Online Security Guide, Live Safety Center & more



knappster_1
2007-11-17, 20:20
Spybot S&D got rid of some problems that were on here, but some still remain. Notably, there is a shortcut to Online Security Guide and Live Safety Center on the desktop and start menu. There are IE popups occasionally, and Spybot S&D sees registry edits sometimes too. I ran S&D in safe mode and it did not find anything. I removed two entries from startup in msconfig, "winshow" and "lwfnrjl", and both are back now. This machine has Symantec Antivirus, which has been run and detected/removed some items as well. Here is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:10 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\UPS\WSTD\Messages\WSTDMessaging.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Documents and Settings\rollin\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [68a1d0fe] rundll32.exe "C:\WINDOWS\system32\lwyfnrjl.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\Messages\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1513b40d4621f5c71520/netzip/RdxIE601.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = go4b.com
O17 - HKLM\Software\..\Telephony: DomainName = go4b.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = go4b.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = go4b.com
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7546 bytes
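As a way of reading the O3/O4/O17 entries in a log like the one above, here is an added Python example (not part of the original thread, and not a HijackThis feature): it parses those three line formats and flags the patterns the poster ran into, namely a Run value whose name is a bare hex string, rundll32 loading a DLL through a one-letter export, an executable sitting directly in C:\WINDOWS rather than in a subfolder, and a toolbar CLSID with no file behind it. The sample lines are copied from the log above; the regexes and the flagging rules are my own assumptions about the log format and about what merits review, not rules from HijackThis or Spybot.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [68a1d0fe] rundll32.exe "C:\WINDOWS\system32\lwyfnrjl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = go4b.com
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    severity: str  # "review" (look at it) or "info" (context only)
    reason: str
    line: str


# Assumed line formats, derived from the log lines above (not an official grammar).
O3_RE = re.compile(r'^O3 - Toolbar: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<file>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O17_RE = re.compile(r'^O17 - (?P<key>.*?): Domain(?:Name)? = (?P<domain>.*)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)

WIN_ROOT = 'c:\\windows\\'


def first_path(cmd: str) -> str:
    """Return the executable path from a Run command line (quoted or bare)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(' ')[0]


def in_windows_root(path: str) -> bool:
    """True for an .exe placed directly in C:\\WINDOWS, with no subfolder."""
    p = path.lower()
    return p.startswith(WIN_ROOT) and '\\' not in p[len(WIN_ROOT):] and p.endswith('.exe')


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return the entries worth a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O3_RE.match(line):
            if m['file'] == '(no file)':
                findings.append(Finding('O3', 'review',
                                        'toolbar CLSID registered but its file is missing', line))
        elif m := O4_RE.match(line):
            name, cmd = m['name'], m['cmd']
            # Legitimate Run values carry a product name; a bare hex string does not.
            if re.fullmatch(r'[0-9a-f]{6,}', name):
                findings.append(Finding('O4', 'review',
                                        f'Run value name "{name}" is a bare hex string', line))
            if r := RUNDLL_RE.match(cmd):
                if len(r['export']) <= 2:
                    findings.append(Finding('O4', 'review',
                                            f'rundll32 loads {r["dll"]} via a one-letter export', line))
            elif in_windows_root(first_path(cmd)):
                findings.append(Finding('O4', 'review',
                                        'executable placed directly in the Windows directory', line))
        elif m := O17_RE.match(line):
            # A DNS suffix is normal on a domain-joined machine; report it as context only.
            findings.append(Finding('O17', 'info', f'DNS domain suffix set to {m["domain"]}', line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity}] {f.section}: {f.reason}\n    {f.line}')
```

Run on the sample it reports the orphan O3 toolbar, the winshow.exe entry, the hex-named rundll32 entry (twice, once for the name and once for the one-letter export) and the O17 suffix as information, while the Symantec, Intel and ctfmon entries pass untouched. The O17 domain here matches the administrator.GO4B profile seen later in the ComboFix log, which is why the example treats it as context rather than a finding.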

steamwiz
2007-11-18, 00:07
Hi

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed, update the definitions
and then run a full system scan; quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

THEN ...

Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Please remember to post:

1. SUPERAntiSpyware Scan Log
2. C:\ComboFix.txt
3. a new HijackThis log (run after everything else)

steam

knappster_1
2007-11-19, 15:16
Superantispyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/18/2007 at 02:45 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 02:47:51

Memory items scanned : 490
Memory threats detected : 1
Registry items scanned : 6101
Registry threats detected : 5
File items scanned : 163953
File threats detected : 242

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\PMNLL.DLL
C:\WINDOWS\SYSTEM32\PMNLL.DLL
HKLM\Software\Classes\CLSID\{295DB863-5B9F-451B-B850-B75B8FAF4E7D}
HKCR\CLSID\{295DB863-5B9F-451B-B850-B75B8FAF4E7D}
HKCR\CLSID\{295DB863-5B9F-451B-B850-B75B8FAF4E7D}\InprocServer32
HKCR\CLSID\{295DB863-5B9F-451B-B850-B75B8FAF4E7D}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{295DB863-5B9F-451B-B850-B75B8FAF4E7D}

Adware.Tracking Cookie
C:\Documents and Settings\rollin\Cookies\rollin@interclick[2].txt
C:\Documents and Settings\rollin\Cookies\rollin@partypoker[2].txt
C:\Documents and Settings\rollin\Cookies\rollin@sexbuddies[2].txt
C:\Documents and Settings\rollin\Cookies\rollin@clicksor[2].txt
C:\Documents and Settings\rollin\Cookies\rollin@adlegend[3].txt
C:\Documents and Settings\rollin\Cookies\rollin@partygaming.122.2o7[1].txt
C:\Documents and Settings\rollin\Cookies\rollin@www.burstnet[1].txt
C:\Documents and Settings\rollin\Cookies\rollin@burstnet[2].txt
C:\Documents and Settings\rollin\Cookies\rollin@ad.yieldmanager[1].txt
C:\Documents and Settings\rollin\Cookies\rollin@CACWUTBH.txt
C:\Documents and Settings\rollin\Cookies\rollin@adsrevenue[1].txt
C:\Documents and Settings\rollin\Cookies\rollin@login.tracking101[2].txt
C:\Documents and Settings\rollin\Cookies\rollin@gamedownloadxp[1].txt
C:\Documents and Settings\rollin\Cookies\rollin@tacoda[2].txt
C:\Documents and Settings\rollin\Cookies\rollin@zedo[1].txt
C:\Documents and Settings\rollin\Cookies\rollin@doubleclick[1].txt
C:\Documents and Settings\Dave\Cookies\dave@112.2o7[2].txt
C:\Documents and Settings\Dave\Cookies\dave@122.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@247realmedia[2].txt
C:\Documents and Settings\Dave\Cookies\dave@2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@a.websponsors[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ad.yieldmanager[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ad4.bannerbank[2].txt
C:\Documents and Settings\Dave\Cookies\dave@adbrite[1].txt
C:\Documents and Settings\Dave\Cookies\dave@adknowledge[2].txt
C:\Documents and Settings\Dave\Cookies\dave@admarketplace[2].txt
C:\Documents and Settings\Dave\Cookies\dave@adopt.euroclick[2].txt
C:\Documents and Settings\Dave\Cookies\dave@adopt.specificclick[1].txt
C:\Documents and Settings\Dave\Cookies\dave@adrevenue[1].txt
C:\Documents and Settings\Dave\Cookies\dave@adrevolver[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ads.addynamix[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ads.as4x.tmcs.ticketmaster[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ads.as4x.tmcs[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ads.cnn[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ads.expedia[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ads.guardian.co[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ads.itv[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ads.monster[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ads.pointroll[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ads.realtechnetwork[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ads.revsci[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ads.wanadooregie[1].txt
C:\Documents and Settings\Dave\Cookies\dave@adtech[1].txt
C:\Documents and Settings\Dave\Cookies\dave@adv.webmd[2].txt
C:\Documents and Settings\Dave\Cookies\dave@advertising[2].txt
C:\Documents and Settings\Dave\Cookies\dave@anad.tacoda[1].txt
C:\Documents and Settings\Dave\Cookies\dave@anat.tacoda[2].txt
C:\Documents and Settings\Dave\Cookies\dave@aoluk.122.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@apmebf[1].txt
C:\Documents and Settings\Dave\Cookies\dave@as1.falkag[2].txt
C:\Documents and Settings\Dave\Cookies\dave@assets.gcapmedia[1].txt
C:\Documents and Settings\Dave\Cookies\dave@atdmt[2].txt
C:\Documents and Settings\Dave\Cookies\dave@atoc.112.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@atwola[2].txt
C:\Documents and Settings\Dave\Cookies\dave@bannerads.zwire[1].txt
C:\Documents and Settings\Dave\Cookies\dave@bannerads[2].txt
C:\Documents and Settings\Dave\Cookies\dave@banners[1].txt
C:\Documents and Settings\Dave\Cookies\dave@belnk[1].txt
C:\Documents and Settings\Dave\Cookies\dave@bizrate[2].txt
C:\Documents and Settings\Dave\Cookies\dave@bluestreak[2].txt
C:\Documents and Settings\Dave\Cookies\dave@bs.serving-sys[1].txt
C:\Documents and Settings\Dave\Cookies\dave@budgetcarhire.112.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@burstnet[1].txt
C:\Documents and Settings\Dave\Cookies\dave@c2.zedo[1].txt
C:\Documents and Settings\Dave\Cookies\dave@casalemedia[2].txt
C:\Documents and Settings\Dave\Cookies\dave@cc.bridgetrack[2].txt
C:\Documents and Settings\Dave\Cookies\dave@centerparcs.112.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@clicktracks.aristotle[2].txt
C:\Documents and Settings\Dave\Cookies\dave@cnn.122.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@commission-junction[1].txt
C:\Documents and Settings\Dave\Cookies\dave@counter.hitslink[1].txt
C:\Documents and Settings\Dave\Cookies\dave@counter2.hitslink[2].txt
C:\Documents and Settings\Dave\Cookies\dave@data2.perf.overture[2].txt
C:\Documents and Settings\Dave\Cookies\dave@dist.belnk[2].txt
C:\Documents and Settings\Dave\Cookies\dave@doubleclick.hertz[1].txt
C:\Documents and Settings\Dave\Cookies\dave@doubleclick[2].txt
C:\Documents and Settings\Dave\Cookies\dave@dowjones.122.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@edge.ru4[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-airtran.hitbox[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-associatednewmedia.hitbox[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-attconsumer.hitbox[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-attworldnet.hitbox[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-bbc.hitbox[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-bskyb.hitbox[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-capitalgroup.hitbox[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-deltatre.hitbox[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-dig.hitbox[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-fastweb.hitbox[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-foxsports.hitbox[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-hitent.hitbox[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-hollywoodmedia.hitbox[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-inforspaceinc.hitbox[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-liverpoolfctv.hitbox[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-logantod.hitbox[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-pennwell.hitbox[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-pizzahut.hitbox[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-reebok.hitbox[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-wssuk.hitbox[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-youtube.hitbox[2].txt
C:\Documents and Settings\Dave\Cookies\dave@etype.adbureau[2].txt
C:\Documents and Settings\Dave\Cookies\dave@exitexchange[2].txt
C:\Documents and Settings\Dave\Cookies\dave@fastclick[1].txt
C:\Documents and Settings\Dave\Cookies\dave@findwhat[1].txt
C:\Documents and Settings\Dave\Cookies\dave@fortunecity[1].txt
C:\Documents and Settings\Dave\Cookies\dave@haynet.adbureau[1].txt
C:\Documents and Settings\Dave\Cookies\dave@hc2.humanclick[1].txt
C:\Documents and Settings\Dave\Cookies\dave@hertz.122.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@hitbox[1].txt
C:\Documents and Settings\Dave\Cookies\dave@icc.intellisrv[2].txt
C:\Documents and Settings\Dave\Cookies\dave@indexstats[2].txt
C:\Documents and Settings\Dave\Cookies\dave@indextools[2].txt
C:\Documents and Settings\Dave\Cookies\dave@keywordmax[1].txt
C:\Documents and Settings\Dave\Cookies\dave@livenation.122.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@m1.webstats4u[1].txt
C:\Documents and Settings\Dave\Cookies\dave@marksandspencer.122.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@maxserving[1].txt
C:\Documents and Settings\Dave\Cookies\dave@media.adrevolver[2].txt
C:\Documents and Settings\Dave\Cookies\dave@media.adrevolver[3].txt
C:\Documents and Settings\Dave\Cookies\dave@media.adrevolver[4].txt
C:\Documents and Settings\Dave\Cookies\dave@media.hotels[1].txt
C:\Documents and Settings\Dave\Cookies\dave@mediaplex[1].txt
C:\Documents and Settings\Dave\Cookies\dave@mediauk[2].txt
C:\Documents and Settings\Dave\Cookies\dave@microsoftwlmessengermkt.112.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@msnportal.112.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@network.realmedia[2].txt
C:\Documents and Settings\Dave\Cookies\dave@nextag[2].txt
C:\Documents and Settings\Dave\Cookies\dave@northwestairlines.112.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@offers.intermediainteractive[1].txt
C:\Documents and Settings\Dave\Cookies\dave@overture[1].txt
C:\Documents and Settings\Dave\Cookies\dave@partner2profit[1].txt
C:\Documents and Settings\Dave\Cookies\dave@partygaming.122.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@partypoker[2].txt
C:\Documents and Settings\Dave\Cookies\dave@peoria.rentclicks[1].txt
C:\Documents and Settings\Dave\Cookies\dave@perf.overture[1].txt
C:\Documents and Settings\Dave\Cookies\dave@phg.hitbox[1].txt
C:\Documents and Settings\Dave\Cookies\dave@precisionclick[1].txt
C:\Documents and Settings\Dave\Cookies\dave@premiumtv.122.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@pro-market[1].txt
C:\Documents and Settings\Dave\Cookies\dave@publishers.clickbooth[1].txt
C:\Documents and Settings\Dave\Cookies\dave@qksrv[1].txt
C:\Documents and Settings\Dave\Cookies\dave@qnsr[1].txt
C:\Documents and Settings\Dave\Cookies\dave@questionmarket[1].txt
C:\Documents and Settings\Dave\Cookies\dave@realmedia[2].txt
C:\Documents and Settings\Dave\Cookies\dave@rentclicks[1].txt
C:\Documents and Settings\Dave\Cookies\dave@revenue[1].txt
C:\Documents and Settings\Dave\Cookies\dave@revsci[1].txt
C:\Documents and Settings\Dave\Cookies\dave@roiservice[2].txt
C:\Documents and Settings\Dave\Cookies\dave@sales.liveperson[1].txt
C:\Documents and Settings\Dave\Cookies\dave@sel.as-eu.falkag[1].txt
C:\Documents and Settings\Dave\Cookies\dave@server.iad.liveperson[2].txt
C:\Documents and Settings\Dave\Cookies\dave@server.lon.liveperson[2].txt
C:\Documents and Settings\Dave\Cookies\dave@server2.bkvtrack[2].txt
C:\Documents and Settings\Dave\Cookies\dave@serving-sys[2].txt
C:\Documents and Settings\Dave\Cookies\dave@spylog[1].txt
C:\Documents and Settings\Dave\Cookies\dave@stat.dealtime[1].txt
C:\Documents and Settings\Dave\Cookies\dave@stat.onestat[1].txt
C:\Documents and Settings\Dave\Cookies\dave@statcounter[2].txt
C:\Documents and Settings\Dave\Cookies\dave@stats.channel4[1].txt
C:\Documents and Settings\Dave\Cookies\dave@statse.webtrendslive[1].txt
C:\Documents and Settings\Dave\Cookies\dave@statse.webtrendslive[3].txt
C:\Documents and Settings\Dave\Cookies\dave@tacoda[2].txt
C:\Documents and Settings\Dave\Cookies\dave@tracking.dc-storm[1].txt
C:\Documents and Settings\Dave\Cookies\dave@tracking.foxnews[1].txt
C:\Documents and Settings\Dave\Cookies\dave@tracking.webdiversity.co[1].txt
C:\Documents and Settings\Dave\Cookies\dave@tradedoubler[1].txt
C:\Documents and Settings\Dave\Cookies\dave@trafficmp[1].txt
C:\Documents and Settings\Dave\Cookies\dave@tribalfusion[2].txt
C:\Documents and Settings\Dave\Cookies\dave@trinitymirror.112.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@tripod[1].txt
C:\Documents and Settings\Dave\Cookies\dave@valueclick[1].txt
C:\Documents and Settings\Dave\Cookies\dave@volkswagen.122.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@webstats.thefa[1].txt
C:\Documents and Settings\Dave\Cookies\dave@webtracking.touchclarity[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ww3.shoshkeles[2].txt
C:\Documents and Settings\Dave\Cookies\dave@www.burstbeacon[2].txt
C:\Documents and Settings\Dave\Cookies\dave@www.burstnet[1].txt
C:\Documents and Settings\Dave\Cookies\dave@www.clash-media[2].txt
C:\Documents and Settings\Dave\Cookies\dave@www.googleadservices[1].txt
C:\Documents and Settings\Dave\Cookies\dave@www.macromedia[1].txt
C:\Documents and Settings\Dave\Cookies\dave@www.rentclicks[1].txt
C:\Documents and Settings\Dave\Cookies\dave@xiti[1].txt
C:\Documents and Settings\Dave\Cookies\dave@yieldmanager[2].txt
C:\Documents and Settings\Dave\Cookies\dave@zedo[1].txt
C:\Documents and Settings\rollin\Cookies\rollin@adlegend[2].txt
C:\Documents and Settings\rollin\Cookies\rollin@clickbank[10].txt
C:\Documents and Settings\rollin\Cookies\rollin@clickbank[11].txt
C:\Documents and Settings\rollin\Cookies\rollin@clickbank[2].txt
C:\Documents and Settings\rollin\Cookies\rollin@clickbank[3].txt
C:\Documents and Settings\rollin\Cookies\rollin@clickbank[4].txt
C:\Documents and Settings\rollin\Cookies\rollin@clickbank[5].txt
C:\Documents and Settings\rollin\Cookies\rollin@clickbank[6].txt
C:\Documents and Settings\rollin\Cookies\rollin@clickbank[7].txt
C:\Documents and Settings\rollin\Cookies\rollin@clickbank[8].txt
C:\Documents and Settings\rollin\Cookies\rollin@clickbank[9].txt

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO1.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO13.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO14.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO15.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO16.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO17.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO19.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO1A.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO1B.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO1C.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO1D.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO1E.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO1F.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO2.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO20.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO21.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO22.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO27.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO28.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO29.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO2A.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO2B.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO2E.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO2F.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO3.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO30.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO31.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO32.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO4.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO5.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO6.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO66.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO67.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO68.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO69.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO6A.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO7.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO8.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICO9.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICOA.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICOB.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICOC.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICOD.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICOE.TMP
C:\DOCUMENTS AND SETTINGS\ROLLIN\LOCAL SETTINGS\TEMP\ICOF.TMP

Adware.ClickSpring/Yazzle
C:\WINDOWS\PREFETCH\YAZZLE1549OINADMIN.EXE-0C086C08.PF
C:\WINDOWS\PREFETCH\YAZZLEBUNDLE-1549.EXE-0D717809.PF

knappster_1
2007-11-19, 15:17
Combofix Log:

ComboFix 07-11-08.3 - ROLLIN 2007-11-19 7:38:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.138 [GMT -6:00]
Running from: C:\Documents and Settings\rollin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\rollin\Desktop\Live Safety Center.lnk
C:\Documents and Settings\rollin\Desktop\Online Security Guide.lnk
C:\Documents and Settings\rollin\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\llnmp.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\winshow.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-19 to 2007-11-19 )))))))))))))))))))))))))))))))
.

2007-11-19 07:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-18 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-18 11:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-18 11:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 11:53 <DIR> d-------- C:\Documents and Settings\rollin\Application Data\SUPERAntiSpyware.com
2007-11-17 09:39 84,545 --a------ C:\WINDOWS\SYSTEM32\vouqqomk.dll
2007-11-17 09:39 82,496 --a------ C:\WINDOWS\SYSTEM32\kxfnsucl.dll
2007-11-16 15:55 <DIR> d-------- C:\WINDOWS\pss
2007-11-16 10:21 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-16 09:42 81,984 --a------ C:\WINDOWS\SYSTEM32\cdckuqol.dll
2007-11-16 09:39 145,780 --a------ C:\WINDOWS\SYSTEM32\xwrixeha.dll
2007-11-15 08:29 441,420 --ahs---- C:\WINDOWS\SYSTEM32\llnmp.ini2
2007-11-14 17:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\rMa02yy
2007-11-14 17:05 <DIR> d-------- C:\TEMP\abW9
2007-11-14 17:05 36,352 --a------ C:\WINDOWS\SYSTEM32\gebxxxw.dll
2007-11-06 08:38 241,721 --a------ C:\WINDOWS\SYSTEM32\HPBMINI.DLL
2007-11-06 08:38 103,424 --a------ C:\WINDOWS\SYSTEM32\hpzpnp.dll
2007-11-06 08:38 61,440 --a------ C:\WINDOWS\SYSTEM32\HPNRA.EXE
2007-11-06 08:38 52,736 --a------ C:\WINDOWS\SYSTEM32\HPZIPM12.DLL
2007-11-06 08:38 43,520 --a------ C:\WINDOWS\SYSTEM32\HPZINW12.DLL
2007-11-06 08:38 38,912 --a------ C:\WINDOWS\SYSTEM32\HPBPRO.DLL
2007-11-06 08:38 25,600 --a------ C:\WINDOWS\SYSTEM32\HPBOID.DLL
2007-11-06 08:37 <DIR> d-------- C:\HP LJ4x50 Series

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-19 13:26 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-16 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-29 14:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-29 13:50 --------- d-----w C:\Program Files\FedEx
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-08-21 17:44 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-08-21 17:44 249,856 ------w C:\WINDOWS\Setup1.exe
2007-08-21 16:20 60,968 ----a-w C:\Documents and Settings\rollin\GoToAssistDownloadHelper.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-06-07 17:49 2 ----a-w C:\Documents and Settings\administrator.GO4B\WSSEMAPHORES.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{295DB863-5B9F-451B-B850-B75B8FAF4E7D}]
C:\WINDOWS\system32\pmnll.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]
2007-11-14 17:05 36352 --a------ C:\WINDOWS\system32\gebxxxw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD82EC86-537D-47FC-99AD-F24228F65B51}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-09-15 14:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 08:21]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2005-06-23 18:27]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 16:51]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 19:28]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2006-01-20 10:46]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 01:56]
"NA1Messenger"="C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe" [2007-03-23 22:24]
"68a1d0fe"="C:\WINDOWS\system32\lwyfnrjl.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-01-24 09:57:12]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 09:05:56]
UPS WorldShip Messaging Utility.lnk - C:\UPS\WSTD\Messages\WSTDMessaging.exe [2007-02-07 02:33:26]
UPS WorldShip PLD Reminder Utility.lnk - C:\UPS\WSTD\wstdPldReminder.exe [2007-02-07 01:27:28]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"= C:\WINDOWS\system32\gebxxxw.dll [2007-11-14 17:05 36352]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxxxw]
gebxxxw.dll 2007-11-14 17:05 36352 C:\WINDOWS\SYSTEM32\gebxxxw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\68a1d0fe]
rundll32.exe "C:\WINDOWS\system32\lwyfnrjl.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
"C:\WINDOWS\winshow.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-19 07:49:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-19 7:59:07
.
--- E O F ---

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:13, on 2007-11-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\UPS\WSTD\Messages\WSTDMessaging.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\rollin\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
O4 - HKLM\..\Run: [68a1d0fe] rundll32.exe "C:\WINDOWS\system32\lwyfnrjl.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\Messages\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1513b40d4621f5c71520/netzip/RdxIE601.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = go4b.com
O17 - HKLM\Software\..\Telephony: DomainName = go4b.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = go4b.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = go4b.com
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7390 bytes

steamwiz
2007-11-19, 21:50
Hi

Please find your hijackthis.exe file and rename it...

from this :-

C:\Documents and Settings\rollin\Desktop\HiJackThis.exe

to this :-

C:\Documents and Settings\rollin\Desktop\problems.exe

Run problems.exe & post a new log, please.

steam

knappster_1
2007-11-19, 22:21
HijackThis (Problems.exe) log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:16, on 2007-11-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\UPS\WSTD\Messages\WSTDMessaging.exe
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\WINDOWS\system32\wufknsbw.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\internet explorer\iexplore.exe
C:\UPS\WSTD\WorldShipTD.exe
C:\UPS\WSTD\upslnkmg.exe
c:\ups\wstd\tdrptsrv.exe
M:\90W\Mas90\Home\pvxwin32.exe
M:\90W\Mas90\launcher\launch32.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Documents and Settings\rollin\Desktop\Problems.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {15F9B025-D7E6-4A89-9BF9-1A7E36AF3A27} - C:\WINDOWS\system32\geedd.dll
O2 - BHO: (no name) - {295DB863-5B9F-451B-B850-B75B8FAF4E7D} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\gebxxxw.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {DD82EC86-537D-47FC-99AD-F24228F65B51} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
O4 - HKLM\..\Run: [68a1d0fe] rundll32.exe "C:\WINDOWS\system32\lwyfnrjl.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\Messages\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1513b40d4621f5c71520/netzip/RdxIE601.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = go4b.com
O17 - HKLM\Software\..\Telephony: DomainName = go4b.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = go4b.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = go4b.com
O20 - Winlogon Notify: gebxxxw - C:\WINDOWS\SYSTEM32\gebxxxw.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\wufknsbw.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8469 bytes

steamwiz
2007-11-19, 22:38
Hi

Thank you ... you will see the O2 & O20 entries are now showing in your log ...

Open Notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\WINDOWS\SYSTEM32\vouqqomk.dll
C:\WINDOWS\SYSTEM32\kxfnsucl.dll
C:\WINDOWS\SYSTEM32\cdckuqol.dll
C:\WINDOWS\SYSTEM32\xwrixeha.dll
C:\WINDOWS\SYSTEM32\llnmp.ini2
C:\WINDOWS\SYSTEM32\gebxxxw.dll
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\lwyfnrjl.dll

Folder::
C:\WINDOWS\SYSTEM32\rMa02yy
C:\TEMP

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15F9B025-D7E6-4A89-9BF9-1A7E36AF3A27}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{295DB863-5B9F-451B-B850-B75B8FAF4E7D}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD82EC86-537D-47FC-99AD-F24228F65B51}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"68a1d0fe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxxxw]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\68a1d0fe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]



Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam

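As an added example that is not part of the original thread (and not HijackThis or ComboFix logic), the Python script below runs a few constructed triage rules over the kinds of O2, O4, O20 and O23 lines posted above, flagging the same structural signals the helper acted on: BHOs with no name or no file, a Run key loading a DLL via rundll32, a Winlogon Notify DLL, and a service with no publisher or a missing binary.

```python
"""Triage helper for HijackThis log lines.

Added example: this is not code from the original thread, from HijackThis
or from ComboFix. It parses the O2, O4, O20 and O23 line formats seen in
the logs above and flags structural signals: a BHO with no name or no file
on disk, a Run key that loads a DLL through rundll32, any Winlogon Notify
DLL, and a service with no recorded publisher or a missing binary. The
rules are constructed triage hints, not a verdict on any file.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {15F9B025-D7E6-4A89-9BF9-1A7E36AF3A27} - C:\WINDOWS\system32\geedd.dll
O2 - BHO: (no name) - {295DB863-5B9F-451B-B850-B75B8FAF4E7D} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {DD82EC86-537D-47FC-99AD-F24228F65B51} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [68a1d0fe] rundll32.exe "C:\WINDOWS\system32\lwyfnrjl.dll",b
O20 - Winlogon Notify: gebxxxw - C:\WINDOWS\SYSTEM32\gebxxxw.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\wufknsbw.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - cmd.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# One regex per HijackThis section handled here; the named groups mirror the
# "name - {CLSID} - path" / "name - company - path" layout of the log.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# An empty company collapses to "name - - path", so the space before the
# second dash is optional.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.*?) ?- (?P<path>\S.*)$")
HEX_KEY_RE = re.compile(r"^[0-9a-f]{6,}$")
MISSING = ("(file missing)", "(no file)")


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if no rule fires."""
    line = line.strip()
    reasons: List[str] = []
    if m := O2_RE.match(line):
        if m["name"] == "(no name)":
            reasons.append("BHO registered without a display name")
        if m["path"].endswith(MISSING):
            reasons.append("BHO CLSID points at a file that is no longer on disk (orphaned entry)")
        return Finding("O2", line, reasons) if reasons else None
    if m := O4_RE.match(line):
        key = m["key"]
        if m["cmd"].lower().startswith("rundll32"):
            reasons.append("Run key starts a DLL through rundll32 instead of a named program")
        if HEX_KEY_RE.match(key):
            reasons.append(f"Run key name '{key}' is a bare hex string, not a product name")
        return Finding("O4", line, reasons) if reasons else None
    if m := O20_RE.match(line):
        # Winlogon Notify DLLs load into winlogon.exe at every logon, which is
        # why the helper above removed this one explicitly.
        reasons.append(f"Winlogon Notify DLL '{m['path']}' loads into winlogon.exe; verify its origin")
        return Finding("O20", line, reasons)
    if m := O23_RE.match(line):
        if m["company"].strip() in ("", "Unknown owner"):
            reasons.append("service has no recorded publisher")
        if m["path"].endswith(MISSING):
            reasons.append("service binary is missing from disk")
        return Finding("O23", line, reasons) if reasons else None
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every non-blank line through the rules and keep the hits."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        if raw.strip():
            hit = triage_line(raw)
            if hit:
                findings.append(hit)
    return findings


def report(findings: List[Finding]) -> str:
    """Human-readable summary, one block per flagged line."""
    out = []
    for f in findings:
        out.append(f"[{f.section}] {f.line}")
        out.extend(f"    - {r}" for r in f.reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

On the sample above it flags seven entries and leaves the Adobe, Spybot, ccApp and Rtvscan lines alone; a hit is a prompt to look up the CLSID or file, not proof of infection.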
knappster_1
2007-11-19, 23:52
Hello Steamwiz. Thanks for your help thus far. I attempted this and one of the command prompts showed "'SED' is not recognized as an internal or external command, operable program,or batchfile." two lines in a row, while another command prompt sat on top of it with just the cursor flashing. After about 30 minutes I closed the two command prompts and restarted.

After restarting, I had to create the text file again. I double checked that I followed your rules, but upon running it again, I am in the same situation. I still have the command prompts up. Can you tell me what I should do from here? Thanks.

steamwiz
2007-11-20, 00:58
Hi

I'm sorry, I've no idea what's going on at the moment ... it's late & I have to be up at 6am, so I don't have time to research it now ...

Please run this scan & we'll continue tomorrow...

Go here to run an online scan from ESET.

http://www.eset.eu/online-scanner

Note: You will need to use Internet Explorer for this scan

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the ActiveX control to install
4. Click Start
5. Make sure that the options Remove found threats and Scan unwanted applications are checkmarked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Copy and paste the log into your next reply

steam

knappster_1
2007-11-20, 23:16
Sorry for the delay. Some knucklehead closed the scanner after it had been running for 4 hours and it had to start over. It had detected 3 threats before he closed it, but unfortunately I couldn't find a log of what was found. Upon completion of the second go-round, this is the log:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2673 (20071120)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=252dd86ab0cfb84c961d6bd42b72fa37
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2007-11-20 10:10:21
# local_time=2007-11-20 04:10:21 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=1060539
# found=2
# scan_time=14495
C:\WINDOWS\SYSTEM32\tedvhytb.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\wufknsbw.exe Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000

steamwiz
2007-11-21, 22:55
Hi

Please delete your Combofix.exe file & download the version from here :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

See if you have any better luck with it ...

steam

knappster_1
2007-11-22, 00:02
Hey steamwiz,

Still no dice. It did the same thing as the earlier version. Earlier today I ran VundoFix and Spybot S&D. Symantec Antivirus has been picking up viruses like Virtumonde and Ezula lately, too, so some things may have changed. I am posting my current HijackThis log and the VundoFix log below.

HijackThis (run as Problem.exe):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:01, on 2007-11-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\UPS\WSTD\Messages\WSTDMessaging.exe
C:\Documents and Settings\rollin\Desktop\Problems.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {045FC74F-E48D-4DB7-B38A-764715043D43} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0C0FF94A-DC57-4B9B-8984-73E443EA415C} - (no file)
O2 - BHO: (no name) - {295DB863-5B9F-451B-B850-B75B8FAF4E7D} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: (no name) - {2CDF24C5-7FE6-4096-B854-85CAEB61DAF2} - C:\WINDOWS\system32\geedd.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {78A2ED6E-7085-4FF3-A382-8B9310871AC4} - (no file)
O2 - BHO: (no name) - {DD82EC86-537D-47FC-99AD-F24228F65B51} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\Messages\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1513b40d4621f5c71520/netzip/RdxIE601.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = go4b.com
O17 - HKLM\Software\..\Telephony: DomainName = go4b.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = go4b.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = go4b.com
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - cmd.exe (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8541 bytes

Vundofix:


VundoFix V6.6.2

Checking Java version...

Scan started at 12:00:49 PM 11/17/2007

Listing files found while scanning....


VundoFix V6.6.2

Checking Java version...

Scan started at 09:44:55 2007-11-21

Listing files found while scanning....

C:\WINDOWS\system32\gebxxxw.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gebxxxw.dll
C:\WINDOWS\system32\gebxxxw.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gebxxxw.dll
C:\WINDOWS\system32\gebxxxw.dll Has been deleted!

Performing Repairs to the registry.
Done!

steamwiz
2007-11-22, 21:14
Hi

OK ... the last version I gave you was a slightly older "more stable" version of Combofix, which I hoped might work for you... the author of the program is aware of the SED errors being encountered by some users, & has managed to correct some of them...

So ... I would like you to delete the version you have now, and try the latest version again ...

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

It really is worth the messing about if we can get it to work again ...

In the meantime please do this :-

Then reboot into safe mode (click here for instructions: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)

Run hijackthis & place a checkmark next to :-

O2 - BHO: (no name) - {045FC74F-E48D-4DB7-B38A-764715043D43} - (no file)
O2 - BHO: (no name) - {0C0FF94A-DC57-4B9B-8984-73E443EA415C} - (no file)
O2 - BHO: (no name) - {295DB863-5B9F-451B-B850-B75B8FAF4E7D} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: (no name) - {2CDF24C5-7FE6-4096-B854-85CAEB61DAF2} - C:\WINDOWS\system32\geedd.dll
O2 - BHO: (no name) - {78A2ED6E-7085-4FF3-A382-8B9310871AC4} - (no file)
O2 - BHO: (no name) - {DD82EC86-537D-47FC-99AD-F24228F65B51} - (no file)

Click "fix checked"

Still in safemode

find and delete :- (if found)

These Files :-

C:\WINDOWS\SYSTEM32\vouqqomk.dll
C:\WINDOWS\SYSTEM32\kxfnsucl.dll
C:\WINDOWS\SYSTEM32\cdckuqol.dll
C:\WINDOWS\SYSTEM32\xwrixeha.dll
C:\WINDOWS\SYSTEM32\llnmp.ini2
C:\WINDOWS\SYSTEM32\gebxxxw.dll
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\lwyfnrjl.dll

These Folders :-

C:\WINDOWS\SYSTEM32\rMa02yy
C:\TEMP\abW9

Reboot back to normal mode ...

Please let me know which files you found\didn't find & which you were able to delete\not delete.

Post a new hijackthis log & Combofix log (if you got it to work)

steam
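The fix list above is built from a pattern in the HijackThis log: O2 BHO registrations that end in "(no file)" or "(file missing)", an unnamed BHO whose DLL is still on disk, and (in the first log in this thread) an O23 service entry whose binary is a bare "cmd.exe (file missing)" with no vendor. The following triage script is an added example, not code from this thread, from HijackThis or from Spybot. It parses lines in HijackThis v2 format and marks those patterns for review; the sample lines are copied from the logs posted here, and the expected-domain allowlist (go4b.com, which the Deckard log later confirms as USERDNSDOMAIN) is an assumption the caller supplies, because an O17 entry is only suspicious when it names a domain the machine should not be joined to.

```python
import re
from typing import List, Sequence, Tuple

# A finding is (section, reason, raw log line).
Finding = Tuple[str, str, str]

# Constructed sample, modelled on the HijackThis v2 lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {045FC74F-E48D-4DB7-B38A-764715043D43} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {295DB863-5B9F-451B-B850-B75B8FAF4E7D} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: (no name) - {2CDF24C5-7FE6-4096-B854-85CAEB61DAF2} - C:\WINDOWS\system32\geedd.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = go4b.com
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - cmd.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Generic "Oxx - body" shape shared by every HijackThis line.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# O2: "BHO: <name> - {CLSID} - <dll path | (no file)>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
# O23: "Service: <display name> - <vendor> - <binary>" (lazy groups so ' - ' inside a path stays in the path)
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<binary>.*)$")
# O17: "...: Domain = x" or "...: DomainName = x"
DOMAIN_RE = re.compile(r"Domain(?:Name)? = (?P<domain>\S+)")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def _check_bho(body: str):
    m = BHO_RE.match(body)
    if not m:
        return None
    target = m.group("target")
    if target == "(no file)" or target.endswith("(file missing)"):
        return "orphaned BHO: the CLSID is still registered but its DLL is gone"
    if m.group("name") == "(no name)":
        return "unnamed BHO whose DLL is present: review the file before deciding"
    return None


def _check_service(body: str):
    m = SVC_RE.match(body)
    if not m:
        return None
    reasons = []
    if m.group("owner").lower() == "unknown owner":
        reasons.append("no vendor recorded for the service binary")
    binary = m.group("binary").strip('"')
    if not DRIVE_PATH_RE.match(binary):
        # A bare name is resolved through PATH at service start, which is never how a real service is installed.
        reasons.append("service binary given as a bare name, not a full path")
    if binary.endswith("(file missing)"):
        reasons.append("service binary not on disk")
    return "; ".join(reasons) or None


def _check_domain(body: str, expected: set):
    m = DOMAIN_RE.search(body)
    if m and m.group("domain").lower() not in expected:
        return "domain setting does not match any expected domain"
    return None


def triage(log_text: str, expected_domains: Sequence[str] = ()) -> List[Finding]:
    """Return the HijackThis lines a reviewer should look at, with the reason each was flagged."""
    expected = {d.lower() for d in expected_domains}
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O2":
            reason = _check_bho(body)
        elif sec == "O17":
            reason = _check_domain(body, expected)
        elif sec == "O23":
            reason = _check_service(body)
        else:
            reason = None  # other sections are passed over by this example
        if reason:
            findings.append((sec, reason, raw))
    return findings


if __name__ == "__main__":
    for sec, reason, raw in triage(SAMPLE_LOG, expected_domains=["go4b.com"]):
        print(f"[{sec}] {reason}\n    {raw}")
```

Run as-is it reports the two orphaned BHOs, the unnamed geedd.dll BHO and the ALG service line; the go4b.com O17 entries are silent because they are on the allowlist. Drop the allowlist and the O17 line is reported too, which is the point: the same entry is benign on a domain-joined machine and worth a look on a home PC, so the check needs that context rather than a fixed rule.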

knappster_1
2007-11-26, 15:35
I have tried the ComboFix again, and it is still unsuccessful, but for a reason. Now it says:
Del /a NlsLang 2>nul

Prior to that in a different window it says something to the effect of:
C:\ComboFix\DirRoot
The file cannot be opened because it is in use by another process.

Something is still wrong, even after deleting the keys from hijackThis, because there are random zip files popping up on the desktop now. This was the only entry in hijackthis that was not there:
O2 - BHO: (no name) - {2CDF24C5-7FE6-4096-B854-85CAEB61DAF2} - C:\WINDOWS\system32\geedd.dll

and none of the files or folders you asked me to delete were there.

Here is the updated log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:11 AM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\rollin.12-MIDDLEOFFICE\Desktop\Problems.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\Messages\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1513b40d4621f5c71520/netzip/RdxIE601.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = go4b.com
O17 - HKLM\Software\..\Telephony: DomainName = go4b.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = go4b.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = go4b.com
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6567 bytes

steamwiz
2007-11-26, 21:27
Hi



I have tried the ComboFix again, and it is still unsuccessful, but for a reason. Now it says:
Del /a NlsLang 2>nul


That's a new one to me ... I'll have to get back to you on that ...

What are the names of the random zip files? Do you mean the names are random? If so, please post a couple of them for me; even random ones usually follow some kind of pattern ...

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky,
Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:


Extended (if available otherwise Standard)


Scan Options:


Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:

Select My Computer

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Once finished, save the log to your Desktop as filename KAV.txt


THEN ...

Download Deckard's System Scanner (formerly Comboscan) (http://www.geekstogo.com/forum/index.php?automodule=downloads&showfile=19) to your Desktop.

1. Close all applications and windows.
2. Double-click on comboscan.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open - ComboScan.txt
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your next reply.
5. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
6. Please copy and paste the contents of Supplementary.txt to your post.


Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

-
After running these please post a new hijackthis log run from normal mode ...

steam

knappster_1
2007-11-27, 14:56
I'm having the worst luck with all of this. After running Kaspersky, nothing popped up for saving the log (almost 6 hours to run the darn thing). I jotted down a few notes and ran the Comboscan and will run Kaspersky again to see if it gives log info the 2nd time. In the meantime, this is what I have:

The current zip file on the desktop is named:
[4]-Submit_2007-11-26@7.32.zip

While Kaspersky was running, Symantec Antivirus detected Trojan.Metajuan twice and
Trojan.Vundo once

Kaspersky details:

Kaspersky Total number of scanned objects: 932095
Number of viruses found: 6
Number of infected objects: 11
Number of suspicious objects: 5
Duration of the scan process 05:47:54

Comboscan (Deckard System Scanner)
main.txt:

Deckard's System Scanner v20071014.68
Run by rollin on 2007-11-27 07:43:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
14: 2007-11-27 13:43:59 UTC - RP14 - Deckard's System Scanner Restore Point
13: 2007-11-26 14:07:29 UTC - RP13 - ComboFix created restore point
12: 2007-11-26 13:30:30 UTC - RP12 - ComboFix created restore point
11: 2007-11-21 22:39:47 UTC - RP11 - ComboFix created restore point
10: 2007-11-21 20:49:16 UTC - RP10 - Installed Java(TM) 6 Update 3


-- First Restore Point --
1: 2007-11-20 13:28:02 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as rollin.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:45, on 2007-11-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\UPS\WSTD\Messages\WSTDMessaging.exe
C:\Documents and Settings\rollin\Desktop\dss.exe
C:\DOCUME~1\ROLLIN~1.12-\Desktop\rollin.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {045FC74F-E48D-4DB7-B38A-764715043D43} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0C0FF94A-DC57-4B9B-8984-73E443EA415C} - (no file)
O2 - BHO: (no name) - {295DB863-5B9F-451B-B850-B75B8FAF4E7D} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {78A2ED6E-7085-4FF3-A382-8B9310871AC4} - (no file)
O2 - BHO: (no name) - {DD82EC86-537D-47FC-99AD-F24228F65B51} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\Messages\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1513b40d4621f5c71520/netzip/RdxIE601.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = go4b.com
O17 - HKLM\Software\..\Telephony: DomainName = go4b.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = go4b.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = go4b.com
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8266 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\ROLLIN~1.12-\Desktop\backups\) --------

backup-20071126-075143-451 O2 - BHO: (no name) - {DD82EC86-537D-47FC-99AD-F24228F65B51} - (no file)
backup-20071126-075143-491 O2 - BHO: (no name) - {295DB863-5B9F-451B-B850-B75B8FAF4E7D} - C:\WINDOWS\system32\pmnll.dll (file missing)
backup-20071126-075143-711 O2 - BHO: (no name) - {0C0FF94A-DC57-4B9B-8984-73E443EA415C} - (no file)
backup-20071126-075143-761 O2 - BHO: (no name) - {78A2ED6E-7085-4FF3-A382-8B9310871AC4} - (no file)
backup-20071126-075143-794 O2 - BHO: (no name) - {045FC74F-E48D-4DB7-B38A-764715043D43} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 AsfAlrt - c:\windows\system32\drivers\asfalrt.sys <Not Verified; Intel Corporation; Intel Alert on LAN® 2>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 catchme - c:\docume~1\rollin\locals~1\temp\catchme.sys (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ASFAgent (ASF Agent) - c:\program files\intel\asf agent\asfagent.exe <Not Verified; Intel Corporation; Intel® PRO Alerting Suite ASF 1.0 and ASF 2.0 Compatible>
R2 Iap - c:\program files\dell\openmanage\client\iap.exe <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-10-27 and 2007-11-27 -----------------------------

2007-11-27 07:43:27 0 d-------- U:\Deckard
2007-11-26 14:52:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-26 14:52:01 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-26 14:51:57 0 d-------- C:\WINDOWS\LastGood
2007-11-21 14:53:36 0 d-------- C:\Program Files\Java
2007-11-21 14:49:26 0 d-------- C:\Program Files\Common Files\Java
2007-11-21 14:46:43 0 --a------ C:\WINDOWS\mozver.dat
2007-11-21 08:41:19 80960 --a------ C:\WINDOWS\system32\lruxxams.dll
2007-11-21 08:38:11 84545 --a------ C:\WINDOWS\system32\qtsrvcck.dll
2007-11-20 07:40:10 0 d-------- C:\Program Files\EsetOnlineScanner
2007-11-18 11:54:10 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-18 11:53:43 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-11-18 11:53:43 0 d-------- C:\Documents and Settings\rollin\Application Data\SUPERAntiSpyware.com
2007-11-18 11:53:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-17 13:08:54 2 -----n--- U:\WSSEMAPHORES.dat
2007-11-16 15:55:26 0 d-------- C:\WINDOWS\pss
2007-11-16 10:38:10 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-11-16 10:21:05 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-16 10:20:32 0 d-------- C:\Documents and Settings\rollin\Application Data\Mozilla


-- Find3M Report ---------------------------------------------------------------

2007-11-26 10:02:42 0 d-------- C:\Program Files\Symantec AntiVirus
2007-11-21 14:49:26 0 d-------- C:\Program Files\Common Files
2007-10-29 08:04:50 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-29 07:50:11 0 d-------- C:\Program Files\FedEx
2007-10-11 16:02:56 0 d-------- C:\Documents and Settings\rollin\Application Data\Real


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{045FC74F-E48D-4DB7-B38A-764715043D43}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C0FF94A-DC57-4B9B-8984-73E443EA415C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{295DB863-5B9F-451B-B850-B75B8FAF4E7D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78A2ED6E-7085-4FF3-A382-8B9310871AC4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD82EC86-537D-47FC-99AD-F24228F65B51}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-09-15 14:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 08:21]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2005-06-23 18:27]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 16:51]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 19:28]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2006-01-20 10:46]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 01:56]
"NA1Messenger"="C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe" [2007-03-23 22:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\rollin\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 13:36:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-01-24 09:57:12]
DESKTOP.INI [2002-09-03 13:36:04]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 09:05:56]
UPS WorldShip Messaging Utility.lnk - C:\UPS\WSTD\Messages\WSTDMessaging.exe [2007-02-07 02:33:26]
UPS WorldShip PLD Reminder Utility.lnk - C:\UPS\WSTD\wstdPldReminder.exe [2007-02-07 01:27:28]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12

*Newly Created Service* - ERASERUTILDRVI4



-- End of Deckard's System Scanner: finished at 2007-11-27 07:45:44 ------------

knappster_1
2007-11-27, 14:56
Deckard System Scanner extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.80GHz
Percentage of Memory in Use: 65%
Physical Memory (total/avail): 509.98 MiB / 178.27 MiB
Pagefile Memory (total/avail): 1246.73 MiB / 902.34 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.52 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.47 GiB total, 59.14 GiB free.
D: is CDROM (No Media)
M: is Network (NTFS)
O: is Network (NTFS)
T: is Network (NTFS)
U: is Network (NTFS)
V: is Network (NTFS)
X: is Network (NTFS)

\\.\PHYSICALDRIVE0 - IC35L090AVV207-0 - 74.5 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 74.47 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: Symantec AntiVirus Corporate Edition v10.0.1.1000 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe:*:Disabled:javaw"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\rollin\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=12-UPSTAIRS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=U:
HOMEPATH=\
HOMESHARE=\\4B-dc1\users\RMeeker
LOGONSERVER=\\4B-SERVER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Windows Resource Kits\Tools\;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\Microsoft SQL Server\80\Tools\Binn
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\rollin\LOCALS~1\Temp
TMP=C:\DOCUME~1\rollin\LOCALS~1\Temp
USERDNSDOMAIN=GO4B.COM
USERDOMAIN=GO4B
USERNAME=rollin
USERPROFILE=C:\Documents and Settings\rollin
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------




David Wolstencroft (admin)
bknapp.DAVE (admin)
rollin.12-MIDDLEOFFICE (admin)
Administrator (admin)
rollin (admin)
rick (new local, net ready)
Dave (admin)

bknapp
mike (new local, net ready)
administrator.GO4B (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{447716E9-424F-4DA4-92C3-A52B597E1EC7}\Setup.exe" -l0x9 -remove -s -f1"C:\Program Files\InstallShield Installation Information\{447716E9-424F-4DA4-92C3-A52B597E1EC7}\setup.iss" -f2"C:\Program Files\InstallShield Installation Information\{447716E9-424F-4DA4-92C3-A52B597E1EC7}\remove.log" -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8DE4AC83-5D22-40C5-B4D1-CC2285C0CAA0}\Setup.exe" -l0x9 -remove -s -f1"C:\Program Files\InstallShield Installation Information\{8DE4AC83-5D22-40C5-B4D1-CC2285C0CAA0}\setup.iss" -f2"C:\Program Files\InstallShield Installation Information\{8DE4AC83-5D22-40C5-B4D1-CC2285C0CAA0}\remove.log" -removeonly
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
4B Components Engineering Software --> MsiExec.exe /I{7A06B929-E843-4B4C-A2F2-C1D8C76A9651}
Abacast Client --> C:\PROGRA~1\Abacast\UNWISE.EXE C:\PROGRA~1\Abacast\client.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
AnswerWorks Runtime --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\WexTech\AnswerWorks\Uninst.isu"
Autodesk DWF Viewer --> C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove /q0
AutoDWG DWG to PDF Converter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C65D81C3-3FC2-4B01-B515-7C6F805886BC}\setup.exe"
Canon Camera Support Core Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91F1A0D6-23AD-49FE-8D4E-379485652214} /l1033
Canon Camera Window DS for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}
Canon Camera Window DVC for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4C96958A-6562-4143-B820-FF4890D3B734}
Canon Camera Window for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{C7281207-4AA4-425E-B57A-0E9EF8445635}
Canon MovieEdit Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}
Canon PhotoRecord --> MsiExec.exe /X{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}
Canon RAW Image Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{45EF4EE3-F591-4B74-A477-0CAE12934CE7}
Canon RemoteCapture Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{28291BD5-92D2-4685-82DC-CCA925C53CCA}
Canon Utilities PhotoStitch 3.1 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA}
Canon ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CCC --> MsiExec.exe /I{95749C5B-BC37-41E3-8D39-EEF4C21A2825}
CIC Database Utility --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\CICDU\ST6UNST.LOG"
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
ESET Online Scanner --> C:\WINDOWS\system32\OnlineScannerUninstaller.exe
FedEx Ship Manager --> MsiExec.exe /I{4784E738-3C3E-4DF0-8C89-59D6E9565FE8}
FOSS --> MsiExec.exe /I{EA9629DA-5715-48BA-B054-28169702B176}
Free DWG Viewer 5.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8B4D43C-EAA0-4EEC-B93E-D4D012316286}\Setup.exe" -l0x9
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "C:\Documents and Settings\rollin\Desktop\HijackThis.exe" /uninstall
hp LaserJet 1010 Series --> MsiExec.exe /x {292C47B2-8DB7-47BF-896C-C3C5EE8108C4}
Intel (R) Pro Alerting Agent --> MsiExec.exe /I{3C50A915-DD33-4802-B83B-9EA997D3337B}
Intel(R) Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
Intel(R) PROSet --> MsiExec.exe /I{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}
Java 2 SDK Standard Edition v1.3 --> C:\WINDOWS\IsUninst.exe -fC:\jdk1.3\Uninst.isu
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LaserJet 1020 series --> C:\Program Files\Zenographics\{DC109B65-193F-4438-ACF6-D3ABB831DD5D}\setup.exe -u "HPLJInstaller.dll=Hpl_1020.inf"
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
MAS 90 Workstation (M:\90W\Mas90) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BC423D29-642E-46DE-B16A-7947D26A58FB}\Wksetup.exe" -l0x9
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft SQL Server 2005 Backward compatibility --> MsiExec.exe /I{96327C3C-96BE-4C7A-A6F7-A71635E5949A}
Microsoft Visual J# 2.0 Redistributable Package --> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Mozilla Firefox (2.0.0.9) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSIChecker --> MsiExec.exe /I{C9D43B38-34AD-4EC2-B696-46F42D49D174}
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
NA1Messenger --> MsiExec.exe /I{9376D1C4-434F-40C9-90AC-ED6F22D36F3A}
NRF --> MsiExec.exe /I{68AF09E3-1167-4771-903C-CCCDCF7E171C}
OMCI --> MsiExec.exe /X{73F1BDB7-11E1-11D5-9DC6-00C04F2FC33B}
OrderReminder hp LaserJet 101x --> "C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\Uninstall-hpLJ_101x\installerhelper.exe" "C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\Uninstall-hpLJ_101x\installerhelper.properties" -from-addremove
PolicyManager --> MsiExec.exe /I{56B59C2A-EFB8-44AC-88F5-3280171E4522}
QBXMLRP2 --> MsiExec.exe /I{926933C7-B2B4-4CF9-8659-7026913FC032}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Reconciler --> MsiExec.exe /I{5AE59A84-B2F3-42CC-A246-5AF80F6EE770}
ReportServer --> MsiExec.exe /I{33035862-543C-4405-9CC6-08593CF2C25F}
RRU --> MsiExec.exe /I{ED782024-4713-4DD6-85FA-B2B038DE4007}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SonixReader1.81 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{41169060-81E5-11D6-85BE-00E04CE0BDED}\Setup.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.2 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SupportUtility --> MsiExec.exe /I{C30E30A6-0AB5-470A-AB67-D322938F5429}
Symantec AntiVirus --> MsiExec.exe /I{3248E093-5288-4CA9-B3AB-11A675FEA1F9}
System --> MsiExec.exe /I{DB2C58E0-6284-4B48-97F2-22A980B6360B}
UPS WorldShip --> C:\UPS\WSTD\Uninstall\Uninstall.exe
WebHelp --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8C5BD501-AD5D-4A75-9321-076509B438FC}\Setup.exe" -l0x9 -removeonly
WorldShip --> MsiExec.exe /I{2A033A00-FE0D-4609-B0E8-2C49CC494FC8}


-- Application Event Log -------------------------------------------------------

Event Record #/Type16242 / Error
Event Submitted/Written: 11/26/2007 07:12:10 PM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Threat: Trojan.Vundo in File: C:\VUNDOF~1\GEBXXX~1.BAD by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description: The file was deleted successfully.

Event Record #/Type16241 / Error
Event Submitted/Written: 11/26/2007 07:12:08 PM
Event ID/Source: 46 / Symantec AntiVirus
Event Description:
Security Risk Found!Threat: Trojan.Vundo in File: C:\VUNDOF~1\GEBXXX~1.BAD by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description: The file was deleted successfully.

Event Record #/Type16240 / Error
Event Submitted/Written: 11/26/2007 07:07:58 PM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Threat: Trojan.Metajuan in File: C:\SYSTEM~1\_RESTO~1\RP4\A0000178.dll by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Delete succeeded : Access denied. Action Description: The file was deleted successfully.

Event Record #/Type16239 / Error
Event Submitted/Written: 11/26/2007 07:07:58 PM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Threat Found!Threat: Trojan.Metajuan in File: C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP4\A0000178.dll by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Delete succeeded : Access denied. Action Description: The file was deleted successfully.

Event Record #/Type16238 / Error
Event Submitted/Written: 11/26/2007 07:07:58 PM
Event ID/Source: 46 / Symantec AntiVirus
Event Description:
Security Risk Found!Threat: Trojan.Metajuan in File: C:\SYSTEM~1\_RESTO~1\RP4\A0000178.dll by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description: The file was deleted successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type116760 / Error
Event Submitted/Written: 11/26/2007 05:47:36 PM
Event ID/Source: 8032 / BROWSER
Event Description:
The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{FF352CBC-7542-4825-A253-73571C851B23}.
The backup browser is stopping.

Event Record #/Type116759 / Warning
Event Submitted/Written: 11/26/2007 05:46:06 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\4B-DC1 on the network \Device\NetBT_Tcpip_{FF352CBC-7542-4825-A253-73571C851B23}.
The data is the error code.

Event Record #/Type116758 / Warning
Event Submitted/Written: 11/26/2007 05:45:36 PM
Event ID/Source: 8022 / BROWSER
Event Description:
The browser was unable to retrieve a list of domains from the browser master \\4B-DC1 on the network \Device\NetBT_Tcpip_{FF352CBC-7542-4825-A253-73571C851B23}.
The data is the error code.

Event Record #/Type116756 / Error
Event Submitted/Written: 11/26/2007 04:07:35 PM
Event ID/Source: 10009 / DCOM
Event Description:
DCOM was unable to communicate with the computer 14-WAREHOUSE using any of the configured
protocols.

Event Record #/Type116702 / Error
Event Submitted/Written: 11/26/2007 08:13:02 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The combofix service failed to start due to the following error:
%%1053



-- End of Deckard's System Scanner: finished at 2007-11-27 07:45:44 ------------

knappster_1
2007-11-27, 21:49
I was able to get the Kaspersky log, and it was very long because of locked files, and I am going to have to omit some of the paths because they are kind of sensitive.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-11-27 14:35
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/11/2007
Kaspersky Anti-Virus database records: 466556
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
M:\
O:\
T:\
U:\
V:\
X:\

Scan Statistics:
Total number of scanned objects: 933408
Number of viruses found: 6
Number of infected objects: 9
Number of suspicious objects: 5
Duration of the scan process: 06:33:39

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06300001.VBN Infected: Trojan-Dropper.Win32.Agent.chq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06300002.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP7\A0000338.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\SYSTEM32\qtsrvcck.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
[path omitted]\pk263wsp(1).exe/TSADBOT.EXE Infected: not-a-virus:AdWare.Win32.TimeSink skipped
[path omitted]\pk263wsp(1).exe ZIP: infected - 1 skipped
[path omitted]\UNNAMED/CMMPU.EXE Infected: Email-Worm.Win32.Magistr.a skipped
[path omitted]\UNNAMED Infected: Email-Worm.Win32.Magistr.a skipped
[path omitted]\Inbox.dbx Mail MS Outlook 5: infected - 2 skipped

hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:47, on 2007-11-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\UPS\WSTD\Messages\WSTDMessaging.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\UPS\WSTD\WorldShipTD.exe
C:\UPS\WSTD\upslnkmg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\ups\wstd\tdrptsrv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\rollin\Desktop\Problems.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {045FC74F-E48D-4DB7-B38A-764715043D43} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0C0FF94A-DC57-4B9B-8984-73E443EA415C} - (no file)
O2 - BHO: (no name) - {295DB863-5B9F-451B-B850-B75B8FAF4E7D} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {78A2ED6E-7085-4FF3-A382-8B9310871AC4} - (no file)
O2 - BHO: (no name) - {DD82EC86-537D-47FC-99AD-F24228F65B51} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\Messages\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1513b40d4621f5c71520/netzip/RdxIE601.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = go4b.com
O17 - HKLM\Software\..\Telephony: DomainName = go4b.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = go4b.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = go4b.com
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8543 bytes
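A triage pass over the Kaspersky report just posted, as an added example that is not part of the thread and not a Kaspersky tool: the nine hits are not equally urgent, because two sit in Symantec's own quarantine folder, one is in a System Restore point, five are behind the poster's "[path omitted]" redaction, and exactly one is a loose DLL in system32 that can still load. The code sorts each report line by where the object lives so the live one stands out. The sample text is the nine detection lines above, and the bucket names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the nine detection lines from the Kaspersky Online Scanner
# report posted above, with the poster's "[path omitted]" redactions kept as-is.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06300001.VBN Infected: Trojan-Dropper.Win32.Agent.chq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06300002.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP7\A0000338.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\SYSTEM32\qtsrvcck.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
[path omitted]\pk263wsp(1).exe/TSADBOT.EXE Infected: not-a-virus:AdWare.Win32.TimeSink skipped
[path omitted]\pk263wsp(1).exe ZIP: infected - 1 skipped
[path omitted]\UNNAMED/CMMPU.EXE Infected: Email-Worm.Win32.Magistr.a skipped
[path omitted]\UNNAMED Infected: Email-Worm.Win32.Magistr.a skipped
[path omitted]\Inbox.dbx Mail MS Outlook 5: infected - 2 skipped
"""

# A report line is either "<object> Infected: <detection> <action>" or a container
# summary "<object> <type>: infected - <n> <action>" (ZIP, Mail MS Outlook 5, ...).
# Object paths contain spaces, so the container type is restricted to a capitalised
# run with no path separators; otherwise the lazy <obj> group splits too early.
LINE_RE = re.compile(
    r"^(?P<obj>.+?) "
    r"(?:Infected: (?P<name>\S+)"
    r"|(?P<ctype>[A-Z][^:\\/]*): infected - (?P<count>\d+))"
    r" (?P<action>\w+)$"
)

@dataclass
class Finding:
    obj: str            # object path exactly as the scanner printed it
    name: str           # detection name, or the container type for summary lines
    is_container: bool  # True for the ZIP / Mail summary lines
    count: int          # infected members for a container, otherwise 1
    action: str         # "skipped": the online scanner only reports
    bucket: str         # triage class assigned by classify()

def classify(obj: str) -> str:
    """Sort a detection by where the object lives; only 'live' can still load."""
    low = obj.lower()
    if "\\quarantine\\" in low:
        return "av-quarantine"    # already neutralised by the resident AV (Symantec here)
    if "\\system volume information\\_restore" in low:
        return "restore-point"    # inert unless System Restore re-applies it
    if obj.startswith("[path omitted]"):
        return "redacted"         # the poster hid the container; needs a manual look
    if "/" in obj or low.endswith(".dbx"):
        return "archive-or-mail"  # member of an archive or mail store, not loadable in place
    return "live"                 # loose file on disk: the real cleanup target

def parse_report(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # header, statistics and blank lines
        obj = m.group("obj")
        if m.group("name"):
            f = Finding(obj, m.group("name"), False, 1, m.group("action"), classify(obj))
        else:
            f = Finding(obj, m.group("ctype"), True, int(m.group("count")),
                        m.group("action"), classify(obj))
        findings.append(f)
    return findings

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count of findings per triage bucket."""
    return dict(Counter(f.bucket for f in findings))

def live_objects(findings: list[Finding]) -> list[str]:
    """Paths that are neither quarantined, archived nor in a restore point."""
    return [f.obj for f in findings if f.bucket == "live"]

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    for path in live_objects(found):
        print("still on disk:", path)
```

On the posted report this yields one live object, C:\WINDOWS\SYSTEM32\qtsrvcck.dll, which is the file the next reply deletes. The redacted bucket is deliberately not guessed at: the "/" in "pk263wsp(1).exe/TSADBOT.EXE" says that hit is inside an archive, but once the path is cut to "[path omitted]" the parser cannot tell a mail attachment from a loose file, so those five stay flagged for a manual look.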

steamwiz
2007-11-27, 22:16
Hi

The file on your desktop is not malware, it's created by Combofix & contains files which we would like to have a closer look at ... however ... I did not give you the command which would cause Combofix to do this, & I did not specify any files, so I have no idea why Combofix has done this or what files it has zipped up ...

Another thing, Combofix has run ... even if not to completion ...

13: 2007-11-26 14:07:29 UTC - RP13 - ComboFix created restore point
12: 2007-11-26 13:30:30 UTC - RP12 - ComboFix created restore point
11: 2007-11-21 22:39:47 UTC - RP11 - ComboFix created restore point

The first thing Combofix does is create a restore point, which it has done on 3 occasions ...

-
RE: Total Physical Memory: 510 MiB (512 MiB recommended).

This is your RAM ... the fact that it says 510 & not 512 could indicate that you have a defective stick of RAM ...

Go to > Start > Run > type or copy > msinfo32 > click OK

System Information opens ...

What does it say for :-

Total Physical Memory ?
Available Physical Memory ?

Total Virtual Memory ?
Available Virtual Memory ?

-
1. Download and unzip Avenger (by Swandog46) to your desktop. > http://swandog46.geekstogo.com/avenger.zip
2. Double click the Avenger.exe file
3. Click OK
4. Select Input script manually
5. Click the Magnifying Glass icon
6. Highlight the text in the code box below, & copy and paste it into the View/edit script box



Files to delete:
C:\WINDOWS\system32\lruxxams.dll
C:\WINDOWS\system32\qtsrvcck.dll

registry keys to delete:
HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{045FC74F-E48D-4DB7-B38A-764715043D43}
HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{0C0FF94A-DC57-4B9B-8984-73E443EA415C}
HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{295DB863-5B9F-451B-B850-B75B8FAF4E7D}
HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{78A2ED6E-7085-4FF3-A382-8B9310871AC4}
HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{DD82EC86-537D-47FC-99AD-F24228F65B51}


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


7. Click Done
8. Click the Traffic Light icon to start the program.
9. Click Yes to execute the script and click Yes when asked to reboot your computer
10. Post the contents of the file C:\Avenger.txt

Please try to get the log from Kaspersky... we need to see what these are :-

Number of viruses found: 6
Number of infected objects: 11

They may NOT be virus, they may just be adware, & they would still be listed like this ...

I can also see that Trojan.Metajuan was found in system restore ... we'll purge this later ...

Lastly ... see if you have a new C:\ComboFix.txt

by now you may have ....

C:\ComboFix.txt
C:\ComboFix1.txt
C:\ComboFix2.txt

steam
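The five registry keys in the Avenger script above are exactly the O2 entries that the HijackThis log reported as "(no file)": BHO registrations whose DLL is already gone. What follows is an added example, not part of the thread and not a feature of Avenger or HijackThis: it pulls those orphan CLSIDs out of the posted O2 lines and writes the two Avenger sections in the same form as the reply. The sample input is the O2 block from the log above; the file list is passed in by hand, because which DLLs to delete is the analyst's decision and cannot be read off the O2 lines.

```python
import re
from typing import Sequence

# Constructed sample: the O2 (Browser Helper Object) lines from the HijackThis
# log posted earlier in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {045FC74F-E48D-4DB7-B38A-764715043D43} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0C0FF94A-DC57-4B9B-8984-73E443EA415C} - (no file)
O2 - BHO: (no name) - {295DB863-5B9F-451B-B850-B75B8FAF4E7D} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {78A2ED6E-7085-4FF3-A382-8B9310871AC4} - (no file)
O2 - BHO: (no name) - {DD82EC86-537D-47FC-99AD-F24228F65B51} - (no file)
"""

# HijackThis prints each BHO as "O2 - BHO: <name> - {CLSID} - <file or (no file)>".
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<file>.+)$"
)
# The key IE enumerates for BHOs; the same key the Avenger script above targets.
BHO_KEY = r"HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects"

def parse_bhos(log: str) -> list[tuple[str, str, str]]:
    """Return (name, CLSID, file) for every O2 line in a HijackThis log."""
    found = []
    for line in log.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            found.append((m.group("name"), m.group("clsid").upper(), m.group("file")))
    return found

def orphan_bhos(log: str) -> list[str]:
    """CLSIDs still registered as BHOs whose DLL is gone: the residue an AV leaves
    when it deletes the file but not the registration. Safe to remove whoever
    registered them, since IE cannot load a missing DLL anyway."""
    return [clsid for _name, clsid, path in parse_bhos(log) if path == "(no file)"]

def avenger_script(log: str, files: Sequence[str] = ()) -> str:
    """Build the 'Files to delete:' and 'registry keys to delete:' sections in the
    form used in the reply above, from the log plus an analyst-supplied file list."""
    out = []
    if files:
        out.append("Files to delete:")
        out.extend(files)
    orphans = orphan_bhos(log)
    if orphans:
        if out:
            out.append("")
        out.append("registry keys to delete:")
        out.extend(f"{BHO_KEY}\\{clsid}" for clsid in orphans)
    return "\n".join(out)

if __name__ == "__main__":
    # The two files are the ones named in the reply above; they are not inferred.
    print(avenger_script(SAMPLE_HJT,
                         [r"C:\WINDOWS\system32\lruxxams.dll",
                          r"C:\WINDOWS\system32\qtsrvcck.dll"]))
```

With the two files from the reply passed in, the output reproduces the posted script key for key, which is the check worth doing before pasting anything into Avenger. The "(no file)" test is the only thing this automates: a BHO that does point at a file, such as the Virtumonde DLL Kaspersky flagged in system32, still has to be judged from the scan results, not from the O2 line.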

knappster_1
2007-11-27, 23:59
Total Physical memory: 512.00 MB
Available Physical Memory: 100.77 MB

Total Virtual Memory: 2.00 GB
Available Virtual Memory: 1.96 GB

The Kaspersky log is posted above. I am going to run it again overnight tonight and will post an updated log tomorrow.

Avenger log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ehxyprke

*******************

Script file located at: \??\C:\WINDOWS\system32\x^ifcmfd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\lruxxams.dll deleted successfully.
File C:\WINDOWS\system32\qtsrvcck.dll deleted successfully.
Registry key HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{045FC74F-E48D-4DB7-B38A-764715043D43} deleted successfully.
Registry key HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{0C0FF94A-DC57-4B9B-8984-73E443EA415C} deleted successfully.
Registry key HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{295DB863-5B9F-451B-B850-B75B8FAF4E7D} deleted successfully.
Registry key HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{78A2ED6E-7085-4FF3-A382-8B9310871AC4} deleted successfully.
Registry key HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{DD82EC86-537D-47FC-99AD-F24228F65B51} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Combofix2.txt
ComboFix 07-11-08.3 - ROLLIN 2007-11-19 7:38:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.138 [GMT -6:00]
Running from: C:\Documents and Settings\rollin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\rollin\Desktop\Live Safety Center.lnk
C:\Documents and Settings\rollin\Desktop\Online Security Guide.lnk
C:\Documents and Settings\rollin\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\llnmp.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\winshow.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-19 to 2007-11-19 )))))))))))))))))))))))))))))))
.

2007-11-19 07:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-18 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-18 11:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-18 11:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 11:53 <DIR> d-------- C:\Documents and Settings\rollin\Application Data\SUPERAntiSpyware.com
2007-11-17 09:39 84,545 --a------ C:\WINDOWS\SYSTEM32\vouqqomk.dll
2007-11-17 09:39 82,496 --a------ C:\WINDOWS\SYSTEM32\kxfnsucl.dll
2007-11-16 15:55 <DIR> d-------- C:\WINDOWS\pss
2007-11-16 10:21 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-16 09:42 81,984 --a------ C:\WINDOWS\SYSTEM32\cdckuqol.dll
2007-11-16 09:39 145,780 --a------ C:\WINDOWS\SYSTEM32\xwrixeha.dll
2007-11-15 08:29 441,420 --ahs---- C:\WINDOWS\SYSTEM32\llnmp.ini2
2007-11-14 17:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\rMa02yy
2007-11-14 17:05 <DIR> d-------- C:\TEMP\abW9
2007-11-14 17:05 36,352 --a------ C:\WINDOWS\SYSTEM32\gebxxxw.dll
2007-11-06 08:38 241,721 --a------ C:\WINDOWS\SYSTEM32\HPBMINI.DLL
2007-11-06 08:38 103,424 --a------ C:\WINDOWS\SYSTEM32\hpzpnp.dll
2007-11-06 08:38 61,440 --a------ C:\WINDOWS\SYSTEM32\HPNRA.EXE
2007-11-06 08:38 52,736 --a------ C:\WINDOWS\SYSTEM32\HPZIPM12.DLL
2007-11-06 08:38 43,520 --a------ C:\WINDOWS\SYSTEM32\HPZINW12.DLL
2007-11-06 08:38 38,912 --a------ C:\WINDOWS\SYSTEM32\HPBPRO.DLL
2007-11-06 08:38 25,600 --a------ C:\WINDOWS\SYSTEM32\HPBOID.DLL
2007-11-06 08:37 <DIR> d-------- C:\HP LJ4x50 Series

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-19 13:26 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-16 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-29 14:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-29 13:50 --------- d-----w C:\Program Files\FedEx
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-08-21 17:44 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-08-21 17:44 249,856 ------w C:\WINDOWS\Setup1.exe
2007-08-21 16:20 60,968 ----a-w C:\Documents and Settings\rollin\GoToAssistDownloadHelper.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-06-07 17:49 2 ----a-w C:\Documents and Settings\administrator.GO4B\WSSEMAPHORES.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{295DB863-5B9F-451B-B850-B75B8FAF4E7D}]
C:\WINDOWS\system32\pmnll.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]
2007-11-14 17:05 36352 --a------ C:\WINDOWS\system32\gebxxxw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD82EC86-537D-47FC-99AD-F24228F65B51}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-09-15 14:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 08:21]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2005-06-23 18:27]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 16:51]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 19:28]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2006-01-20 10:46]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 01:56]
"NA1Messenger"="C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe" [2007-03-23 22:24]
"68a1d0fe"="C:\WINDOWS\system32\lwyfnrjl.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-01-24 09:57:12]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 09:05:56]
UPS WorldShip Messaging Utility.lnk - C:\UPS\WSTD\Messages\WSTDMessaging.exe [2007-02-07 02:33:26]
UPS WorldShip PLD Reminder Utility.lnk - C:\UPS\WSTD\wstdPldReminder.exe [2007-02-07 01:27:28]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"= C:\WINDOWS\system32\gebxxxw.dll [2007-11-14 17:05 36352]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxxxw]
gebxxxw.dll 2007-11-14 17:05 36352 C:\WINDOWS\SYSTEM32\gebxxxw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\68a1d0fe]
rundll32.exe "C:\WINDOWS\system32\lwyfnrjl.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
"C:\WINDOWS\winshow.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-19 07:49:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-19 7:59:07
.
--- E O F ---

knappster_1
2007-11-28, 14:53
I ran Kaspersky again last night. There are network paths and folders that include people's names, so I am going to post only the infected files similarly to the way I did before. If you need more information, I can send that to you privately, just let me know. I have included a little bit more information than last time.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-11-28 07:38
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/11/2007
Kaspersky Anti-Virus database records: 467164
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
M:\
O:\
T:\
U:\
V:\
X:\

Scan Statistics:
Total number of scanned objects: 932244
Number of viruses found: 6
Number of infected objects: 9
Number of suspicious objects: 5
Duration of the scan process: 06:05:45

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06300001.VBN Infected: Trojan-Dropper.Win32.Agent.chq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06300002.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP14\A0000938.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP7\A0000338.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
[network shared path omitted]\pk263wsp(1).exe/TSADBOT.EXE Infected: not-a-virus:AdWare.Win32.TimeSink skipped
[network shared path omitted]\\pk263wsp(1).exe ZIP: infected - 1 skipped
[network shared path omitted]\backup\outlook\Outlook Express\Inbox.dbx/[From ***** <*****@*****>][Date Sat, 27 Oct 2001 23:39:05 -0400]/UNNAMED/CMMPU.EXE Infected: Email-Worm.Win32.Magistr.a skipped
[network shared path omitted]\backup\outlook\Outlook Express\Inbox.dbx/[From ****** <*****.*****>][Date Sat, 27 Oct 2001 23:39:05 -0400]/UNNAMED Infected: Email-Worm.Win32.Magistr.a skipped
[network shared path omitted]\backup\outlook\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 2 skipped
T:\Media\Drawings\~DIB0617.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
T:\Media\Drawings\~DIB0708.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
T:\Media\Drawings\~DIB087E.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
T:\Media\Drawings\~DIB0970.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
T:\Media\Drawings\~DIB1026.TMP Suspicious: Exploit.Win32.IMG-BMP skipped

Scan process completed.

steamwiz
2007-11-28, 20:41
Hi

My apologies for missing that you had posted the KASPERSKY entries ...

The infected files are in 3 locations :-

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine

You need to empty your Quarantine folder ...

-
C:\System Volume Information\_restore

For this you need to purge your restore points ...

This will clear all your infected restore points...

Turn off (Disable) System Restore in XP :-

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Then...

Turn on (enable) System Restore :-

Follow the same procedure, but this time uncheck Turn off System Restore

if you have any problem with this... here's a link to instructions :-


Disabling or enabling Windows XP System Restore >

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

-
& these :-

[network shared path omitted]\pk263wsp(1).exe/TSADBOT.EXE Infected: not-a-virus:AdWare.Win32.TimeSink skipped
[network shared path omitted]\\pk263wsp(1).exe ZIP: infected - 1 skipped
[network shared path omitted]\backup\outlook\Outlook Express\Inbox.dbx/[From ***** <*****@*****>][Date Sat, 27 Oct 2001 23:39:05 -0400]/UNNAMED/CMMPU.EXE Infected: Email-Worm.Win32.Magistr.a skipped
[network shared path omitted]\backup\outlook\Outlook Express\Inbox.dbx/[From ****** <*****.*****>][Date Sat, 27 Oct 2001 23:39:05 -0400]/UNNAMED Infected: Email-Worm.Win32.Magistr.a skipped
[network shared path omitted]\backup\outlook\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 2 skipped

As you have edited the path (& I don't want you to post anything you consider private/sensitive) you need to delete these :-

[network shared path omitted]\pk263wsp(1).exe
[network shared path omitted]\\pk263wsp(1).exe ZIP

& the others which are infected e-mail attachments ..

-
Your RAM is OK as windows reports it ...

Total Physical memory: 512.00 MB

-
The Combofix log you posted is the oldest one ...

Combofix2.txt run on 2007-11-19 @ 7:59:07

Combofix1.txt would be newer ...

But Combofix.txt (with NO number) is the newest one, & the one I would like to see (if you have one)

After doing the above, please run a new KASPERSKY scan ...

steam

knappster_1
2007-11-29, 14:45
No need to apologize, I had posted that quite a bit later than the earlier posts, and just a few minutes before your post (because I had to run Kaspersky the 2nd time to get the log). Unfortunately the ComboFix2.txt is the only log file there. Currently the suspicious files that Kaspersky found are:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-11-29 07:38
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/11/2007
Kaspersky Anti-Virus database records: 467918
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
M:\
O:\
T:\
U:\
V:\
X:\

Scan Statistics:
Total number of scanned objects: 930452
Number of viruses found: 1
Number of infected objects: 0
Number of suspicious objects: 5
Duration of the scan process: 05:31:02

Infected Object Name / Virus Name / Last Action
T:\Media\Drawings\~DIB0617.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
T:\Media\Drawings\~DIB0708.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
T:\Media\Drawings\~DIB087E.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
T:\Media\Drawings\~DIB0970.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
T:\Media\Drawings\~DIB1026.TMP Suspicious: Exploit.Win32.IMG-BMP skipped

steamwiz
2007-11-29, 21:01
Hi

Ignore the fact that it says ... Number of viruses found: 1

It is referring to the "Suspicious" entries, which are not necessarily malicious ...

There is very little reference on the net to that particular exploit, & no description ...

Having said that, .TMP files are meant to be executed and then deleted ... so if you don't know what they are, I would recommend deleting them ...

Then as that should take care of all the malware we can see, I would like you to delete any version of Combofix that you have & try once again with the newest version :-

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

cheers

steam

knappster_1
2007-11-30, 15:36
I had to try a couple of times with ComboFix, but I did get it to finish. I just ran it without dragging any text file onto it. Here's the log:

ComboFix 07-11-30.7 - rollin 2007-11-30 8:16:58.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.123 [GMT -6:00]
Running from: C:\Documents and Settings\rollin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-27 16:49 . 2007-11-27 16:49 885 --a------ C:\backup.reg
2007-11-27 16:45 . 2007-11-27 16:45 126,976 --a------ C:\zip.exe
2007-11-27 16:45 . 2007-11-27 16:45 845 --a------ C:\avexport.bat
2007-11-26 14:52 . 2007-11-26 14:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-26 14:52 . 2007-11-26 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-21 14:54 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-11-21 14:53 . 2007-11-21 14:54 <DIR> d-------- C:\Program Files\Java
2007-11-21 14:49 . 2007-11-21 14:49 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-21 14:46 . 2007-11-21 14:46 0 --a------ C:\WINDOWS\mozver.dat
2007-11-21 09:44 . 2007-11-26 19:10 <DIR> d-------- C:\VundoFix Backups
2007-11-21 08:38 . 2007-11-21 08:38 714,281 ---hs---- C:\WINDOWS\SYSTEM32\kccvrstq.ini
2007-11-20 07:40 . 2007-11-20 16:10 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-11-19 09:17 . 2007-11-19 15:43 685,703 ---hs---- C:\WINDOWS\SYSTEM32\btyhvdet.ini
2007-11-19 07:24 . 2007-11-19 07:24 143 --a------ C:\WINDOWS\SYSTEM32\mcrh.tmp
2007-11-18 11:54 . 2007-11-18 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-18 11:53 . 2007-11-19 08:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-18 11:53 . 2007-11-18 11:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 11:53 . 2007-11-18 11:53 <DIR> d-------- C:\Documents and Settings\rollin\Application Data\SUPERAntiSpyware.com
2007-11-17 09:39 . 2007-11-17 11:47 678,040 ---hs---- C:\WINDOWS\SYSTEM32\kmoqquov.ini
2007-11-16 10:36 . 2007-11-17 11:50 401 --a------ C:\WINDOWS\wininit.ini
2007-11-16 10:21 . 2007-11-16 10:21 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-16 09:50 . 2007-11-17 09:39 675,358 ---hs---- C:\WINDOWS\SYSTEM32\ljrnfywl.ini
2007-11-06 08:38 . 2006-06-06 14:20 241,721 --a------ C:\WINDOWS\SYSTEM32\HPBMINI.DLL
2007-11-06 08:38 . 2007-02-13 20:23 103,424 --a------ C:\WINDOWS\SYSTEM32\hpzpnp.dll
2007-11-06 08:38 . 2004-10-16 05:31 61,440 --a------ C:\WINDOWS\SYSTEM32\HPNRA.EXE
2007-11-06 08:38 . 2006-05-11 18:15 52,736 --a------ C:\WINDOWS\SYSTEM32\HPZIPM12.DLL
2007-11-06 08:38 . 2006-05-11 18:15 43,520 --a------ C:\WINDOWS\SYSTEM32\HPZINW12.DLL
2007-11-06 08:38 . 2006-11-16 19:16 38,912 --a------ C:\WINDOWS\SYSTEM32\HPBPRO.DLL
2007-11-06 08:38 . 2006-11-16 19:15 25,600 --a------ C:\WINDOWS\SYSTEM32\HPBOID.DLL
2007-11-06 08:38 . 2006-11-02 19:32 18,747 --a------ C:\WINDOWS\SYSTEM32\hpceac06.hpi
2007-11-06 08:37 . 2007-11-06 08:37 <DIR> d-------- C:\HP LJ4x50 Series
2007-10-12 08:48 . 2007-10-12 08:48 37 --a------ C:\WINDOWS\PVX.INI
2007-10-10 07:21 . 2007-07-09 07:16 582,656 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 14:13 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-16 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-29 14:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-29 13:50 --------- d-----w C:\Program Files\FedEx
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-08-21 17:44 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-08-21 17:44 249,856 ------w C:\WINDOWS\Setup1.exe
2007-08-21 16:20 60,968 ----a-w C:\Documents and Settings\rollin\GoToAssistDownloadHelper.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-08-08 22:30 19,456 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerLang.dll
2007-08-03 00:11 253,952 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerDLLA.dll
2007-08-03 00:11 241,664 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerDLLW.dll
2007-06-07 17:49 2 ----a-w C:\Documents and Settings\administrator.GO4B\WSSEMAPHORES.dat
.

((((((((((((((((((((((((((((( snapshot@2007-11-19_ 7.52.31.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 22:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-27 09:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
- 2004-01-16 13:42:47 24,670 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2007-09-25 04:30:28 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2004-01-16 13:42:47 28,768 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-25 04:30:30 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-25 05:31:42 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-07-27 21:49:02 196,683 ----a-w C:\WINDOWS\SYSTEM32\lnod32apiA.dll
+ 2007-07-27 21:49:02 225,355 ----a-w C:\WINDOWS\SYSTEM32\lnod32apiW.dll
+ 2005-12-06 02:25:22 139,264 ----a-w C:\WINDOWS\SYSTEM32\lnod32umc.dll
+ 2005-12-05 19:37:10 106,496 ----a-w C:\WINDOWS\SYSTEM32\lnod32upd.dll
+ 2007-06-11 20:34:34 2,115,816 ----a-w C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32.dll
+ 2007-06-11 20:34:40 190,696 ----a-w C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-11-20 15:37:24 45,218 ----a-w C:\WINDOWS\SYSTEM32\Macromed\Flash\uninstall_plugin.exe
+ 2007-06-13 17:10:34 77,824 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerUninstaller.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{045FC74F-E48D-4DB7-B38A-764715043D43}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C0FF94A-DC57-4B9B-8984-73E443EA415C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{295DB863-5B9F-451B-B850-B75B8FAF4E7D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78A2ED6E-7085-4FF3-A382-8B9310871AC4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD82EC86-537D-47FC-99AD-F24228F65B51}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-09-15 14:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 08:21]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2005-06-23 18:27]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 16:51]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 19:28]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2006-01-20 10:46]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 01:56]
"NA1Messenger"="C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe" [2007-03-23 22:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-01-24 09:57:12]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 09:05:56]
UPS WorldShip Messaging Utility.lnk - C:\UPS\WSTD\Messages\WSTDMessaging.exe [2007-02-07 02:33:26]
UPS WorldShip PLD Reminder Utility.lnk - C:\UPS\WSTD\wstdPldReminder.exe [2007-02-07 01:27:28]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 AsfAlrt;AsfAlrt;\??\C:\WINDOWS\System32\drivers\AsfAlrt.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 08:23:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-30 8:25:17
C:\ComboFix2.txt ... 2007-11-19 07:59
.
--- E O F ---

steamwiz
2007-11-30, 21:43
Hi

Did you make the script you tried to drop into Combofix with NOTEPAD .. not any other text editor, NOT Wordpad for instance?

Please try again with this one ...

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\WINDOWS\SYSTEM32\kccvrstq.ini
C:\WINDOWS\SYSTEM32\btyhvdet.ini
C:\WINDOWS\SYSTEM32\mcrh.tmp
C:\WINDOWS\SYSTEM32\kmoqquov.ini
C:\WINDOWS\SYSTEM32\ljrnfywl.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{045FC74F-E48D-4DB7-B38A-764715043D43}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C0FF94A-DC57-4B9B-8984-73E443EA415C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{295DB863-5B9F-451B-B850-B75B8FAF4E7D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78A2ED6E-7085-4FF3-A382-8B9310871AC4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD82EC86-537D-47FC-99AD-F24228F65B51}]



Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam
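A small checker for the CFScript.txt layout described in the post above, written as an added example; it is not part of the thread or of ComboFix itself. It only enforces the two points the post makes (the file must be plain text from Notepad, not an RTF file as WordPad would save, and `File::` must be the very first line with no blank line or space before it) and groups the entries under the `File::` and `Registry::` headers the post uses, so the script can be reviewed before it is dropped onto ComboFix.exe.

```python
"""Sanity-check a ComboFix CFScript.txt before dropping it onto ComboFix.exe.

Added example, not code from the thread or from ComboFix.  The checks and
section names are only those the post above describes; any other rules of
the real CFScript format are out of scope here.
"""
import sys
from typing import Dict, List, Tuple

# Constructed sample mirroring the script in the post (entries are the
# ones listed there; it is only used to exercise the checker).
GOOD_SCRIPT = "\r\n".join([
    "File::",
    r"C:\WINDOWS\SYSTEM32\kccvrstq.ini",
    r"C:\WINDOWS\SYSTEM32\mcrh.tmp",
    "",
    "Registry::",
    r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{045FC74F-E48D-4DB7-B38A-764715043D43}]",
    "",
])


def looks_like_rtf(data: bytes) -> bool:
    """WordPad saves Rich Text by default; such a file starts with '{\\rtf'."""
    return data.lstrip().startswith(b"{\\rtf")


def check_cfscript(data: bytes) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (problems, sections) for the raw bytes of a CFScript.txt.

    problems  - human-readable findings; an empty list means the layout
                matches what the post asks for.
    sections  - header name (without the trailing '::') -> list of entries.
    """
    problems: List[str] = []
    sections: Dict[str, List[str]] = {}

    if looks_like_rtf(data):
        problems.append("file is RTF (saved with WordPad?); re-save it from Notepad as plain text")
        return problems, sections

    # latin-1 never fails to decode, so a stray BOM or odd byte simply shows
    # up as text and trips the first-line check below instead of crashing.
    lines = data.decode("latin-1").splitlines()
    first = lines[0] if lines else ""
    if first != "File::":
        if first.strip() == "":
            problems.append("line 1 is blank; File:: must be the first line")
        elif first.strip() == "File::":
            problems.append("line 1 has whitespace around File::; remove it")
        else:
            problems.append("line 1 is not File::")

    current = None
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip()
        if not line.strip():
            continue  # blank separator lines are fine between sections
        # A section header is a bare word ending in '::' at column 0.
        if line.endswith("::") and line == line.strip():
            current = line[:-2]
            sections.setdefault(current, [])
            continue
        if current is None:
            problems.append(f"line {lineno}: entry appears before any section header")
            continue
        sections[current].append(line)

    for name, entries in sections.items():
        if not entries:
            problems.append(f"section {name}:: has no entries")
    return problems, sections


def check_file(path: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Read a script from disk as bytes and run check_cfscript on it."""
    with open(path, "rb") as fh:
        return check_cfscript(fh.read())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    found, parsed = check_file(target) if target else check_cfscript(GOOD_SCRIPT.encode("latin-1"))
    for name, entries in parsed.items():
        print(f"{name}:: ({len(entries)} entries)")
        for entry in entries:
            print("   ", entry)
    print("OK" if not found else "\n".join("PROBLEM: " + p for p in found))
```

Run it as `python check_cfscript.py CFScript.txt`; with no argument it checks the embedded sample.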

knappster_1
2007-11-30, 23:03
I've been using notepad every time, but this time it finally worked! Here is the log:

ComboFix 07-11-30.7 - rollin 2007-11-30 15:55:07.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.171 [GMT -6:00]
Running from: C:\Documents and Settings\rollin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\rollin\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\SYSTEM32\btyhvdet.ini
C:\WINDOWS\SYSTEM32\kccvrstq.ini
C:\WINDOWS\SYSTEM32\kmoqquov.ini
C:\WINDOWS\SYSTEM32\ljrnfywl.ini
C:\WINDOWS\SYSTEM32\mcrh.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\btyhvdet.ini
C:\WINDOWS\SYSTEM32\kccvrstq.ini
C:\WINDOWS\SYSTEM32\kmoqquov.ini
C:\WINDOWS\SYSTEM32\ljrnfywl.ini
C:\WINDOWS\SYSTEM32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-27 16:49 . 2007-11-27 16:49 885 --a------ C:\backup.reg
2007-11-27 16:45 . 2007-11-27 16:45 126,976 --a------ C:\zip.exe
2007-11-27 16:45 . 2007-11-27 16:45 845 --a------ C:\avexport.bat
2007-11-26 14:52 . 2007-11-26 14:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-26 14:52 . 2007-11-26 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-21 14:54 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-11-21 14:53 . 2007-11-21 14:54 <DIR> d-------- C:\Program Files\Java
2007-11-21 14:49 . 2007-11-21 14:49 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-21 14:46 . 2007-11-21 14:46 0 --a------ C:\WINDOWS\mozver.dat
2007-11-21 09:44 . 2007-11-26 19:10 <DIR> d-------- C:\VundoFix Backups
2007-11-20 07:40 . 2007-11-20 16:10 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-11-18 11:54 . 2007-11-18 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-18 11:53 . 2007-11-19 08:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-18 11:53 . 2007-11-18 11:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 11:53 . 2007-11-18 11:53 <DIR> d-------- C:\Documents and Settings\rollin\Application Data\SUPERAntiSpyware.com
2007-11-16 10:36 . 2007-11-17 11:50 401 --a------ C:\WINDOWS\wininit.ini
2007-11-16 10:21 . 2007-11-16 10:21 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-06 08:38 . 2006-06-06 14:20 241,721 --a------ C:\WINDOWS\SYSTEM32\HPBMINI.DLL
2007-11-06 08:38 . 2007-02-13 20:23 103,424 --a------ C:\WINDOWS\SYSTEM32\hpzpnp.dll
2007-11-06 08:38 . 2004-10-16 05:31 61,440 --a------ C:\WINDOWS\SYSTEM32\HPNRA.EXE
2007-11-06 08:38 . 2006-05-11 18:15 52,736 --a------ C:\WINDOWS\SYSTEM32\HPZIPM12.DLL
2007-11-06 08:38 . 2006-05-11 18:15 43,520 --a------ C:\WINDOWS\SYSTEM32\HPZINW12.DLL
2007-11-06 08:38 . 2006-11-16 19:16 38,912 --a------ C:\WINDOWS\SYSTEM32\HPBPRO.DLL
2007-11-06 08:38 . 2006-11-16 19:15 25,600 --a------ C:\WINDOWS\SYSTEM32\HPBOID.DLL
2007-11-06 08:38 . 2006-11-02 19:32 18,747 --a------ C:\WINDOWS\SYSTEM32\hpceac06.hpi
2007-11-06 08:37 . 2007-11-06 08:37 <DIR> d-------- C:\HP LJ4x50 Series
2007-10-12 08:48 . 2007-10-12 08:48 37 --a------ C:\WINDOWS\PVX.INI
2007-10-10 07:21 . 2007-07-09 07:16 582,656 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 14:13 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-16 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-29 14:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-29 13:50 --------- d-----w C:\Program Files\FedEx
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-08-21 17:44 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-08-21 17:44 249,856 ------w C:\WINDOWS\Setup1.exe
2007-08-21 16:20 60,968 ----a-w C:\Documents and Settings\rollin\GoToAssistDownloadHelper.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-08-08 22:30 19,456 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerLang.dll
2007-08-03 00:11 253,952 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerDLLA.dll
2007-08-03 00:11 241,664 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerDLLW.dll
2007-06-07 17:49 2 ----a-w C:\Documents and Settings\administrator.GO4B\WSSEMAPHORES.dat
.

((((((((((((((((((((((((((((( snapshot@2007-11-19_ 7.52.31.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 22:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-27 09:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
- 2004-01-16 13:42:47 24,670 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2007-09-25 04:30:28 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2004-01-16 13:42:47 28,768 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-25 04:30:30 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-25 05:31:42 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-07-27 21:49:02 196,683 ----a-w C:\WINDOWS\SYSTEM32\lnod32apiA.dll
+ 2007-07-27 21:49:02 225,355 ----a-w C:\WINDOWS\SYSTEM32\lnod32apiW.dll
+ 2005-12-06 02:25:22 139,264 ----a-w C:\WINDOWS\SYSTEM32\lnod32umc.dll
+ 2005-12-05 19:37:10 106,496 ----a-w C:\WINDOWS\SYSTEM32\lnod32upd.dll
+ 2007-06-11 20:34:34 2,115,816 ----a-w C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32.dll
+ 2007-06-11 20:34:40 190,696 ----a-w C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-11-20 15:37:24 45,218 ----a-w C:\WINDOWS\SYSTEM32\Macromed\Flash\uninstall_plugin.exe
+ 2007-06-13 17:10:34 77,824 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerUninstaller.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-09-15 14:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 08:21]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2005-06-23 18:27]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 16:51]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 19:28]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2006-01-20 10:46]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 01:56]
"NA1Messenger"="C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe" [2007-03-23 22:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-01-24 09:57:12]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 09:05:56]
UPS WorldShip Messaging Utility.lnk - C:\UPS\WSTD\Messages\WSTDMessaging.exe [2007-02-07 02:33:26]
UPS WorldShip PLD Reminder Utility.lnk - C:\UPS\WSTD\wstdPldReminder.exe [2007-02-07 01:27:28]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 AsfAlrt;AsfAlrt;\??\C:\WINDOWS\System32\drivers\AsfAlrt.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 15:59:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-30 16:00:31
C:\ComboFix2.txt ... 2007-11-30 08:25
C:\ComboFix3.txt ... 2007-11-19 07:59
.
--- E O F ---

knappster_1
2007-12-05, 23:16
Sorry steam, I forgot to post the HJT log earlier. Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:51 PM, on 12/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\UPS\WSTD\Messages\WSTDMessaging.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\UPS\WSTD\WorldShipTD.exe
C:\UPS\WSTD\upslnkmg.exe
c:\ups\wstd\tdrptsrv.exe
C:\Documents and Settings\rollin\Desktop\Problems.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\Messages\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1513b40d4621f5c71520/netzip/RdxIE601.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = go4b.com
O17 - HKLM\Software\..\Telephony: DomainName = go4b.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = go4b.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = go4b.com
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8253 bytes

steamwiz
2007-12-06, 21:22
Hi

Hijackthis & Combofix are now clean ...

Are your problems resolved?

If you have no further questions or concerns .... Happy surfing

steam

knappster_1
2007-12-07, 22:14
Yeah, the problems appear to have been fixed. Thanks a lot for your help, steam. Happy hunting :bigthumb:

steamwiz
2007-12-09, 20:59
You're very welcome :)

steam