
No taskbar, no shortcuts, only background, no internet


  • This topic is locked
38 replies to this topic

#1 bri2k

bri2k

  • Members
  • 36 posts

Posted 01 September 2009 - 03:27 PM

Hello,

I am hoping one of you great people can help me out. A few days ago, I got the System Security virus and System Protection virus. It seemed to get progressively worse as I tried to clean it, to the point where it restarted and the taskbar and shortcuts were gone; only the background would load. It does not matter how I boot up, nothing is there. I was able to run programs from the task bar, but could not, until today, run Malware or Avira or HJT. Finally I got it to run and it seems to have cleaned up many of the items, but still no shortcuts or taskbar. I cannot see if I am connected to the internet with my wireless, so I don't know if that is the problem. Attached are my logs for Malware and HJT, and I will try to run anything else you suggest. I also tried Kelly's tricks and tips for taskbar repair, but it did not work. Unfortunately, I have a Dell Inspiron 6000 with no recovery disks.

If I have to run anything else and post a log, I have to first save it to a thumb drive and use my good computer.
Thanks for any help.

Brian

Attached Files





#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 16 September 2009 - 06:17 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 bri2k

bri2k
  • Topic Starter

  • Members
  • 36 posts

Posted 17 September 2009 - 06:44 AM

Hello,

Thank you for your response. I understand how busy you all are and how you do this in kindness, so I can definitely be patient. I have since made progress on my machine. I reinstalled the OS and have everything back. I am still a bit hesitant to use passwords though, as I feel something might still be there. I ran MBAM with a full scan and it did not find anything, but I don't know. The only issue I have now is that it will not connect to my wireless network. It finds it, it has the key automatically in it, but all it does is say that it is connecting and then it never does. I know this is a home issue because I can get it to wirelessly connect at other places. Can I run an HJT log and anything else and post it here for someone to take a look at?

Best,
Brian

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 17 September 2009 - 05:44 PM

Yes, go ahead and post a new log. Please run a DDS log per my instructions above.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#5 bri2k

bri2k
  • Topic Starter

  • Members
  • 36 posts

Posted 18 September 2009 - 01:22 PM

Hello,

Thank you again. Here is my dds.txt. Below that will be my HJT log.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Brian at 14:09:40.20 on Fri 09/18/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1431 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
svchost.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Visagesoft\eXPert PDF\vspdfprsrv.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\B9KGM6FV\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [winampagent] c:\program files\winamp\winampa.exe
mRun: [vspdfprsrv.exe] c:\program files\visagesoft\expert pdf\vspdfprsrv.exe --background
mRun: [updatemanager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [pcmservice] "c:\program files\dell\media experience\PCMService.exe"
mRun: [nerofiltercheck] c:\windows\system32\NeroCheck.exe
mRun: [monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [ituneshelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [digstream] c:\program files\digstream\digstream.exe
mRun: [digservices] c:\program files\espnruntime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [apoint] c:\program files\apoint\Apoint.exe
mRun: [adobe reader speed launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} - hxxps://secure.logmein.com/activex/RACtrl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - hxxp://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://sterling.view22.com/view22/kroom/view22RTE.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brian\applic~1\mozilla\firefox\profiles\ip3s6ic5.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-4 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-4 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-4 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-4 55656]
R2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-11-25 991232]
S0 vopx;vopx;c:\windows\system32\drivers\nhtr.sys --> c:\windows\system32\drivers\nhtr.sys [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2007-6-19 18560]
S3 memsweep2;MEMSWEEP2;\??\c:\windows\system32\1b.tmp --> c:\windows\system32\1B.tmp [?]

=============== Created Last 30 ================

2009-09-14 20:45 133,632 -c------ c:\windows\system32\dllcache\msv1_0.dll
2009-09-14 20:45 59,392 -c------ c:\windows\system32\dllcache\wdigest.dll
2009-09-14 20:45 298,496 -c------ c:\windows\system32\dllcache\kerberos.dll
2009-09-14 20:45 92,544 -c------ c:\windows\system32\dllcache\ksecdd.sys
2009-09-13 03:10 76,288 -c------ c:\windows\system32\dllcache\telnet.exe
2009-09-13 03:10 132,096 -c------ c:\windows\system32\dllcache\wkssvc.dll
2009-09-13 03:10 84,992 -c------ c:\windows\system32\dllcache\avifil32.dll
2009-09-13 03:10 58,880 -c------ c:\windows\system32\dllcache\atl.dll
2009-09-13 03:10 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-09-13 03:06 <DIR> --d----- c:\program files\MSXML 6.0
2009-09-12 14:00 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-09-12 14:00 683,520 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-09-12 14:00 247,326 -c------ c:\windows\system32\dllcache\strmdll.dll
2009-09-12 14:00 332,800 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-09-12 13:59 1,193,414 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-09-12 13:59 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-09-12 12:33 3,467 a------- C:\WirelessDiagLog.csv
2009-09-12 12:04 27,136 ac------ c:\windows\system32\dllcache\irmon.dll
2009-09-12 12:04 8,192 ac------ c:\windows\system32\dllcache\wshirda.dll
2009-09-12 12:04 27,136 a------- c:\windows\system32\irmon.dll
2009-09-12 12:04 8,192 a------- c:\windows\system32\wshirda.dll
2009-09-12 12:04 152,576 ac------ c:\windows\system32\dllcache\irftp.exe
2009-09-12 12:04 152,576 a------- c:\windows\system32\irftp.exe
2009-09-12 12:03 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-09-12 12:03 5,537,792 -c------ c:\windows\system32\dllcache\wmp.dll
2009-09-12 12:03 286,720 -c------ c:\windows\system32\dllcache\wmpdxm.dll
2009-09-12 12:03 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-09-12 12:03 655,872 -c------ c:\windows\system32\dllcache\mstscax.dll
2009-09-12 09:45 <DIR> --d----- c:\windows\system32\wbem\Repository.001
2009-09-12 09:43 <DIR> --d----- c:\windows\ServicePackFiles
2009-09-12 09:30 25,471 -------- c:\windows\system32\drivers\watv10nt.sys
2009-09-12 09:30 22,271 -------- c:\windows\system32\drivers\watv06nt.sys
2009-09-12 09:30 11,935 -------- c:\windows\system32\drivers\wadv11nt.sys
2009-09-12 09:30 11,871 -------- c:\windows\system32\drivers\wadv09nt.sys
2009-09-12 09:30 11,807 -------- c:\windows\system32\drivers\wadv07nt.sys
2009-09-12 09:30 11,295 -------- c:\windows\system32\drivers\wadv08nt.sys
2009-09-12 09:28 701,440 -------- c:\windows\system32\drivers\ati2mtag.sys
2009-09-11 21:37 155 a------- C:\version.ini
2009-09-11 21:37 21,425 a------- c:\windows\system32\drivers\AegisP.sys
2009-09-11 21:36 2,732,032 a------- c:\windows\system32\Netw2r32.dll
2009-09-11 21:36 2,209,408 a------- c:\windows\system32\drivers\w29n51.sys
2009-09-11 21:36 557,056 a------- c:\windows\system32\Netw2c32.dll
2009-09-11 21:34 <DIR> --d----- c:\docume~1\brian\applic~1\Intel
2009-09-11 20:58 <DIR> --d----- c:\windows\system32\bits
2009-09-11 20:55 351,232 a------- c:\windows\system32\winhttp.dll
2009-09-11 20:55 18,944 a------- c:\windows\system32\qmgrprxy.dll
2009-09-11 20:45 213,528 a------- c:\windows\system32\wuaucpl.cpl
2009-09-06 21:10 1,809,944 ac------ c:\windows\system32\dllcache\wuaueng.dll
2009-09-06 21:10 92,696 ac------ c:\windows\system32\dllcache\cdm.dll
2009-09-06 21:10 51,224 ac------ c:\windows\system32\dllcache\wuauclt.exe
2009-09-06 19:43 1,134,592 a------- c:\windows\system32\SETE59.tmp
2009-09-06 19:43 351,232 a------- c:\windows\system32\SETE5C.tmp
2009-09-06 19:43 187,392 a------- c:\windows\system32\SETE57.tmp
2009-09-06 19:39 1,236,480 a------- c:\windows\system32\SET319.tmp
2009-09-06 19:38 19,528 a------- c:\windows\002313_.tmp
2009-09-06 19:35 480,256 ac------ c:\windows\system32\dllcache\cintsetp.exe
2009-09-06 19:34 538,624 a------- c:\windows\system32\spider.exe
2009-09-06 17:01 163,840 a------- c:\windows\system32\igfxres.dll
2009-09-06 16:51 205,824 ac------ c:\windows\system32\dllcache\EXCH_seo.dll
2009-09-06 16:50 134,339 ac------ c:\windows\system32\dllcache\imekr.lex
2009-09-06 16:49 2,134,528 ac------ c:\windows\system32\dllcache\EXCH_smtpsnap.dll
2009-09-06 16:49 175,104 ac------ c:\windows\system32\dllcache\EXCH_smtpadm.dll
2009-09-06 16:39 24,576 a------- c:\windows\system32\xpsp1hfm.exe
2009-09-06 16:35 25,065 a------- c:\windows\system32\wmpscheme.xml
2009-09-06 16:35 299,552 a------- c:\windows\WMSysPrx.prx
2009-09-06 16:33 61,440 ac------ c:\windows\system32\dllcache\icwres.dll
2009-09-06 16:33 40,960 ac------ c:\windows\system32\dllcache\trialoc.dll
2009-09-06 16:33 73,728 ac------ c:\windows\system32\dllcache\icwtutor.exe
2009-09-06 15:17 7,046 a----r-- c:\windows\SETF0.tmp
2009-09-06 15:17 13,608 a----r-- c:\windows\SETDB.tmp
2009-09-06 15:17 1,086,182 a----r-- c:\windows\SETCC.tmp
2009-09-06 15:11 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-09-06 15:11 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-09-06 15:11 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-09-06 15:11 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-09-06 15:11 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-09-06 15:10 16,384 ac------ c:\windows\system32\dllcache\isignup.exe
2009-09-06 15:10 520,192 ac------ c:\windows\system32\dllcache\wmpvis.dll
2009-09-06 15:10 319,542 ac------ c:\windows\system32\dllcache\wmmres.dll
2009-09-06 15:10 163,897 ac------ c:\windows\system32\dllcache\wmmutil.dll
2009-09-06 15:10 110,648 ac------ c:\windows\system32\dllcache\wmmfilt.dll
2009-09-06 15:08 82,432 ac------ c:\windows\system32\dllcache\comrepl.dll
2009-09-06 15:08 82,432 a------- c:\windows\system32\comrepl.dll
2009-09-06 15:08 23,552 a------- c:\windows\system32\COM1A0.tmp
2009-09-06 15:08 55,296 a------- c:\windows\system32\COM19E.tmp
2009-09-06 15:08 53,760 a------- c:\windows\system32\SET19D.tmp
2009-09-06 15:08 22,016 a------- c:\windows\system32\SET19F.tmp
2009-09-06 15:04 54,272 a------- c:\windows\system32\drivers\swmidi.sys
2009-09-06 14:55 7,046 a----r-- c:\windows\SETEF.tmp
2009-09-06 14:55 13,608 a----r-- c:\windows\SETDA.tmp
2009-09-06 14:55 1,086,182 a----r-- c:\windows\SETCB.tmp
2009-09-06 14:39 7,046 a----r-- c:\windows\SETE8.tmp
2009-09-06 14:39 13,608 a----r-- c:\windows\SETD6.tmp
2009-09-06 14:39 1,086,182 a----r-- c:\windows\SETCA.tmp
2009-09-06 14:02 7,046 a----r-- c:\windows\SETE7.tmp
2009-09-06 14:02 13,608 a----r-- c:\windows\SETD5.tmp
2009-09-06 14:02 1,086,182 a----r-- c:\windows\SETC9.tmp
2009-09-04 23:40 7,046 a----r-- c:\windows\SETE6.tmp
2009-09-04 23:40 13,608 a----r-- c:\windows\SETD4.tmp
2009-09-04 23:40 1,086,182 a----r-- c:\windows\SETC8.tmp
2009-09-04 19:05 2,457,980 a------- c:\windows\setupapi.log.1.old
2009-09-04 14:57 <DIR> --d----- c:\windows\msapps
2009-09-01 07:26 161,792 a------- c:\windows\SWREG.exe
2009-09-01 07:26 98,816 a------- c:\windows\sed.exe
2009-09-01 07:26 <DIR> --d----- C:\CimboFix
2009-08-31 21:06 <DIR> --d----- c:\program files\Sophos
2009-08-31 07:35 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 07:35 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-29 23:02 <DIR> --d----- c:\program files\common files\PC Tools
2009-08-29 23:02 <DIR> --d----- c:\program files\Spyware Doctor
2009-08-29 18:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\2222
2009-08-29 18:16 2 a------- C:\-132524183
2009-08-19 22:58 268,648 a------- c:\windows\system32\mucltui.dll
2009-08-19 22:58 208,744 a------- c:\windows\system32\muweb.dll
2009-08-19 22:58 27,496 a------- c:\windows\system32\mucltui.dll.mui

==================== Find3M ====================

2009-09-06 16:32 23,428 a------- c:\windows\system32\emptyregdb.dat
2009-09-03 22:25 230,912 a------- c:\windows\PEV.exe
2009-08-05 07:29 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-29 00:53 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 00:53 82,432 a------- c:\windows\system32\fontsub.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-26 12:18 659,456 a------- c:\windows\system32\wininet.dll
2009-06-25 04:44 724,480 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:44 298,496 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:44 168,448 a------- c:\windows\system32\schannel.dll
2009-06-25 04:44 133,632 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:44 59,392 a------- c:\windows\system32\wdigest.dll
2009-06-25 04:44 56,320 a------- c:\windows\system32\secur32.dll
2008-12-30 08:51 47,360 a------- c:\docume~1\brian\applic~1\pcouffin.sys
2007-03-22 20:01 81,920 a------- c:\docume~1\brian\applic~1\ezpinst.exe

============= FINISH: 14:10:07.01 ===============


HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:05 PM, on 9/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Visagesoft\eXPert PDF\vspdfprsrv.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [winampagent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [vspdfprsrv.exe] C:\Program Files\Visagesoft\eXPert PDF\vspdfprsrv.exe --background
O4 - HKLM\..\Run: [updatemanager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pcmservice] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [nerofiltercheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [digstream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [digservices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [adobe reader speed launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://sterling.view22.com/view22/kroom/view22RTE.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9357 bytes


#6 Farbar

Farbar
    Just Curious

  • Security Developer
  • Gender:Male
  • Location:The Netherlands

Posted 19 September 2009 - 02:33 PM

Hi bri2k,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • You seem to have run ComboFix already. I need to see the ComboFix.txt from the first run. Please copy/paste the log of the first run, located at C:\Qoobox\combofixX.txt where X is a number. Please post the log with the highest number.

  • Go to start => Run => copy/paste the following line in the run box and click OK.

    sc delete vopx

    A window will flash, it is normal.

  • Go to Tools => Internet Options => click on the Connections tab, then click on LAN Settings. The following items should be unchecked:
    • Automatically detect settings
    • Use a proxy server for your LAN
    In Firefox:

    Open Firefox. Go to Tools -> Options -> Advanced -> click on the Network tab, then click Settings.
    Select the radio button that says Auto Detect Proxy Settings for all this Network. Click Ok.

  • Please open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Make sure you have let the computer run for a while.

    Go to Start > Run, copy/paste the following line in the run box and click OK.

    cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt

    A command window opens. Wait until a log.txt file opens. Please post the content to your reply.


#7 bri2k

bri2k
  • Topic Starter
  • Members

Posted 19 September 2009 - 04:25 PM

Hello,

And thank you again.

I believe this is the combofix log you are looking for:
ComboFix 09-09-11.01 - Brian 09/11/2009 20:20.1.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.2039.1724 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\CimboPix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Occache\occache
c:\windows\system32\_003648_.tmp.dll
c:\windows\system32\_003649_.tmp.dll
c:\windows\system32\_003650_.tmp.dll
c:\windows\system32\_003651_.tmp.dll
c:\windows\system32\_003658_.tmp.dll
c:\windows\system32\_003659_.tmp.dll
c:\windows\system32\_003660_.tmp.dll
c:\windows\system32\_003661_.tmp.dll
c:\windows\system32\_003663_.tmp.dll
c:\windows\system32\_003664_.tmp.dll
c:\windows\system32\_003667_.tmp.dll
c:\windows\system32\_003668_.tmp.dll
c:\windows\system32\_003670_.tmp.dll
c:\windows\system32\_003671_.tmp.dll
c:\windows\system32\_003672_.tmp.dll
c:\windows\system32\_003674_.tmp.dll
c:\windows\system32\_003675_.tmp.dll
c:\windows\system32\_003677_.tmp.dll
c:\windows\system32\_003681_.tmp.dll
c:\windows\system32\_003682_.tmp.dll
c:\windows\system32\_003684_.tmp.dll
c:\windows\system32\_003687_.tmp.dll
c:\windows\system32\_003689_.tmp.dll
c:\windows\system32\_003690_.tmp.dll
c:\windows\system32\_003691_.tmp.dll
c:\windows\system32\_003692_.tmp.dll
c:\windows\system32\_003693_.tmp.dll
c:\windows\system32\_003696_.tmp.dll
c:\windows\system32\_003698_.tmp.dll
c:\windows\system32\_003699_.tmp.dll
c:\windows\system32\_003700_.tmp.dll
c:\windows\system32\_003704_.tmp.dll
c:\windows\system32\drivers\d31ab9b1.sys

c:\windows\system32\qmgr.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0cdb-4405-9dbf-1257bb3226ee}
-------\Service_d31ab9b1


((((((((((((((((((((((((( Files Created from 2009-08-12 to 2009-09-12 )))))))))))))))))))))))))))))))
.

2009-09-07 17:49 . 2009-09-07 17:49 -------- d-----w- c:\program files\Windows Live Safety Center
2009-09-07 01:45 . 2009-09-07 17:49 -------- d-----w- c:\windows\LastGood
2009-09-07 01:10 . 2003-07-16 20:53 189440 ----a-w- c:\windows\system32\wuaueng.dll
2009-09-07 01:10 . 2003-07-16 20:53 139776 ----a-w- c:\windows\system32\wuauclt.exe
2009-09-07 01:10 . 2003-07-16 20:25 14848 ----a-w- c:\windows\system32\cdm.dll
2009-09-07 01:09 . 2009-09-07 01:09 -------- d-s---w- c:\documents and settings\Administrator\UserData
2009-09-06 23:35 . 2003-07-16 20:24 21504 ------w- c:\windows\system32\dllcache\agtintl.dll
2009-09-06 23:34 . 2003-07-16 20:46 385024 ----a-w- c:\windows\system32\sqlsrv32.dll
2009-09-06 21:01 . 2005-01-23 14:30 163840 ----a-w- c:\windows\system32\igfxres.dll
2009-09-06 20:51 . 2001-08-18 02:36 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2009-09-06 20:50 . 2003-07-16 20:22 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2009-09-06 20:49 . 2001-08-18 02:36 2134528 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpsnap.dll
2009-09-06 20:49 . 2001-08-18 02:36 175104 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpadm.dll
2009-09-06 20:39 . 2003-03-21 19:56 24576 ----a-w- c:\windows\system32\xpsp1hfm.exe
2009-09-06 20:33 . 2003-07-16 20:48 40960 -c--a-w- c:\windows\system32\dllcache\trialoc.dll
2009-09-06 20:33 . 2003-07-16 20:30 61440 -c--a-w- c:\windows\system32\dllcache\icwres.dll
2009-09-06 20:33 . 2003-07-16 20:30 73728 -c--a-w- c:\windows\system32\dllcache\icwtutor.exe
2009-09-06 19:12 . 2009-09-06 19:12 -------- d-----w- c:\documents and settings\Default User\Application Data\DivX
2009-09-06 19:10 . 2003-07-16 20:30 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2009-09-06 19:10 . 2003-07-16 20:52 520192 -c--a-w- c:\windows\system32\dllcache\wmpvis.dll
2009-09-06 19:10 . 2003-07-16 20:52 319542 -c--a-w- c:\windows\system32\dllcache\wmmres.dll
2009-09-06 19:10 . 2003-07-16 20:52 163897 -c--a-w- c:\windows\system32\dllcache\wmmutil.dll
2009-09-06 19:10 . 2003-07-16 20:52 110648 -c--a-w- c:\windows\system32\dllcache\wmmfilt.dll
2009-09-06 19:08 . 2003-07-16 20:25 82432 -c--a-w- c:\windows\system32\dllcache\comrepl.dll
2009-09-06 19:08 . 2003-07-16 20:25 82432 ----a-w- c:\windows\system32\comrepl.dll
2009-09-06 19:04 . 2001-08-17 18:00 54272 ----a-w- c:\windows\system32\drivers\swmidi.sys
2009-09-06 19:03 . 2009-09-06 19:03 -------- d-----w- c:\documents and settings\Default User\Application Data\Malwarebytes
2009-09-04 23:08 . 2003-07-16 20:30 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2009-09-04 23:08 . 2003-07-16 20:30 13312 ----a-w- c:\windows\system32\irclass.dll
2009-09-04 23:08 . 2003-07-16 20:46 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2009-09-04 23:08 . 2003-07-16 20:46 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-09-04 18:57 . 2009-09-04 18:57 -------- d-----w- c:\windows\msapps
2009-09-02 00:23 . 2009-09-02 00:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-01 11:26 . 2009-09-06 21:02 -------- d-----w- C:\CimboFix
2009-09-01 11:20 . 2009-09-01 11:20 -------- d-----w- C:\rsit
2009-09-01 01:06 . 2009-09-01 01:06 -------- d-----w- c:\program files\Sophos
2009-08-31 11:35 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 11:35 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 03:02 . 2009-08-30 21:12 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-30 03:02 . 2009-08-30 21:11 -------- d-----w- c:\program files\Spyware Doctor
2009-08-30 01:37 . 2009-08-30 01:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
2009-08-29 22:22 . 2009-08-30 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\2222
2009-08-20 02:58 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-08-20 02:58 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-08-19 10:59 . 2009-08-19 10:59 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-06 23:21 . 2005-10-13 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream
2009-09-06 21:02 . 2005-05-01 02:11 56560 ----a-w- c:\documents and settings\Brian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-06 20:32 . 2004-08-10 18:02 23428 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-31 11:36 . 2008-12-07 18:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 21:54 . 2009-01-07 02:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-18 15:55 . 2005-07-13 00:33 -------- d-----w- c:\documents and settings\Brian\Application Data\Azureus
2009-08-18 12:53 . 2005-05-07 19:46 -------- d-----w- c:\program files\DC++
2009-08-05 11:29 . 2009-06-05 01:08 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-29 16:12 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
.

------- Sigcheck -------

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\xmlprov.dll
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\system32\xmlprov.dll

[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
[-] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2003-07-16 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winampagent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"vspdfprsrv.exe"="c:\program files\Visagesoft\eXPert PDF\vspdfprsrv.exe" [2006-05-04 998912]
"updatemanager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"pcmservice"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"nerofiltercheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-15 135168]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-03-15 53248]
"ituneshelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"intelwireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"digstream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]
"digservices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"adobe reader speed launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2003-07-16 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Apoint\\Apoint.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/4/2009 9:08 PM 108289]
S0 vopx;vopx;c:\windows\System32\drivers\nhtr.sys --> c:\windows\System32\drivers\nhtr.sys [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [6/19/2007 2:21 AM 18560]
S3 memsweep2;MEMSWEEP2;\??\c:\windows\system32\1B.tmp --> c:\windows\system32\1B.tmp [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder

2009-08-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\ip3s6ic5.default\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-istray - c:\program files\Spyware Doctor\pctsTray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 20:40
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\controlset004\Services\memsweep2]
"ImagePath"="\??\c:\windows\system32\1B.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\windows\System32\ODBC32.dll
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
c:\windows\System32\msctfime.ime
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'lsass.exe'(1044)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(236)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
c:\windows\System32\msctfime.ime
c:\windows\System32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\brss01a.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\fxssvc.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\windows\system32\WgaTray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Intel\Wireless\Bin\PfWizard.exe
.
**************************************************************************
.
Completion time: 2009-09-12 20:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-12 00:48

Pre-Run: 17,171,075,072 bytes free
Post-Run: 14,945,763,328 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
271 --- E O F --- 2009-08-27 14:19


And here is the other log from cmd you asked for:


Windows IP Configuration

Host Name . . . . . . . . . . . . : BrianLaptop
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.md.comcast.net.

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : hsd1.md.comcast.net.
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-11-43-76-7D-74
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 68.87.73.246
                                    68.87.71.230
Lease Obtained. . . . . . . . . . : Saturday, September 19, 2009 4:24:46 PM
Lease Expires . . . . . . . . . . : Sunday, September 20, 2009 4:24:46 PM

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : 00-10-C6-76-47-2F

Server: cns.manassaspr.va.dc02.comcast.net
Address: 68.87.73.246

Name: google.com
Addresses: 74.125.45.100, 74.125.67.100, 74.125.127.100

Pinging google.com [74.125.127.100] with 32 bytes of data:

Reply from 74.125.127.100: bytes=32 time=107ms TTL=47
Reply from 74.125.127.100: bytes=32 time=106ms TTL=47

Ping statistics for 74.125.127.100:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 106ms, Maximum = 107ms, Average = 106ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 11 43 76 7d 74 ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
0x10005 ...00 10 c6 76 47 2f ...... Bluetooth Device (Personal Area Network)
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.100 20
192.168.1.100 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.100 192.168.1.100 20
224.0.0.0 240.0.0.0 192.168.1.100 192.168.1.100 20
255.255.255.255 255.255.255.255 192.168.1.100 192.168.1.100 1
255.255.255.255 255.255.255.255 192.168.1.100 10005 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

#8 Farbar

Farbar
    Just Curious

  • Security Developer
  • Gender:Male
  • Location:The Netherlands

Posted 19 September 2009 - 04:55 PM

There are a number of things I see.

You had connection (via Ethernet cable?). But there is no wireless device listed.

The initial logs list Windows XP Service Pack 2 but ComboFix lists it as Service Pack 1.

You have used the Last Known Good Configuration option a couple of times to boot the computer.

There are a number of system files infected or patched.

You have reinstalled Windows; did you do a repair install?
Do you have your Windows installation CD? We need to run a scan to check the integrity of system files.
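
The observations above can be pulled out of the posted logs mechanically. What follows is an added example, not code from ComboFix, HijackThis or this thread's helper: it parses the line formats quoted in posts #6 and #7 (the R1 ProxyServer entry, ComboFix service lines, the Sigcheck section and the control-set line) and reports the same findings; the Last Known Good heuristic it applies is an assumption made here, not a ComboFix rule.

```python
"""Triage pass over the HijackThis / ComboFix log formats quoted in this thread.

Added example, not code from ComboFix, HijackThis or the thread's helper. It
extracts the observations the helper made by hand: a ProxyServer entry pointing
the browser at a loopback port, service/driver entries whose image file is
missing ("--> ... [?]"), Sigcheck "[-]" lines where two copies of one system
file differ, and a control-set line suggesting Last Known Good was used to boot.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied in the formats quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/4/2009 9:08 PM 108289]
S0 vopx;vopx;c:\windows\System32\drivers\nhtr.sys --> c:\windows\System32\drivers\nhtr.sys [?]
S3 memsweep2;MEMSWEEP2;\??\c:\windows\system32\1B.tmp --> c:\windows\system32\1B.tmp [?]
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe
[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
[-] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ip6fw.sys
Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
"""

# HijackThis "R1 - HKCU\...\Internet Settings,ProxyServer = ..." and the
# ComboFix "uInternet Settings,ProxyServer = ..." form of the same value.
PROXY_RE = re.compile(r"^(?:R1 - \S*|[um])Internet Settings,ProxyServer = (?P<value>\S+)$")
# ComboFix service lines: "<start> <name>;<display>;<image> [<stamp>]", or
# "<image> --> <image> [?]" when the file behind the entry is not on disk.
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>\w[^;]*);(?P<display>[^;]*);(?P<rest>.+)$")
# ComboFix Sigcheck lines: "[-] <date> . <md5> . <size> . . [<version>] . . <path>"
SIGCHECK_RE = re.compile(
    r"^\[-\] (?P<date>\S+) \. (?P<md5>[0-9A-Fa-f]{32}) \. (?P<size>\d+) \. \. "
    r"\[(?P<version>[^\]]+)\] \. \. (?P<path>.+)$")
CONTROLSET_RE = re.compile(r"^Current=\d+ Default=\d+ Failed=\d+ LastKnownGood=\d+ Sets=[\d,]+$")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def proxy_targets(value):
    """Yield (scheme, host, port) from a WinINet ProxyServer value such as
    'http=localhost:7171' or 'proxy.example:8080;https=127.0.0.1:9'."""
    for entry in value.split(";"):
        scheme, _, hostport = entry.rpartition("=")
        host, _, port = hostport.rpartition(":")
        yield (scheme or "all", host or hostport, port)


def parse_controlset(line):
    """Heuristic (an assumption made here, not a ComboFix rule): a non-zero Failed
    set or more than the usual two control sets means Last Known Good was used."""
    fields = dict(part.split("=", 1) for part in line.split())
    nsets = len(fields["Sets"].split(","))
    return {"current": int(fields["Current"]), "failed": int(fields["Failed"]),
            "last_known_good": int(fields["LastKnownGood"]), "sets": nsets,
            "used_last_known_good": fields["Failed"] != "0" or nsets > 2}


def triage(log_text):
    """Scan log text and collect the findings described in the module docstring."""
    findings = {"proxy": [], "missing_image": [], "orphan_entry": [],
                "sigcheck_mismatch": [], "last_known_good": None}
    copies = defaultdict(list)          # basename -> [(md5, size, version, path)]
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := PROXY_RE.match(line)):
            for scheme, host, port in proxy_targets(m["value"]):
                if host.lower() in LOOPBACK:   # browser traffic is being intercepted locally
                    findings["proxy"].append({"scheme": scheme, "host": host, "port": port})
        elif line.startswith("O") and line.endswith("(no file)"):
            findings["orphan_entry"].append(line)   # HijackThis entry with no file behind it
        elif (m := SERVICE_RE.match(line)):
            if m["rest"].endswith("[?]"):
                image = m["rest"].split(" --> ")[0].strip()
                findings["missing_image"].append({"start": m["start"], "name": m["name"], "image": image})
        elif (m := SIGCHECK_RE.match(line)):
            name = m["path"].rsplit("\\", 1)[-1].lower()
            copies[name].append((m["md5"].upper(), int(m["size"]), m["version"], m["path"]))
        elif CONTROLSET_RE.match(line):
            findings["last_known_good"] = parse_controlset(line)
    # Two copies of one file with a different hash or size: at least one is not
    # the file the other claims to be; which one is wrong is for the analyst.
    for name, seen in sorted(copies.items()):
        if len({(md5, size) for md5, size, _, _ in seen}) > 1:
            findings["sigcheck_mismatch"].append({"file": name, "copies": seen})
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```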

#9 bri2k

bri2k
  • Topic Starter
  • Members

Posted 19 September 2009 - 07:04 PM

Here are the answers to your questions.

There are a number of things I see.

You had connection (via Ethernet cable?). But there is no wireless device listed. I disabled the wireless connection because I hardwired it in. I couldn't get the wireless to connect to mine.

The initial logs list Windows XP Service Pack 2 but ComboFix list it as Service Pack 1. Since I ran combo fix, I had updated the computer to SP2.

You have used Last Known Good configuration option a couple of times to boot the computer. I tried using that, but it never worked. I finally reinstalled the OS.

There are a number of system files infected or patched.

You have reinstalled Windows, did you do a repair install? I did not do a repair, I did a reinstall.
Do you have your Windows installation CD, we need to run a scan to check the integrity of system files. I don't have the disk on me, but I can get it. It comes with SP1.

You say there are a number of things infected, with the current configuration, can we get rid of the items? When I was reinstalling the OS, combofix kept running and I would have to shut it down because each time it did, it started the install over.

Thanks again.
Brian

#10 Farbar

Farbar
    Just Curious

  • Security Developer
  • Gender:Male
  • Location:The Netherlands

Posted 19 September 2009 - 07:19 PM

Thanks for the detailed feedback. It makes sense now.

The only thing I don't understand though is that your laptop is getting wireless connection in other places.

You say there are a number of things infected, with the current configuration, can we get rid of the items? When I was reinstalling the OS, combofix kept running and I would have to shut it down because each time it did, it started the install over.

I think it is where it went wrong. Updating, installing and running ComboFix at the same time.

You say there are a number of things infected, with the current configuration, can we get rid of the items?

They are system files and we can't get rid of them. They are corrupted, not fully installed and we have to replace them with a good copy. We need to use Windows installation CD to scan and replace those files. Another option is to uninstall SP2 and reinstall it, but it might go wrong as long as those system files are not checked and replaced.

#11 bri2k

bri2k
  • Topic Starter
  • Members

Posted 20 September 2009 - 06:23 AM

If I get the install CD, what do you recommend I do? Boot from disk and then do a repair this time? Will that reinstall SP1?

Thanks again so much for your help.
Brian

#12 Farbar

Farbar
    Just Curious

  • Security Developer
  • Gender:Male
  • Location:The Netherlands

Posted 20 September 2009 - 09:18 AM

We don't want to install Windows.

Let's take a look at the latest ComboFix log before trying anything.

Delete your copy of ComboFix and download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#13 bri2k

bri2k
  • Topic Starter
  • Members

Posted 20 September 2009 - 12:05 PM

Here is the first half of the log. I keep getting an error (message too long).

Pt. 1

ComboFix 09-09-18.02 - Brian 09/20/2009 12:34.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1505 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-18 18:16 . 2009-09-19 20:34 -------- d-----w- C:\HJT
2009-09-15 00:45 . 2009-06-25 08:44 59392 -c----w- c:\windows\system32\dllcache\wdigest.dll
2009-09-15 00:45 . 2009-06-25 08:44 133632 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-15 00:45 . 2009-06-25 08:44 298496 -c----w- c:\windows\system32\dllcache\kerberos.dll
2009-09-15 00:45 . 2009-06-22 11:34 92544 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2009-09-13 07:10 . 2009-06-12 11:50 76288 -c----w- c:\windows\system32\dllcache\telnet.exe
2009-09-13 07:10 . 2009-06-10 06:32 132096 -c----w- c:\windows\system32\dllcache\wkssvc.dll
2009-09-13 07:10 . 2009-06-10 14:21 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
2009-09-13 07:10 . 2009-07-17 18:55 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2009-09-13 07:10 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-09-13 07:06 . 2009-09-13 07:06 -------- d-----w- c:\program files\MSXML 6.0
2009-09-12 18:00 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-09-12 18:00 . 2008-04-11 18:50 683520 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-09-12 18:00 . 2008-10-03 10:15 247326 -c----w- c:\windows\system32\dllcache\strmdll.dll
2009-09-12 18:00 . 2008-10-15 16:57 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-09-12 17:59 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-09-12 16:04 . 2004-08-04 07:56 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2009-09-12 16:04 . 2004-08-04 07:56 8192 ----a-w- c:\windows\system32\wshirda.dll
2009-09-12 16:04 . 2004-08-04 07:56 27136 -c--a-w- c:\windows\system32\dllcache\irmon.dll
2009-09-12 16:04 . 2004-08-04 07:56 27136 ----a-w- c:\windows\system32\irmon.dll
2009-09-12 16:04 . 2004-08-04 07:56 152576 -c--a-w- c:\windows\system32\dllcache\irftp.exe
2009-09-12 16:04 . 2004-08-04 07:56 152576 ----a-w- c:\windows\system32\irftp.exe
2009-09-12 16:03 . 2009-07-13 14:08 286720 -c----w- c:\windows\system32\dllcache\wmpdxm.dll
2009-09-12 16:03 . 2009-07-13 14:08 5537792 -c----w- c:\windows\system32\dllcache\wmp.dll
2009-09-12 16:03 . 2009-07-10 13:42 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-09-12 16:03 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-09-12 13:45 . 2009-09-12 13:53 -------- d-----w- c:\windows\system32\wbem\Repository.001
2009-09-12 13:43 . 2009-09-12 16:24 -------- d-----w- c:\windows\ServicePackFiles
2009-09-12 13:30 . 2004-08-04 02:29 25471 ------w- c:\windows\system32\drivers\watv10nt.sys
2009-09-12 13:30 . 2004-08-04 02:29 22271 ------w- c:\windows\system32\drivers\watv06nt.sys
2009-09-12 13:30 . 2004-08-04 02:29 11935 ------w- c:\windows\system32\drivers\wadv11nt.sys
2009-09-12 13:30 . 2004-08-04 02:29 11871 ------w- c:\windows\system32\drivers\wadv09nt.sys
2009-09-12 13:30 . 2004-08-04 02:29 11807 ------w- c:\windows\system32\drivers\wadv07nt.sys
2009-09-12 13:30 . 2004-08-04 02:29 11295 ------w- c:\windows\system32\drivers\wadv08nt.sys
2009-09-12 13:28 . 2004-08-04 02:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2009-09-12 01:37 . 2009-09-12 01:37 -------- d-----w- c:\documents and settings\TEMP.BRIANLAPTOP.003\Application Data\Intel
2009-09-12 01:37 . 2009-09-12 01:37 -------- d-----w- c:\documents and settings\TEMP.BRIANLAPTOP.002\Application Data\Intel
2009-09-12 01:37 . 2009-09-12 01:37 -------- d-----w- c:\documents and settings\TEMP.BRIANLAPTOP.001\Application Data\Intel
2009-09-12 01:37 . 2009-09-12 01:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2009-09-12 01:37 . 2009-09-12 01:37 21425 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-09-12 01:36 . 2007-02-12 15:41 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
2009-09-12 01:36 . 2007-02-12 15:40 557056 ----a-w- c:\windows\system32\Netw2c32.dll
2009-09-12 01:36 . 2007-02-08 17:51 2209408 ----a-w- c:\windows\system32\drivers\w29n51.sys
2009-09-12 01:35 . 2009-09-12 01:35 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-09-12 01:35 . 2009-09-12 01:35 -------- d-----w- c:\documents and settings\Default User\Application Data\Intel
2009-09-12 01:35 . 2009-09-12 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-09-12 01:35 . 2009-09-12 01:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
2009-09-12 01:34 . 2009-09-12 01:34 -------- d-----w- c:\documents and settings\Brian\Application Data\Intel
2009-09-12 00:58 . 2009-09-12 00:58 -------- d-----w- c:\windows\system32\bits
2009-09-12 00:55 . 2008-12-16 12:47 351232 ----a-w- c:\windows\system32\winhttp.dll
2009-09-12 00:55 . 2004-08-04 07:56 18944 ----a-w- c:\windows\system32\qmgrprxy.dll
2009-09-07 17:49 . 2009-09-07 17:49 -------- d-----w- c:\program files\Windows Live Safety Center
2009-09-07 01:10 . 2008-10-16 18:13 1809944 -c--a-w- c:\windows\system32\dllcache\wuaueng.dll
2009-09-07 01:10 . 2008-10-16 18:13 1809944 ----a-w- c:\windows\system32\wuaueng.dll
2009-09-07 01:10 . 2008-10-16 18:09 92696 -c--a-w- c:\windows\system32\dllcache\cdm.dll
2009-09-07 01:10 . 2008-10-16 18:09 92696 ----a-w- c:\windows\system32\cdm.dll
2009-09-07 01:10 . 2008-10-16 18:09 51224 -c--a-w- c:\windows\system32\dllcache\wuauclt.exe
2009-09-07 01:10 . 2008-10-16 18:09 51224 ----a-w- c:\windows\system32\wuauclt.exe
2009-09-07 01:09 . 2009-09-07 01:09 -------- d-s---w- c:\documents and settings\Administrator\UserData
2009-09-06 23:35 . 2004-08-04 05:31 198656 -c--a-w- c:\windows\system32\dllcache\cintime.dll
2009-09-06 23:34 . 2004-08-04 10:00 306176 ----a-w- c:\windows\system32\slbcsp.dll
2009-09-06 21:01 . 2005-01-23 14:30 163840 ----a-w- c:\windows\system32\igfxres.dll
2009-09-06 20:51 . 2001-08-18 02:36 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2009-09-06 20:50 . 2003-07-16 20:22 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2009-09-06 20:49 . 2001-08-18 02:36 2134528 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpsnap.dll
2009-09-06 20:49 . 2001-08-18 02:36 175104 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpadm.dll
2009-09-06 20:39 . 2003-03-21 19:56 24576 ----a-w- c:\windows\system32\xpsp1hfm.exe
2009-09-06 20:33 . 2003-07-16 20:48 40960 -c--a-w- c:\windows\system32\dllcache\trialoc.dll
2009-09-06 20:33 . 2003-07-16 20:30 61440 -c--a-w- c:\windows\system32\dllcache\icwres.dll
2009-09-06 20:33 . 2003-07-16 20:30 73728 -c--a-w- c:\windows\system32\dllcache\icwtutor.exe
2009-09-06 19:12 . 2009-09-06 19:12 -------- d-----w- c:\documents and settings\Default User\Application Data\DivX
2009-09-06 19:10 . 2003-07-16 20:30 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2009-09-06 19:10 . 2003-07-16 20:52 520192 -c--a-w- c:\windows\system32\dllcache\wmpvis.dll
2009-09-06 19:10 . 2003-07-16 20:52 319542 -c--a-w- c:\windows\system32\dllcache\wmmres.dll
2009-09-06 19:10 . 2003-07-16 20:52 163897 -c--a-w- c:\windows\system32\dllcache\wmmutil.dll
2009-09-06 19:10 . 2003-07-16 20:52 110648 -c--a-w- c:\windows\system32\dllcache\wmmfilt.dll
2009-09-06 19:08 . 2003-07-16 20:25 82432 -c--a-w- c:\windows\system32\dllcache\comrepl.dll
2009-09-06 19:08 . 2003-07-16 20:25 82432 ----a-w- c:\windows\system32\comrepl.dll
2009-09-06 19:04 . 2001-08-17 18:00 54272 ----a-w- c:\windows\system32\drivers\swmidi.sys
2009-09-06 19:03 . 2009-09-06 19:03 -------- d-----w- c:\documents and settings\Default User\Application Data\Malwarebytes
2009-09-04 23:08 . 2003-07-16 20:30 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2009-09-04 23:08 . 2003-07-16 20:30 13312 ----a-w- c:\windows\system32\irclass.dll
2009-09-04 23:08 . 2003-07-16 20:46 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2009-09-04 23:08 . 2003-07-16 20:46 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-09-04 18:57 . 2009-09-04 18:57 -------- d-----w- c:\windows\msapps
2009-09-02 00:23 . 2009-09-02 00:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-01 11:26 . 2009-09-06 21:02 -------- d-----w- C:\CimboFix
2009-09-01 11:20 . 2009-09-01 11:20 -------- d-----w- C:\rsit
2009-09-01 01:06 . 2009-09-01 01:06 -------- d-----w- c:\program files\Sophos
2009-08-31 11:35 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 11:35 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 03:02 . 2009-08-30 21:12 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-30 03:02 . 2009-08-30 21:11 -------- d-----w- c:\program files\Spyware Doctor
2009-08-29 22:22 . 2009-08-30 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\2222

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 10:57 . 2005-10-13 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream
2009-09-13 07:16 . 2009-08-19 10:59 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-06 21:02 . 2005-05-01 02:11 56560 ----a-w- c:\documents and settings\Brian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-06 20:32 . 2004-08-10 18:02 23428 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-31 11:36 . 2008-12-07 18:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 21:54 . 2009-01-07 02:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-18 15:55 . 2005-07-13 00:33 -------- d-----w- c:\documents and settings\Brian\Application Data\Azureus
2009-08-18 12:53 . 2005-05-07 19:46 -------- d-----w- c:\program files\DC++
2009-08-05 11:29 . 2009-06-05 01:08 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:11 . 2009-09-06 23:35 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:53 . 2009-09-06 23:34 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2003-07-16 20:28 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 18:55 . 2009-09-06 23:35 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2005-04-18 04:39 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-26 16:18 . 2006-06-23 15:33 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:44 . 2009-09-06 23:35 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2009-09-06 23:35 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2009-09-06 23:34 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2009-09-06 23:34 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2009-09-06 23:34 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 2009-09-06 23:34 168448 ----a-w- c:\windows\system32\schannel.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-12_00.40.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-12 13:28 . 2004-08-04 04:57 54784 c:\windows\WinSxS

Edited by farbar, 20 September 2009 - 04:47 PM.


#14 bri2k

  • Topic Starter
  • Members
  • 36 posts

Posted 20 September 2009 - 12:08 PM

Pt 2 of ComboFix log:

+ 2009-09-13 07:04 . 2009-09-13 07:04 15709696 c:\windows\Installer\324735a.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winampagent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"vspdfprsrv.exe"="c:\program files\Visagesoft\eXPert PDF\vspdfprsrv.exe" [2006-05-04 998912]
"updatemanager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"pcmservice"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"nerofiltercheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"ituneshelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"digstream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]
"digservices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"adobe reader speed launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Apoint\\Apoint.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/4/2009 9:08 PM 108289]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [6/19/2007 2:21 AM 18560]
S3 memsweep2;MEMSWEEP2;\??\c:\windows\system32\1B.tmp --> c:\windows\system32\1B.tmp [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\ip3s6ic5.default\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-20 12:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\controlset004\Services\memsweep2]
"ImagePath"="\??\c:\windows\system32\1B.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(172)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-20 12:43
ComboFix-quarantined-files.txt 2009-09-20 16:43
ComboFix2.txt 2009-09-12 00:49

Pre-Run: 11,362,881,536 bytes free
Post-Run: 11,396,444,160 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=6 Sets=1,2,3,4,6
3331 --- E O F --- 2009-09-15 01:43

Edited by farbar, 20 September 2009 - 12:49 PM.
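To make the kind of review done on the log above repeatable, here is an added example (not code from this thread, from ComboFix or from its author) that parses the "Reg Loading Points" style lines of a ComboFix log and flags the entries a helper checks first: Security Center override flags, a disabled firewall profile, and autostart or service entries pointing at temporary files. The sample log is constructed to mirror the format posted above; the `updater` entry is invented for illustration.

```python
"""Flag security-weakening entries in a ComboFix log (added example, not ComboFix code)."""
import re

# Constructed sample that mirrors the format of the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"updater"="c:\documents and settings\Brian\Local Settings\Temp\upd.exe" [2009-09-01 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/4/2009 9:08 PM 108289]
S3 memsweep2;MEMSWEEP2;\??\c:\windows\system32\1B.tmp --> c:\windows\system32\1B.tmp [?]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                # [HKLM\...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"=value
SERVICE_RE = re.compile(                          # R2 name;display;image [stamp]
    r"^([RS]\d)\s+([^;]+);[^;]*;(\S.*?)(?:\s+-->.*)?\s+\[(.*)\]$")


def _number(text):
    """Parse 'dword:00000001' or '0 (0x0)' into an int; None if neither."""
    m = re.match(r"dword:([0-9a-f]+)", text, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"\s*(\d+)", text)
    return int(m.group(1)) if m else None


def find_issues(log_text):
    """Return (line, reason) pairs for entries a reviewer should look at first."""
    findings, key = [], ""
    for line in log_text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()  # remember the registry key the next values belong to
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1).lower(), m.group(2)
            if "security center" in key and _number(value) == 1 and (
                    name.endswith("override") or name == "disablemonitoring"):
                findings.append((line, "Security Center override flag is set"))
            elif "firewallpolicy" in key and name == "enablefirewall" and _number(value) == 0:
                findings.append((line, "Windows Firewall profile is disabled"))
            elif key.endswith("\\run") or key.endswith("\\runonce"):
                # Path is the quoted part of the value, e.g. "c:\...\foo.exe" [date size]
                path = value.split('"')[1].lower() if value.startswith('"') else value.lower()
                if "\\temp\\" in path or path.endswith(".tmp"):
                    findings.append((line, "autostart entry runs from a temporary location"))
            continue
        m = SERVICE_RE.match(line)
        if m and (m.group(3).lower().endswith(".tmp") or m.group(4) == "?"):
            findings.append((line, "service image is a .tmp file or has no file details"))
    return findings
```

Call `find_issues()` on the text of a saved ComboFix.txt; a .tmp service image like the memsweep2 entry is a prompt to identify which product installed it (some anti-rootkit scanners load their driver this way), not a verdict on its own.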


#15 Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 20 September 2009 - 05:30 PM

Hi bri2k,

It seems updating to SP2 has done the trick and there is no patched system file any more.

I have some connection problems (due to my ISP). I edited the post to make it easier to review. The next time we run ComboFix we don't need the following section and you may remove that section. But we need the sections before and after that:

((((((((((((((((((((((((((((( SnapShot@2009-09-12_00.40.50 )))))))))))))))))))))))))))))))))))))))))

  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    FixCSet::

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



  • To check if all devices are working properly, enable your wireless connection.
    • Go to start > right-click My computer and select Properties.
    • Under Hardware tab select Device Manager.
    • Expand Network Adapters.
    • Note the device name or names listed.
    • Check if there is any ? or ! sign next to the listed devices. If yes tell me about that and:
      • Double-click on the listed device with ? or !
      • Under General tab note the writing in the Device Status section and post it to your reply.
    • If you expand Network Adapters and there is no ? or ! sign:
      • Double-click on the listed device(s).
      • Under General tab note the writing in the Device Status section and post it to your reply.
  • Tell me if you have a secured wireless network. When you open the wireless icon on the status bar and select to list the available connections, is your wireless connection listed?
