View Full Version : Need help on a Trojan and a Rootkit
Modman_4
2007-12-05, 16:53
Hi. I use Spybot on a regular basis and my computer is supposedly protected by Trend Micro, so it alarmed me to suddenly go from clean (on my Spybot scan a few weeks ago) to being infected with the PWS.LDPinchIE trojan last week. I used Spybot to fix it but it was back the very next day, along with Win32.Murlo.ff.rtk. I used Spybot again and it seemed to be able to clean all except for the registry value for the rootkit, meaning it all would come back again and again. So I tried a few rootkit "cleanup" tools and nothing seemed to work permanently.
Yesterday I tried running Spybot in safe mode and it seems to have worked at getting rid of the trojan but not the rootkit (it kept telling me the registry entry was being used by a process). So late yesterday I signed up here and followed the instructions for posting a new thread. I ran the Kapersky scan and have the results to attach herewith. Then I ran Spybot in safe mode again and was surprised that this time it only found the registry entry for the rootkit, and was able to clean it and verify it was gone. The I restarted and ran the HijackThis scan and have the results to attach herewith. Just to let you know, when I restarted, Teatimer allowed the pesky "startdrv" value to be changed, so I suspect it is all back again, but I am continuing here in the hopes you can help me get squeaky clean!
Here is the body of the HijackThis scan:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:55 AM, on 12/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\windows\system32\services.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\WINDOWS\TEMP\KR8EE1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] C:\WINDOWS\system32\nwiz.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - http://www.solidworks.com/plugins/edrawings/download.cfm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152801665465
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://download.autodesk.com/esd/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Seekmo/ie/bridge-c567.cab?1604a10cec6b7cf55baa19521dde00b6efc8c354eb4bc58e789d6dcc1036ad736590ed7c9d0989cc4c106b250aab2fb781c3f6ccdff97dfa3533f4e0f6:82c459e3204ff84a0e0e8af70dae6150
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/MsnChat45.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/winantispyware.com/www/download/2006/WinAntiSpyware2006FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = OLYMPIA.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = OLYMPIA.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = OLYMPIA.LOCAL
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = OLYMPIA.LOCAL
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
--
End of file - 9605 bytes
The Kapersky scan file is apparently too large to post (roughly 200,000 characters), so I await your instructions on that. Any help you can provide would be greatly appreciated! :)
little eagle
2007-12-10, 21:15
Reboot and rescan with HiJackThis and post a new log here.
Also please describe how your computer behaves at the moment.
Modman_4
2007-12-10, 23:42
Hello, Little Eagle and thanks for taking the time to review my potential problem. I ran Spybot again with the most current definitions and am still coming back clean. I also ran a fresh HJT and have pasted the log below. My computer is behaving fairly well at the moment. I only notice that S&D can hog up to 99% of resources whenever I run it, which makes using other apps a little difficult at times, but not all the time -- my guess is sometimes it is slowed down by analyzing a huge file. Anyways the other stuff is this -- a while back since S&D flagged my ctfmon.exe as possible malware, I used teatimer to deny it being changed, which it wants to do every time i go online. And since my recent bout with the trojan and the rootkit, startdrv.exe has been added to my list of blocked registry changes. However, the following registry values are in my Teatimer's "Allowed registry changes" list:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\startdrv=
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVer\Run\ctfmon=
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVer\Run\Tucan=
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVer\Runonce\SpybotDeletingA4587=command /c del "C:\WINDOWS\Temp\startdrv.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVer\Runonce\SpybotDeletingC2909=cmd /c del "C:\WINDOWS\Temp\startdrv.exe"
When I was battling all of the nasties, I kept getting a random letter/number combination in my process list in task manager. This corresponded at one time or another with the two numbers shown in "SybotDeleting" above, and sometimes with others as well. I just peeked at my task manager again and there is an unknown process called VA6005.exe using 2,648 Kb but 0 CPU. Anyhow, here is my fresh HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:33 PM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\windows\system32\svchost.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\WINDOWS\TEMP\VA6005.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] C:\WINDOWS\system32\nwiz.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - http://www.solidworks.com/plugins/edrawings/download.cfm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152801665465
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://download.autodesk.com/esd/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Seekmo/ie/bridge-c567.cab?1604a10cec6b7cf55baa19521dde00b6efc8c354eb4bc58e789d6dcc1036ad736590ed7c9d0989cc4c106b250aab2fb781c3f6ccdff97dfa3533f4e0f6:82c459e3204ff84a0e0e8af70dae6150
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/MsnChat45.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/winantispyware.com/www/download/2006/WinAntiSpyware2006FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = OLYMPIA.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = OLYMPIA.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = OLYMPIA.LOCAL
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = OLYMPIA.LOCAL
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
--
End of file - 9653 bytes
Anyways, please let me know if I am okay :alien:
little eagle
2007-12-11, 03:44
We will need to disable TeaTimer
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
---------------------------------
Close all programs leaving only HijackThis running. Place a check against each of the following,
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - http://www.solidworks.com/plugins/ed...s/download.cfm
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Seek...0e8af70dae6150
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/si...reeInstall.cab
Click on Fix Checked when finished and exit HijackThis.
