I have a Hijack Virus, please help


This topic is locked
14 replies to this topic

#1 pcrich

Posted 24 January 2010 - 07:35 PM

I have a Hijack virus and purchased Spyware Doctor to get rid of it. No luck. I hope you can help me.

Here are my files.

Thanks,
pcrich


DDS (Ver_09-12-01.01) - NTFSx86
Run by Steve at 14:01:17.43 on Sun 01/24/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - No File
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p7 /q c:\docume~1\steve\locals~1\temp\tempor~1\content.sh! c:\docume~1\steve\locals~1\temp\tempor~1.sh! c:\docume~1\steve\locals~1\temp\history\history.sh! c:\docume~1\steve\locals~1\temp\history.sh! c:\docume~1\steve\locals~1\temp\cookies.sh! c:\docume~1\steve\locals~1\temp\HSPERF~1.SH!
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [@BackupScheduler] c:\program files\online backup\OnlineBackup.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [RDFNSListener] c:\program files\regdefense\RDFNSListener.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RDFNSAgent] c:\program files\regdefense\RDFNSAgent.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program files\yahoo!\common\ylogin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\nzy85uhw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT206422&SearchSource=2&q=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-01-22 23:20:11 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-21 22:41:53 882 ----a-w- c:\windows\RegSDImport.xml
2010-01-21 22:41:53 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-21 22:41:52 880 ----a-w- c:\windows\RegISSImport.xml
2010-01-21 22:41:52 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-21 22:41:52 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-01-21 22:41:52 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-21 22:41:52 131 ----a-w- c:\windows\IDB.zip
2010-01-21 22:41:52 1152444 ----a-w- c:\windows\UDB.zip
2010-01-21 22:32:32 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-01-21 22:32:32 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-21 22:31:56 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-21 22:31:56 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-01-21 22:31:56 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-01-21 22:31:56 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-21 22:31:30 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-01-21 22:31:30 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-01-21 22:31:13 0 d-----w- c:\program files\Spyware Doctor
2010-01-21 22:31:13 0 d-----w- c:\program files\common files\PC Tools
2010-01-21 22:31:13 0 d-----w- c:\docume~1\steve\applic~1\PC Tools
2010-01-21 22:31:13 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-01-19 00:11:16 0 d-----w- c:\docume~1\steve\applic~1\Canneverbe_Limited
2010-01-19 00:11:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Canneverbe Limited
2010-01-19 00:11:12 0 d-----w- c:\program files\Malwarebytes'Anti-Malware
2010-01-17 16:42:48 0 d-----w- c:\program files\Trend Micro
2010-01-17 13:15:30 0 d--h--w- C:\$AVG
2010-01-17 13:12:29 0 d-----w- c:\program files\AVG
2010-01-17 13:12:16 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-01-16 21:07:36 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-01-16 13:49:49 0 d-----w- c:\docume~1\steve\applic~1\Malwarebytes
2010-01-16 13:49:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-16 13:49:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-16 13:49:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-16 13:49:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-16 12:33:34 0 ----a-w- c:\windows\system32\6334.exe
2010-01-16 12:13:34 0 ----a-w- c:\windows\system32\18467.exe
2010-01-16 04:22:24 0 d-----w- C:\spoolerlogs
2010-01-15 21:03:38 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-01-15 16:56:44 320 ----a-w- c:\documents and settings\steve\batchrem.job
2010-01-15 15:44:11 0 d-----w- c:\program files\Enigma Software Group
2010-01-15 15:12:40 1 ----a-w- C:\s
2010-01-15 14:43:27 0 d-----w- c:\docume~1\steve\applic~1\McAfee
2010-01-12 19:51:16 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-01 13:43:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-31 20:50:21 0 d-----w- c:\program files\RegDefense
2009-12-28 15:03:02 0 d-----w- c:\program files\MSECache

==================== Find3M ====================

2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:21:05 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-12-22 05:21:03 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-12-22 05:21:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-12-22 05:21:00 3071488 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-12-22 05:20:58 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-22 05:20:58 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-11-08 22:36:19 67000 -c--a-w- c:\docume~1\steve\applic~1\GDIPFONTCACHEV1.DAT
2009-07-20 23:45:21 60857536 ----a-w- c:\program files\Ad-AwareAE.exe
2009-05-27 22:15:50 2060976 ----a-w- c:\program files\RegDefense.exe
2009-05-09 15:58:05 10695790 ----a-w- c:\program files\InstallCyberDefenderEDC-252072.exe
2009-05-07 21:28:52 21878064 ----a-w- c:\program files\QuickTimeInstaller.exe
2009-04-20 19:27:06 434832 ----a-w- c:\program files\switchsetup.exe
2009-04-20 19:07:54 20212408 ----a-w- c:\program files\setup_blazemp.exe
2009-04-20 18:42:18 3892161 ----a-w- c:\program files\wav_mp3_converter.exe
2009-04-20 18:30:42 1760088 ----a-w- c:\program files\mp3converter_simple.exe
2008-12-01 22:28:11 6276 -c--a-w- c:\program files\swmipl32_win_pad.xml
2008-12-01 22:28:11 5472 -c--a-w- c:\program files\History.txt
2008-12-01 22:28:11 276327 -c--a-w- c:\program files\setup_swmipl32.exe
2008-12-01 22:28:11 2348 -c--a-w- c:\program files\Readme.txt
2008-12-01 22:28:11 1275 -c--a-w- c:\program files\Order.txt
2008-12-01 22:28:10 444 -c--a-w- c:\program files\File_id.diz
2007-03-11 20:41:28 81920 -c--a-w- c:\program files\Calendar Creator 7.mdb
2006-01-09 23:13:34 87552 -c--a-w- c:\program files\filedtripbrochure.pub
2005-12-29 23:06:22 359112 -c--a-w- c:\program files\LimeWireWin.exe
2003-08-27 19:19:18 36963 -c----w- c:\program files\common files\SM1updtr.dll

============= FINISH: 14:04:21.43 ===============

Attached Files
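Added example, not code from the thread, from BleepingComputer or from the DDS tool: a small Python triage script that parses the sections of a DDS log like the one above and lists the entries an analyst would look at first. It flags search or keyword settings that point somewhere other than the engine the user chose (the Firefox keyword.URL line above points at search.conduit.com while every other search setting points at google.com), BHO/toolbar CLSIDs registered with "No File" behind them, and recently created executables that are zero bytes long or carry an all-digit name (6334.exe and 18467.exe in system32 above). The embedded sample is an excerpt of the log posted above; the allow-list of expected search hosts, the category names and the heuristics themselves are assumptions, and every hit is a review candidate, not a verdict.

```python
"""Triage a DDS log: pull out the entries an analyst would look at first.
Heuristics only; every hit is a review candidate, not a verdict."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: the search engine the user chose deliberately. Anything else
# sitting behind a search/keyword setting is worth a look.
EXPECTED_SEARCH_HOSTS = {"www.google.com"}

EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".cpl")

# Constructed sample: an excerpt of the DDS log posted in this thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uSearch Page = hxxp://www.google.com
BHO: {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - No File
TB: {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - No File
mPolicies-system: EnableLUA = 0 (0x0)
================= FIREFOX ===================
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT206422&SearchSource=2&q=
=============== Created Last 30 ================
2010-01-16 13:49:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-16 12:33:34 0 ----a-w- c:\windows\system32\6334.exe
2010-01-16 12:13:34 0 ----a-w- c:\windows\system32\18467.exe
2010-01-15 15:12:40 1 ----a-w- C:\s
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S{8})\s+(.+)$")
URL_RE = re.compile(r"h(?:xx|tt)ps?://\S+", re.IGNORECASE)  # DDS defangs http as hxxp
ORPHAN_PREFIXES = ("BHO", "TB", "EB", "SEH", "uURLSearchHooks")


@dataclass(frozen=True)
class Finding:
    category: str
    line: str
    reason: str


def split_sections(text):
    """Map each '==== Name ====' header (upper-cased) to its non-blank lines."""
    sections, current = {}, "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def check_search_settings(lines):
    """Any search/keyword setting whose host is not one the user chose."""
    out = []
    for line in lines:
        low = line.lower()
        if "search" not in low and "keyword.url" not in low:
            continue
        for url in URL_RE.findall(line):
            host = urlparse(re.sub(r"^hxxp", "http", url, flags=re.I)).hostname
            if host and host not in EXPECTED_SEARCH_HOSTS:
                out.append(Finding("search-hijack-candidate", line,
                                   f"search setting points at {host}"))
    return out


def check_orphans(lines):
    """CLSIDs still registered although their DLL is gone: cleanup candidates."""
    return [Finding("orphaned-registration", line, "registered object has no file on disk")
            for line in lines
            if line.split(":", 1)[0] in ORPHAN_PREFIXES and line.endswith("- No File")]


def check_created_files(lines):
    """Executables that are empty or carry an all-digit name (a common dropper habit)."""
    out = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        size, path = int(m.group(2)), m.group(4)
        name = path.rsplit("\\", 1)[-1].lower()
        if not name.endswith(EXEC_SUFFIXES):
            continue
        reasons = []
        if size == 0:
            reasons.append("zero-byte executable")
        if name.rpartition(".")[0].isdigit():
            reasons.append("all-digit file name")
        if reasons:
            out.append(Finding("dropped-file-candidate", line, "; ".join(reasons)))
    return out


def triage(text):
    s = split_sections(text)
    hjt, ff = s.get("PSEUDO HJT REPORT", []), s.get("FIREFOX", [])
    return (check_search_settings(hjt + ff)
            + check_orphans(hjt)
            + check_created_files(s.get("CREATED LAST 30", [])))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.reason}\n    {f.line}")
```

Run it against a full DDS.txt by passing the file contents to `triage()`. The "No File" entries are only stale registrations and are routinely left behind by uninstallers, so they rank below the other two categories; the search-setting check is the one that matches the symptom reported in this thread, and it is deliberately limited to keys that name a search or keyword URL so that an OEM home page such as dell4me.com is not reported alongside a redirect.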



#2 extremeboy

  • Malware Response Team
Posted 30 January 2010 - 05:32 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding.

Do you still require help?

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS and RootRepeal. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].

#3 pcrich

Posted 30 January 2010 - 05:56 PM

Thanks Extremeboy, yes I still have my Google search engine hijacked ~80% of the time. I will provide the DDS logs but I'm not sure what the RootRepeal log is (or how to obtain it).

Thanks again,
pcrich

#4 extremeboy

  • Malware Response Team
Posted 30 January 2010 - 06:08 PM

Hello.

Did you read my previous instructions? It says refer to the following page: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/



#5 pcrich

Posted 31 January 2010 - 02:33 PM

Extremeboy,

Sorry about that. Here are my logs.

Thanks much,
pcrich


DDS (Ver_09-12-01.01) - NTFSx86
Run by Steve at 13:26:13.73 on Sun 01/31/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - No File
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p7 /q c:\docume~1\steve\locals~1\temp\tempor~1\content.sh! c:\docume~1\steve\locals~1\temp\tempor~1.sh! c:\docume~1\steve\locals~1\temp\history\history.sh! c:\docume~1\steve\locals~1\temp\history.sh! c:\docume~1\steve\locals~1\temp\cookies.sh! c:\docume~1\steve\locals~1\temp\HSPERF~1.SH!
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [@BackupScheduler] c:\program files\online backup\OnlineBackup.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [RDFNSListener] c:\program files\regdefense\RDFNSListener.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RDFNSAgent] c:\program files\regdefense\RDFNSAgent.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program files\yahoo!\common\ylogin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\nzy85uhw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT206422&SearchSource=2&q=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-01-30 17:10:49 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-01-30 17:10:49 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-01-30 17:10:49 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-01-30 17:10:49 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-01-30 17:10:49 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-01-30 14:06:46 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-01-30 13:59:10 0 d-----w- c:\windows\ERUNT
2010-01-30 13:44:11 0 d-----w- C:\SDFix
2010-01-28 00:02:29 62556 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-27 03:09:27 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-01-27 03:01:46 0 d-----w- c:\program files\iTunes
2010-01-27 02:10:13 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-27 02:05:26 0 d-----w- c:\program files\Bonjour
2010-01-22 23:20:11 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-21 22:41:53 883 ----a-w- c:\windows\RegSDImport.xml
2010-01-21 22:41:53 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-21 22:41:52 880 ----a-w- c:\windows\RegISSImport.xml
2010-01-21 22:41:52 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-21 22:41:52 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-01-21 22:41:52 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-21 22:41:52 131 ----a-w- c:\windows\IDB.zip
2010-01-21 22:41:52 1152444 ----a-w- c:\windows\UDB.zip
2010-01-21 22:32:32 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-01-21 22:32:32 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-21 22:31:56 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-21 22:31:56 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-01-21 22:31:56 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-01-21 22:31:56 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-21 22:31:30 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-01-21 22:31:30 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-01-21 22:31:13 0 d-----w- c:\program files\Spyware Doctor
2010-01-21 22:31:13 0 d-----w- c:\program files\common files\PC Tools
2010-01-21 22:31:13 0 d-----w- c:\docume~1\steve\applic~1\PC Tools
2010-01-21 22:31:13 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-01-19 00:11:16 0 d-----w- c:\docume~1\steve\applic~1\Canneverbe_Limited
2010-01-19 00:11:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Canneverbe Limited
2010-01-19 00:11:12 0 d-----w- c:\program files\Malwarebytes'Anti-Malware
2010-01-17 16:42:48 0 d-----w- c:\program files\Trend Micro
2010-01-17 13:15:30 0 d--h--w- C:\$AVG
2010-01-17 13:12:29 0 d-----w- c:\program files\AVG
2010-01-17 13:12:16 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-01-16 21:07:36 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-01-16 13:49:49 0 d-----w- c:\docume~1\steve\applic~1\Malwarebytes
2010-01-16 13:49:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-16 13:49:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-16 13:49:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-16 13:49:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-16 04:22:24 0 d-----w- C:\spoolerlogs
2010-01-15 21:03:38 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-01-15 16:56:44 320 ----a-w- c:\documents and settings\steve\batchrem.job
2010-01-15 15:44:11 0 d-----w- c:\program files\Enigma Software Group
2010-01-15 15:12:40 1 ----a-w- C:\s
2010-01-15 14:43:27 0 d-----w- c:\docume~1\steve\applic~1\McAfee
2010-01-12 19:51:16 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:21:05 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-12-22 05:21:03 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-12-22 05:21:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-12-22 05:21:00 3071488 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-12-22 05:20:58 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-22 05:20:58 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-11-08 22:36:19 67000 -c--a-w- c:\docume~1\steve\applic~1\GDIPFONTCACHEV1.DAT
2009-07-20 23:45:21 60857536 ----a-w- c:\program files\Ad-AwareAE.exe
2009-05-27 22:15:50 2060976 ----a-w- c:\program files\RegDefense.exe
2009-05-09 15:58:05 10695790 ----a-w- c:\program files\InstallCyberDefenderEDC-252072.exe
2009-05-07 21:28:52 21878064 ----a-w- c:\program files\QuickTimeInstaller.exe
2009-04-20 19:27:06 434832 ----a-w- c:\program files\switchsetup.exe
2009-04-20 19:07:54 20212408 ----a-w- c:\program files\setup_blazemp.exe
2009-04-20 18:42:18 3892161 ----a-w- c:\program files\wav_mp3_converter.exe
2009-04-20 18:30:42 1760088 ----a-w- c:\program files\mp3converter_simple.exe
2008-12-01 22:28:11 6276 -c--a-w- c:\program files\swmipl32_win_pad.xml
2008-12-01 22:28:11 5472 -c--a-w- c:\program files\History.txt
2008-12-01 22:28:11 276327 -c--a-w- c:\program files\setup_swmipl32.exe
2008-12-01 22:28:11 2348 -c--a-w- c:\program files\Readme.txt
2008-12-01 22:28:11 1275 -c--a-w- c:\program files\Order.txt
2008-12-01 22:28:10 444 -c--a-w- c:\program files\File_id.diz
2007-03-11 20:41:28 81920 -c--a-w- c:\program files\Calendar Creator 7.mdb
2006-01-09 23:13:34 87552 -c--a-w- c:\program files\filedtripbrochure.pub
2005-12-29 23:06:22 359112 -c--a-w- c:\program files\LimeWireWin.exe
2003-08-27 19:19:18 36963 -c----w- c:\program files\common files\SM1updtr.dll

============= FINISH: 13:29:17.48 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)


==== Disk Partitions =========================


==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

3D Home Architect® Deluxe 3.0
3D Home Design Suite
3D Home™ Interiors Deluxe 2.0
Adobe Flash Player 10 Plugin
Adobe Reader 7.1.0
AnswerWorks 5.0 English Runtime
AOL Security Toolbar
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Camera Suite
ArcSoft PhotoStudio 5.5
Audio MP3 Sound Recorder
Bonjour
Browser Defender 2.0.6.11
Cakewalk Home Studio 8.0
Calendar Creator 7.0 Deluxe
Camera Window
Canon Camera Window for ZoomBrowser EX
Canon Digital Camera USB WIA Driver
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 1.0
Canon MP970 series
Canon MP970 series User Registration
Canon My Printer
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Easy-PhotoPrint EX
Canon Utilities PhotoStitch 3.1
Canon Utilities RAW Image Converter
Canon Utilities RemoteCapture 2.1
Canon Utilities Solution Menu
Canon Utilities ZoomBrowser EX
CD-DA X-Tractor v0.20
CDBurnerXP
CDBurnerXP Pro 3
Compatibility Pack for the 2007 Office system
Cool Edit Pro
Critical Update for Windows Media Player 11 (KB959772)
Cypress USB Mass Storage Driver Installation
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Picture Studio v3.0
DFX for MUSICMATCH
Digital Line Detect
DVD-MovieAlbumSE 3
DVD-RAM Driver
EarthLink setup files
EPSON Printer Software
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HyperSnap 6
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
InterActual Player
Internet Explorer Default Page
iPod for Windows 2006-06-28
iTunes
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_06
Java™ 6 Update 17
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
jetAudio Basic
Malwarebytes' Anti-Malware
McAfee SecurityCenter
McAfee Virtual Technician
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Expedia Streets 98
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MID Converter 4.0
Mind on Statistics 3e
Modem Helper
Mortgage Payment Calculator 1.0
Mozilla Firefox (3.5.7)
Mp3Decode
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Musicmatch for Windows Media Player
My Way Search Assistant
MyDVD
Napster
NetWaiting
NetZeroInstallers
Online Backup
PhotoWise
Picture Package Music Transfer
PIXMA Extended Survey Program
PowerDVD
proDAD Heroglyph 1.0
Quicken 2008
QuickTime
RAW Image Task
RealPlayer
RegDefense
RegistryDefense
RemoteCapture Task 1.0.1
Remove Home Makeover
Roxio Burn Engine
Safari
SBC Yahoo! Applications
ScanSoft OmniPage SE 4
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
Shockwave
Skype™ 4.1
SmartSound Quicktracks Plugin
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Sony Picture Utility
Sony USB Driver
SoundMAX
Spyware Doctor 7.0
Studio 9
Studio 9 Content CD/DVD
Super Mp3 Recorder 2.5
Sweet MIDI Player 32 (remove only)
Sweet Sixteen 32 (remove only)
Switch Sound File Converter
TurboTax 2005 - MSXML 3
TurboTax ItsDeductible 2006
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
USB Storage Adapter FX (SM1)
Video DVD Maker Free v2.4.0.16
Viewpoint Media Player
Virtual Earth 3D (Beta)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual IP InSight(SBC)
WeatherBug
WebFldrs XP
WexTech AnswerWorks
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
WordPerfect Office 12
Yahoo! Toolbar

==== End Of File ===========================


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/31 13:30
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE800000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8AF6000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED1D3000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf8483e52

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf8464cde

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf8464ed0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf8484640

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf84848f4

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "IPVNMon.sys" at address 0xf834c25d

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf8482b44

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf8484d60

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf8484112

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf8464984

Stealth Objects
-------------------
Object: Hidden Module [Name: z00clicker.dll]
Process: firefox.exe (PID: 1488) Address: 0x01190000 Size: 176128

==EOF==

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:01:06 AM

Posted 31 January 2010 - 03:01 PM

Thanks for those logs. We'll start with Combofix here.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 pcrich

pcrich
  • Topic Starter

  • Members
  • 9 posts
  • Local time:02:06 AM

Posted 31 January 2010 - 06:14 PM

Hi extremeboy,

Here is the combofix file you requested.

Thanks,
pcrich

ComboFix 10-01-31.02 - Steve 01/31/2010 16:57:09.1.1 - x86
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Anna\My Documents\ZbThumbnail.info
c:\documents and settings\Emma\My Documents\ZbThumbnail.info
c:\documents and settings\Steve\My Documents\ZbThumbnail.info
C:\s
c:\windows\Guxbpi.dll
c:\windows\patch.exe
c:\windows\Resdux.dll
c:\windows\Rop12.exe
c:\windows\Serpop.exe
c:\windows\system32\twain_32.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-31 )))))))))))))))))))))))))))))))
.

2010-01-31 19:23 . 2010-01-31 19:30 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\WinZip
2010-01-31 19:22 . 2010-01-31 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-01-30 17:10 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-01-30 17:10 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-01-30 17:10 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-01-30 17:10 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-01-30 17:10 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-01-30 14:06 . 2010-01-30 14:06 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-01-30 13:59 . 2010-01-30 13:59 -------- d-----w- c:\windows\ERUNT
2010-01-30 13:44 . 2010-01-30 14:57 -------- d-----w- C:\SDFix
2010-01-28 00:02 . 2010-01-28 00:02 62556 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-27 04:48 . 2010-01-27 04:48 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\Threat Expert
2010-01-27 03:09 . 2008-04-17 18:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-01-27 03:01 . 2010-01-27 03:09 -------- d-----w- c:\program files\iTunes
2010-01-27 02:10 . 2010-01-27 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-27 02:05 . 2010-01-27 02:05 -------- d-----w- c:\program files\Bonjour
2010-01-27 01:47 . 2010-01-27 03:04 -------- d-----w- c:\program files\Common Files\Apple
2010-01-22 23:20 . 2009-11-25 16:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-18 23:04 . 2004-12-14 17:27 -------- d-----w- c:\documents and settings\Administrator.OFFICE\Application Data\Sonic
2010-01-18 23:04 . 2010-01-19 00:11 -------- d-----w- c:\documents and settings\Administrator.OFFICE\Local Settings\Application Data\Microsoft
2010-01-18 23:04 . 2010-01-19 00:07 -------- d-----w- c:\documents and settings\Administrator.OFFICE
2010-01-17 16:42 . 2010-01-17 16:42 -------- d-----w- c:\program files\Trend Micro
2010-01-17 13:15 . 2010-01-17 13:15 -------- d-----w- C:\$AVG
2010-01-17 13:12 . 2010-01-19 00:11 -------- d-----w- c:\program files\AVG
2010-01-17 13:12 . 2010-01-19 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-16 21:07 . 2009-11-12 18:48 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-01-16 13:49 . 2010-01-16 13:49 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2010-01-16 13:49 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-16 13:49 . 2010-01-16 13:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-16 13:49 . 2010-01-19 00:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-16 13:49 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-16 04:22 . 2010-01-16 04:22 -------- d-----w- C:\spoolerlogs
2010-01-15 21:03 . 2010-01-15 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-01-15 15:44 . 2010-01-31 18:03 -------- d-----w- c:\program files\Enigma Software Group
2010-01-15 14:43 . 2010-01-15 14:43 -------- d-----w- c:\documents and settings\Steve\Application Data\McAfee
2010-01-12 19:51 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-05 15:56 . 2010-01-20 10:46 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-31 21:35 . 2009-05-25 17:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-31 17:59 . 2007-06-17 12:00 -------- d-----w- c:\documents and settings\Steve\Application Data\SUPERAntiSpyware.com
2010-01-27 22:19 . 2006-12-31 21:07 -------- d-----w- c:\documents and settings\Steve\Application Data\Apple Computer
2010-01-27 21:58 . 2005-03-22 14:38 -------- d-----w- c:\program files\Calendar Creator 7.0 Deluxe
2010-01-27 03:04 . 2006-12-31 20:48 -------- d-----w- c:\program files\iPod
2010-01-27 02:04 . 2004-12-14 17:25 -------- d-----w- c:\program files\QuickTime
2010-01-19 00:11 . 2010-01-19 00:11 -------- d-----w- c:\documents and settings\Administrator.OFFICE\Application Data\Jasc Software Inc
2010-01-19 00:11 . 2010-01-19 00:11 -------- d-----w- c:\documents and settings\Steve\Application Data\Canneverbe_Limited
2010-01-19 00:11 . 2010-01-19 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2010-01-19 00:11 . 2010-01-19 00:11 -------- d-----w- c:\program files\Malwarebytes'Anti-Malware
2010-01-19 00:10 . 2008-05-03 11:57 -------- d-----w- c:\program files\CDBurnerXP
2010-01-16 04:52 . 2007-06-17 12:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-15 16:13 . 2007-06-17 11:35 -------- d-----w- c:\program files\AOL Security Toolbar
2010-01-15 14:42 . 2007-03-07 10:41 -------- d-----w- c:\program files\McAfee
2010-01-15 14:42 . 2007-02-12 10:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-14 18:31 . 2009-12-25 15:47 -------- d-----w- c:\documents and settings\Steve\Application Data\Skype
2010-01-14 12:36 . 2009-12-20 17:46 -------- d-----w- c:\documents and settings\Steve\Application Data\skypePM
2010-01-01 20:52 . 2005-02-05 20:59 -------- d-----w- c:\program files\Google
2010-01-01 13:40 . 2004-12-14 17:15 -------- d-----w- c:\program files\Java
2009-12-31 20:50 . 2009-12-31 20:50 -------- d-----w- c:\program files\RegDefense
2009-12-28 15:32 . 2004-12-17 12:51 70888 -c--a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-28 15:03 . 2009-12-28 15:03 -------- d-----w- c:\program files\MSECache
2009-12-25 15:44 . 2009-12-25 15:44 -------- d-----r- c:\program files\Skype
2009-12-25 15:44 . 2009-12-25 15:44 -------- d-----w- c:\program files\Common Files\Skype
2009-12-25 15:43 . 2009-12-20 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-12-23 13:46 . 2008-11-22 14:39 -------- d-----w- c:\program files\HyperSnap 6
2009-12-23 11:59 . 2004-12-14 17:24 -------- d-----w- c:\program files\Common Files\AOL
2009-12-23 11:59 . 2004-12-14 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-12-22 05:21 . 2004-08-04 11:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2004-08-04 11:00 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-21 22:59 . 2005-01-25 19:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-21 22:18 . 2005-01-25 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-20 17:46 . 2009-12-20 17:46 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-20 23:45 . 2009-07-20 23:39 60857536 ----a-w- c:\program files\Ad-AwareAE.exe
2009-05-27 22:15 . 2009-05-25 23:15 2060976 ----a-w- c:\program files\RegDefense.exe
2009-05-09 15:58 . 2009-05-09 15:54 10695790 ----a-w- c:\program files\InstallCyberDefenderEDC-252072.exe
2009-05-07 21:28 . 2009-05-07 21:27 21878064 ----a-w- c:\program files\QuickTimeInstaller.exe
2009-04-20 19:27 . 2009-04-20 19:27 434832 ----a-w- c:\program files\switchsetup.exe
2009-04-20 19:07 . 2009-04-20 19:05 20212408 ----a-w- c:\program files\setup_blazemp.exe
2009-04-20 18:42 . 2009-04-20 18:42 3892161 ----a-w- c:\program files\wav_mp3_converter.exe
2009-04-20 18:30 . 2009-04-20 18:30 1760088 ----a-w- c:\program files\mp3converter_simple.exe
2008-12-01 22:28 . 2008-09-29 15:02 276327 -c--a-w- c:\program files\setup_swmipl32.exe
2008-12-01 22:28 . 2008-09-29 15:00 6276 -c--a-w- c:\program files\swmipl32_win_pad.xml
2008-12-01 22:28 . 2008-09-28 19:58 5472 -c--a-w- c:\program files\History.txt
2008-12-01 22:28 . 2008-01-07 21:10 1275 -c--a-w- c:\program files\Order.txt
2008-12-01 22:28 . 2007-07-06 18:54 2348 -c--a-w- c:\program files\Readme.txt
2008-12-01 22:28 . 2007-03-12 23:22 444 -c--a-w- c:\program files\File_id.diz
2007-03-11 20:41 . 2007-03-11 20:41 81920 -c--a-w- c:\program files\Calendar Creator 7.mdb
2006-01-09 23:13 . 2006-01-09 23:13 87552 -c--a-w- c:\program files\filedtripbrochure.pub
2005-12-29 23:06 . 2005-12-29 23:06 359112 -c--a-w- c:\program files\LimeWireWin.exe
2003-08-27 19:19 . 2004-12-24 00:35 36963 -c----w- c:\program files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-02 68856]
"@BackupScheduler"="c:\program files\Online Backup\OnlineBackup.exe" [2008-05-20 611768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-03 198160]
"RDFNSListener"="c:\program files\RegDefense\RDFNSListener.exe" [2009-11-18 106608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"RDFNSAgent"="c:\program files\RegDefense\RDFNSAgent.exe" [2009-11-18 211568]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-12-14 24576]
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE [2005-1-13 135680]
RAMASST.lnk - c:\windows\SYSTEM32\RAMASST.exe [2005-10-8 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 17:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI1"=vpnt.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightLAN 02]
2003-06-11 06:52 380928 ----a-w- c:\program files\Visual Networks\Visual IP InSight\SBC\IPClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 02]
2003-06-11 06:52 122880 ----a-w- c:\program files\Visual Networks\Visual IP InSight\SBC\ipmon32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 17:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RDListener]
2009-06-10 08:48 105584 ----a-w- c:\program files\Registry Defense\RDListener.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
2003-08-27 19:20 94208 ----a-r- c:\windows\SM1bg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-03 23:36 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
2003-07-11 19:51 57344 ----a-w- c:\program files\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"IJPLMSVC"=2 (0x2)
"Bonjour Service"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 5632]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2007-02-27 32256]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-12-08 93320]


--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2007-03-07 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-07 16:22]

2007-03-07 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-07 16:22]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\nzy85uhw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT206422&SearchSource=2&q=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-31 17:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\.mfp]
@DACL=(02 0000)
@="MacromediaFlashPaper.MacromediaFlashPaper"
"Content Type"="application/x-shockwave-flash"

[HKEY_LOCAL_MACHINE\software\Classes\.sol]
@DACL=(02 0000)
"Content Type"="text/plain"

[HKEY_LOCAL_MACHINE\software\Classes\.sor]
@DACL=(02 0000)
"Content Type"="text/plain"

[HKEY_LOCAL_MACHINE\software\Classes\.spl]
@DACL=(02 0000)
@="ShockwaveFlash.ShockwaveFlash"
"Content Type"="application/futuresplash"

[HKEY_LOCAL_MACHINE\software\Classes\.swf]
@DACL=(02 0000)
@="ShockwaveFlash.ShockwaveFlash"
"Content Type"="application/x-shockwave-flash"
"PerceivedType"="video"

[HKEY_LOCAL_MACHINE\software\Classes\.swf\OpenWithList\jetAudio.exe]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\FlashProp.FlashProp]
@DACL=(02 0000)
@="FlashProp Class"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3996)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-31 17:36:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-31 22:36

Pre-Run: 2,658,635,776 bytes free
Post-Run: 3,229,958,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 6E3CEEAA4715AE621D4D8809E380B7D5
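The registry portion of the log above carries a few items a responder would check by hand: Security Center monitoring switched off for the installed AV, firewall notifications disabled, and a firewall exception for an executable sitting at the root of C:\ (c:\StubInstaller.exe). As an added example, not code from this thread or from DDS/ComboFix, the Python below parses a dump in that format and flags those conditions. The sample lines are constructed to mirror the log rather than copied from it in full; the list of "expected" directories, the rule names and the function names are my assumptions.

```python
import re

# Constructed sample in the format of the DDS/ComboFix registry dump posted above.
# It mirrors a handful of lines from that log; it is not the full log.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
'''

# Directories from which a firewall exception is unsurprising on an XP box (assumed list).
# A drive root, %temp% or a user profile is where you would look twice.
EXPECTED_PREFIXES = (
    "%windir%\\", "c:\\windows\\", "c:\\program files\\",
    "c:\\program files (x86)\\", "%programfiles%\\",
)

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def reg_value_to_int(raw):
    """Turn the dump's value spellings ('dword:00000001', '1 (0x1)', '1') into an int, else None."""
    raw = raw.strip()
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"(\d+)(?:\s*\(0x[0-9a-fA-F]+\))?", raw)
    if m:
        return int(m.group(1))
    return None


def parse_reg_dump(text):
    """Return (key, value_name, raw_value) triples from a .reg-style dump."""
    entries = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            entries.append((key, vm.group(1), vm.group(2)))
    return entries


def unescape_reg_path(name):
    """Value names in the dump double their backslashes; collapse them and lower-case for matching."""
    return name.replace("\\\\", "\\").lower()


def review_entries(entries):
    """Return (rule, detail) findings worth a second look, in log order."""
    findings = []
    for key, name, raw in entries:
        lname = name.lower()
        if lname in ("disablemonitoring", "disablenotifications") and reg_value_to_int(raw) == 1:
            # Legitimate AV suites also set DisableMonitoring so Security Center stops nagging;
            # the finding is a prompt to confirm the named product is really running, not proof.
            findings.append((lname + "=1", key))
        elif key.lower().endswith("authorizedapplications\\list"):
            path = unescape_reg_path(name)
            if not path.startswith(EXPECTED_PREFIXES):
                findings.append(("firewall_exception_unusual_path", path))
    return findings


def review_log(text):
    return review_entries(parse_reg_dump(text))


if __name__ == "__main__":
    for rule, detail in review_log(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

Run against the sample it reports the two disabled-monitoring values and the c:\StubInstaller.exe exception. None of the three is evidence of compromise on its own (McAfee sets DisableMonitoring itself, and an installer stub at the drive root can be a leftover from a legitimate download); the script only narrows a long log down to the lines a human should confirm.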


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:06 AM

Posted 31 January 2010 - 06:34 PM

Hello.

One of the infections that was removed was a backdoor. One of the critical files was patched.

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 pcrich

pcrich
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:06 AM

Posted 01 February 2010 - 08:06 AM

extremeboy,

I'll take your advice and format my pc. Once again, thanks for the help. I'll get back to you if I have any further problems.

pcrich

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:06 AM

Posted 01 February 2010 - 01:10 PM

Okay. Thanks for letting me know.

#11 pcrich

pcrich
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:06 AM

Posted 02 February 2010 - 03:06 PM

extremeboy,

It's going to be a few days (at least 5) until I can re-format my pc. It would be nice if I can attempt to remove the 2nd backdoor Trojan from my machine (in the meantime). What steps should I take to do this? I'm keeping on-line time to a minimum, but would feel better eliminating this problem for now.

Thanks,
pcrich

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:06 AM

Posted 02 February 2010 - 04:39 PM

Hello.

It's pretty much removed already now. I was just referring to the fact that you DID have an infection like that.

#13 pcrich

pcrich
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:06 AM

Posted 02 February 2010 - 09:25 PM

extremeboy,

I guess I'm not sure if I am still infected and if I really need to re-format my pc. Any way to really know if I'm clean? It would be nice not to have to re-format, but if there is doubt, I'll go for it. If there are further instructions I'm ready to continue.

Thanks,
pcrich

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:06 AM

Posted 03 February 2010 - 05:52 PM

Okay. Let's continue with a Malwarebytes scan.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link



#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:06 AM

Posted 12 February 2010 - 04:31 PM

Hello.

Due to Lack of feedback, this topic is now Closed

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy



