-18 06:41 --------- d-----w c:\documents and settings\terri\Application Data\Yahoo!
2009-01-18 06:38 --------- d-----w c:\program files\Common Files\AOL
2009-01-18 06:26 3 ----a-w c:\program files\option.txt
2009-01-16 04:49 11,975 ----a-w c:\documents and settings\All Users\Application Data\ustore.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.


---- c:\windows\SYSTEM32\ntoskrnl.exe ----
Company: Microsoft Corporation
File Description: NT Kernel & System
File Version: 5.1.2600.3427 (xpsp_sp2_gdr.080814-1233)
Product Name: Microsoftr Windowsr Operating System
Copyright: c Microsoft Corporation. All rights reserved.
Original file name: ntoskrnl.exe
MD5: 21c91da9cb53aa8a37041ba9684a8458


((((((((((((((((((((((((((((( SnapShot_2009-02-13_19.45.07.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-15 05:23:42 16,384 ----atw c:\windows\temp\Perflib_Perfdata_67c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF63C7F6-BA07-4331-B388-76E128AF5FE5}]
2002-08-29 05:00 99840 --a------ c:\windows\system32\DPWSOCKk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Media Importer"="c:\program files\Cisco Media Hub\Linksys Media Importer\LinksysClient.exe" [2008-11-21 6324224]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-04 4363504]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-12-18 278528]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"KAV50"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" [2004-10-11 426118]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KLBLMain]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AON"=c:\program files\Apserver\AON.EXE
"Road Runner PhotoShow Media Manager"=c:\progra~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KAV50"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 2005\pccguide.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"dla"=c:\windows\system32\dla\tfswctrl.exe
"HotKeysCmds"=c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Klmc;Klmc;c:\windows\SYSTEM32\DRIVERS\Klmc.sys [2004-08-19 9939]
R0 whlqekkt;whlqekkt;c:\windows\SYSTEM32\DRIVERS\whlqekkt.sys [2002-08-29 23424]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-07-30 161064]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WHLQEKKT

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\InstallSeagateManager.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe []

2009-02-14 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe []

2009-02-13 c:\windows\Tasks\{3AEE6415-01E6-4BDF-9CC0-42C0B51D1831}_MOM_terri.job
- c:\windows\System32\mobsync.exe [2008-04-13 18:12]

2009-02-13 c:\windows\Tasks\{5830F115-9FB9-4ED8-8598-E944108142A7}_MOM_terri.job
- c:\windows\System32\mobsync.exe [2008-04-13 18:12]

2009-02-13 c:\windows\Tasks\{D5AD00CE-6856-4B97-A8FA-0F095ED84F25}_MOM_terri.job
- c:\windows\System32\mobsync.exe [2008-04-13 18:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:6711
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TCP: {1845EEB8-81A8-497F-9E81-130398D9AA52} = 24.93.40.62,24.93.40.75
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-14 23:22:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3321130872-145808096-2722530444-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\SYSTEM32\TCPSVCS.EXE
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-14 23:29:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-15 05:28:32
ComboFix2.txt 2009-02-14 01:50:00
ComboFix3.txt 2009-02-12 23:21:15

Pre-Run: 2,816,872,448 bytes free
Post-Run: 2,884,784,128 bytes free

198 --- E O F --- 2009-02-14 09:01:53

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 15 February 2009 - 04:51 AM

Hi,

It looks like you didn't include the File:: on top of the cfscript.
So, we'll have to do this again....

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
c:\windows\SYSTEM32\DRIVERS\whlqekkt.sys
c:\WINDOWS\SYSTEM32\8buuif4l.exe
c:\windows\system32\DPWSOCKk.dll
Driver::
whlqekkt
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF63C7F6-BA07-4331-B388-76E128AF5FE5}]



Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Also, see here for how to uninstall your version of Kaspersky:
http://support.kaspersky.com/faq/?qid=193238580
Edit: I've found the Kaspersky removal tool for version 5 here: ftp://ftp.kaspersky.com/utils/klremover/K...istry_Clean.zip
Unzip it and run the exe inside that folder.

Edited by miekiemoes, 15 February 2009 - 05:03 AM.

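
The CFScript layout used in this post (File::, Driver:: and Registry:: sections, with File:: on top) as an added example that is not part of ComboFix or of this thread: a small Python checker that splits such a script into its sections and reports the exact mistake flagged above, paths listed before any section header, which ComboFix otherwise skips without comment. The section semantics, the helper names (parse_cfscript, CFScript) and the "bad" sample script are assumptions modelled from the posted script.

```python
"""Parse and sanity-check a ComboFix CFScript.

Added example for this thread, not part of ComboFix. The section
semantics are modelled from the script posted above: File:: lists files
to delete, Driver:: lists services/drivers to remove, Registry:: holds
regedit-style lines where [-KEY] deletes KEY.
"""
import re
from dataclasses import dataclass, field

# Section headers ComboFix expects, one per line, ending in '::'.
SECTION_RE = re.compile(r"^(File|Driver|Registry)::\s*$", re.IGNORECASE)
# A drive-letter Windows path such as c:\windows\system32\DPWSOCKk.dll.
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\[^<>|?*]+$")
# A regedit key line; a leading '-' inside the brackets means delete.
REG_KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+|HKLM|HKCU)\\(.+)\]$", re.IGNORECASE)


@dataclass
class CFScript:
    files: list = field(default_factory=list)
    drivers: list = field(default_factory=list)
    registry: list = field(default_factory=list)  # (action, key-or-value) tuples
    errors: list = field(default_factory=list)

    @property
    def ok(self):
        """True only if nothing was rejected and at least one directive exists."""
        return not self.errors and bool(self.files or self.drivers or self.registry)


def parse_cfscript(text):
    """Assign every non-blank line of a CFScript to its section.

    A line that precedes any 'X::' header is exactly the mistake flagged in
    this thread (no 'File::' on top): ComboFix silently ignores such lines,
    so they are reported as errors rather than dropped.
    """
    script = CFScript()
    section = None
    in_key = False  # inside a [KEY] block of the Registry:: section
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            in_key = False
            continue
        if section is None:
            script.errors.append(
                f"line {lineno}: {line!r} appears before any File::/Driver::/Registry:: header")
        elif section == "file":
            if WIN_PATH_RE.match(line):
                script.files.append(line)
            else:
                script.errors.append(f"line {lineno}: {line!r} is not a full Windows path")
        elif section == "driver":
            # Service names are single tokens such as whlqekkt, never paths.
            if re.fullmatch(r"[\w.-]+", line):
                script.drivers.append(line)
            else:
                script.errors.append(f"line {lineno}: {line!r} is not a service name")
        else:  # registry
            key = REG_KEY_RE.match(line)
            if key:
                in_key = key.group(1) != "-"
                action = "open_key" if in_key else "delete_key"
                script.registry.append((action, key.group(2) + "\\" + key.group(3)))
            elif in_key:
                script.registry.append(("value", line))  # e.g. "name"=- under a key
            else:
                script.errors.append(f"line {lineno}: {line!r} is not a registry key line")
    return script


# The script posted by the helper in this thread, verbatim.
GOOD_SCRIPT = r"""
File::
c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
c:\windows\SYSTEM32\DRIVERS\whlqekkt.sys
c:\WINDOWS\SYSTEM32\8buuif4l.exe
c:\windows\system32\DPWSOCKk.dll
Driver::
whlqekkt
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF63C7F6-BA07-4331-B388-76E128AF5FE5}]
"""

# Constructed: the same script with the File:: header left off, as the
# helper suspected happened in the earlier attempt.
BAD_SCRIPT = GOOD_SCRIPT.replace("File::\n", "", 1)


if __name__ == "__main__":
    for name, text in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        result = parse_cfscript(text)
        print(f"{name}: ok={result.ok} files={len(result.files)} "
              f"drivers={result.drivers} registry={result.registry}")
        for err in result.errors:
            print("  ", err)
```

Running it shows the posted script parsing cleanly into four file deletions, one driver and one registry key deletion, while the header-less variant yields four errors and an empty File:: list, which matches the earlier ComboFix run that performed none of the instructions.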

#9 whatisavailable

whatisavailable
  • Topic Starter

  • Members
  • 212 posts
  • Gender:Male
  • Location:Texas

Posted 15 February 2009 - 01:04 PM

Thanks. I ran the V5 uninstall for Kaspersky - looks like the program no longer installs but I do see it listed in your log.
The NAV notice doesn't come up anymore on that file - yeah!
Here's the ComboFix log - is it clean now? I'm open to any other suggestions.
Thanks again.
Jim



ComboFix 09-02-12.03 - terri 2009-02-15 11:47:05.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.638.269 [GMT -6:00]
Running from: c:\documents and settings\terri\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\terri\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus Personal Pro 5.0 *On-access scanning disabled* (Outdated)
* Created a new restore point

FILE ::
c:\windows\SYSTEM32\8buuif4l.exe
c:\windows\system32\DPWSOCKk.dll
c:\windows\SYSTEM32\DRIVERS\whlqekkt.sys
c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\8buuif4l.exe
c:\windows\system32\DPWSOCKk.dll
c:\windows\SYSTEM32\DRIVERS\whlqekkt.sys
c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WHLQEKKT
-------\Service_whlqekkt


((((((((((((((((((((((((( Files Created from 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))
.

2009-02-13 19:34 . 2009-02-13 19:34 <DIR> d-------- C:\New Folder (2)
2009-02-13 19:05 . 2009-02-13 19:05 9,123 --a------ C:\ResetTeaTimer.bat
2009-02-12 13:42 . 2009-02-12 13:42 <DIR> d-------- c:\documents and settings\LocalService\Application Data\PeerNetworking
2009-02-12 13:38 . 2009-02-12 13:38 2,067,968 --a------ c:\windows\SYSTEM32\SET6AF6.tmp
2009-02-11 22:14 . 2009-02-12 13:30 <DIR> d-------- c:\windows\SYSTEM32\scripting
2009-02-11 22:14 . 2009-02-12 13:30 <DIR> d-------- c:\windows\SYSTEM32\en
2009-02-11 22:14 . 2009-02-12 13:30 <DIR> d-------- c:\windows\l2schemas
2009-02-11 21:53 . 2007-06-13 04:23 1,033,216 --a------ c:\windows\SET642C.tmp
2009-02-11 21:53 . 2004-08-03 23:56 194,048 --a------ c:\windows\SYSTEM32\SET6AB8.tmp
2009-02-11 21:53 . 2004-08-03 23:56 143,360 --a------ c:\windows\SYSTEM32\SET6ABC.tmp
2009-02-11 21:53 . 2006-08-16 05:58 100,352 --a------ c:\windows\SYSTEM32\SET6AB4.tmp
2009-02-11 21:51 . 2008-09-15 05:57 1,846,016 --a------ c:\windows\SYSTEM32\win32k.sys
2009-02-11 21:50 . 2008-08-14 04:00 2,180,352 --a------ c:\windows\SYSTEM32\ntoskrnl.exe
2009-01-19 23:04 . 2009-01-19 22:51 102,664 --a------ c:\windows\SYSTEM32\DRIVERS\tmcomm.sys
2009-01-19 22:50 . 2009-01-19 23:08 <DIR> d-------- c:\documents and settings\terri\.housecall6.6
2009-01-18 08:31 . 2009-01-18 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\1992374312
2009-01-18 01:48 . 2009-01-18 01:48 250 --a------ c:\windows\gmer.ini
2009-01-18 00:58 . 2009-01-18 00:56 124,167 --a------ c:\windows\SYSTEM32\SYMEVNT.386
2009-01-18 00:58 . 2009-01-18 00:56 83,208 --a------ c:\windows\SYSTEM32\S32EVNT1.DLL
2009-01-18 00:58 . 2009-01-18 00:56 73,496 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.SYS
2009-01-18 00:57 . 2009-01-18 00:57 <DIR> d-------- c:\program files\Symantec_Client_Security
2009-01-18 00:57 . 2009-01-18 00:58 <DIR> d-------- c:\program files\Symantec
2009-01-18 00:28 . 2009-01-18 01:08 <DIR> d-------- c:\documents and settings\terri\NTI-Shadow
2009-01-18 00:27 . 2009-01-18 01:09 <DIR> d-------- c:\program files\Linksys
2009-01-18 00:27 . 2009-01-18 01:08 <DIR> d-------- c:\program files\Cisco Media Hub
2009-01-18 00:27 . 2009-01-18 00:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pure Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-15 05:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-15 04:58 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-12 02:34 --------- d-----w c:\program files\Yahoo!
2009-02-12 02:33 --------- d-----w c:\program files\Microsoft ActiveSync
2009-02-06 16:11 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-26 05:46 --------- d-----w c:\program files\QuickTime
2009-01-26 05:41 --------- d-----w c:\program files\Trend Micro
2009-01-25 01:14 --------- d-----w c:\program files\Google
2009-01-22 00:26 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-18 06:57 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-18 06:41 --------- d-----w c:\documents and settings\terri\Application Data\Yahoo!
2009-01-18 06:38 --------- d-----w c:\program files\Common Files\AOL
2009-01-18 06:26 3 ----a-w c:\program files\option.txt
2009-01-16 04:49 11,975 ----a-w c:\documents and settings\All Users\Application Data\ustore.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Media Importer"="c:\program files\Cisco Media Hub\Linksys Media Importer\LinksysClient.exe" [2008-11-21 6324224]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-04 4363504]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-12-18 278528]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AON"=c:\program files\Apserver\AON.EXE
"Road Runner PhotoShow Media Manager"=c:\progra~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KAV50"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 2005\pccguide.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"dla"=c:\windows\system32\dla\tfswctrl.exe
"HotKeysCmds"=c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-07-30 161064]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WHLQEKKT

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\InstallSeagateManager.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-14 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe []

2009-02-13 c:\windows\Tasks\{3AEE6415-01E6-4BDF-9CC0-42C0B51D1831}_MOM_terri.job
- c:\windows\System32\mobsync.exe [2008-04-13 18:12]

2009-02-13 c:\windows\Tasks\{5830F115-9FB9-4ED8-8598-E944108142A7}_MOM_terri.job
- c:\windows\System32\mobsync.exe [2008-04-13 18:12]

2009-02-13 c:\windows\Tasks\{D5AD00CE-6856-4B97-A8FA-0F095ED84F25}_MOM_terri.job
- c:\windows\System32\mobsync.exe [2008-04-13 18:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:6711
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TCP: {1845EEB8-81A8-497F-9E81-130398D9AA52} = 24.93.40.62,24.93.40.75
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 11:54:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3321130872-145808096-2722530444-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\SYSTEM32\TCPSVCS.EXE
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-02-15 12:00:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-15 17:59:38
ComboFix2.txt 2009-02-15 05:29:49
ComboFix3.txt 2009-02-14 01:50:00
ComboFix4.txt 2009-02-12 23:21:15

Pre-Run: 2,867,724,288 bytes free
Post-Run: 2,856,292,352 bytes free

183 --- E O F --- 2009-02-15 17:37:22

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 15 February 2009 - 05:20 PM

Hi,

This looks OK again. The malware is gone. Please read my previous post on how to delete Kaspersky with the removal tool.

[quote]I've found the Kaspersky removal tool for version 5 here: ftp://ftp.kaspersky.com/utils/klremover/K...istry_Clean.zip[/quote]

Then go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 whatisavailable (Topic Starter)
Members | 212 posts | Location: Texas

Posted 16 February 2009 - 02:05 AM

Thanks! I sent $15 Euro to your account via paypal. I appreciate the help.
What anti-virus program do you recommend?
Thanks
Jim

#12 miekiemoes
Malware Killer Dog | Malware Response Team | 19,420 posts | Location: Belgium

Posted 16 February 2009 - 04:04 AM

Hi,

Thank you for the donation, much appreciated :thumbup2:
For Antivirus, look in my signature below under Antivirus for the ones I recommend. Only install one!

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#13 miekiemoes
Malware Killer Dog | Malware Response Team | 19,420 posts | Location: Belgium

Posted 17 February 2009 - 09:53 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.