 |
||
Malware
|
||
|
|
|
|||||||
| Register | Projects | Blogs | FAQ | Search | Today's Posts | Mark Forums Read |
2009-11-07, 16:54
|
#1 |
|
Junior Member
Join Date: Nov 2009
Posts: 9
|
Malware
I posted yesterday but was unable to post the HJT log. I was finally able to save it to CD and transfer to my laptop. I know you need this to analyze, so I'll risk losing my place in line.
Again: Spybot had detected Opachki and seemed to have cleaned it but something is wrong. No Internet, can't drag and drop, no task bar or start button. Even tried to deny me saving the HJT log to CD saying I did not have permission. So here is the log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:37:46 AM, on 11/7/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16915) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\BCMSMMSG.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe C:\Program Files\Dell Support Center\bin\sprtcmd.exe C:\Program Files\Zune\ZuneLauncher.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\PROGRA~1\SYMANT~1\SYMANT~2\vptray.exe C:\WINDOWS\system32\DLA\TFSWCMD.EXE C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\Program Files\DellSupport\DSAgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Symantec Client Security\Symantec AntiVirus\DoScan.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Dell Support Center\bin\sprtsvc.exe C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe" O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\\vptray.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - HKCU\..\Run: [TS] C:\Program Files\TS\tsc.exe O4 - HKUS\S-1-5-21-3790382252-2412222753-2890496779-1007\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User '?') O4 - HKUS\S-1-5-21-3790382252-2412222753-2890496779-1007\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?') O4 - HKUS\S-1-5-21-3790382252-2412222753-2890496779-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?') O4 - HKUS\S-1-5-21-3790382252-2412222753-2890496779-1007\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (User '?') O4 - HKUS\S-1-5-21-3790382252-2412222753-2890496779-1007\..\Run: [TS] C:\Program Files\TS\tsc.exe (User '?') O4 - S-1-5-21-3790382252-2412222753-2890496779-1007 Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe (User '?') O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: PGPtray.lnk = ? O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O15 - Trusted Zone: *.imageservr.com O15 - Trusted Zone: *.imagesrvr.com O15 - Trusted Zone: *.imageservr.com (HKLM) O15 - Trusted Zone: *.imagesrvr.com (HKLM) O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2...nAxControl.CAB O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qpdom.cbservices.org/qp2.cab O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.5.0.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1123125006512 O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...53/mcfscan.cab O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.1.6.cab O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\System32\PGPsdkServ.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -- End of file - 16858 bytes Last edited by tashi; 2009-11-07 at 17:39. Reason: Edited topic title to remove reference to previous thread which has now been closed. :-) |
|
|
2009-11-11, 07:58
|
#2 |
|
Security Expert
Join Date: Oct 2006
Location: Finland
Posts: 20,805
|
Hi,
Please visit this webpage for download links, and instructions for running ComboFix tool: http://www.bleepingcomputer.com/comb...o-use-combofix Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should see a blue screen prompt that says: The Recovery Console was successfully installed. Please continue as follows:
When the tool is finished, it will produce a report for you. Please include the following reports for further review, and so we may continue cleansing the system: C:\ComboFix.txt A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use. Generate an Uninstall List * Open HijackThis * Click on Open Misc Tools Section * Click on Open Uninstall Manager * Click on Save list * Save it to your Desktop * Post it & fresh hjt log on your next reply.
__________________
Microsoft MVP Consumer Security 2008 2009 2010 ASAP & UNITE member since 2006 I don't help with logs thru PM. If you have problems create a thread in the forum, please. Malware removal instructions are for the correspondent user's case only. |
|
|
|
2009-11-11, 23:16
|
#3 |
|
Junior Member
Join Date: Nov 2009
Posts: 9
|
No Recovery Console possible. ComboFix could not get on Internet to get it.
Was able to run requested logs. ComboFix 09-11-11.02 - Gary 11/11/2009 15:34.1.1 - NTFSx86 Running from: D:\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\stc c:\program files\stc\csv5p070.exe c:\program files\Sysmnt c:\program files\Sysmnt\Ssmgr.exe c:\windows\123messenger.per c:\windows\180ax.exe c:\windows\apphelp32.dll c:\windows\asferror32.dll c:\windows\asycfilt32.dll c:\windows\athprxy32.dll c:\windows\ati2dvaa32.dll c:\windows\ati2dvag32.dll c:\windows\audiosrv32.dll c:\windows\autodisc32.dll c:\windows\avifile32.dll c:\windows\avisynthex32.dll c:\windows\aviwrap32.dll c:\windows\bjam.dll c:\windows\bokja.exe c:\windows\browserad.dll c:\windows\cdsm32.dll c:\windows\changeurl_30.dll c:\windows\Downloaded Program Files\setup.dll c:\windows\licencia.txt c:\windows\msa64chk.dll c:\windows\msapasrc.dll c:\windows\mspphe.dll c:\windows\mssvr.exe c:\windows\ntnut.exe c:\windows\saiemod.dll c:\windows\salm.exe c:\windows\shdocpe.dll c:\windows\shdocpl.dll c:\windows\swin32.dll c:\windows\system32\MSNSA32.dll c:\windows\system32\ntnut32.exe c:\windows\system32\shdocpe.dll c:\windows\system32\SIPSPI32.dll c:\windows\system32\wer8274.dll c:\windows\system32\winfrun32.bin c:\windows\telefonos.txt c:\windows\textos.txt c:\windows\voiceip.dll c:\windows\winsb.dll . ((((((((((((((((((((((((( Files Created from 2009-10-11 to 2009-11-11 ))))))))))))))))))))))))))))))) . 2009-11-07 14:21 . 2009-11-07 14:23 -------- d-----w- c:\program files\ERUNT 2009-11-07 14:15 . 2009-11-07 14:15 -------- d-----w- c:\program files\Trend Micro 2009-11-06 00:53 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-11-06 00:53 . 2009-11-07 14:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-11-06 00:53 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-06 00:51 . 2009-11-06 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-10-25 19:01 . 2009-10-25 19:02 -------- d-----w- c:\program files\Motorola . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-11-04 13:57 . 2005-03-16 23:30 5743788 -c--a-w- c:\windows\Internet Logs\tvDebug.Zip 2009-11-04 03:19 . 2008-06-17 02:09 -------- d-----w- c:\program files\Snoop 4.0 2009-11-04 00:49 . 2003-10-09 16:24 -------- d-----w- c:\program files\Common Files\Symantec Shared 2009-11-03 13:04 . 2008-04-18 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-10-25 19:01 . 2003-10-09 15:48 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-10-25 18:37 . 2009-10-25 18:37 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf 2009-10-22 08:03 . 2007-03-03 18:46 40 ----a-w- c:\windows\system32\profile.dat 2009-10-18 16:16 . 2007-02-19 23:03 -------- d-----w- c:\program files\Punch! Master Landscape 2009-10-06 01:52 . 2009-10-06 01:52 -------- d-----w- c:\documents and settings\Julie\Application Data\Apple Computer 2009-10-04 03:23 . 2005-06-17 01:20 -------- d-----w- c:\documents and settings\Gary\Application Data\Canon 2009-09-30 01:25 . 2009-09-30 02:43 428032 ----a-w- c:\windows\Internet Logs\xDB43.tmp 2009-09-30 00:37 . 2003-12-28 17:11 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-09-29 23:18 . 2009-09-29 23:18 -------- d-----w- c:\program files\Common Files\TSUninstall 2009-09-19 13:37 . 2008-03-18 03:49 -------- d-----w- c:\program files\Microsoft Silverlight 2009-09-19 13:35 . 2009-09-19 13:41 1693696 ----a-w- c:\windows\Internet Logs\xDB42.tmp 2009-09-11 14:18 . 2002-08-29 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-04 21:03 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-09-03 23:50 . 2007-03-04 20:18 92576 ----a-w- c:\documents and settings\Bryan.DB5JPM31\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-08-29 07:36 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll 2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll 2009-08-29 07:36 . 2002-08-29 10:00 17408 ----a-w- c:\windows\system32\corpol.dll 2009-08-26 08:00 . 2002-08-29 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-26 01:53 . 2007-03-04 20:09 92576 ----a-w- c:\documents and settings\Julie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-08-16 21:05 . 2003-12-25 19:05 92576 ----a-w- c:\documents and settings\Gary\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2002-08-29 10:00 . 2002-08-29 10:00 94784 -csh--w- c:\windows\TWAIN.DLL 2008-04-14 00:12 . 2002-08-29 10:00 50688 --sh--w- c:\windows\twain_32.dll 2008-04-14 00:11 . 2002-08-29 10:00 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll 2008-04-14 00:12 . 2002-08-29 10:00 57344 --sh--w- c:\windows\SYSTEM32\msvcirt.dll 2008-04-14 00:12 . 2002-08-29 10:00 413696 --sha-w- c:\windows\SYSTEM32\msvcp60.dll 2008-04-14 00:12 . 2002-08-29 10:00 343040 --sha-w- c:\windows\SYSTEM32\msvcrt.dll 2008-04-14 00:12 . 2002-08-29 10:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe . ------- Sigcheck ------- Cryptography Services Error !! . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2004-08-06 2502656] "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741] "DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-10-09 151597] "OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016] "PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2003-11-10 406016] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064] "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888] "vptray"="c:\progra~1\SYMANT~1\SYMANT~2\\vptray.exe" [2006-09-28 125168] "StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648] "BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880] "Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968] "nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2006-10-22 1622016] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"= "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"= "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"= "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= 2;2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [x] R2 PGPsdkServ;PGPsdkService;c:\windows\System32\PGPsdkServ.exe [2003-10-27 65536] R3 SavRoam;SavRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [2006-09-28 116464] R3 WipeFile;WipeFile;c:\windows\system32\DRIVERS\WipeFile.sys [2006-08-31 58880] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-27 102448] --- Other Services/Drivers In Memory --- *NewlyCreated* - MBR *NewlyCreated* - PROCEXP113 *Deregistered* - mbr *Deregistered* - PROCEXP113 . Contents of the 'Scheduled Tasks' folder 2009-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34] . . ------- Supplementary Scan ------- . uLocal Page = \blank.htm uStart Page = hxxp://www.yahoo.com/ uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mStart Page = hxxp://hsremove.com/done.htm mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = hxxp://localhost uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html LSP: lspcsnp4.dll Trusted Zone: imageservr.com Trusted Zone: imagesrvr.com Trusted Zone: turbotax.com Trusted Zone: imageservr.com Trusted Zone: imagesrvr.com DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB . - - - - ORPHANS REMOVED - - - - HKCU-Run-TS - c:\program files\TS\tsc.exe AddRemove-NoAdware 5.0_is1 - c:\program files\NoAdware5.0\unins000.exe AddRemove-TS - c:\program files\TS\tsc.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-11-11 15:45 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-3790382252-2412222753-2890496779-1007\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . Completion time: 2009-11-11 15:51 ComboFix-quarantined-files.txt 2009-11-11 21:49 Pre-Run: 11,435,855,872 bytes free Post-Run: 12,338,659,328 bytes free - - End Of File - - 21BAF83C87042CE6C519EE62628305D1 Uninstall Active Images Express Adobe Acrobat 8.1.2 Standard Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) Adobe Flash Player 10 ActiveX Adobe Reader 7.0.9 Adobe® Photoshop® Album Starter Edition 3.2 AnswerWorks 4.0 Runtime - English AnswerWorks 5.0 English Runtime Apple Software Update BCM V.92 56K Modem Britannica Ready Reference Canon MP Drivers 6.0 Canon MP Navigator 1.0 Canon ScanGear Starter Canon Utilities Easy-PhotoPrint Compatibility Pack for the 2007 Office system Critical Update for Windows Media Player 11 (KB959772) CutePDF Writer 2.3 DAO Deer Hunter Deer Hunter - Extended Season Deer Hunter Companion Dell Picture Studio - Dell Image Expert Dell Solution Center Dell Support Center (Support Software) DellSupport DiscAPI (Studio 10) DivX DS21Patch DVDSentry Easy-WebPrint ERUNT 1.1j ESET Online Scanner Garmin Trip and Waypoint Manager v3 Garmin USB Drivers Garmin WebUpdater Garmin WebUpdater Google Earth Google Updater HighMAT Extension to Microsoft Windows XP CD Writing Wizard HijackThis 2.0.2 Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows Internet Explorer 7 (KB947864) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB932716-v2) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB961118) Hotfix for Windows XP (KB970653-v3) HP Photo Printing Software Intel(R) PRO Network Adapters and Drivers Intel(R) PROSet Ipswitch WS_FTP LE ItsDeductible Express Java 2 Runtime Environment, SE v1.4.2 Java(TM) 6 Update 13 Kaspersky Online Scanner LG USB Drivers LiveUpdate 3.1 (Symantec Corporation) Lizardtech Express View Logitech MouseWare 9.79.1 LogViewer Macromedia Contribute 3.11 Macromedia Dreamweaver 8 Macromedia Extension Manager Macromedia Fireworks 8 Macromedia Flash 8 Macromedia Flash 8 Video Encoder Macromedia Flash Player 8 Plugin Malwarebytes' Anti-Malware Media Downloader Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Security Update (KB953297) Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft .NET Framework 3.5 SP1 Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Data Access Components KB870669 Microsoft Internationalized Domain Names Mitigation APIs Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 Microsoft Kernel-Mode Driver Framework Feature Pack 1.7 Microsoft National Language Support Downlevel APIs Microsoft Office 2000 SR-1 Premium Microsoft Office Professional Edition 2003 Microsoft Silverlight Microsoft User-Mode Driver Framework Feature Pack 1.7 Microsoft WinUsb 1.0 Modem Helper MSN Gaming Zone MSN Messenger 6.2 MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) MUSICMATCH Jukebox NVIDIA Drivers OmniPage SE 2.0 Paint Shop Pro 7 PGP 8.0.3 Pinnacle Instant DVD Recorder PowerDVD Presto! PageManager 6.03 Punch! Master Landscape Quicken 2007 QuickTime RAPID (Studio 10) RealOne Player Security Update for CAPICOM (KB931906) Security Update for CAPICOM (KB931906) Security Update for Step By Step Interactive Training (KB898458) Security Update for Step By Step Interactive Training (KB923723) Security Update for Windows Internet Explorer 7 (KB928090) Security Update for Windows Internet Explorer 7 (KB931768) Security Update for Windows Internet Explorer 7 (KB933566) Security Update for Windows Internet Explorer 7 (KB937143) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB939653) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Internet Explorer 7 (KB963027) Security Update for Windows Internet Explorer 7 (KB969897) Security Update for Windows Internet Explorer 7 (KB972260) Security Update for Windows Internet Explorer 7 (KB974455) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB954155) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 10 (KB936782) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 9 (KB911565) Security Update for Windows Media Player 9 (KB917734) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB938464-v2) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB958869) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969059) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB971486) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB971961) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973525) Security Update for Windows XP (KB973869) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975025) Security Update for Windows XP (KB975467) SmartSound Quicktracks Plugin Sonic DLA Sonic MyDVD Sonic RecordNow! Sonic Update Manager Spybot - Search & Destroy Spybot - Search & Destroy 1.5.2.20 Studio 10 Symantec Client Security Time Zone Data Update Tool for Microsoft Office Outlook TurboTax 2008 TurboTax 2008 wiliper TurboTax 2008 WinPerFedFormset TurboTax 2008 WinPerProgramHelp TurboTax 2008 WinPerReleaseEngine TurboTax 2008 WinPerTaxSupport TurboTax 2008 WinPerUserEducation TurboTax 2008 wrapper TurboTax Deluxe 2003 TurboTax Deluxe 2004 TurboTax Deluxe 2005 TurboTax Deluxe 2007 TurboTax Deluxe Deduction Maximizer 2006 TurboTax ItsDeductible 2005 TurboTax ItsDeductible 2006 Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Windows Internet Explorer 7 (KB976749) Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB955839) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB973815) V CAST Music VC 9.0 Runtime VC 9.0 Runtime WexTech AnswerWorks Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0) Windows Genuine Advantage v1.3.0254.0 Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media Player 11 Windows Media Player 11 Windows XP Service Pack 3 WinRAR archiver WordPerfect Office 11 Yahoo! Customizations Yahoo! Internet Mail Yahoo! Messenger Yahoo! Messenger Explorer Bar ZoneAlarm ZoneAlarm Spy Blocker Zune Zune Zune Language Pack (ES) Zune Language Pack (FR) HJT Log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:06:44 PM, on 11/11/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16915) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Dell Support Center\bin\sprtsvc.exe C:\WINDOWS\BCMSMMSG.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe C:\Program Files\Dell Support Center\bin\sprtcmd.exe C:\Program Files\Zune\ZuneLauncher.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\PROGRA~1\SYMANT~1\SYMANT~2\vptray.exe C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\DLA\TFSWCMD.EXE C:\Program Files\Symantec Client Security\Symantec AntiVirus\DoScan.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe" O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\\vptray.exe O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - HKUS\S-1-5-21-3790382252-2412222753-2890496779-1007\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User '?') O4 - HKUS\S-1-5-21-3790382252-2412222753-2890496779-1007\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?') O4 - HKUS\S-1-5-21-3790382252-2412222753-2890496779-1007\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (User '?') O4 - S-1-5-21-3790382252-2412222753-2890496779-1007 Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe (User '?') O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: PGPtray.lnk = ? O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O10 - Unknown file in Winsock LSP: lspcsnp4.dll O15 - Trusted Zone: *.imageservr.com O15 - Trusted Zone: *.imagesrvr.com O15 - Trusted Zone: *.imageservr.com (HKLM) O15 - Trusted Zone: *.imagesrvr.com (HKLM) O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2...nAxControl.CAB O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qpdom.cbservices.org/qp2.cab O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.5.0.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1123125006512 O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...53/mcfscan.cab O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.1.6.cab O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\System32\PGPsdkServ.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -- End of file - 16103 bytes |
|
|
|
2009-11-12, 07:27
|
#4 |
|
Security Expert
Join Date: Oct 2006
Location: Finland
Posts: 20,805
|
Hi,
Move ComboFix.exe to your desktop, please. Is the connection still down? If it is then follow manual way to install recovery console. Instructions for that in ComboFix tutorial (remember to choose recovery console that is suitable for your Windows version!).
__________________
Microsoft MVP Consumer Security 2008 2009 2010 ASAP & UNITE member since 2006 I don't help with logs thru PM. If you have problems create a thread in the forum, please. Malware removal instructions are for the correspondent user's case only. |
|
|
|
2009-11-16, 05:17
|
#5 |
|
Junior Member
Join Date: Nov 2009
Posts: 9
|
Hi Blade,
Personal note. I just noticed you are in Finland. My grandparents migrated to America from Finland in the 1800’s and settled in Upper Michigan. My Uncle Bruno was active in bringing Jazz to Finland back in the 1930’s and 40’s. Still no Internet access on virus infected desktop computer. I can down load the Windows set up on my laptop to CD. I can then insert the CD into the infected desktop computer and make the six-disk setup diskettes. I can’t complete the setup (and I assume the Recovery Console) as it asks for the Windows XP Service Pack 2 CD. All I have is the Dell OEM CD. Can’t figure out how to install the Recovery Console from there. Can’t get the ComboFix file on the infected computers desktop. Wouldn’t be able to drag and drop the Recovery Console over the ComboFix file anyway since drag and drop is not operational. There is a Recovery Option available from the six disks, but choosing that to run just brought up the impaired Windows operating system. Virus has stopped all Drag and Drop. I can’t move ComboFix from the CD (remember, I can’t access Internet from the desktop computer) to the desktop. Using DOS commands, I was able to copy it to the C:\ drive and ran it from there, but not from desk top. Can’t use DOS to copy it to the desktop directory. I ran it again from the C:\location and the log is attached. ComboFix 09-11-11.02 - Gary 11/15/2009 21:51.2.1 - NTFSx86 Running from: C:\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((( Files Created from 2009-10-16 to 2009-11-16 ))))))))))))))))))))))))))))))) . 2009-11-16 02:45 . 2009-11-11 20:41 3563264 ----a-r- C:\ComboFix.exe 2009-11-07 14:21 . 2009-11-07 14:23 -------- d-----w- c:\program files\ERUNT 2009-11-07 14:15 . 2009-11-07 14:15 -------- d-----w- c:\program files\Trend Micro 2009-11-06 00:53 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-11-06 00:53 . 2009-11-07 14:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-11-06 00:53 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-06 00:51 . 2009-11-06 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-10-25 19:01 . 2009-10-25 19:02 -------- d-----w- c:\program files\Motorola . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-11-04 13:57 . 2005-03-16 23:30 5743788 -c--a-w- c:\windows\Internet Logs\tvDebug.Zip 2009-11-04 03:19 . 2008-06-17 02:09 -------- d-----w- c:\program files\Snoop 4.0 2009-11-04 00:49 . 2003-10-09 16:24 -------- d-----w- c:\program files\Common Files\Symantec Shared 2009-11-03 13:04 . 2008-04-18 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-10-25 19:01 . 2003-10-09 15:48 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-10-25 18:37 . 2009-10-25 18:37 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf 2009-10-22 08:03 . 2007-03-03 18:46 40 ----a-w- c:\windows\system32\profile.dat 2009-10-18 16:16 . 2007-02-19 23:03 -------- d-----w- c:\program files\Punch! Master Landscape 2009-10-06 01:52 . 2009-10-06 01:52 -------- d-----w- c:\documents and settings\Julie\Application Data\Apple Computer 2009-10-04 03:23 . 2005-06-17 01:20 -------- d-----w- c:\documents and settings\Gary\Application Data\Canon 2009-09-30 01:25 . 2009-09-30 02:43 428032 ----a-w- c:\windows\Internet Logs\xDB43.tmp 2009-09-30 00:37 . 2003-12-28 17:11 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-09-29 23:18 . 2009-09-29 23:18 -------- d-----w- c:\program files\Common Files\TSUninstall 2009-09-19 13:37 . 2008-03-18 03:49 -------- d-----w- c:\program files\Microsoft Silverlight 2009-09-19 13:35 . 2009-09-19 13:41 1693696 ----a-w- c:\windows\Internet Logs\xDB42.tmp 2009-09-11 14:18 . 2002-08-29 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-04 21:03 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-09-03 23:50 . 2007-03-04 20:18 92576 ----a-w- c:\documents and settings\Bryan.DB5JPM31\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-08-29 07:36 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll 2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll 2009-08-29 07:36 . 2002-08-29 10:00 17408 ----a-w- c:\windows\system32\corpol.dll 2009-08-26 08:00 . 2002-08-29 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-26 01:53 . 2007-03-04 20:09 92576 ----a-w- c:\documents and settings\Julie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2002-08-29 10:00 . 2002-08-29 10:00 94784 -csh--w- c:\windows\TWAIN.DLL 2008-04-14 00:12 . 2002-08-29 10:00 50688 --sh--w- c:\windows\twain_32.dll 2008-04-14 00:11 . 2002-08-29 10:00 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll 2008-04-14 00:12 . 2002-08-29 10:00 57344 --sh--w- c:\windows\SYSTEM32\msvcirt.dll 2008-04-14 00:12 . 2002-08-29 10:00 413696 --sha-w- c:\windows\SYSTEM32\msvcp60.dll 2008-04-14 00:12 . 2002-08-29 10:00 343040 --sha-w- c:\windows\SYSTEM32\msvcrt.dll 2008-04-14 00:12 . 2002-08-29 10:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe . ------- Sigcheck ------- Cryptography Services Error !! . ((((((((((((((((((((((((((((( SnapShot@2009-11-11_21.45.49 ))))))))))))))))))))))))))))))))))))))))) . + 2009-11-16 02:38 . 2009-11-16 02:38 16384 c:\windows\Temp\Perflib_Perfdata_780.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2004-08-06 2502656] "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741] "DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-10-09 151597] "OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016] "PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2003-11-10 406016] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064] "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888] "vptray"="c:\progra~1\SYMANT~1\SYMANT~2\\vptray.exe" [2006-09-28 125168] "StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648] "BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880] "Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968] "nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2006-10-22 1622016] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"= "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"= "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"= "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= 2;2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [x] R2 PGPsdkServ;PGPsdkService;c:\windows\System32\PGPsdkServ.exe [2003-10-27 65536] R3 SavRoam;SavRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [2006-09-28 116464] R3 WipeFile;WipeFile;c:\windows\system32\DRIVERS\WipeFile.sys [2006-08-31 58880] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-27 102448] --- Other Services/Drivers In Memory --- *Deregistered* - mbr *Deregistered* - PROCEXP113 . Contents of the 'Scheduled Tasks' folder 2009-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34] . . ------- Supplementary Scan ------- . uLocal Page = \blank.htm uStart Page = hxxp://www.yahoo.com/ uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mStart Page = hxxp://hsremove.com/done.htm mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = hxxp://localhost uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html LSP: lspcsnp4.dll Trusted Zone: imageservr.com Trusted Zone: imagesrvr.com Trusted Zone: turbotax.com Trusted Zone: imageservr.com Trusted Zone: imagesrvr.com DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-11-15 22:00 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-3790382252-2412222753-2890496779-1007\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(356) c:\windows\system32\WININET.dll c:\program files\Logitech\MouseWare\System\LgWndHk.dll c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll c:\windows\system32\ieframe.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2009-11-16 22:06 ComboFix-quarantined-files.txt 2009-11-16 04:05 ComboFix2.txt 2009-11-11 21:52 Pre-Run: 12,329,009,152 bytes free Post-Run: 12,290,453,504 bytes free - - End Of File - - 2A78B42D99F7D87F1C8DBB29344CF089 näkemiin Deerslayer |
|
|
|
2009-11-16, 07:20
|
#6 | |
|
Security Expert
Join Date: Oct 2006
Location: Finland
Posts: 20,805
|
Hi,
Quote:
 . I had to go and check out the history. I assume you mean Bruno Laakko?Back to instructions.. Please upload following files to http://www.virustotal.com and post back the results: c:\windows\system32\svchost.exe c:\windows\system32\lsass.exe Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop. @echo off cacls c:\windows\system32\svchost.exe >c:\logit.txt cacls c:\windows\system32\lsass.exe >>c:\logit.txt del %0 Double-click on fixes.bat file to execute it. After that you should have logit.txt file in c: root. Attach the file/its contents to your reply.
__________________
Microsoft MVP Consumer Security 2008 2009 2010 ASAP & UNITE member since 2006 I don't help with logs thru PM. If you have problems create a thread in the forum, please. Malware removal instructions are for the correspondent user's case only. |
|
|
|
|
2009-11-17, 04:02
|
#7 |
|
Junior Member
Join Date: Nov 2009
Posts: 9
|
Yep, Bruno Laakko was my Dad's brother. He had the band Lepakot. I see you list music as an interset. Jazz maybe?
On to the problem at hand. Requested files below: File svchost.exe received on 2009.11.17 02:21:43 (UTC) Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED Result: 0/41 (0%) Loading server information... Your file is queued in position: 2. Estimated start time is between 50 and 71 seconds. Do not close the window until scan is complete. The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result. If you are waiting for more than five minutes you have to resend your file. Your file is being scanned by VirusTotal in this moment, results will be shown as they're generated. Compact Print results Your file has expired or does not exists. Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time. You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email: Antivirus Version Last Update Result a-squared 4.5.0.41 2009.11.17 - AhnLab-V3 5.0.0.2 2009.11.16 - AntiVir 7.9.1.65 2009.11.16 - Antiy-AVL 2.0.3.7 2009.11.16 - Authentium 5.2.0.5 2009.11.17 - Avast 4.8.1351.0 2009.11.16 - AVG 8.5.0.425 2009.11.16 - BitDefender 7.2 2009.11.17 - CAT-QuickHeal 10.00 2009.11.16 - ClamAV 0.94.1 2009.11.16 - Comodo 2960 2009.11.16 - DrWeb 5.0.0.12182 2009.11.17 - eSafe 7.0.17.0 2009.11.16 - eTrust-Vet 35.1.7123 2009.11.16 - F-Prot 4.5.1.85 2009.11.16 - F-Secure 9.0.15370.0 2009.11.11 - Fortinet 3.120.0.0 2009.11.16 - GData 19 2009.11.17 - Ikarus T3.1.1.74.0 2009.11.17 - Jiangmin 11.0.800 2009.11.16 - K7AntiVirus 7.10.897 2009.11.16 - Kaspersky 7.0.0.125 2009.11.17 - McAfee 5804 2009.11.16 - McAfee+Artemis 5804 2009.11.16 - McAfee-GW-Edition 6.8.5 2009.11.17 - Microsoft 1.5202 2009.11.16 - NOD32 4613 2009.11.16 - Norman 6.03.02 2009.11.16 - nProtect 2009.1.8.0 2009.11.16 - Panda 10.0.2.2 2009.11.16 - PCTools 7.0.3.5 2009.11.16 - Prevx 3.0 2009.11.17 - Rising 22.22.01.01 2009.11.17 - Sophos 4.47.0 2009.11.17 - Sunbelt 3.2.1858.2 2009.11.12 - Symantec 1.4.4.12 2009.11.17 - TheHacker 6.5.0.2.071 2009.11.16 - TrendMicro 9.0.0.1003 2009.11.16 - VBA32 3.12.10.11 2009.11.15 - ViRobot 2009.11.16.2039 2009.11.16 - VirusBuster 4.6.5.0 2009.11.16 - Additional information File size: 14336 bytes MD5...: 27c6d03bcdb8cfeb96b716f3d8be3e18 SHA1..: 49083ae3725a0488e0a8fbbe1335c745f70c4667 SHA256: 2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5 ssdeep: 384:IDvi+JmG6yqlCRaJt4RHS5LutGJae7g9VJnpWCNJbW:INcG6xlCRaJKGOA7S HJ PEiD..: - PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x2509 timedatestamp.....: 0x48025bc0 (Sun Apr 13 19:15:12 2008) machinetype.......: 0x14c (I386) ( 3 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x2c00 0x2c00 6.29 f6589e1ed3da6afefb0b4294d9ff7f2e .data 0x4000 0x210 0x200 1.62 cbd504e46c836e09e8faabdcfbabaec2 .rsrc 0x5000 0x408 0x600 2.51 dcede0c303bbb48c6875eb64477e5882 ( 4 imports ) > ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW > KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook > ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid > RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening ( 0 exports ) RDS...: NSRL Reference Data Set - pdfid.: - trid..: Win32 Executable Generic (42.3%) Win32 Dynamic Link Library (generic) (37.6%) Generic Win/DOS Executable (9.9%) DOS Executable Generic (9.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) sigcheck: publisher....: Microsoft Corporation copyright....: (c) Microsoft Corporation. All rights reserved. product......: Microsoft_ Windows_ Operating System description..: Generic Host Process for Win32 Services original name: svchost.exe internal name: svchost.exe file version.: 5.1.2600.5512 (xpsp.080413-2111) comments.....: n/a signers......: - signing date.: - verified.....: Unsigned Antivirus Version Last Update Result a-squared 4.5.0.41 2009.11.17 - AhnLab-V3 5.0.0.2 2009.11.16 - AntiVir 7.9.1.65 2009.11.16 - Antiy-AVL 2.0.3.7 2009.11.16 - Authentium 5.2.0.5 2009.11.17 - Avast 4.8.1351.0 2009.11.16 - AVG 8.5.0.425 2009.11.16 - BitDefender 7.2 2009.11.17 - CAT-QuickHeal 10.00 2009.11.16 - ClamAV 0.94.1 2009.11.16 - Comodo 2960 2009.11.16 - DrWeb 5.0.0.12182 2009.11.17 - eSafe 7.0.17.0 2009.11.16 Win32.Banker eTrust-Vet 35.1.7123 2009.11.16 - F-Prot 4.5.1.85 2009.11.16 - F-Secure 9.0.15370.0 2009.11.11 - Fortinet 3.120.0.0 2009.11.16 - GData 19 2009.11.17 - Ikarus T3.1.1.74.0 2009.11.17 - Jiangmin 11.0.800 2009.11.16 - K7AntiVirus 7.10.897 2009.11.16 - Kaspersky 7.0.0.125 2009.11.17 - McAfee 5804 2009.11.16 - McAfee+Artemis 5804 2009.11.16 - McAfee-GW-Edition 6.8.5 2009.11.17 - Microsoft 1.5202 2009.11.16 - NOD32 4613 2009.11.16 - Norman 6.03.02 2009.11.16 - nProtect 2009.1.8.0 2009.11.16 - Panda 10.0.2.2 2009.11.16 - PCTools 7.0.3.5 2009.11.16 - Prevx 3.0 2009.11.17 - Rising 22.22.01.01 2009.11.17 - Sophos 4.47.0 2009.11.17 - Sunbelt 3.2.1858.2 2009.11.12 - Symantec 1.4.4.12 2009.11.17 - TheHacker 6.5.0.2.071 2009.11.16 - TrendMicro 9.0.0.1003 2009.11.16 - VBA32 3.12.10.11 2009.11.15 - ViRobot 2009.11.16.2039 2009.11.16 - VirusBuster 4.6.5.0 2009.11.16 - Additional information File size: 13312 bytes MD5...: bf2466b3e18e970d8a976fb95fc1ca85 SHA1..: de5a73cbb5f51f64c53fb4277ef2c23e70db123f SHA256: f7794b5d12dc5d820a162850f4388e2aa80426ad07cb221799cf941c682ab501 ssdeep: 384:ggHUJZXmtGDWkzLWT4a8WfMptsN0BhgO49:338z4zRfMpy0BF4 PEiD..: - PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x14bd timedatestamp.....: 0x48025186 (Sun Apr 13 18:31:34 2008) machinetype.......: 0x14c (I386) ( 3 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x10d0 0x1200 6.00 7d33d24893e1db0fa0ecbd7a8fa637bd .data 0x3000 0x6c 0x200 0.20 86a789a893c60d5e207d053188cdc250 .rsrc 0x4000 0x1b30 0x1c00 7.15 54488850c25258396b2c9492c36b0bd5 ( 5 imports ) > ADVAPI32.dll: FreeSid, CheckTokenMembership, AllocateAndInitializeSid, OpenThreadToken, ImpersonateSelf, RevertToSelf > KERNEL32.dll: CloseHandle, GetCurrentThread, ExitThread, SetUnhandledExceptionFilter, SetErrorMode, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, RtlUnwind, InterlockedExchange, VirtualQuery > ntdll.dll: NtSetInformationProcess, RtlInitUnicodeString, NtCreateEvent, NtOpenEvent, NtSetEvent, NtClose, NtRaiseHardError, RtlAdjustPrivilege, NtShutdownSystem, RtlUnhandledExceptionFilter > LSASRV.dll: LsaISetupWasRun, LsapDsDebugInitialize, LsapAuOpenSam, LsapCheckBootMode, ServiceInit, LsapInitLsa, LsapDsInitializePromoteInterface, LsapDsInitializeDsStateInfo > SAMSRV.dll: SamIInitialize, SampUsingDsData ( 0 exports ) RDS...: NSRL Reference Data Set - pdfid.: - trid..: Win32 Executable Generic (42.3%) Win32 Dynamic Link Library (generic) (37.6%) Generic Win/DOS Executable (9.9%) DOS Executable Generic (9.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) sigcheck: publisher....: Microsoft Corporation copyright....: (c) Microsoft Corporation. All rights reserved. product......: Microsoft_ Windows_ Operating System description..: LSA Shell (Export Version) original name: lsass.exe internal name: lsass.exe file version.: 5.1.2600.5512 (xpsp.080413-2113) comments.....: n/a signers......: - signing date.: - verified.....: Unsigned Bat File Log (was not able to get it on desk top. Was able to get it to C:\ root and ran it from there) c:\windows\system32\svchost.exe BUILTIN\Users:R BUILTIN\Administrators:F NT AUTHORITY\SYSTEM:F c:\windows\system32\lsass.exe BUILTIN\Users:R BUILTIN\Administrators:F NT AUTHORITY\SYSTEM:F |
|
|
|
2009-11-17, 17:24
|
#8 | |
|
Security Expert
Join Date: Oct 2006
Location: Finland
Posts: 20,805
|
Hi,
Quote:
Click start->run->write services.msc and see what's the status of Remote Procedure Call (RPC) service. If it's not started, double click the service and set its startup type as automatic and start the service. If any issues arise post back (exact error message if any is shown).
__________________
Microsoft MVP Consumer Security 2008 2009 2010 ASAP & UNITE member since 2006 I don't help with logs thru PM. If you have problems create a thread in the forum, please. Malware removal instructions are for the correspondent user's case only. |
|
|
|
|
2009-11-18, 03:39
|
#9 |
|
Junior Member
Join Date: Nov 2009
Posts: 9
|
Hi Blade,
Here's what we have. Can't run from "START" as START is not on the Windows desktop anymore. Ran it from Task Manager. Status of RPC is "Starting". I let that go for about three hours and it still shows "starting". Doubling clicking it does nothing at all. I tried right click,and the following are all greyed out: Start Stop Pause Resume Restart No errors, just won't do anything. By the way, the "Extended" tab has nothing but a blue square on it. The Standard tab has the services listed. Not sure if that means anything. I checked other services and the following are all hung in the "starting" status as well: Automatic updates Intuit Update Service SSDP Discovery Service Symantec Network Proxy Windows Time. Rebooted into safe mode and it made no difference. Deerslayer |
|
|
|
2009-11-18, 10:23
|
#10 |
|
Security Expert
Join Date: Oct 2006
Location: Finland
Posts: 20,805
|
Hi,
Do you recall when this drag and drop issue first started to show up? What was done before it? Reboot the system. Then immediately after that start eventviewer thru task manager (eventvwr.exe) and see if there're errors that have same datetime stamp with the startup timestamp. Let me know what errors there are.
__________________
Microsoft MVP Consumer Security 2008 2009 2010 ASAP & UNITE member since 2006 I don't help with logs thru PM. If you have problems create a thread in the forum, please. Malware removal instructions are for the correspondent user's case only. |
|
|
| Thread Tools | |
| Display Modes | |
|
|
Linear Mode