-------------------------------------------------------
Reboot Run this online scan from ESET (http://www.eset.eu/online-scanner)
to check for additional infections from the malware.
You will need to use Internet explorer for this scan!
First, accept the Terms of Use
Click: Start
When asked, allow the ActiveX control to install
Click: Start
Make sure the options:
Remove found threats, and Scan unwanted applications
are both checked!
Click: Scan
When the scan finishes, use Notepad to open the ESET report.
It will be located here C:\Program Files\EsetOnlineScanner\log.txt
Modman_4
2007-12-11, 17:54
Hi again, Little Eagle. I did all that you asked, in order, and I am attching the EST scan log herewith in two posts:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2716 (20071211)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=43dcbfd68715bc4da90c3098f38eddba
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2007-12-11 03:34:07
# local_time=2007-12-11 10:34:07 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=701648
# found=161
# scan_time=6500
C:\Documents and Settings\ADeacon\Local Settings\Temp\10.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\11.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\12.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\13.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\15.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\16.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\17.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\18.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\19.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\1A.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\1C.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\1D.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\1E.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\1F.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\20.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\21.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\22.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\23.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\24.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\72.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\73.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\74.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\75.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\76.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\77.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\78.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\79.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\7A.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\7B.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\7C.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\7D.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\7E.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\7F.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\80.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\81.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\82.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\83.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\84.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\85.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\86.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\87.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\88.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\89.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\8A.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\8B.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\8C.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\8D.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\8E.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\8F.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\9.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\90.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\91.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\92.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\93.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\94.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\95.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\96.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\97.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\98.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\99.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\9A.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\9B.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\9C.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\9D.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\9E.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\9F.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\A0.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\A1.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\A2.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\A3.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\A4.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\A5.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\A6.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\A7.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\C.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\D.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\E.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Local Settings\Temp\F.tmp Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ADeacon\Pavark\RKCL_SEND\25110F9B008B282A3F18FE20EBF23264.fil Win32/Rootkit.Agent.EY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1806.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1807.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1808.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1809.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
Modman_4
2007-12-11, 17:56
here is the second half of the scan:
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1810.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1811.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1812.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1813.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1814.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1815.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1816.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1817.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1818.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1819.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1820.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1821.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1822.exe Win32/Agent.NNK trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1823.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1824.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1825.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1826.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1827.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1828.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1829.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1830.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1831.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1832.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1833.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1834.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1835.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1836.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1837.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1838.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1839.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1840.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1841.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1842.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1843.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1844.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1845.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1846.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1847.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1848.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1849.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1850.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1851.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1852.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1853.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1854.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1855.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1856.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1857.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1859.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1860.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1861.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1862.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1863.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1864.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1865.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1866.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1867.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1868.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1869.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1870.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1871.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1872.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1873.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1874.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1875.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1876.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1877.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1878.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1879.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1880.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1881.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1882.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1883.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1884.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1390067357-764733703-725345543-1111\Dc1885.exe Win32/Agent.NNN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\Downloaded Program Files\UWAS6_0001_N69M0703NetInstaller.exe Win32/Adware.WinFixer application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\ctl_w32.sy_ Win32/Rootkit.Agent.EY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\ip6fw.sys Win32/Rootkit.Agent.DP trojan (unable to clean - deleted) 00000000000000000000000000000000
From the looks of it to me, most of the threats still reside in various SystemRestore folders. Also, today my mystery process is named BJ97DF.exe. I await your further instructions :cowboy:
little eagle
2007-12-11, 21:02
Lets try running combofix.exe
Download it from one of the links below:
Note:
It is important that it is saved directly to your desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/ComboFix.exe
Double click combofix.exe & follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Modman_4
2007-12-11, 23:13
Okay just to let you know, both of your links wouldn't work for me so I went to another thread on this forum and found a link that did work. I downloaded and ran ComboFix from my desktop as requested, and the log is as follows:
ComboFix 07-12-12.3 - ADeacon 2007-12-11 15:47:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.481 [GMT -5:00]
Running from: C:\Documents and Settings\ADeacon\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\ADeacon\Application Data\install.dat
C:\Program Files\winantispyware 2006 scanner
C:\WINDOWS\system32\3_exception.nls
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CTL_W32
-------\LEGACY_NPF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\ctl_w32
-------\NPF
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.
