
hijacked problem with computer


This topic is locked.
39 replies to this topic

#1 dahone4u (Members, 32 posts)

Posted 24 February 2009 - 08:03 PM

I have done my DDS scan and attached it. I did not follow correct protocol earlier and had to start over. I hope it works this time.

PS: thank you for your help.

PPS: I already downloaded the ComboFix file before learning not to, so I just wanted to let you know that it is on my desktop already, and I did run the program before I ran the DDS listed below. I hope that makes sense. Thank you again.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Darce at 16:55:37.78 on 02/24/09
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.550 [GMT -8:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Micro Innovations\Wireless Laser Mouse\moffice.exe
C:\Program Files\Micro Innovations\Wireless Laser Mouse\MOUSE32A.DAT
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Day-Timer Organizer SHARP Edition\xserv2k.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Darce\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnnfn.com/
uInternet Connection Wizard,ShellNext = iexplore
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SetDefPrt] c:\program files\brother\brmfl04b\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [AVG7_CC] c:\progra~1\grisoft\avgfre~1\avgcc.exe /STARTUP
mRun: [FLMOFFICE4DMOUSE] c:\program files\micro innovations\wireless laser mouse\moffice.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\expres~1.lnk - c:\program files\day-timer organizer sharp edition\xserv2k.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: SEAGULL J Walk Java Client 4_0C5-E474 - hxxp://elkocountynv.net/jwalk/jwalk/jwalk_ie.cab
DPF: Yahoo! Chat - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
DPF: {0C5CF442-582B-4357-B116-765DA99CAA8C} - hxxp://pucweb1.state.nv.us/wx/client/IrcViewer.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://www.taylorbeanonline.com/scriptx/smsx.cab
DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} - hxxps://quicken.ehosts.net/netagent/objects/custappx3.CAB
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {34C2EB81-F806-41B1-BCE2-E6CA37322DBF} - hxxps://net3.creditworkbench.com/cab/xPoint50.cab
DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} - hxxp://www2.xmlsweb.socalmls.com/XMLSearch/XMLCache.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.propertypanorama.com/tourmanager/ImageUploader5.cab
DPF: {66960E23-DE25-11CF-876F-444553540000} - hxxp://www.usrealnet.com/public/realnet/rrprview.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://las.mlxchange.com/5.0.03.26/Control/IRCSharc.cab
DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - hxxp://cs2b.instantservice.com/jars/customerxsigned34.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://www.loanwrighter.com/Tsweb/msrdp.cab
DPF: {B198A72B-B4C3-42B5-B8DA-B364E76429AA} - hxxp://las.mlxchange.com/4.2.10.33/Control/WebDog.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} - hxxps://www.clickloan.com/CAB/PtClickLoan/1,0,0,12/PtClickLoan.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://countrywide.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\symantec\winfax\WfxSeh32.Dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-11-11 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2006-11-11 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2006-11-11 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2006-11-11 10760]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2006-11-11 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2006-11-11 49664]
R2 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2003-1-5 94208]
R3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2003-1-5 225375]
R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2003-1-5 23296]
S2 SamSsNtmsSvc;Security Accounts Manager SamSsNtmsSvc;c:\windows\system32\3com_dmid.exe srv --> c:\windows\system32\3COM_DMId.exe srv [?]
S3 Bulk503;Chameleon Mega Digital Camera;c:\windows\system32\drivers\Bulk503.sys [2003-1-19 10599]
S3 ISO503;Chameleon Mega Video Camera;c:\windows\system32\drivers\ISO503.SYS [2003-1-19 526885]
S3 XIRLINK;eVision 123 digital camera;c:\windows\system32\drivers\ucdnt.sys [2003-1-9 880008]

=============== Created Last 30 ================

2009-02-24 16:14 <DIR> --d----- c:\windows\system32\NtmsData
2009-02-24 11:46 <DIR> a-dshr-- C:\cmdcons
2009-02-24 11:43 161,792 a------- c:\windows\SWREG.exe
2009-02-24 11:43 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 01:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 01:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 21:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 21:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-07-30 08:51 1,305,088 a------- c:\program files\NF_Movie_Player_211.msi
2008-07-03 21:53 7,271,832 a------- c:\program files\PokerStarsInstall.exe
2008-02-27 09:01 1,040,980 a------- c:\program files\WellsFargoCommercialTraining_Feb.pdf
2008-02-27 08:58 11,700,240 a------- c:\program files\ConfAddins_Setup.exe
2007-04-26 11:56 14,993,976 a------- c:\program files\Google_Earth_AZXV.exe
2005-03-01 17:58 43,480 a------- c:\docume~1\darce\applic~1\GDIPFONTCACHEV1.DAT
2003-04-24 19:44 338,800 a------- c:\program files\efxsetup.exe
2003-01-09 16:40 3,478,096 a------- c:\program files\efax reader.exe
2008-10-23 11:58 42,496 ---shr-- c:\windows\system32\3COM_DMId.exe
2008-10-11 09:09 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101120081012\index.dat

============= FINISH: 16:56:29.93 ===============


#2 mas_pogi (Carpal Tunnel of Love; Members, 1,473 posts; Gender: Male; Location: Tokyo, JP)

Posted 03 March 2009 - 07:31 AM

Hello dahone4u,

Welcome to Bleeping Computer.

My name is mas_pogi and I will be helping you with your malware problem.
As I am still in training, I will be helping you under the supervision of our expert teachers, so there may be a delay between posts.

Attention!

Please do not run any other tool until instructed to do so.
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having, as these can help also.
Please try as much as possible not to run anything while executing a fix.
Please reply to this thread; do not start another.




You might want to save this page in your bookmarks, so you can find it again when you return.

Firefox: (see screenshot) then click on Done.

IExplorer: (see screenshot) then click on Add.


  • Since you already ran combofix.exe, could you post the log? You can find it here:

    C:\combofix.txt


  • Also, please rerun DDS.scr. I need to have the latest log.
    Disable any script blocker, then double-click dds.scr to run the tool.
    • When done, DDS.txt will open.
    • Click Yes at the next prompt for Optional Scan.
    • Save both reports to your desktop.
    Please post the content of DDS.txt in your next reply.
    Please upload the file attach.txt using the attachment control (see screenshot).

  • Download GMER from here:
    http://www.gmer.net/files.php

    Unzip it to the desktop.

    Rename GMER.exe to G-mir.exe.
    Open the program and click on the Rootkit tab.
    Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
    Click on Scan.
    When the scan has run, click Copy and paste the results (if any) into this thread.

  • What is the situation of your computer now?

In your reply, please post

C:\combofix.txt
DDS.txt and attach.txt
GMER log
Answer to my questions


Mark

Edited by mas_pogi, 03 March 2009 - 07:33 AM.


#3 dahone4u (Topic Starter; Members, 32 posts)

Posted 03 March 2009 - 01:03 PM

Hello there, and thank you very much for the response; I am happy to hear from you.

Here is the combofix.txt log you asked for in question number 1. The file is attached, too.

Thank you again. I will work on the other items and post them as I get them completed.

ComboFix 09-02-24.01 - Darce 2009-02-24 11:51:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.538 [GMT -8:00]
Running from: c:\documents and settings\Darce\Desktop\ComboFix.exe
AV: AVG 7.5.557 *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Darce\LOCALS~1\Temp\tmp2.tmp
c:\program files\INSTALL.LOG
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\fad.sys
c:\windows\Temp\1908972630.exe
c:\windows\Temp\2760769625.exe
c:\windows\Temp\2963125960.exe
c:\windows\Temp\3879044169.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MDHSH
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 19:30 --------- d-----w c:\documents and settings\Darce\Application Data\AVG7
2009-02-24 06:55 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-22 01:01 --------- d-----w c:\program files\PokerStars
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-22 22:35 --------- d-----w c:\program files\ZipForm Desktop
2008-07-30 16:51 1,305,088 ----a-w c:\program files\NF_Movie_Player_211.msi
2008-07-04 05:53 7,271,832 ----a-w c:\program files\PokerStarsInstall.exe
2008-02-27 17:01 1,040,980 ----a-w c:\program files\WellsFargoCommercialTraining_Feb.pdf
2008-02-27 16:58 11,700,240 ----a-w c:\program files\ConfAddins_Setup.exe
2007-04-26 19:56 14,993,976 ----a-w c:\program files\Google_Earth_AZXV.exe
2005-03-02 01:58 43,480 ----a-w c:\documents and settings\Darce\Application Data\GDIPFONTCACHEV1.DAT
2003-04-25 03:44 338,800 ----a-w c:\program files\efxsetup.exe
2003-01-10 00:40 3,478,096 ----a-w c:\program files\efax reader.exe
2008-10-23 19:58 42,496 --sh--r c:\windows\SYSTEM32\3COM_DMId.exe
2008-10-11 17:09 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008101120081012\index.dat
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2003-05-15 245760]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SetDefPrt"="c:\program files\Brother\Brmfl04b\BrStDvPt.exe" [2004-05-25 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2009-02-24 590848]
"FLMOFFICE4DMOUSE"="c:\program files\Micro Innovations\Wireless Laser Mouse\moffice.exe" [2006-12-29 806912]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2000-02-14 c:\windows\SYSTEM32\WFXSNT40.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-01-05 45056]
ExpressServices 2000.lnk - c:\program files\Day-Timer Organizer SHARP Edition\xserv2k.exe [2003-01-19 49218]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\Symantec\WinFax\WfxSeh32.Dll" [1998-07-27 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.D263"= xl_x263dec.dll
"VIDC.YV12"= xl_yv12.dll
"VIDC.XJPG"= camfc.dll
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Palo Alto Software Update Manager 8.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Palo Alto Software Update Manager 8.0.lnk
backup=c:\windows\pss\Palo Alto Software Update Manager 8.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk
backup=c:\windows\pss\Status Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-04-07 11:07 496752 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2004-04-14 14:04 40960 c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-14 18:05 257088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2002-09-06 16:15 192512 c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2002-09-04 08:28 151552 c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2004-04-14 13:46 57393 c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 09:54 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2003-01-05 10:29 26112 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--a------ 2002-10-04 13:09 139264 c:\progra~1\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SCardSvr"=3 (0x3)
"RDSessMgr"=3 (0x3)
"Netlogon"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"Browser"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:@xpsp2res.dll,-22004

R3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [2003-01-05 23296]
S2 SamSsNtmsSvc;Security Accounts Manager SamSsNtmsSvc;c:\windows\system32\3COM_DMId.exe srv --> c:\windows\system32\3COM_DMId.exe srv [?]
S3 Bulk503;Chameleon Mega Digital Camera;c:\windows\SYSTEM32\DRIVERS\Bulk503.sys [2003-01-19 10599]
S3 ISO503;Chameleon Mega Video Camera;c:\windows\SYSTEM32\DRIVERS\ISO503.SYS [2003-01-19 526885]
S3 XIRLINK;eVision 123 digital camera;c:\windows\SYSTEM32\DRIVERS\ucdnt.sys [2003-01-09 880008]
.
Contents of the 'Scheduled Tasks' folder

2009-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]

2009-02-24 c:\windows\Tasks\McAfee.com Update Check (D8QXF821-Owner).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 08:28]

2009-02-24 c:\windows\Tasks\McAfee.com Update Check (D8QXF821-Owner).job
- c:\progra~1\McAfee.com\Agent [2004-06-12 18:21]

2009-02-24 c:\windows\Tasks\McAfee.com Update Check (DARCEDESKTOP-Darce).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 08:28]

2009-02-24 c:\windows\Tasks\McAfee.com Update Check (DARCEDESKTOP-Darce).job
- c:\progra~1\McAfee.com\Agent [2004-06-12 18:21]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ei6s6qr2wtdg7k81969z - c:\windows\TEMP\jhuvvmr3ba2hi.exe
HKCU-Run-gngku24bnq - c:\windows\TEMP\pmxd0r9ll.exe
HKCU-Run-np2xyfysfm4p8yzcjaupxeqf4rxxu - c:\windows\TEMP\hbux7e8heiwz.exe
HKCU-Run-sxrd1n9gj1z4bz52o0dedjvctti - c:\windows\TEMP\kx2y5v4jcqr1q.exe
HKCU-Run-s2b9bp8rqt2ovqcyrj2jrav6j86w352 - c:\windows\TEMP\ozanjgg.exe
SafeBoot-mdhsh.sys
SafeBoot-wATV03nt.sys
MSConfigStartUp-AdaptecDirectCD - c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-Pure Networks Port Magic - c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnnfn.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: SEAGULL J Walk Java Client 4_0C5-E474 - hxxp://elkocountynv.net/jwalk/jwalk/jwalk_ie.cab
DPF: Yahoo! Chat - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
DPF: {0C5CF442-582B-4357-B116-765DA99CAA8C} - hxxp://pucweb1.state.nv.us/wx/client/IrcViewer.cab
DPF: {34C2EB81-F806-41B1-BCE2-E6CA37322DBF} - hxxps://net3.creditworkbench.com/cab/xPoint50.cab
DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} - hxxp://www2.xmlsweb.socalmls.com/XMLSearch/XMLCache.CAB
DPF: {66960E23-DE25-11CF-876F-444553540000} - hxxp://www.usrealnet.com/public/realnet/rrprview.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://las.mlxchange.com/5.0.03.26/Control/IRCSharc.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 12:02:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??????x???`???X??? ???????`???P???? ?w? ?w)??p????????(???}????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X????????"@?e?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\brss01a.exe
c:\windows\SYSTEM32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\progra~1\Grisoft\AVGFRE~1\avgamsvr.exe
c:\progra~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\windows\SYSTEM32\Brmfrmps.exe
c:\progra~1\McAfee.com\VSO\mcvsrte.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
c:\windows\SYSTEM32\WFXSVC.EXE
c:\program files\Symantec\WinFax\WFXMOD32.EXE
c:\progra~1\McAfee.com\VSO\McShield.exe
c:\program files\Micro Innovations\Wireless Laser Mouse\mouse32a.dat
.
**************************************************************************
.
Completion time: 2009-02-24 12:10:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-24 20:09:51

Pre-Run: 31,741,272,064 bytes free
Post-Run: 34,317,148,160 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

264 --- E O F --- 2009-02-12 06:36:27


#4 dahone4u (Topic Starter; Members, 32 posts)

Posted 03 March 2009 - 01:14 PM

Here are the items you requested in number 2 of your instructions.

Thanks.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Darce at 10:08:00.43 on 03/03/09
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.510 [GMT -8:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Micro Innovations\Wireless Laser Mouse\moffice.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Micro Innovations\Wireless Laser Mouse\MOUSE32A.DAT
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Day-Timer Organizer SHARP Edition\xserv2k.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Darce\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnnfn.com/
uInternet Connection Wizard,ShellNext = iexplore
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SetDefPrt] c:\program files\brother\brmfl04b\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [AVG7_CC] c:\progra~1\grisoft\avgfre~1\avgcc.exe /STARTUP
mRun: [FLMOFFICE4DMOUSE] c:\program files\micro innovations\wireless laser mouse\moffice.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\expres~1.lnk - c:\program files\day-timer organizer sharp edition\xserv2k.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: SEAGULL J Walk Java Client 4_0C5-E474 - hxxp://elkocountynv.net/jwalk/jwalk/jwalk_ie.cab
DPF: Yahoo! Chat - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
DPF: {0C5CF442-582B-4357-B116-765DA99CAA8C} - hxxp://pucweb1.state.nv.us/wx/client/IrcViewer.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://www.taylorbeanonline.com/scriptx/smsx.cab
DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} - hxxps://quicken.ehosts.net/netagent/objects/custappx3.CAB
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {34C2EB81-F806-41B1-BCE2-E6CA37322DBF} - hxxps://net3.creditworkbench.com/cab/xPoint50.cab
DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} - hxxp://www2.xmlsweb.socalmls.com/XMLSearch/XMLCache.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.propertypanorama.com/tourmanager/ImageUploader5.cab
DPF: {66960E23-DE25-11CF-876F-444553540000} - hxxp://www.usrealnet.com/public/realnet/rrprview.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://las.mlxchange.com/5.0.03.26/Control/IRCSharc.cab
DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - hxxp://cs2b.instantservice.com/jars/customerxsigned34.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://www.loanwrighter.com/Tsweb/msrdp.cab
DPF: {B198A72B-B4C3-42B5-B8DA-B364E76429AA} - hxxp://las.mlxchange.com/4.2.10.33/Control/WebDog.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} - hxxps://www.clickloan.com/CAB/PtClickLoan/1,0,0,12/PtClickLoan.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://countrywide.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\symantec\winfax\WfxSeh32.Dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-11-11 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2006-11-11 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2006-11-11 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2006-11-11 10760]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2006-11-11 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2006-11-11 49664]
R2 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2003-1-5 94208]
R3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2003-1-5 225375]
R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2003-1-5 23296]
S2 SamSsNtmsSvc;Security Accounts Manager SamSsNtmsSvc;c:\windows\system32\3com_dmid.exe srv --> c:\windows\system32\3COM_DMId.exe srv [?]
S3 Bulk503;Chameleon Mega Digital Camera;c:\windows\system32\drivers\Bulk503.sys [2003-1-19 10599]
S3 ISO503;Chameleon Mega Video Camera;c:\windows\system32\drivers\ISO503.SYS [2003-1-19 526885]
S3 XIRLINK;eVision 123 digital camera;c:\windows\system32\drivers\ucdnt.sys [2003-1-9 880008]

=============== Created Last 30 ================

2009-02-24 16:14 <DIR> --d----- c:\windows\system32\NtmsData
2009-02-24 11:46 <DIR> a-dshr-- C:\cmdcons
2009-02-24 11:43 161,792 a------- c:\windows\SWREG.exe
2009-02-24 11:43 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 01:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 01:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 21:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 21:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-07-30 08:51 1,305,088 a------- c:\program files\NF_Movie_Player_211.msi
2008-07-03 21:53 7,271,832 a------- c:\program files\PokerStarsInstall.exe
2008-02-27 09:01 1,040,980 a------- c:\program files\WellsFargoCommercialTraining_Feb.pdf
2008-02-27 08:58 11,700,240 a------- c:\program files\ConfAddins_Setup.exe
2007-04-26 11:56 14,993,976 a------- c:\program files\Google_Earth_AZXV.exe
2005-03-01 17:58 43,480 a------- c:\docume~1\darce\applic~1\GDIPFONTCACHEV1.DAT
2003-04-24 19:44 338,800 a------- c:\program files\efxsetup.exe
2003-01-09 16:40 3,478,096 a------- c:\program files\efax reader.exe
2008-10-23 11:58 42,496 ---shr-- c:\windows\system32\3COM_DMId.exe
2008-10-11 09:09 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101120081012\index.dat

============= FINISH: 10:10:11.48 ===============


#5 dahone4u

dahone4u
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:03:18 AM

Posted 03 March 2009 - 01:29 PM

Hello mas_pogi

I am having a bit of trouble getting the g-mir.exe to run. I click on the icon and a small black screen opens and then closes. I do not get anything to work with.

Any advice/suggestions?

Thank you very much.

I re-downloaded the gmer program and was able to get to the screen to hit the rootkit button; however, the three buttons "scan, copy, save" covered the show all box and I was not able to see if it was unchecked. I could see part of the bottom box on the checklist and tried to get around the three buttons, and clicked the copy button by mistake. I closed the program and reopened it and still had the same issue; I could not see the show all checkbox. So I tried to click the scan button and it was not functioning; it did not run the scan.

Sorry for the trouble. Any suggestions?

thank you.,

I GOT IT TO WORK., HERE IS THE RESULT.,

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-03 16:22:53
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

INT 0x06 \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EEA6016D
INT 0x0E \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EEA5FFC2

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)
AttachedDevice \FileSystem\Ntfs \Ntfs NaiFiltr.sys
AttachedDevice \FileSystem\Fastfat \Fat avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat NaiFiltr.sys

---- EOF - GMER 1.0.14 ----

Edited by dahone4u, 03 March 2009 - 07:26 PM.


#6 dahone4u

dahone4u
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:03:18 AM

Posted 03 March 2009 - 07:41 PM

OKAY, POSTED THE RESULTS OF THE G-MIR IN MY PRIOR POST.,

HERE IS MY ANSWERS TO QUESTION NUMBER 4

The computer is running pretty well. No interrupting virus has stopped my computer. When I boot up in the morning I sometimes get an error that has some type of file similar to ex7pp879.exe, "unable to run, not enough memory available", but I click OK and move forward; I will write it down next time. Everything else is running fine, knock on wood. I have not run anti-virus or malware or Ad-Aware since posting, so I am not sure if anything else will come up.

I wonder, after everything checks out okay, if I should remove the files/programs I have downloaded or leave them on my desktop.

Thank you mas_pogi (Mark) for your help. I look forward to your response after you review my activities from today.


Oh yeah, my screen saver is not working properly; it does not come on, it just leaves my desktop up.

Edited by dahone4u, 03 March 2009 - 07:46 PM.


#7 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:18 AM

Posted 05 March 2009 - 07:07 AM

hi dahone4u.

We will check your computer first and run the instructions below. We will take care of other issues like the screensaver afterwards.
  • Your McAfee is still running. I guess you are now using AVG. Having two AVs could pose a problem.

    Which antivirus are you using right now, AVG or McAfee? Are you still paying for a McAfee license?
    Definitely, one of them should go. Let me know so that I can give you instructions.

  • Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

  • Okay, let's do some searches:

    please go to http://www.billsway.com/vbspage/ and scroll down (the downloaded programs are in alphabetical order) to:

    Registry Search Tool
    Download, unzip and run RegSrch.vbs
    Copy and paste this numerical string into the dialog box: ex7pp879.exe

    After a while a prompt will come up. Click OK to write the results to wordpad/notepad and post the log which is generated. (if there are any results)

  • Please download ATF Cleaner by Atribune & save it to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
    Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

  • Please do a scan with Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section select My Computer
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
  • Disable any script blocker then double click dds.scr at your desktop.
    • When done, DDS.txt will open.
    • Click Yes at the next prompt for Optional Scan.
    • Save both reports to your desktop.
    Please post the content of DDS.txt in your next reply.
    Please upload the file attach.txt using the attachment uploader.

In your reply, please post


DDS.txt and attach.txt
Kaspersky scan result
Result of regsearch
Answer to my question


Mark

#8 dahone4u

dahone4u
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:03:18 AM

Posted 06 March 2009 - 10:33 AM

Hello mas_pogi

Thank you again for your assistance.

Answer to #1: I would like to keep AVG as my AV software.

#2 - all Viewpoint programs removed.

#3 - there were no results; a pop-up screen came up after the scan that said "search completed in 63 seconds, no instances of ex7pp879.exe found" with an OK button and that was it.

#4 ATF cleaner completed

#5 results posted here
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, March 6, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, March 06, 2009 05:26:37
Records in database: 1873141


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\

Scan statistics
Files scanned 132611
Threat name 2
Infected objects 5
Suspicious objects 0
Duration of the scan 02:56:13

File name Threat name Threats count
C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.f 1

C:\Qoobox\Quarantine\C\WINDOWS\Temp\1908972630.exe.vir Infected: Trojan-Downloader.Win32.Agent.bivi 1

C:\Qoobox\Quarantine\C\WINDOWS\Temp\2760769625.exe.vir Infected: Trojan-Downloader.Win32.Agent.bivi 1

C:\Qoobox\Quarantine\C\WINDOWS\Temp\2963125960.exe.vir Infected: Trojan-Downloader.Win32.Agent.bivi 1

C:\Qoobox\Quarantine\C\WINDOWS\Temp\3879044169.exe.vir Infected: Trojan-Downloader.Win32.Agent.bivi 1

The selected area was scanned.


#6 results here.,


DDS (Ver_09-02-01.01) - NTFSx86
Run by Darce at 7:29:58.92 on 03/06/09
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.479 [GMT -8:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
svchost.exe "C:\WINDOWS\system32\3COM_DMId.exe"
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Micro Innovations\Wireless Laser Mouse\moffice.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Micro Innovations\Wireless Laser Mouse\MOUSE32A.DAT
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Day-Timer Organizer SHARP Edition\xserv2k.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Darce\Local Settings\temp\jkos-Darce\binaries\ScanningProcess.exe
C:\Documents and Settings\Darce\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnnfn.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SetDefPrt] c:\program files\brother\brmfl04b\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [AVG7_CC] c:\progra~1\grisoft\avgfre~1\avgcc.exe /STARTUP
mRun: [FLMOFFICE4DMOUSE] c:\program files\micro innovations\wireless laser mouse\moffice.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\expres~1.lnk - c:\program files\day-timer organizer sharp edition\xserv2k.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: SEAGULL J Walk Java Client 4_0C5-E474 - hxxp://elkocountynv.net/jwalk/jwalk/jwalk_ie.cab
DPF: Yahoo! Chat - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
DPF: {0C5CF442-582B-4357-B116-765DA99CAA8C} - hxxp://pucweb1.state.nv.us/wx/client/IrcViewer.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://www.taylorbeanonline.com/scriptx/smsx.cab
DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} - hxxps://quicken.ehosts.net/netagent/objects/custappx3.CAB
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {34C2EB81-F806-41B1-BCE2-E6CA37322DBF} - hxxps://net3.creditworkbench.com/cab/xPoint50.cab
DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} - hxxp://www2.xmlsweb.socalmls.com/XMLSearch/XMLCache.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.propertypanorama.com/tourmanager/ImageUploader5.cab
DPF: {66960E23-DE25-11CF-876F-444553540000} - hxxp://www.usrealnet.com/public/realnet/rrprview.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://las.mlxchange.com/5.0.03.26/Control/IRCSharc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?e=1236317279285&h=f64ee7c0de4801909a6c2344290042ef/&filename=jinstall-6u12-windows-i586-jc.cab
DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - hxxp://cs2b.instantservice.com/jars/customerxsigned34.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://www.loanwrighter.com/Tsweb/msrdp.cab
DPF: {B198A72B-B4C3-42B5-B8DA-B364E76429AA} - hxxp://las.mlxchange.com/4.2.10.33/Control/WebDog.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} - hxxps://www.clickloan.com/CAB/PtClickLoan/1,0,0,12/PtClickLoan.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://countrywide.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\symantec\winfax\WfxSeh32.Dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-11-11 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2006-11-11 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2006-11-11 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2006-11-11 10760]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2006-11-11 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2006-11-11 49664]
R2 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2003-1-5 94208]
R3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2003-1-5 225375]
R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2003-1-5 23296]
S2 SamSsNtmsSvc;Security Accounts Manager SamSsNtmsSvc;c:\windows\system32\3com_dmid.exe srv --> c:\windows\system32\3COM_DMId.exe srv [?]
S3 Bulk503;Chameleon Mega Digital Camera;c:\windows\system32\drivers\Bulk503.sys [2003-1-19 10599]
S3 ISO503;Chameleon Mega Video Camera;c:\windows\system32\drivers\ISO503.SYS [2003-1-19 526885]
S3 XIRLINK;eVision 123 digital camera;c:\windows\system32\drivers\ucdnt.sys [2003-1-9 880008]

=============== Created Last 30 ================

2009-03-05 21:30 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-05 21:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-03 10:38 <DIR> --d-h--- c:\windows\PIF
2009-02-24 16:14 <DIR> --d----- c:\windows\system32\NtmsData
2009-02-24 11:46 <DIR> a-dshr-- C:\cmdcons
2009-02-24 11:43 161,792 a------- c:\windows\SWREG.exe
2009-02-24 11:43 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 01:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 01:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 21:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 21:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-07-30 08:51 1,305,088 a------- c:\program files\NF_Movie_Player_211.msi
2008-07-03 21:53 7,271,832 a------- c:\program files\PokerStarsInstall.exe
2008-02-27 09:01 1,040,980 a------- c:\program files\WellsFargoCommercialTraining_Feb.pdf
2008-02-27 08:58 11,700,240 a------- c:\program files\ConfAddins_Setup.exe
2007-04-26 11:56 14,993,976 a------- c:\program files\Google_Earth_AZXV.exe
2005-03-01 17:58 43,480 a------- c:\docume~1\darce\applic~1\GDIPFONTCACHEV1.DAT
2003-04-24 19:44 338,800 a------- c:\program files\efxsetup.exe
2003-01-09 16:40 3,478,096 a------- c:\program files\efax reader.exe
2008-10-23 11:58 42,496 ---shr-- c:\windows\system32\3COM_DMId.exe
2008-10-11 09:09 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101120081012\index.dat

============= FINISH: 7:30:41.00 ===============

Thank you again.


#9 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:18 AM

Posted 06 March 2009 - 10:49 AM

hi.

ofex7pp879.exe

Do you still have an error with this, as you mentioned before?

Kaspersky found some of the malware that was already quarantined by Combofix. They don't pose any threat unless we restore them.

What is the current state of your computer?

Mark

Edited by mas_pogi, 06 March 2009 - 10:49 AM.


#10 dahone4u

dahone4u
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:03:18 AM

Posted 06 March 2009 - 05:31 PM

hello mas_pogi, my computer guru,

I do not get the error when booting up my computer. It does seem to be running a bit slow, but that could just be from having two AV programs, right? I think things are running pretty well right now.

Screen saver is still inactive. I have been turning the monitor off so it does not burn an image into my screen by staying on too long (if that even happens anymore with these new flat-screen monitors).

So, you think my computer is healed?

Darce

#11 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:18 AM

Posted 07 March 2009 - 06:30 AM

hi

I do not get the error when booting up my computer. It does seem to be running a bit slow, but that could just be from having two AV programs, right? I think things are running pretty well right now.

Yes. We will deal with it now. :thumbup2:

Screen saver is still inactive. I have been turning the monitor off so it does not burn an image into my screen by staying on too long (if that even happens anymore with these new flat-screen monitors).

I have instructions below. Try them.

  • Using more than one anti-virus program is not advisable. The primary concern with using more than one anti-virus program is due to conflicts that can arise when they are running in real-time mode simultaneously. Even when one of them is disabled for use as a stand-alone scanner, it can affect the other. Anti-virus software components insert themselves into the operating system's core and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

    Each anti-virus will often interpret the activity of the other as a virus and there is a greater chance of them alerting you to a "False Positive". If one finds a virus and then the other also finds the same virus, both programs will be competing over exclusive rights on dealing with that virus. Each anti-virus will attempt to remove the offending file and quarantine it. If one finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a virus has been found when that is not the case.

    Anti-virus scanners use virus definitions to check for viruses and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, most anti-virus programs encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. However, some anti-virus vendors do not encrypt their definitions and will trigger false alarms if used while another resident anti-virus program is active.

    To avoid these problems, use only one anti-virus solution.

    Please uninstall the following, using the Windows Add/Remove Programs applet in the Control Panel.

    McAfee.com SecurityCenter
    McAfee.com VirusScan Online


    After you have uninstalled them, please download this McAfee uninstaller to completely remove all remnants of the programs.
    Go to this link: http://service.mcafee.com/FAQDocument.aspx?id=TS100507
    And follow step #2 only.

    Restart your computer if it doesn't restart.

  • Backup Your Registry with ERUNT
    • Please use the following link and scroll down to ERUNT and download it.
      http://aumha.org/freeware/freeware.php
    • For version with the Installer:
      Use the setup program to install ERUNT on your computer
    • For the zipped version:
      Unzip all the files into a folder of your choice.
    Click Erunt.exe to back up your registry to the folder of your choice.

    Note: to restore your registry, go to the folder and start ERDNT.exe

  • Copy and paste the following text into Notepad:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}"=-

    [-HKEY_CLASSES_ROOT\CLSID\{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{4982D40A-C53B-4615-B15B-B5B5E98D167C}"=-

    [-HKEY_CLASSES_ROOT\CLSID\{4982D40A-C53B-4615-B15B-B5B5E98D167C}]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars]
    "{32683183-48a0-441b-a342-7c2a440a9478}"=-

    [-HKEY_CLASSES_ROOT\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}]


    Save this as "fixme.reg". Choose to save as "All Files" and place it on your Desktop.
    Double-click fixme.reg

  • Run ESET Online Scan

    Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.
    • Check (tick) this box: YES, I accept the Terms of Use.
    • Click on the Start button next to it.
    • When prompted to run ActiveX, click Yes.
    • You will be asked to install an ActiveX. Click Install.
    • Once installed, the scanner will be initialized.
    • After the scanner is initialized, click Start.
    • Uncheck (untick) Remove found threats box.
    • Check (tick) Scan unwanted applications.
    • Click on Scan.
    • It will start scanning. Please be patient.
    • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.
  • Disable any script blocker then double click dds.scr in your desktop
    • When done, DDS.txt will open.
    • Click Yes at the next prompt for Optional Scan.
    • Save both reports to your desktop.
    Please post the content of DDS.txt in your next reply.
    Please upload the file attach.txt as an attachment to your reply.


    Oh yeah, my screen saver is not working properly; it does not come on, it just leaves my desktop up.

    Have you tried configuring that here?
    Right-click on your desktop > Properties > Screen Saver tab
    Check if the screen saver is set to None.
    You can try to set it there. Let me know if it makes a difference.

In your reply, please post

ESET scan result
DDS.txt and attach.txt


Mark

#12 dahone4u

dahone4u
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:03:18 AM

Posted 07 March 2009 - 10:23 PM

Hello mas_pogi, that last one was a bit tricky.

Anyway, I made it; here are the results.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3917 (20090307)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=39f429f9dede2043aacbb4eb4823d810
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-03-08 03:14:52
# local_time=2009-03-07 07:14:52 (-0800, Pacific Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=355917
# found=5
# scan_time=5114
C:\Qoobox\Quarantine\C\WINDOWS\Temp\1908972630.exe.vir Win32/IRCBot.AMF trojan C7DCE923ECECFC0C8F5002D87C8051DD
C:\Qoobox\Quarantine\C\WINDOWS\Temp\2760769625.exe.vir Win32/IRCBot.AMF trojan C7DCE923ECECFC0C8F5002D87C8051DD
C:\Qoobox\Quarantine\C\WINDOWS\Temp\2963125960.exe.vir Win32/IRCBot.AMF trojan C7DCE923ECECFC0C8F5002D87C8051DD
C:\Qoobox\Quarantine\C\WINDOWS\Temp\3879044169.exe.vir Win32/IRCBot.AMF trojan C7DCE923ECECFC0C8F5002D87C8051DD
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\install[1].exe a variant of Win32/Kryptik.JU trojan 0396DF9C4F7CD6CFC96702D378E80578


dds.scr scan results here:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Darce at 19:20:17.90 on 03/07/09
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.482 [GMT -8:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Micro Innovations\Wireless Laser Mouse\moffice.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Micro Innovations\Wireless Laser Mouse\MOUSE32A.DAT
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Day-Timer Organizer SHARP Edition\xserv2k.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
svchost.exe "C:\WINDOWS\system32\3COM_DMId.exe"
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Darce\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnnfn.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SetDefPrt] c:\program files\brother\brmfl04b\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [AVG7_CC] c:\progra~1\grisoft\avgfre~1\avgcc.exe /STARTUP
mRun: [FLMOFFICE4DMOUSE] c:\program files\micro innovations\wireless laser mouse\moffice.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\expres~1.lnk - c:\program files\day-timer organizer sharp edition\xserv2k.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: SEAGULL J Walk Java Client 4_0C5-E474 - hxxp://elkocountynv.net/jwalk/jwalk/jwalk_ie.cab
DPF: Yahoo! Chat - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
DPF: {0C5CF442-582B-4357-B116-765DA99CAA8C} - hxxp://pucweb1.state.nv.us/wx/client/IrcViewer.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://www.taylorbeanonline.com/scriptx/smsx.cab
DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} - hxxps://quicken.ehosts.net/netagent/objects/custappx3.CAB
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {34C2EB81-F806-41B1-BCE2-E6CA37322DBF} - hxxps://net3.creditworkbench.com/cab/xPoint50.cab
DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} - hxxp://www2.xmlsweb.socalmls.com/XMLSearch/XMLCache.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.propertypanorama.com/tourmanager/ImageUploader5.cab
DPF: {66960E23-DE25-11CF-876F-444553540000} - hxxp://www.usrealnet.com/public/realnet/rrprview.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://las.mlxchange.com/5.0.03.26/Control/IRCSharc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?e=1236317279285&h=f64ee7c0de4801909a6c2344290042ef/&filename=jinstall-6u12-windows-i586-jc.cab
DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - hxxp://cs2b.instantservice.com/jars/customerxsigned34.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://www.loanwrighter.com/Tsweb/msrdp.cab
DPF: {B198A72B-B4C3-42B5-B8DA-B364E76429AA} - hxxp://las.mlxchange.com/4.2.10.33/Control/WebDog.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} - hxxps://www.clickloan.com/CAB/PtClickLoan/1,0,0,12/PtClickLoan.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://countrywide.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\symantec\winfax\WfxSeh32.Dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-11-11 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2006-11-11 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2006-11-11 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2006-11-11 10760]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2006-11-11 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2006-11-11 49664]
S2 SamSsNtmsSvc;Security Accounts Manager SamSsNtmsSvc;c:\windows\system32\3com_dmid.exe srv --> c:\windows\system32\3COM_DMId.exe srv [?]
S3 Bulk503;Chameleon Mega Digital Camera;c:\windows\system32\drivers\Bulk503.sys [2003-1-19 10599]
S3 ISO503;Chameleon Mega Video Camera;c:\windows\system32\drivers\ISO503.SYS [2003-1-19 526885]
S3 XIRLINK;eVision 123 digital camera;c:\windows\system32\drivers\ucdnt.sys [2003-1-9 880008]

=============== Created Last 30 ================

2009-03-07 17:41 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-03-05 21:30 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-05 21:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-03 10:38 <DIR> --d-h--- c:\windows\PIF
2009-02-24 16:14 <DIR> --d----- c:\windows\system32\NtmsData
2009-02-24 11:46 <DIR> a-dshr-- C:\cmdcons
2009-02-24 11:43 161,792 a------- c:\windows\SWREG.exe
2009-02-24 11:43 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 01:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 01:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 21:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 21:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-07-30 08:51 1,305,088 a------- c:\program files\NF_Movie_Player_211.msi
2008-07-03 21:53 7,271,832 a------- c:\program files\PokerStarsInstall.exe
2008-02-27 09:01 1,040,980 a------- c:\program files\WellsFargoCommercialTraining_Feb.pdf
2008-02-27 08:58 11,700,240 a------- c:\program files\ConfAddins_Setup.exe
2007-04-26 11:56 14,993,976 a------- c:\program files\Google_Earth_AZXV.exe
2005-03-01 17:58 43,480 a------- c:\docume~1\darce\applic~1\GDIPFONTCACHEV1.DAT
2003-04-24 19:44 338,800 a------- c:\program files\efxsetup.exe
2003-01-09 16:40 3,478,096 a------- c:\program files\efax reader.exe
2008-10-23 11:58 42,496 ---shr-- c:\windows\system32\3COM_DMId.exe
2008-10-11 09:09 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101120081012\index.dat

============= FINISH: 19:20:52.87 ===============


thanks again, :thumbup2:

Attached Files


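The fix in post #11 was written by hand from the DDS "Pseudo HJT Report": each toolbar (TB:) or explorer bar (EB:) entry that resolves to "No File" is an orphaned IE registration, and the .reg script deletes its value under the Internet Explorer key and the matching CLSID key under HKEY_CLASSES_ROOT. The following Python script is an added example, not part of this thread or of the DDS or OTMoveIt tools: it parses report lines in that format, selects the orphaned TB/EB entries, and emits the same REGEDIT4 text. The sample report lines are constructed to mirror the entries shown in the log above, and the Toolbar and Explorer Bars key paths are taken from the fixme.reg in post #11.

```python
import re
from typing import Dict, List

# Constructed sample: lines in the DDS "Pseudo HJT Report" format, mirroring
# the thread's entries (two toolbars and one explorer bar with no backing
# file, plus legitimate entries that must be left alone).
SAMPLE_REPORT = """\
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\\program files\\java\\jre6\\lib\\deploy\\jqs\\ie\\jqs_plugin.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\\windows\\system32\\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
"""

# Registry keys where IE registers toolbars (TB) and explorer bars (EB) as
# values named by CLSID; paths as used in the thread's fixme.reg.
IE_KEY_FOR_TYPE = {
    "TB": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar",
    "EB": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars",
}

# One DDS line: "<TYPE>: [<name>: ]{CLSID} - <path or 'No File'>"
LINE_RE = re.compile(
    r"^(?P<type>TB|EB|BHO):\s*(?:(?P<name>[^{]*?):\s*)?"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<target>.+?)\s*$"
)


def parse_hjt_lines(report: str) -> List[Dict[str, str]]:
    """Return one dict (type, name, clsid, target) per recognised TB/EB/BHO line."""
    entries = []
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["name"] = (d["name"] or "").strip()
            entries.append(d)
    return entries


def orphaned_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entries whose CLSID no longer resolves to a file on disk ("No File")."""
    return [e for e in entries if e["target"].strip().lower() == "no file"]


def build_reg_fix(entries: List[Dict[str, str]]) -> str:
    """Emit a REGEDIT4 script that deletes the IE registration value and the
    CLSID key for every orphaned TB/EB entry, in the form of the thread's fixme.reg.
    Orphaned BHOs are skipped here: they are registered under a different key."""
    out = ["REGEDIT4", ""]
    for e in orphaned_entries(entries):
        key = IE_KEY_FOR_TYPE.get(e["type"])
        if key is None:
            continue
        out += [f"[{key}]", f'"{e["clsid"]}"=-', "",
                f"[-HKEY_CLASSES_ROOT\\CLSID\\{e['clsid']}]", ""]
    return "\n".join(out)


if __name__ == "__main__":
    print(build_reg_fix(parse_hjt_lines(SAMPLE_REPORT)))
```

The generated text is only a candidate: as in the thread, each "No File" CLSID should still be checked against the report before the .reg file is merged, since a legitimately installed component that happens to be on removable or unmounted media would show up the same way.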

#13 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:18 AM

Posted 08 March 2009 - 07:05 AM

hi.

Hello mas_pogi, that last one was a bit tricky.

:thumbup2:

We still have work to do.

  • Please download the OTMoveIt3 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      :Processes
      explorer.exe
      
      :Reg
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
      "{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}"=-
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
      "{4982D40A-C53B-4615-B15B-B5B5E98D167C}"=-
      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
      "{32683183-48a0-441b-a342-7c2a440a9478}"=-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
      "{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}"=-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
      "{4982D40A-C53B-4615-B15B-B5B5E98D167C}"=-
      [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars]
      "{32683183-48a0-441b-a342-7c2a440a9478}"=-
      [-HKEY_CLASSES_ROOT\CLSID\{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}]
      [-HKEY_CLASSES_ROOT\CLSID\{4982D40A-C53B-4615-B15B-B5B5E98D167C}]
      [-HKEY_CLASSES_ROOT\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}]
      
      :Files
      C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\install[1].exe
      
      :Commands
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt3
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

  • Disable any script blocker then double click dds.scr to run the tool.
    • When done, DDS.txt will open.
    • Click Yes at the next prompt for Optional Scan.
    • Save both reports to your desktop.
    Please post the content of DDS.txt in your next reply.
    Please upload the file attach.txt as an attachment to your reply.

In your reply, please post the result of

DDS.txt and attach.txt
OTMoveIt log

Mark

#14 dahone4u

dahone4u
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:03:18 AM

Posted 08 March 2009 - 10:47 PM

Hello mas_pogi,

I screwed something up. I did not copy the content under the green bar and the system rebooted, but when it rebooted it did not complete the reboot. My computer is still running, but there is nothing on the screen. :thumbup2: :)

What do I do now? Sorry, I hope I did not kill my computer.

#15 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:18 AM

Posted 09 March 2009 - 07:38 AM

hi.

After you reach the blank screen:

Press CTRL + ALT + DELETE simultaneously, then start the Task Manager. A new window will open.
Go to File > New Task (Run...), then key in EXPLORER.EXE. Your desktop will be back again.

After the desktop has returned, please look for the log file under this folder:
C:\_OTMoveIt\MovedFiles

Post back the result. Don't forget the fresh DDS.txt and attach.txt.

Mark

Edited by mas_pogi, 09 March 2009 - 09:28 AM.
