Combofix Alert Message


This topic is locked
8 replies to this topic

#1 WeRtheBorg

WeRtheBorg

  • Members
  • 8 posts
  • Gender:Male
  • Location:California

Posted 21 April 2009 - 05:21 PM

Hello, I have been trying to use combofix to clean a computer that I am working on. I have never had a problem with this program till today. When I try to run the program, I get an alert saying,

"!! ALERT !! It is NOT SAFE to continue!
The contents of the ComboFix package has been compromised.
Please download a fresh copy from:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: You may be infected with a file patching virus (Virut)"

I am not sure what to make of this. I have downloaded fresh copies of the program as it suggested but keep getting the same error. I have removed all antivirus and antispyware programs, cleared temp files, turned off Windows Restore, deleted cookies and temp internet files, ran through and uninstalled any programs that were not needed or spyware applications, and I am running in safe mode. Any suggestions?

Thanks,
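The alert quoted in the post above comes from the tool's own integrity check: a file-patching infector rewrites executables on disk, so a package that records digests of its components when it is built can tell that it has been altered before it does anything else. The Python below is an added illustration of that pattern written for this page; it is not ComboFix's code, and the package layout, file names and the bytes appended to mimic an infection are all constructed for the example.

```python
import hashlib
import os
import tempfile

# Hypothetical package contents, constructed for this example (not ComboFix's real files).
# Two files carry a minimal MZ/PE-looking header, one is a plain text resource.
PACKAGE_FILES = {
    "tool.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x01" * 200,
    "helper.dll": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x02" * 120,
    "rules.txt": b"rule1\nrule2\n",
}


def sha256_of_file(path):
    """Stream the file through SHA-256 so large components do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record the digest of every file under root: the known-good state at build time."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of_file(full)
    return manifest


def verify_package(root, manifest):
    """Return the relative paths whose digest differs from the manifest, or that are missing.
    An empty list means the package is intact; anything else should stop the tool from running."""
    bad = []
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full) or sha256_of_file(full) != expected:
            bad.append(rel)
    return sorted(bad)


def write_package(root, files):
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)


def demo():
    """Build a clean package, verify it, then mimic a file infector touching one executable."""
    with tempfile.TemporaryDirectory() as root:
        write_package(root, PACKAGE_FILES)
        manifest = build_manifest(root)
        clean = verify_package(root, manifest)
        # A file-patching virus appends its body to the executable and alters the header;
        # here we only append bytes, which is already enough to change the digest.
        with open(os.path.join(root, "tool.exe"), "r+b") as f:
            f.seek(0, os.SEEK_END)
            f.write(b"\xcc" * 32)
        patched = verify_package(root, manifest)
        return clean, patched


if __name__ == "__main__":
    before, after = demo()
    print("before patch:", before or "intact")
    print("after patch: ", after or "intact")
```

The manifest itself has to be protected, for instance embedded in a signed loader or compared against a value the infector cannot rewrite, otherwise a patching virus could update the manifest along with the files. The check also only says that something changed, which is why the alert tells the user to fetch a fresh copy rather than attempt a repair in place.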



#2 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 34,835 posts
  • Gender:Male
  • Location:Where You Least Expect Me To Be

Posted 21 April 2009 - 05:32 PM

Was this on a Vista machine, by any chance?

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)



#3 WeRtheBorg

WeRtheBorg
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male
  • Location:California

Posted 21 April 2009 - 05:45 PM

Sorry, this is on a Laptop:

Make: Toshiba Satellite A105
OS: Windows XP Media Center w/SP3
CPU: Intel 1.6Ghz
Memory: 1Gig of RAM

I am running on a small LAN setup of 5-7 PCs and have downloaded the program for at least 2 other PCs just to make sure I was not getting a bad copy because of the machine.

Edited by Nightowltech, 21 April 2009 - 05:47 PM.


#4 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 34,835 posts
  • Gender:Male
  • Location:Where You Least Expect Me To Be

Posted 21 April 2009 - 05:48 PM

I'll pass the message along to the creator of combofix. Please be patient and you should get a reply to this thread soon.


#5 WeRtheBorg

WeRtheBorg
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male
  • Location:California

Posted 23 April 2009 - 02:44 PM

Update... I still have not found a solution to why I am getting the error but I will add that I have tried the same download from my computer of ComboFix and ran it on another PC to see if I get the same error and I do not. Only seems to be on the laptop in question.

I have tried to run Rootkitrevealer, and AVG just to see what they come up with... Nothing found with Rootkitrevealer and AVG says that there is another Antivirus installed and it is recommended not to have more than one (I knew that). I ran the removal tools for McAfee as it was what was installed before and it found some things that did not get removed when I uninstalled it. I did not notice anything left from any other anti-virus software in registry or under Program Files but AVG still says that there is an anti-virus program installed. I am going to assume that it may be related to my problem. As far as I could tell, McAfee, Adaware, and Spybot S&D were the installed programs before I removed them to clean the laptop.

I am probably just going to wipe the drive (after I back up their data) and reinstall fresh as I need to return the laptop soon. I was hoping to figure this prob out without wiping the OS but the owner needs her laptop back for work.
"We are the Borg. Lower your shields and prepare to be assimilated. Your biological and technological distinctiveness will be added to our own. Resistance is futile."

#6 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 34,835 posts
  • Gender:Male
  • Location:Where You Least Expect Me To Be

Posted 23 April 2009 - 07:50 PM

This is the reply I got from someone on the authors team. 'Today' that is mentioned is the date that you posted. Please excuse the delay in getting this reply back to you.

I haven't heard of any recent issues with CF today, as such, that message means exactly what it is telling him--the machine may be infected with Virut. If so, a reformat would be the best course of action. He should not back up any .exe, .scr, .htm, or .html files. Any backups he makes of .doc, .jpg, etc., should be burned to a CD or DVD - not a flash drive or another hdd as those may become compromised in the process as well.

He'd need to post a dds.txt, or rsit log so we can take a look.


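The reply above tells the poster which file types not to carry off a machine suspected of a Virut infection. As an added example for this page (not from the thread and not part of ComboFix), the Python below applies that extension rule to a directory tree and, going one step beyond the reply, also skips any file whose first two bytes are the `MZ` executable header no matter what its extension says, since a renamed executable would otherwise slip through. The directory contents it scans are constructed inside the script.

```python
import os
import tempfile

# File types the reply says not to back up: PE executables and screen savers (also PE),
# plus HTML files an infector may have written into.
EXCLUDED_EXTENSIONS = {".exe", ".scr", ".htm", ".html"}


def skip_reason(path, relpath):
    """Return why a file must not be backed up, or None if it passes both checks."""
    ext = os.path.splitext(relpath)[1].lower()
    if ext in EXCLUDED_EXTENSIONS:
        return "excluded extension " + ext
    # Extension check alone is weak: a PE image renamed to .txt is still a PE image.
    with open(path, "rb") as f:
        if f.read(2) == b"MZ":
            return "PE header despite extension " + (ext or "(none)")
    return None


def select_for_backup(root):
    """Walk root and split files into (kept, skipped); skipped maps path -> reason."""
    kept, skipped = [], {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reason = skip_reason(full, rel)
            if reason is None:
                kept.append(rel)
            else:
                skipped[rel] = reason
    return sorted(kept), skipped


def demo():
    """Build a small constructed user profile and run the selection over it."""
    sample = {
        "Documents/report.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 16,   # OLE2 header
        "Pictures/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # JPEG header
        "Downloads/setup.exe": b"MZ\x90\x00" + b"\x00" * 16,          # real executable
        "Downloads/page.html": b"<html></html>",
        "Documents/notes.txt": b"MZ\x90\x00" + b"\x00" * 16,          # executable renamed to .txt
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return select_for_backup(root)


if __name__ == "__main__":
    kept, skipped = demo()
    print("back up:", kept)
    for rel, why in sorted(skipped.items()):
        print("skip   :", rel, "-", why)
```

The kept list is what would be written to the DVD; the reasons in the skipped map give the owner a record of what was deliberately left behind and why, which matters when a document later turns out to be missing.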

#7 WeRtheBorg

WeRtheBorg
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male
  • Location:California

Posted 27 April 2009 - 01:27 PM

Thanks for the info. I have backed up only the mentioned safe files to a DVD. I figured that was going to be the best course of action.

Thanks,

#8 blackxmod

blackxmod

  • Members
  • 4 posts

Posted 30 April 2009 - 08:56 AM

Well I got the same message as the person above. I then decided to download a tool from Symantec (http://www.symantec.com/norton/security_response/writeup.jsp?docid=2009-022016-4444-99), and I ran it. After it scanned it came back with 2 infections that were terminated and then I could run Combofix. However Combofix could not remove some files that were still located on the machine and that would be terminated on the reboot of the machine. However that obviously did not occur and whenever I boot up to normal mode I get a few error messages that could be caused because of these infected files.



ComboFix log:
ComboFix 09-04-25.A3 - Monica 04/28/2009 23:33.6 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1635 [GMT -4:00]
Running from: d:\my tools\adware\ComboFix.exe
AV: *On-access scanning disabled* (Updated)
AV: AVG *On-access scanning enabled* (Outdated)
AV: Windows Live OneCare *On-access scanning disabled* (Updated)
FW: *disabled*
FW: Windows Live OneCare Firewall *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ejcocesv.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-29 01:46 . 2009-04-29 01:46 4128 ----a-w C:\INFCACHE.1
2009-04-29 00:49 . 2009-04-29 00:49 0 ----a-w C:\8F.tmp
2009-04-29 00:49 . 2009-04-29 00:49 0 ----a-w C:\8E.tmp
2009-04-29 00:45 . 2009-04-29 00:45 0 ----a-w C:\82.tmp
2009-04-29 00:43 . 2009-04-29 05:34 246272 ----a-w c:\windows\system32\tpsaxyd.exe
2009-04-28 17:56 . 2009-04-28 17:56 0 ----a-w C:\7.tmp
2009-04-28 17:56 . 2009-04-28 17:56 0 ----a-w C:\6.tmp
2009-04-28 17:56 . 2009-04-28 17:56 0 ----a-w C:\5.tmp
2009-04-28 17:56 . 2009-04-28 17:56 0 ----a-w C:\4.tmp
2009-04-28 17:56 . 2009-04-28 17:56 54784 ----a-w C:\3.tmp
2009-04-28 17:51 . 2009-04-28 17:51 136224 ----a-w c:\windows\system32\drivers\ethaolsu.sys
2009-04-27 04:11 . 2009-04-27 04:11 61440 ----a-w c:\windows\system32\13.tmp
2009-04-27 04:11 . 2009-04-27 04:11 152064 ----a-w c:\windows\system32\11.tmp
2009-04-27 04:11 . 2009-04-27 04:11 124 ----a-w c:\windows\system32\F.tmp
2009-04-27 04:06 . 2009-04-27 04:06 -------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-04-26 20:26 . 2009-04-26 20:26 61440 ----a-w c:\windows\system32\10.tmp
2009-04-26 20:25 . 2009-04-26 20:25 0 ----a-w c:\windows\system32\E.tmp
2009-04-26 20:25 . 2009-04-26 20:25 124 ----a-w c:\windows\system32\B.tmp
2009-04-26 20:01 . 2009-04-26 20:01 136192 ----a-w c:\windows\system32\drivers\btaudio.sys
2009-04-26 20:00 . 2009-04-26 20:00 61440 ----a-w c:\windows\system32\C.tmp
2009-04-26 19:59 . 2009-04-26 20:00 152064 ----a-w c:\windows\system32\A.tmp
2009-04-26 19:59 . 2009-04-26 19:59 124 ----a-w c:\windows\system32\8.tmp
2009-04-26 19:45 . 2009-04-26 19:45 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-04-26 19:44 . 2009-04-26 19:44 -------- d-----w c:\documents and settings\Monica\Local Settings\Application Data\gplawplx
2009-04-26 19:44 . 2009-04-26 19:44 -------- d-----w c:\documents and settings\Monica\Application Data\gplawplx
2009-04-26 19:40 . 2009-04-26 19:40 153088 ----a-w c:\windows\system32\3.tmp
2009-04-26 19:40 . 2009-04-26 19:40 124 ----a-w c:\windows\system32\2.tmp
2009-04-26 16:24 . 2009-04-26 16:24 0 ----a-w c:\windows\system32\7.tmp
2009-04-26 16:24 . 2009-04-26 16:24 0 ----a-w c:\windows\system32\6.tmp
2009-04-26 16:23 . 2009-04-26 16:23 0 ----a-w c:\windows\system32\5.tmp
2009-04-26 16:23 . 2009-04-26 16:23 124 ----a-w c:\windows\system32\4.tmp
2009-04-23 00:06 . 2009-04-23 00:06 44 ----a-w c:\windows\system32\31.tmp
2009-04-22 22:53 . 2009-04-22 22:53 -------- d-----w C:\aacd9ae83d96e3cd3bdfe2
2009-04-22 22:05 . 2009-04-22 22:05 44 ----a-w c:\windows\system32\D.tmp
2009-04-22 22:00 . 2009-04-22 22:00 15000 ----a-w c:\windows\system32\hsfiun3487dll
2009-04-22 21:44 . 2009-04-22 21:57 -------- d-----w c:\windows\system32\3361
2009-04-22 21:44 . 2009-04-22 21:44 108336 ----a-w c:\windows\system32\MSWINSCK.OCX
2009-04-22 21:44 . 2009-04-28 02:43 -------- d-----w c:\windows\dhcp
2009-04-22 21:43 . 2009-04-22 21:43 0 ----a-w c:\windows\system32\34.tmp
2009-04-22 21:43 . 2009-04-22 21:43 44 ----a-w c:\windows\system32\32.tmp
2009-04-22 21:43 . 2009-04-22 21:43 -------- d-----w c:\documents and settings\Monica\Local Settings\Application Data\{915CA882-8CAF-484B-95DE-AFD4FD027C9B}
2009-04-22 21:43 . 2009-04-29 00:35 103036 ----a-w c:\windows\system32\drivers\87bfbdbb.sys
2009-04-22 21:43 . 2009-04-26 19:40 213120 ----a-w c:\windows\system32\dllcache\ndis.sys
2009-04-22 21:42 . 2009-04-22 21:42 578560 ----a-w c:\windows\system32\dllcache\user32.dll
2009-04-22 21:42 . 2009-04-28 17:51 -------- d-sh--w c:\documents and settings\Monica\98FF0AA4AD168120
2009-04-22 01:48 . 2009-04-22 01:48 -------- d--h--w C:\$AVG8.VAULT$
2009-04-22 01:46 . 2009-04-22 21:36 -------- d-----w c:\documents and settings\Monica\Application Data\pidle
2009-04-16 00:30 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 00:30 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 00:30 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 00:30 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 00:30 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 00:30 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 00:30 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 00:30 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 00:30 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 00:30 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 00:30 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 00:30 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-03 19:08 . 2009-04-03 19:08 -------- d-----w c:\program files\iPod
2009-04-03 19:08 . 2009-04-03 19:09 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-04-03 19:05 . 2009-04-03 19:05 -------- d-----w c:\program files\Common Files\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 01:22 . 2009-01-10 03:37 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-29 00:33 . 2006-11-06 22:11 -------- d-----w c:\program files\AIM
2009-04-29 00:22 . 2008-10-26 08:33 -------- d-----w c:\documents and settings\Monica\Application Data\skypePM
2009-04-28 17:57 . 2009-04-28 17:57 0 ----a-w C:\F.tmp
2009-04-28 17:57 . 2009-04-28 17:57 0 ----a-w C:\E.tmp
2009-04-28 17:57 . 2009-04-28 17:57 0 ----a-w C:\10.tmp
2009-04-28 17:57 . 2009-04-28 17:57 0 ----a-w C:\D.tmp
2009-04-28 17:57 . 2009-04-28 17:57 0 ----a-w C:\C.tmp
2009-04-28 17:57 . 2009-04-28 17:57 0 ----a-w C:\B.tmp
2009-04-28 17:57 . 2009-04-28 17:57 0 ----a-w C:\A.tmp
2009-04-28 17:57 . 2009-04-28 17:56 38 ----a-w C:\8.tmp
2009-04-28 17:56 . 2009-04-28 17:56 0 ----a-w C:\9.tmp
2009-04-28 02:45 . 2004-08-10 18:51 143872 ----a-w c:\windows\system32\ejcocesv.dll
2009-04-28 02:44 . 2004-08-10 18:51 104960 ----a-w c:\windows\system32\vxzdfxx.dll
2009-04-28 01:02 . 2009-01-10 03:37 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-26 21:14 . 2009-01-19 04:27 -------- d-----w c:\documents and settings\Monica\Application Data\Skype
2009-04-26 20:32 . 2004-08-10 18:51 393216 ----a-w c:\windows\system32\ssflwbox.scr
2009-04-26 20:32 . 2004-08-10 18:51 610304 ----a-w c:\windows\system32\sspipes.scr
2009-04-26 20:32 . 2004-08-10 18:51 679936 ----a-w c:\windows\system32\sstext3d.scr
2009-04-26 20:32 . 2004-08-10 18:51 704512 ----a-w c:\windows\system32\ss3dfo.scr
2009-04-26 19:40 . 2004-08-10 18:51 213120 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-26 16:46 . 2009-04-26 16:43 294517 ----a-w C:\rapport.txt
2009-04-25 21:05 . 2004-08-10 18:57 15360 -c--a-w c:\windows\TASKMAN.EXE
2009-04-25 21:03 . 2004-08-10 18:50 7680 -c--a-w c:\windows\system32\ckcnv.exe
2009-04-25 21:02 . 2004-08-10 18:51 89600 ----a-w c:\windows\system32\smlogsvc.exe
2009-04-25 21:02 . 2004-08-10 18:51 8192 ----a-w c:\windows\system32\smbinst.exe
2009-04-25 21:02 . 2004-08-10 18:51 15872 ----a-w c:\windows\system32\perfmon.exe
2009-04-25 21:02 . 2004-08-10 18:51 6144 -c--a-w c:\windows\system32\lpq.exe
2009-04-25 21:02 . 2004-08-10 18:51 514560 ----a-w c:\windows\system32\logonui.exe
2009-04-25 21:02 . 2004-08-10 19:01 15360 -c--a-w c:\windows\system32\logoff.exe
2009-04-25 21:02 . 2004-08-10 18:51 14848 -c--a-w c:\windows\system32\fc.exe
2009-04-25 21:02 . 2004-08-10 18:51 24064 ----a-w c:\windows\system32\extrac32.exe
2009-04-25 21:01 . 2004-08-10 18:50 135168 ----a-w c:\windows\system32\cscript.exe
2009-04-25 20:59 . 2008-10-31 21:53 32768 ------w c:\windows\slrundll.exe
2009-04-25 20:59 . 2006-11-01 20:17 67736 -c--a-w c:\windows\setpwrcg.exe
2009-04-25 20:56 . 2006-11-01 20:49 98304 -c--a-w c:\windows\dla.exe
2009-04-25 20:56 . 2006-11-01 20:42 282624 ----a-w c:\windows\stsystra.exe
2009-04-25 20:29 . 2004-08-10 19:12 1077248 -c--a-w c:\windows\Help\SBSI\Training\orun32.exe
2009-04-25 20:29 . 2004-08-10 18:51 283648 ----a-w c:\windows\winhlp32.exe
2009-04-22 23:20 . 2009-01-10 03:41 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-22 21:42 . 2004-08-10 18:51 578560 ----a-w c:\windows\system32\user32.DLL
2009-04-22 21:42 . 2004-08-10 18:51 162304 ----a-w c:\windows\evekuvomuyixu.dll
2009-04-18 22:52 . 2009-01-21 18:42 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-04-10 04:05 . 2009-04-10 04:05 81 ----a-w C:\DVDPATH.TXT
2009-04-03 19:09 . 2007-03-18 07:17 -------- d-----w c:\program files\iTunes
2009-04-03 19:07 . 2008-08-16 02:43 -------- d-----w c:\program files\Bonjour
2009-04-03 19:07 . 2007-03-11 05:39 -------- d-----w c:\program files\QuickTime
2009-03-23 07:32 . 2007-02-10 02:14 -------- d-----w c:\documents and settings\Monica\Application Data\U3
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-06 14:22 . 2004-08-10 18:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2008-04-21 06:44 826368 ------w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2004-08-10 18:51 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 04:54 . 2007-08-13 23:43 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2009-01-10 03:50 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2007-08-13 23:39 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2004-08-10 18:51 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-09 12:10 . 2004-08-10 18:51 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 18:51 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-10 18:51 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 18:50 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2008-10-14 19:20 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-10 18:51 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2008-10-14 19:19 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-10 18:51 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-14 19:19 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-14 19:19 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 11:06 . 2004-08-10 18:51 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-10 18:51 35328 ----a-w c:\windows\system32\dllcache\sc.exe
2009-02-06 10:32 . 2008-10-14 19:19 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 10:32 . 2004-08-04 04:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-10 18:51 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-10 03:09 . 2006-11-06 20:13 67952 ----a-w c:\documents and settings\Monica\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-02-20 02:16 . 2006-11-07 00:59 4746 ----a-w c:\documents and settings\Monica\Application Data\wklnhst.dat
2006-11-01 21:04 . 2006-11-06 18:10 128 ----a-w c:\documents and settings\Monica\Local Settings\Application Data\fusioncache.dat
2006-05-20 10:42 . 2007-08-10 06:30 73728 ----a-w c:\program files\Common Files\IsLicense.dll
2006-11-06 23:36 . 2006-11-06 23:35 88 --sh--r c:\windows\system32\8748D09DE0.sys
2006-11-06 23:36 . 2006-11-06 23:35 2828 -csha-w c:\windows\system32\KGyGaAvL.sys
.
c:\windows\system32\user32.dll ... is infected !!
[-] 2009-04-22 21:42 578,560 c:\windows\system32\dllcache\user32.dll
[-] 2009-04-22 21:42 578,560 c:\windows\system32\user32.DLL
[7] 2008-04-14 00:12 578,560 c:\windows\ServicePackFiles\i386\user32.dll
[7] 2008-04-14 00:12 578,560 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
[-] 2007-03-08 15:48 578,048 c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 577,536 c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2005-03-02 18:19 577,024 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-02 18:09 577,024 c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2004-08-04 11:00 577,024 c:\windows\$NtUninstallKB890859$\user32.dll


------- Sigcheck -------

[-] 2004-08-04 11:00 34816 8707549A697F0F499B8023BE70CE3922 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 00:12 34816 379E11BD405D3F62A371042A32076269 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12 34816 16945BEC4E8C01C1052E7E412633DC0B c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
[-] 2008-04-14 00:12 34816 EA829B9EA966488F4162035B45A99D2B c:\windows\system32\svchost.exe
[-] 2009-04-25 21:03 65536 617FE02B061764B79DA487CC4DAD516C c:\windows\system32\3361\SVCHOST.EXE

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[7] 2004-08-04 11:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
[-] 2009-04-22 21:42 578560 D20719A444D8B4C084FCEF0FA9DF4F3F c:\windows\system32\user32.DLL
[-] 2009-04-22 21:42 578560 D20719A444D8B4C084FCEF0FA9DF4F3F c:\windows\system32\dllcache\user32.dll

[7] 2004-08-04 11:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2009-04-22 22:01 182656 1DF7F42665C94B825322FAE71721130D c:\windows\Driver Cache\i386\ndis.sys
[7] 2009-04-22 22:01 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2009-04-22 22:01 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\ServicePackCache\i386\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
[-] 2009-04-26 19:40 213120 F822B76094D2F27EE01A4399A64EF934 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-26 19:40 213120 F822B76094D2F27EE01A4399A64EF934 c:\windows\system32\drivers\ndis.sys

[-] 2008-04-14 00:12 1054208 DAFFEF6C21BE52E56787C669E9508C7A c:\windows\explorer.exe
[-] 2007-06-13 11:26 1053696 3A25B40A24EB06BCAEABD28AA7875C47 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1053696 310CFEE27737C9F7A24AFB7B40FD310D c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-04 11:00 1052672 F4F89D59EA7D7216AAC1F24CCC128222 c:\windows\$NtUninstallKB938828$\explorer.exe
[-] 2008-04-14 00:12 1054208 65A1928FE77DFB383CE51F9CF0EA9CC0 c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 00:12 1054208 1B2F4748A224981173B8BDBFC9E4F93D c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe

[-] 2004-08-04 11:00 35840 52D595171E4A0806770AAF42F1A4C160 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2008-04-14 00:12 35840 061FC81EFBBBAEF9ABFEC9AFE383C6F5 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 00:12 35840 572192FF7A4EED2F473ACADD49678164 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
[-] 2008-04-14 00:12 35840 C37CFA3FFBD2F7F81F84124B2F9E5DFA c:\windows\system32\ctfmon.exe

[-] 2005-06-11 00:17 78336 E57BF4362BD95BE3B02CF4F00226272E c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 78336 28220E855EFE83F396D4AEBC23852BD0 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2008-04-14 00:12 78336 3D3FD2A70A27789AE74FF46FE99A01B5 c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 00:12 78336 033939EC2911AD4532477EEDAC5C4D77 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
[-] 2008-04-14 00:12 78336 C5373016ADFDFA1EA7D5D56850656816 c:\windows\system32\spoolsv.exe

[-] 2004-08-04 11:00 45056 90A52F206D1319909FF2FF4307B3951C c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-14 00:12 46592 FDD46882890DA2FFBBB4285D281E6170 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 00:12 46592 A64516C6D35CE508A11B8BF7AA911354 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[-] 2008-04-14 00:12 46592 B18C6E44F982D0BBC4C7E82DF8C56B1C c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-04-28_02.53.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-10 18:51 . 2009-04-29 00:46 72796 c:\windows\system32\perfc009.dat
- 2004-08-10 18:51 . 2009-04-27 04:05 72796 c:\windows\system32\perfc009.dat
+ 2004-08-04 11:00 . 2004-08-04 11:00 52736 c:\windows\system32\msncache.dll
+ 2006-11-06 18:06 . 2009-04-29 03:40 65536 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-06 18:06 . 2009-04-28 02:50 65536 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-06 18:06 . 2009-04-28 02:50 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-11-06 18:06 . 2009-04-29 03:40 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-11-06 18:06 . 2009-04-28 02:50 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-11-06 18:06 . 2009-04-29 03:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-10 01:56 . 2004-08-04 11:00 45056 c:\windows\$NtServicePackUninstall$\userinit.exe
+ 2009-01-10 01:56 . 2004-08-04 11:00 34816 c:\windows\$NtServicePackUninstall$\svchost.exe
+ 2009-01-10 01:56 . 2005-06-10 23:53 78336 c:\windows\$NtServicePackUninstall$\spoolsv.exe
+ 2009-01-10 01:57 . 2004-08-04 11:00 35840 c:\windows\$NtServicePackUninstall$\ctfmon.exe
- 2004-08-10 18:51 . 2009-04-27 04:05 428404 c:\windows\system32\perfh009.dat
+ 2004-08-10 18:51 . 2009-04-29 00:46 428404 c:\windows\system32\perfh009.dat
+ 2007-08-17 07:06 . 2004-08-04 11:00 1052672 c:\windows\$NtUninstallKB938828$\explorer.exe
+ 2009-01-10 01:57 . 2007-06-13 10:23 1053696 c:\windows\$NtServicePackUninstall$\explorer.exe
+ 2007-06-13 11:26 . 2007-06-13 11:26 1053696 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E87662F7-494E-46F4-8395-0F95EE2601B5}]
2004-08-04 11:00 104960 ----a-w c:\windows\system32\vfknfqs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 35840]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB4343"="command" [X]
"SpybotDeletingD7261"="del" [X]
"SpybotDeletingB320"="command" [X]
"SpybotDeletingD4277"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2009-04-25 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2009-04-25 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2009-04-25 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-04-25 1392640]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-04-25 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 204800]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-13 1137664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\ThunMail\testabd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli proprf32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\QuickCam10\\QuickCam10.exe"=

R1 87bfbdbb;87bfbdbb;c:\windows\System32\drivers\87bfbdbb.sys [2009-04-29 103036]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-01-29 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-01-29 107272]
R1 ethaolsu;ethaolsu;c:\windows\system32\drivers\ethaolsu.sys [2009-04-28 136224]
R1 navigator;navigator; [x]
R2 98FF0AA4AD168120;98FF0AA4AD168120; [x]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-29 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-29 298264]
R2 msncache;msncache;c:\windows\system32\svchost.exe [2008-04-14 34816]
R2 ochealthmon;Windows Live OneCare Health Monitor; [x]
S0 rbtcsrvj;rbtcsrvj;c:\windows\system32\drivers\rbtcsrvj.sys [2004-08-04 23424]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
msncache

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e144b36-b8ac-11db-baed-0015c5a54fc7}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3edb69a-17d5-11dd-bcfc-0015c5a54fc7}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3efbd6c-8680-11dd-bd87-0015c5a54fc7}]
\Shell\AutoRun\command - E:\Autorun.exe /run
\Shell\Shell00\Command - E:\Autorun.exe /run
\Shell\Shell01\Command - E:\Autorun.exe /action
\Shell\Shell02\Command - E:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d69dce2c-85ce-11dd-bd86-0015c5a54fc7}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db653fe3-b3fb-11dc-bc6d-0015c5a54fc7}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb14c6f2-5346-11dc-bbe6-0015c5a54fc7}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\18ezlrf5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 23:50
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\98FF0AA4AD168120]
"ImagePath"="\??\c:\documents and settings\Monica\98FF0AA4AD168120\98FF0AA4AD168120"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(300)
c:\windows\System32\BCMLogon.dll
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-04-29 23:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 03:55
ComboFix2.txt 2009-04-29 02:00
ComboFix3.txt 2009-04-28 04:45
ComboFix4.txt 2009-04-28 02:59
ComboFix5.txt 2009-04-29 03:32

Pre-Run: 4,224,372,736 bytes free
Post-Run: 4,205,895,680 bytes free

362 --- E O F --- 2009-04-20 19:31



HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:51:57, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Monica\Desktop\Adware\HiJackThis 2.02.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {E87662F7-494E-46F4-8395-0F95EE2601B5} - c:\windows\system32\vfknfqs.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1162837985546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163955938031
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Windows Live OneCare Health Monitor (ochealthmon) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 7129 bytes


The specific file that Combofix cannot delete I have personally tried deleting using Unlocker, and another computer to access the computer's files and terminating them without worrying about the OS getting in my way. However, Unlocker did not delete any of these files. And when I reinstalled the HD into the laptop the file just reappeared.

Any help??

#9 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:04:35 AM

Posted 30 April 2009 - 01:33 PM

ComboFix logs should not be posted or discussed outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic in the Am I Infected forum.
http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/
Explain the nature of your problem. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

This topic is now closed.
The BC Staff
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter



