
Clicking a link for a web site takes me to unknown site instead


  • This topic is locked
14 replies to this topic

#1 LarryAndLorri

LarryAndLorri

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 30 April 2009 - 10:05 PM

Whenever I click on a link, even if it is a link presented by Google as a result of a search, I am often taken to various different web sites I never heard of before. My husband is very computer literate but does not feel comfortable fixing this without your advice.

When I tried updating my PC-cillin information I got an error saying, "Update unsuccessful. Check your Internet connection, and then try again. Consult the Online Help for additional instructions. (-1)"

We think this could be a result of being hijacked. We do have internet connectivity. For example, this message is being sent from the computer that is having the problem.

Thanks in advance for your help!

Here's my DDS log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Lorri qwert at 19:38:37.81 on Thu 04/30/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.151 [GMT -7:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Outdated)
FW: PC-cillin Internet Security - Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\WINDOWS\system32\DL32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE
C:\Documents and Settings\Lorri qwert\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080105
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080105
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: : {e8c92051-1f8b-4713-b7e1-058070e95934} - c:\windows\system32\tktudkv.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
uRun: [DL32] DL32
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229204474687
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229204451093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: yxswwzvn - tktudkv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 jhckokxj;jhckokxj;c:\windows\system32\drivers\jhckokxj.sys [2004-8-11 23424]
R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [2007-8-23 5376]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-9-18 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-8-29 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-11 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-8-29 566872]
R3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;c:\windows\system32\drivers\OEM02Afx.sys [2008-1-5 141376]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-1-5 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-1-5 7424]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-8-29 280392]
S2 qkatgxrw;Floppy Disk Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]

=============== Created Last 30 ================

2009-04-30 10:18 <DIR> --d----- c:\windows\system32\appmgmt
2009-04-30 06:51 2,158 a------- C:\Appdata.re
2009-04-29 22:04 <DIR> --d----- c:\docume~1\lorrik~1\applic~1\Malwarebytes
2009-04-29 22:04 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-29 22:04 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 22:04 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-29 22:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-29 16:41 14,848 a------- c:\windows\system32\DL32.exe
2009-04-26 18:19 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-04-26 18:19 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-04-26 18:18 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-04-25 12:01 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-04-25 12:01 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-04-25 12:01 14,640 -------- c:\windows\system32\spmsgXP_2k3.dll
2009-04-25 11:56 465,920 -------- c:\windows\system32\imapi2fs.dll
2009-04-25 11:56 465,920 -------- c:\windows\system32\dllcache\imapi2fs.dll
2009-04-25 11:56 317,952 -------- c:\windows\system32\imapi2.dll
2009-04-25 11:56 317,952 -------- c:\windows\system32\dllcache\imapi2.dll
2009-04-25 11:56 62,976 -------- c:\windows\system32\dllcache\cdrom.sys
2009-04-14 16:53 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-14 16:53 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-14 16:53 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-14 16:53 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-14 16:53 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-14 16:53 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 16:53 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 16:53 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 16:53 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-14 16:53 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-14 11:25 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 11:25 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 11:25 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-03 12:42 <DIR> --d----- c:\program files\PopCap Games

==================== Find3M ====================

2009-03-21 07:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-10 22:18 934,792 -------- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -------- c:\windows\system32\dllcache\wgaLogon.dll
2009-03-10 18:37 81 a------- C:\CTX.DAT
2009-03-08 19:17 323,072 a------- C:\netsetup.exe
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 17:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 21:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 03:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 03:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-19 22:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 04:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 04:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 04:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 03:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 03:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 12:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2008-01-05 07:45 76 ---shr-- c:\windows\CT4CET.bin
2008-12-21 18:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122120081222\index.dat
2008-12-28 13:14 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122820081229\index.dat

============= FINISH: 19:39:37.84 ===============


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:10:46 PM

Posted 13 May 2009 - 11:18 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 LarryAndLorri

LarryAndLorri
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 14 May 2009 - 09:14 PM

OK, here is the follow-up DDS scan log. Thanks in advance for your help.

L&L

DDS (Ver_09-05-14.01) - NTFSx86
Run by Lorri Qwert at 18:47:31.62 on Thu 05/14/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.334 [GMT -7:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\DL32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Lorri Qwert\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080105
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080105
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: : {e8c92051-1f8b-4713-b7e1-058070e95934} - c:\windows\system32\tktudkv.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DL32] DL32
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229204474687
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229204451093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: igfxcui - igfxdev.dll
Notify: yxswwzvn - tktudkv.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 jhckokxj;jhckokxj;c:\windows\system32\drivers\jhckokxj.sys [2004-8-11 23424]
R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [2007-8-23 5376]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-9-18 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-8-29 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-11 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-8-29 566872]
R3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;c:\windows\system32\drivers\OEM02Afx.sys [2008-1-5 141376]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-1-5 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-1-5 7424]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-8-29 280392]

=============== Created Last 30 ================

2009-05-08 22:38 <DIR> --d----- C:\LRK
2009-05-05 19:04 <DIR> --d----- c:\program files\alot
2009-05-05 19:04 <DIR> --d----- c:\docume~1\lorrik~1\applic~1\alot
2009-04-30 06:51 2,158 a------- C:\Appdata.re
2009-04-29 22:04 <DIR> --d----- c:\docume~1\lorrik~1\applic~1\Malwarebytes
2009-04-29 22:04 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-29 22:04 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 22:04 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-29 22:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-29 16:41 14,848 a------- c:\windows\system32\DL32.exe
2009-04-26 18:19 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-04-26 18:19 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-04-26 18:18 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-04-25 12:01 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-04-25 12:01 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-04-25 12:01 14,640 -------- c:\windows\system32\spmsgXP_2k3.dll
2009-04-25 11:56 465,920 -------- c:\windows\system32\imapi2fs.dll
2009-04-25 11:56 465,920 -------- c:\windows\system32\dllcache\imapi2fs.dll
2009-04-25 11:56 317,952 -------- c:\windows\system32\imapi2.dll
2009-04-25 11:56 317,952 -------- c:\windows\system32\dllcache\imapi2.dll
2009-04-25 11:56 62,976 -------- c:\windows\system32\dllcache\cdrom.sys

==================== Find3M ====================

2009-03-21 07:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-10 22:18 934,792 -------- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -------- c:\windows\system32\dllcache\wgaLogon.dll
2009-03-10 18:37 81 a------- C:\CTX.DAT
2009-03-08 19:17 323,072 a------- C:\netsetup.exe
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 07:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 17:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 21:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 03:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 03:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-19 22:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-01-05 07:45 76 ---shr-- c:\windows\CT4CET.bin
2008-12-21 18:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122120081222\index.dat
2008-12-28 13:14 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122820081229\index.dat

============= FINISH: 18:47:59.31 ===============
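The two DDS reports in this thread (30 April and 14 May) are what a helper reads by eye. The Python below is an added example, not code from the thread, from DDS or from any tool the helpers name: it parses the Pseudo HJT and SERVICES / DRIVERS lines of both logs, lists entries that commonly deserve a second look (a browser proxy pointing at the local machine, a browser add-on with no display name, one module registered at more than one load point, a service or driver whose description is just its own name) and diffs the two scans. The sample lines are copied from the thread's own logs; the selection rules are this example's heuristics and produce a review list, not verdicts.

```python
"""Triage helper for the DDS 'Pseudo HJT Report' and 'SERVICES / DRIVERS'
sections. Added example for this thread, not part of DDS or any tool used in
it. Sample lines are copied from the two logs posted above; the rules are this
example's own and only pick lines for a human to look at."""
import re

# Constructed sample A: selected lines from the first DDS log (30 April).
LOG_A = r"""
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {e8c92051-1f8b-4713-b7e1-058070e95934} - c:\windows\system32\tktudkv.dll
Notify: igfxcui - igfxdev.dll
Notify: yxswwzvn - tktudkv.dll
R0 jhckokxj;jhckokxj;c:\windows\system32\drivers\jhckokxj.sys [2004-8-11 23424]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-11 36368]
S2 qkatgxrw;Floppy Disk Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
"""

# Constructed sample B: the same load points in the second DDS log (14 May).
LOG_B = r"""
uInternet Settings,ProxyServer = http=localhost:7171
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
BHO: : {e8c92051-1f8b-4713-b7e1-058070e95934} - c:\windows\system32\tktudkv.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
Notify: igfxcui - igfxdev.dll
Notify: yxswwzvn - tktudkv.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
R0 jhckokxj;jhckokxj;c:\windows\system32\drivers\jhckokxj.sys [2004-8-11 23424]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-11 36368]
"""

ADDON_RE = re.compile(r"^(BHO|TB): (.*?): \{[0-9a-fA-F-]+\} - (.+)$")
NOTIFY_RE = re.compile(r"^Notify: (\S+) - (.+)$")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]*);([^;]*);(.+?)(?: \[[^\]]*\])?$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (.+)$")

def parse(text):
    """Turn log lines into {kind, name, path} dicts; lines of other kinds are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := ADDON_RE.match(line):
            entries.append(dict(kind=m[1], name=m[2].strip(), path=m[3].strip()))
        elif m := NOTIFY_RE.match(line):
            entries.append(dict(kind="Notify", name=m[1], path=m[2].strip()))
        elif m := SERVICE_RE.match(line):
            entries.append(dict(kind="Service", start=m[1], name=m[2],
                                desc=m[3], path=m[4].strip()))
        elif m := PROXY_RE.match(line):
            entries.append(dict(kind="Proxy", name="ProxyServer", path=m[1].strip()))
        elif m := APPINIT_RE.match(line):
            entries.append(dict(kind="AppInit_DLLs", name="", path=m[1].strip()))
    return entries

def module_name(path):
    """File name of the binary, ignoring arguments such as '-k netsvcs'."""
    return re.split(r"\s+[-/]", path)[0].rsplit("\\", 1)[-1].lower()

def flag(entries):
    """Return (reason, entry) pairs that deserve a manual look."""
    hooks = {}                      # module file name -> kinds of load point using it
    for e in entries:
        hooks.setdefault(module_name(e["path"]), []).append(e["kind"])
    findings, reported = [], set()
    for e in entries:
        mod = module_name(e["path"])
        if e["kind"] == "Proxy" and re.search(r"localhost|127\.0\.0\.1", e["path"]):
            findings.append(("browser traffic is routed through a proxy on this machine", e))
        if e["kind"] in ("BHO", "TB") and not e["name"]:
            findings.append(("browser add-on registered without a display name", e))
        if e["kind"] == "Service" and e["desc"] == e["name"]:
            findings.append(("service/driver whose description is only its own name", e))
        # svchost.exe legitimately hosts many services, so it is exempt from this rule.
        if len(hooks[mod]) > 1 and mod != "svchost.exe" and mod not in reported:
            reported.add(mod)
            findings.append(("same module registered at %d load points (%s)"
                             % (len(hooks[mod]), ", ".join(hooks[mod])), e))
    return findings

def diff(old, new):
    """Load points added to / removed from the newer log, keyed by kind, name and module."""
    key = lambda e: (e["kind"], e["name"], module_name(e["path"]))
    before, after = {key(e) for e in old}, {key(e) for e in new}
    return sorted(after - before), sorted(before - after)

if __name__ == "__main__":
    for reason, e in flag(parse(LOG_A)):
        print(f"[{e['kind']}] {e['name'] or '<no name>'} -> {e['path']}: {reason}")
    added, removed = diff(parse(LOG_A), parse(LOG_B))
    print("added since first scan:", added)
    print("gone since first scan:", removed)
```

Run on the 30 April excerpt it reports the localhost:7171 proxy, the unnamed BHO and the Winlogon Notify entry that both load tktudkv.dll, and the two drivers registered under their own names; tmpreflt.sys trips the same rule as jhckokxj.sys, which is why the output is a list for a person to work through and not a verdict. The diff shows the ALOT toolbar and the AppInit_DLLs entry appearing between the two scans and the qkatgxrw service disappearing. The walrus operator needs Python 3.8 or later.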


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:46 PM

Posted 15 May 2009 - 03:22 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 LarryAndLorri

LarryAndLorri
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 15 May 2009 - 11:38 PM

Hi Panda!

Thanks for your help to this point. I have attached the two log files you requested to this message. Log.txt was output from ComboFix and GMERLog.log was output from GMER.

By the way, when ComboFix was about to reboot, I got a dialog that said, "Unable to create a backup of the current registry file C:\WINDOWS\system32\config\SOFTWARE ! Continue restoration of this file?" The title bar of the window did not mention any program name; it simply said, "Warning". I clicked on "No". What do you think about that?

After reboot, Lorri's wallpaper was replaced by some icon stretched to full screen size. It looks like a bouquet of roses. I don't know where that came from. Maybe it has to do with that registry issue.

One other thing I should mention: This is on a shared laptop where both Larry and Lorri have their own account. For the sake of simplicity I have been doing everything while logged in as Lorri, but this question just occurred to me: Do I need to repeat these steps while logged in as Larry?

To answer your question: I have not intentionally installed any new software on this machine since the original posting here 2 weeks ago. To the best of my knowledge, Lorri has not installed anything either as we are both trying to avoid unnecessarily complicating things. We have been making use of this computer to retrieve email and play a few games.

Thanks,

Larry

ComboFix 09-05-15.01 - Lorri qwert 05/15/2009 19:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.435 [GMT -7:00]
Running from: c:\documents and settings\Lorri qwert\Desktop\ComboFix.exe
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dl32.exe
c:\windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-15 07:38 . 2008-04-13 23:11 21504 ----a-w c:\windows\system32\dllcache\hidserv.dll
2009-05-15 07:38 . 2008-04-13 23:11 21504 ----a-w c:\windows\system32\hidserv.dll
2009-05-15 07:37 . 2009-05-15 08:45 -------- d-----w c:\documents and settings\Larry\Application Data\U3
2009-05-09 05:38 . 2009-05-14 20:13 -------- d-----w C:\LRK
2009-05-06 15:42 . 2009-05-06 15:42 -------- d-----w c:\documents and settings\Larry\Local Settings\Application Data\SupportSoft
2009-05-06 14:56 . 2009-05-06 14:56 -------- d-----w c:\documents and settings\Larry\Application Data\alot
2009-05-06 02:04 . 2009-05-06 02:04 -------- d-----w c:\documents and settings\Lorri qwert\Application Data\alot
2009-05-06 02:04 . 2009-05-06 02:04 -------- d-----w c:\program files\alot
2009-04-30 05:04 . 2009-04-30 05:04 -------- d-----w c:\documents and settings\Lorri qwert\Application Data\Malwarebytes
2009-04-30 05:04 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-30 05:04 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-30 05:04 . 2009-04-30 05:04 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-30 05:04 . 2009-04-30 05:04 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-25 19:01 . 2008-03-21 20:57 14640 ------w c:\windows\system32\spmsgXP_2k3.dll
2009-04-25 19:00 . 2009-04-25 19:03 -------- d-----w c:\program files\Zune
2009-04-25 18:56 . 2008-05-02 10:49 62976 ------w c:\windows\system32\dllcache\cdrom.sys
2009-04-25 18:56 . 2008-05-02 13:25 465920 ------w c:\windows\system32\dllcache\imapi2fs.dll
2009-04-25 18:56 . 2008-05-02 13:25 465920 ------w c:\windows\system32\imapi2fs.dll
2009-04-25 18:56 . 2008-05-02 13:25 317952 ------w c:\windows\system32\dllcache\imapi2.dll
2009-04-25 18:56 . 2008-05-02 13:25 317952 ------w c:\windows\system32\imapi2.dll
2009-04-25 18:54 . 2009-04-27 01:16 -------- d-----w c:\windows\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 14:56 . 2009-05-06 14:54 84680 ----a-w c:\documents and settings\Larry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-04 12:48 . 2008-12-28 20:50 1324 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-01 01:58 . 2008-01-09 20:41 -------- d-----w c:\program files\Trend Micro
2009-04-30 22:52 . 2008-01-05 15:00 -------- d-----w c:\program files\Google
2009-04-30 17:20 . 2008-01-05 14:44 -------- d-----w c:\program files\Dell
2009-04-27 01:19 . 2009-04-27 01:19 0 ---ha-w c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-04-27 01:19 . 2009-04-27 01:19 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-04-27 01:18 . 2009-04-27 01:18 0 ---ha-w c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-04-25 19:01 . 2009-04-25 19:01 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-04-25 19:01 . 2009-04-25 19:01 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-04-03 19:42 . 2009-04-03 19:42 -------- d-----w c:\program files\PopCap Games
2009-03-11 01:37 . 2009-03-11 01:37 81 ----a-w C:\CTX.DAT
2009-03-09 02:17 . 2009-03-09 02:17 323072 ----a-w C:\netsetup.exe
2009-03-06 14:22 . 2004-08-11 23:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-11 23:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-11 23:00 78336 ----a-w c:\windows\system32\ieencode.dll
2008-01-05 14:45 . 2008-01-05 14:45 76 --sh--r c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8C92051-1F8B-4713-B7E1-058070E95934}]
2004-08-04 11:00 103936 ----a-w c:\windows\system32\tktudkv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DL32"="DL32" [X]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-05 321040]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-10 851968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-10 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-10 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-10 137752]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-11 2183168]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-05 1838592]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-07-10 405504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-5 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yxswwzvn]
2004-08-04 11:00 103936 ----a-w c:\windows\system32\tktudkv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 jhckokxj;jhckokxj;c:\windows\system32\drivers\jhckokxj.sys [8/11/2004 4:00 PM 23424]
R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [8/23/2007 5:29 PM 5376]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/18/2006 2:50 PM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/29/2006 1:54 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/11/2006 4:11 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/29/2006 1:55 PM 566872]
R3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;c:\windows\system32\drivers\OEM02Afx.sys [1/5/2008 7:20 AM 141376]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [1/5/2008 7:20 AM 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [1/5/2008 7:20 AM 7424]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/29/2006 1:54 PM 280392]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qkatgxrw

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2588ab90-c13a-11dc-af3f-001e4c04df5d}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52da4152-c7f2-11dd-aff6-001e4c04df5d}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52da4153-c7f2-11dd-aff6-001e4c04df5d}]
\Shell\AutoRun\command - F:\LinksysConnectPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5c7bea5-0fc4-11dd-afb8-001e4c04df5d}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-16 c:\windows\Tasks\User_Feed_Synchronization-{ECE877BF-CA36-4529-99CF-AA173FA3D199}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 02:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080105
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 19:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2952)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2009-05-16 19:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-16 02:33

Pre-Run: 97,243,000,832 bytes free
Post-Run: 97,913,753,600 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

192 --- E O F --- 2009-05-13 00:12

Edited by PropagandaPanda, 16 May 2009 - 08:18 AM.


#6 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 16 May 2009 - 08:23 AM

Hello.

There is still an infection remaining.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    c:\windows\system32\tktudkv.dll
    c:\windows\system32\drivers\jhckokxj.sys
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8C92051-1F8B-4713-B7E1-058070E95934}]
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DL32"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yxswwzvn]
    
    Driver::
    jhckokxj
    
    NetSvc::
    qkatgxrw
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [screenshot of the drag-and-drop step]
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download the Malwarebytes Anti-Malware setup file to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.
Please give me an update on the symptoms at this point.

With Regards,
The Panda

#7 LarryAndLorri
  • Topic Starter
  • Members
  • 7 posts

Posted 16 May 2009 - 12:45 PM

Hi Panda!

OK, I ran the two scans you described, and I am attaching the resulting log files to this message. Please let me know if you detect any remaining infections in these log files.

Update on symptoms:
1. The main symptom from my original post is no longer happening! Thank you so much!! I can now Google something, click on one of the links and actually go to the page pointed at by the link! Woo hoo!

Thanks and regards!

Larry

ComboFix 09-05-15.08 - Lorri qwert 05/16/2009 9:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.393 [GMT -7:00]
Running from: c:\documents and settings\Lorri qwert\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lorri qwert\Desktop\CFScript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
c:\windows\system32\drivers\jhckokxj.sys
c:\windows\system32\tktudkv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\jhckokxj.sys
c:\windows\system32\tktudkv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JHCKOKXJ
-------\Service_jhckokxj


((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-15 07:38 . 2008-04-13 23:11 21504 ----a-w c:\windows\system32\dllcache\hidserv.dll
2009-05-15 07:38 . 2008-04-13 23:11 21504 ----a-w c:\windows\system32\hidserv.dll
2009-05-15 07:37 . 2009-05-15 08:45 -------- d-----w c:\documents and settings\Larry\Application Data\U3
2009-05-09 05:38 . 2009-05-14 20:13 -------- d-----w C:\LRK
2009-05-06 15:42 . 2009-05-06 15:42 -------- d-----w c:\documents and settings\Larry\Local Settings\Application Data\SupportSoft
2009-05-06 14:56 . 2009-05-06 14:56 -------- d-----w c:\documents and settings\Larry\Application Data\alot
2009-05-06 02:04 . 2009-05-06 02:04 -------- d-----w c:\documents and settings\Lorri qwert\Application Data\alot
2009-05-06 02:04 . 2009-05-06 02:04 -------- d-----w c:\program files\alot
2009-04-30 05:04 . 2009-04-30 05:04 -------- d-----w c:\documents and settings\Lorri qwert\Application Data\Malwarebytes
2009-04-30 05:04 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-30 05:04 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-30 05:04 . 2009-04-30 05:04 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-30 05:04 . 2009-04-30 05:04 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-25 19:01 . 2008-03-21 20:57 14640 ------w c:\windows\system32\spmsgXP_2k3.dll
2009-04-25 19:00 . 2009-04-25 19:03 -------- d-----w c:\program files\Zune
2009-04-25 18:56 . 2008-05-02 10:49 62976 ------w c:\windows\system32\dllcache\cdrom.sys
2009-04-25 18:56 . 2008-05-02 13:25 465920 ------w c:\windows\system32\dllcache\imapi2fs.dll
2009-04-25 18:56 . 2008-05-02 13:25 465920 ------w c:\windows\system32\imapi2fs.dll
2009-04-25 18:56 . 2008-05-02 13:25 317952 ------w c:\windows\system32\dllcache\imapi2.dll
2009-04-25 18:56 . 2008-05-02 13:25 317952 ------w c:\windows\system32\imapi2.dll
2009-04-25 18:54 . 2009-04-27 01:16 -------- d-----w c:\windows\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 16:52 . 2004-08-11 23:00 23424 ----a-w c:\windows\system32\drivers\vgofyukq.sys
2009-05-06 14:56 . 2009-05-06 14:54 84680 ----a-w c:\documents and settings\Larry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-04 12:48 . 2008-12-28 20:50 1324 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-01 01:58 . 2008-01-09 20:41 -------- d-----w c:\program files\Trend Micro
2009-04-30 22:52 . 2008-01-05 15:00 -------- d-----w c:\program files\Google
2009-04-30 17:20 . 2008-01-05 14:44 -------- d-----w c:\program files\Dell
2009-04-27 01:19 . 2009-04-27 01:19 0 ---ha-w c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-04-27 01:19 . 2009-04-27 01:19 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-04-27 01:18 . 2009-04-27 01:18 0 ---ha-w c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-04-25 19:01 . 2009-04-25 19:01 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-04-25 19:01 . 2009-04-25 19:01 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-04-03 19:42 . 2009-04-03 19:42 -------- d-----w c:\program files\PopCap Games
2009-03-11 01:37 . 2009-03-11 01:37 81 ----a-w C:\CTX.DAT
2009-03-09 02:17 . 2009-03-09 02:17 323072 ----a-w C:\netsetup.exe
2009-03-06 14:22 . 2004-08-11 23:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-11 23:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-11 23:00 78336 ----a-w c:\windows\system32\ieencode.dll
2008-01-05 14:45 . 2008-01-05 14:45 76 --sh--r c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-05 321040]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-10 851968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-10 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-10 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-10 137752]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-11 2183168]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-05 1838592]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-07-10 405504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-5 50688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [8/23/2007 5:29 PM 5376]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/18/2006 2:50 PM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/29/2006 1:54 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/11/2006 4:11 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/29/2006 1:55 PM 566872]
R3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;c:\windows\system32\drivers\OEM02Afx.sys [1/5/2008 7:20 AM 141376]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [1/5/2008 7:20 AM 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [1/5/2008 7:20 AM 7424]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/29/2006 1:54 PM 280392]
.
Contents of the 'Scheduled Tasks' folder

2009-05-16 c:\windows\Tasks\User_Feed_Synchronization-{ECE877BF-CA36-4529-99CF-AA173FA3D199}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 02:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080105
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 09:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3892)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2009-05-16 10:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-16 17:00
ComboFix2.txt 2009-05-16 02:34

Pre-Run: 97,886,879,744 bytes free
Post-Run: 97,847,382,016 bytes free

177 --- E O F --- 2009-05-13 00:12

Edited by PropagandaPanda, 16 May 2009 - 12:49 PM.

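The two ComboFix logs posted above carry the indicators the responder acted on: a BHO and a Winlogon notify entry both backed by the same randomly named DLL (tktudkv.dll), a randomly named R0 driver (jhckokxj.sys) whose timestamp matches the 2004 stamp of genuine XP files such as pdh.dll, a random NetSvcs name, a Run value whose target file is gone ([X]), Security Center overrides, the XP firewall switched off, and an IE ProxyServer setting of localhost:7171 that appears in both logs (a local proxy is one way a hijacker can rewrite pages on their way to the browser). In the second log a new driver, vgofyukq.sys, shows up with the same 23424-byte size the deleted jhckokxj.sys had. The script below is an added example from the editor, not ComboFix's code and not anything posted in the thread; the heuristics (rare-letter ratio, the set of baseline timestamps, the finding names) are the editor's own assumptions, and SAMPLE_LOG is a handful of lines copied from the posted logs so that the block runs offline.

```python
"""Flag hijack indicators in ComboFix-style log lines.

Added example by the editor; it is not ComboFix's code and not from the thread.
The heuristics are the editor's own. SAMPLE_LOG is a handful of lines copied
from the logs posted above so that the block runs offline.
"""
import os
import re
from collections import defaultdict

RARE_LETTERS = set("jkqvwxyz")
VOWELS = set("aeiou")

# The random-named driver in the posted logs carries the same stamp as genuine
# XP SP2 files (2004-08-11 23:00 UTC, shown as 8/11/2004 4:00 PM in the GMT-7
# service listing). A random name plus a baseline stamp is a timestomping signal.
# Assumed set: extend it with the baseline stamps of the log you are reading.
BASELINE_STAMPS = {"2004-08-11 23:00", "2004-08-04 11:00", "8/11/2004 4:00 PM"}

SERVICE_RE = re.compile(r"^R\d (\w+);[^;]*;(.+) \[(.+) (\d+)\]$")
FIND3M_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\d+) \S+ (.+)$")
REGFILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) (\d+) \S+ (.+)$")
NOTIFY_RE = re.compile(r"^\[.*\\winlogon\\notify\\(\w+)\]$", re.IGNORECASE)
RUN_MISSING_RE = re.compile(r'^"[^"]+"=.*\[X\]$')
LOCAL_PROXY_RE = re.compile(r"proxyserver\s*=.*(localhost|127\.0\.0\.1):\d+", re.IGNORECASE)


def is_random(name: str) -> bool:
    """Lowercase token of 7+ letters that is heavy in rare letters or has no vowels."""
    if len(name) < 7 or not name.isalpha() or not name.islower():
        return False
    rare = sum(c in RARE_LETTERS for c in name) / len(name)
    vowels = sum(c in VOWELS for c in name) / len(name)
    return rare >= 0.35 or vowels < 0.1


def stem(path: str) -> str:
    """Filename without directory or extension, for a Windows path."""
    return os.path.splitext(path.rsplit("\\", 1)[-1])[0]


def analyze(lines):
    """Return (kind, evidence) findings for an iterable of ComboFix log lines."""
    findings = []
    sizes = defaultdict(set)  # size -> random-named stems, to spot a re-dropped driver
    expect_netsvc = False

    def note_artifact(name, stamp, size, evidence):
        if not is_random(name):
            return
        findings.append(("random-name", evidence))
        if stamp in BASELINE_STAMPS:
            findings.append(("baseline-timestamp", evidence))
        if size:
            sizes[size].add(name)

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if expect_netsvc:  # bare service name printed under the NetSvcs header
            expect_netsvc = False
            note_artifact(line, None, None, "NetSvcs " + line)
            continue
        if line.endswith("Svchost - NetSvcs"):
            expect_netsvc = True
            continue
        low = line.lower()
        if LOCAL_PROXY_RE.search(line):  # IE routed through a local port: classic redirector
            findings.append(("local-proxy", line))
        elif '"antivirusoverride"=dword:00000001' in low or '"disablemonitoring"=dword:00000001' in low:
            findings.append(("security-center-tamper", line))
        elif '"enablefirewall"= 0' in low:
            findings.append(("firewall-off", line))
        elif RUN_MISSING_RE.match(line):  # Run value whose target ComboFix could not find
            findings.append(("run-entry-missing-file", line))
        elif m := NOTIFY_RE.match(line):
            note_artifact(m.group(1), None, None, line)
        elif m := SERVICE_RE.match(line):
            note_artifact(m.group(1), m.group(3), m.group(4), line)
        elif m := FIND3M_RE.match(line):
            note_artifact(stem(m.group(3)), m.group(1), m.group(2), line)
        elif m := REGFILE_RE.match(line):
            note_artifact(stem(m.group(3)), m.group(1), m.group(2), line)

    for size, names in sizes.items():
        if len(names) > 1:  # e.g. the driver deleted in one run reappearing under a new name
            findings.append(("same-size-dropper", f"{size}: {', '.join(sorted(names))}"))
    return findings


# Lines copied from the logs posted in this thread (constructed sample, one line per indicator).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8C92051-1F8B-4713-B7E1-058070E95934}]
2004-08-04 11:00 103936 ----a-w c:\windows\system32\tktudkv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DL32"="DL32" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yxswwzvn]
2004-08-04 11:00 103936 ----a-w c:\windows\system32\tktudkv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 jhckokxj;jhckokxj;c:\windows\system32\drivers\jhckokxj.sys [8/11/2004 4:00 PM 23424]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/11/2006 4:11 PM 36368]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qkatgxrw

2009-05-16 16:52 . 2004-08-11 23:00 23424 ----a-w c:\windows\system32\drivers\vgofyukq.sys
2009-03-06 14:22 . 2004-08-11 23:00 284160 ----a-w c:\windows\system32\pdh.dll

uInternet Settings,ProxyServer = http=localhost:7171
"""

if __name__ == "__main__":
    for kind, evidence in analyze(SAMPLE_LOG.splitlines()):
        print(f"{kind:24} {evidence}")
```

The name heuristic is deliberately loose (it would flag any vowel-free eight-letter service), so treat its output as a list of lines to read closely rather than a verdict; the proxy, Security Center and firewall checks, by contrast, are exact matches on values a clean XP installation would not have.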

#8 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 16 May 2009 - 12:57 PM

Hello Larry.

I don't see any further infections, though there are a couple files I want to take a look at.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/223626/clicking-a-link-for-a-web-site-takes-me-to-unknown-site-instead/
    
    Collect::[59]
    c:\windows\system32\drivers\vgofyukq.sys
    
    Suspect::[59]
    c:\windows\system32\spmsgXP_2k3.dll
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [screenshot of the drag-and-drop step]
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Upload Samples Collected by ComboFix
The script above includes directives to upload file samples. Ensure you are connected to the internet before clicking "OK" on the message box. After the uploading is done you should see a message near the bottom saying "Upload was Successful".

Update Java to Version 6 Update 13
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows".

Delete the installer after use.

Please also take a new GMER scan log.

With Regards,
The Panda

Edited by PropagandaPanda, 16 May 2009 - 12:57 PM.


#9 LarryAndLorri
  • Topic Starter
  • Members
  • 7 posts

Posted 17 May 2009 - 09:25 PM

Here are the most recent scan logs.

Thanks,

Larry


#10 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 18 May 2009 - 09:11 AM

Hello.

That looks good. Let's get an online scan off to check for anything we've missed.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Any problems at the moment?

Please take a new DDS.txt log too.

With Regards,
The Panda

#11 LarryAndLorri
  • Topic Starter
  • Members
  • 7 posts

Posted 19 May 2009 - 03:15 AM

OK, here are the logs you requested:
Scanning Report
Tuesday, May 19, 2009 23:11:45 - 00:07:50
Computer name: LORRIQWERT
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\
________________________________________
2 malware found
TrackingCookie.2o7 (spyware)
System (Disinfected)
Trojan.Win32.Agent2.iwh (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP33\A0001703.EXE (Renamed & Submitted)
________________________________________
Statistics
Scanned:
Files: 52797
System: 3839
Not scanned: 9
Actions:
Disinfected: 1
Renamed: 1
Deleted: 0
Not cleaned: 0
Submitted: 1
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\DOCUMENTS AND SETTINGS\LORRI QWERT\LOCAL SETTINGS\TEMP\~ROMFN_00000370
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\TREND MICRO\PC-CILLIN\TEMP\SCAN_S-1-5-21-2778877464-3595961257-2729159961-1006.INI
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\TREND MICRO\PC-CILLIN\TEMP\SCAN_S-1-5-21-2778877464-3595961257-2729159961-1007.INI
________________________________________
Options
Scanning engines:
F-Secure USS: 3.0.0
F-Secure Hydra: 3.8.9080, 2009-05-19
F-Secure AVP: 7.0.171, 2009-05-18
F-Secure Pegasus: 1.20.0
F-Secure Blacklight
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics
________________________________________
Copyright 1998-2009 Product support | Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name. This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Lorri Qwert at 1:03:37.59 on Tue 05/19/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.430 [GMT -7:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Lorri Qwert\Desktop\larry\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080105
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229204474687
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229204451093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [2007-8-23 5376]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-9-18 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-8-29 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-11 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-8-29 566872]
R3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;c:\windows\system32\drivers\OEM02Afx.sys [2008-1-5 141376]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-1-5 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-1-5 7424]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-8-29 280392]

=============== Created Last 30 ================

2009-05-16 17:12 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-16 17:12 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-16 16:55 <DIR> --d----- c:\windows\system32\appmgmt
2009-05-15 19:08 <DIR> a-dshr-- C:\cmdcons
2009-05-15 19:01 161,792 a------- c:\windows\SWREG.exe
2009-05-15 19:01 98,816 a------- c:\windows\sed.exe
2009-05-15 00:38 21,504 a------- c:\windows\system32\hidserv.dll
2009-05-15 00:38 21,504 a------- c:\windows\system32\dllcache\hidserv.dll
2009-05-08 22:38 <DIR> --d----- C:\LRK
2009-05-05 19:04 <DIR> --d----- c:\program files\alot
2009-05-05 19:04 <DIR> --d----- c:\docume~1\lorriq~1\applic~1\alot
2009-04-30 06:51 2,158 a------- C:\Appdata.re
2009-04-29 22:04 <DIR> --d----- c:\docume~1\lorriq~1\applic~1\Malwarebytes
2009-04-29 22:04 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-29 22:04 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 22:04 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-29 22:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-26 18:19 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-04-26 18:19 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-04-26 18:18 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-04-25 12:01 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-04-25 12:01 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-04-25 12:01 14,640 -------- c:\windows\system32\spmsgXP_2k3.dll
2009-04-25 11:56 465,920 -------- c:\windows\system32\imapi2fs.dll
2009-04-25 11:56 465,920 -------- c:\windows\system32\dllcache\imapi2fs.dll
2009-04-25 11:56 317,952 -------- c:\windows\system32\imapi2.dll
2009-04-25 11:56 317,952 -------- c:\windows\system32\dllcache\imapi2.dll
2009-04-25 11:56 62,976 -------- c:\windows\system32\dllcache\cdrom.sys

==================== Find3M ====================

2009-03-21 07:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-10 22:18 934,792 -------- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -------- c:\windows\system32\dllcache\wgaLogon.dll
2009-03-10 18:37 81 a------- C:\CTX.DAT
2009-03-08 19:17 323,072 a------- C:\netsetup.exe
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 07:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 17:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 21:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 03:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 03:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-19 22:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-01-05 07:45 76 ---shr-- c:\windows\CT4CET.bin
2008-12-21 18:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122120081222\index.dat
2008-12-28 13:14 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122820081229\index.dat

============= FINISH: 1:04:57.98 ===============

Edited by PropagandaPanda, 19 May 2009 - 07:03 AM.


#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:10:46 PM

Posted 19 May 2009 - 03:08 PM

Hello.

It looks good. Unless there are any issues at the moment, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type the following into the runbox and click OK. Notice the space between the "x" and "/".
    ComboFix /u
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hides file extensions and hidden/system files.
  • Clears System Restore cache and creates new restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda

#13 LarryAndLorri

LarryAndLorri
  • Topic Starter

  • Members
  • 7 posts
  • Local time:07:46 PM

Posted 20 May 2009 - 07:15 PM

Thanks, Panda, you have really helped us! Do you have any idea why the uninstaller for Combofix turns on the "hide known file extensions" option? One of the tips in this article (http://www.bleepingcomputer.com/forums/topic2520.html) is to avoid clicking on files with certain filename extensions. But if the hide known file extensions option is checked, a novice user is not likely to be able to figure out what the filename extension is. It seems like this feature is of more benefit to malware purveyors than it is to the rest of us, so I always turn it off.

Thanks and Regards,

Larry

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:10:46 PM

Posted 21 May 2009 - 06:59 AM

Hello Larry.

Do you have any idea why the uninstaller for Combofix turns on the "hide known file extensions" option?

ComboFix will also hide the hidden and system files, which we often tell the users to unhide sometime during the removal process.

For safety purposes, all of these are hidden after.

The extension was questionable, but it was decided to hide them as they were in default.

With Regards,
The Panda
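The exchange above turns on three Explorer settings that the ComboFix uninstall resets (known file extensions, hidden files, protected system files) and on why hidden extensions matter to a user who is told to avoid certain file types. The script below is an added example written for this page; it is not ComboFix's code and not from anyone in the thread. It assumes the per-user Explorer settings live under the well-known registry key `HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced` (values `HideFileExt`, `Hidden`, `ShowSuperHidden`), reports their state, can reverse the "hide" defaults, and lists files whose double extension (for example `photo.jpg.exe`) would be disguised while extensions are hidden. The function names and the sample folder are the example's own choices.

```powershell
# Added example (not from the thread): inspect and correct the Explorer
# visibility settings that the ComboFix uninstall resets, and find the kind
# of double-extension file names those settings can conceal.
# Assumption: per-user Explorer settings live under the well-known key below.
$AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-ExplorerVisibility {
    # Reads the three values that govern what Explorer shows. A missing value
    # is reported as the Windows default (hidden), which is what a fresh
    # profile or a ComboFix uninstall leaves behind.
    $p = Get-ItemProperty -Path $AdvancedKey -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        # HideFileExt: 1 = known extensions hidden (default), 0 = shown
        ExtensionsHidden = ($p.HideFileExt -ne 0)
        # Hidden: 1 = show hidden files, 2 = do not show (default)
        HiddenFilesShown = ($p.Hidden -eq 1)
        # ShowSuperHidden: 1 = show protected OS files, 0 = hide (default)
        SystemFilesShown = ($p.ShowSuperHidden -eq 1)
    }
}

function Set-ExplorerShowAll {
    # Reverses the three "hide" defaults. Explorer reads these values when it
    # starts, so restart explorer.exe (or log off and on) for them to apply.
    Set-ItemProperty -Path $AdvancedKey -Name HideFileExt     -Value 0 -Type DWord
    Set-ItemProperty -Path $AdvancedKey -Name Hidden          -Value 1 -Type DWord
    Set-ItemProperty -Path $AdvancedKey -Name ShowSuperHidden -Value 1 -Type DWord
}

function Find-DoubleExtensionFiles {
    param(
        [string]$Folder,
        # Executable types a user is commonly told not to open; extend as needed.
        [string[]]$Risky = @('exe', 'scr', 'com', 'pif', 'bat', 'cmd', 'vbs', 'js')
    )
    # With extensions hidden, "photo.jpg.exe" is displayed as "photo.jpg".
    # This lists every file whose name has at least two dots and ends in a
    # risky extension, so the disguise is visible regardless of the setting.
    Get-ChildItem -Path $Folder -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object {
            $parts = $_.Name.Split('.')
            ($parts.Count -ge 3) -and ($Risky -contains $parts[-1].ToLower())
        } |
        Select-Object FullName, Length, LastWriteTime
}

# Usage (sample folder is the current user's desktop; adjust as needed):
Get-ExplorerVisibility
Find-DoubleExtensionFiles -Folder "$env:USERPROFILE\Desktop"
# Set-ExplorerShowAll   # uncomment to apply, then restart explorer.exe
```

Run it in an account that belongs to the user whose settings you are checking, since the key is per-user; the listing function only reads the file system and is safe to run first, while `Set-ExplorerShowAll` is the change Larry describes making by hand after each ComboFix uninstall.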

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:10:46 PM

Posted 16 June 2009 - 07:42 AM

Hello.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