2007-12-11 08:44 . 2007-12-11 10:34 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-12-04 13:30 . 2007-12-04 13:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-04 13:30 . 2007-12-04 13:30 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2007-12-04 12:34 . 2007-12-04 12:34 8,576 --a------ C:\WINDOWS\system32\drivers\dajuvtsnyovw.sys
2007-12-03 17:15 . 2007-12-04 13:11 287 --a------ C:\WINDOWS\wininit.ini
2007-12-03 16:34 . 2007-12-03 16:34 2,196 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-03 16:33 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-03 16:33 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-03 16:33 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-03 16:33 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-03 16:33 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-03 13:50 . 2007-12-11 15:40 140,668 --a------ C:\WINDOWS\system32\pguard.dat
2007-12-03 13:50 . 2007-12-11 15:40 75,636 --a------ C:\WINDOWS\system32\pghash.dat
2007-12-03 13:45 . 2007-12-03 13:50 <DIR> d-------- C:\Program Files\ProcessGuard
2007-12-03 13:45 . 2004-10-13 17:06 106,496 --a------ C:\WINDOWS\system32\procguard.dll
2007-12-03 13:45 . 2005-01-20 14:13 24,911 --a------ C:\WINDOWS\system32\drivers\procguard.sys
2007-12-03 13:13 . 2007-12-03 13:13 8,576 --a------ C:\WINDOWS\system32\drivers\tmtdntdxcojw.sys
2007-12-03 12:58 . 2007-12-03 12:58 8,576 --a------ C:\WINDOWS\system32\drivers\rmjtbgiurfir.sys
2007-12-03 12:48 . 2007-12-04 12:57 2,849 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys
2007-12-03 11:43 . 2007-12-03 11:43 8,576 --a------ C:\WINDOWS\system32\drivers\fbeqfgcqedpq.sys
2007-12-03 11:38 . 2007-12-03 11:55 <DIR> d-------- C:\Documents and Settings\ADeacon\Pavark
2007-12-03 09:57 . 2007-12-03 09:55 8,576 --a------ C:\WINDOWS\system32\drivers\pyjilqvwjqjc.sys
2007-12-03 09:23 . 2007-01-18 07:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-11-30 17:06 . 2007-11-30 17:06 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-11-30 15:39 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-30 08:21 . 2007-11-30 11:26 <DIR> d-------- C:\Documents and Settings\ADeacon\.housecall6.6
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 22:07 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-29 20:32 --------- d-----w C:\Program Files\Trend Micro
2007-10-31 20:01 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-10-31 20:01 --------- d-----w C:\Program Files\AutoCAD 2008
2007-10-31 14:23 --------- d-----w C:\Program Files\Steelcase FSL
1997-06-23 16:06 287,504 --sha-w C:\WINDOWS\system32\Msxbse35.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutoCAD Digital Signatures Icon Overlay Handler]
@={36A21736-36C2-4C11-8ACB-D4136F2B57BD}
[HKEY_CLASSES_ROOT\CLSID\{36A21736-36C2-4C11-8ACB-D4136F2B57BD}]
2007-02-12 01:12 44648 --a------ C:\WINDOWS\system32\AcSignIcon.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!1_ProcessGuard_Startup"="C:\Program Files\ProcessGuard\procguard.exe" [2005-01-20 14:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 18:41]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2005-11-02 22:32]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"nwiz"="C:\WINDOWS\system32\nwiz.exe" [2007-07-13 07:34]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"!1_pgaccount"="C:\Program Files\ProcessGuard\pgaccount.exe" [2005-01-20 14:14]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-16 23:00:00]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-16 23:00:00]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1390067357-764733703-725345543-1111\Scripts\Logon\0\0]
"Script"=LOGON.BAT
R2 APCPBEAgent;APC PBE Agent;C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
R2 DCSPGSRV;DiamondCS Process Guard Service v3.000;"C:\Program Files\ProcessGuard\dcsuserprot.exe"
R2 procguard;procguard;\??\C:\WINDOWS\system32\drivers\procguard.sys
S3 iscFlash;iscFlash;\??\C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 14:59:53 C:\WINDOWS\Tasks\Ad-Aware SE Personal.job"
"2007-12-03 12:56:16 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-12-11 20:58:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-26 20:46:24 C:\WINDOWS\Tasks\zvszdg.job"
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 15:57:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-11 15:59:30 - machine was rebooted
.
2007-12-07 12:59:29 --- E O F ---
The mystery file is now SB11B7.exe, and I had to disable Processgurad to run ComboFix, by the way. I still have it disabled. I anxiouslt await the next step :alien:
little eagle
2007-12-12, 00:24
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Modman_4
2007-12-12, 16:35
Thanks Little Eagle I followed your instructions, although I noticed the file to run was RunThis.cmd as there was no RunThis.bat. The logfile of SDFix is as follows:
SDFix: Version 1.118
Run by Administrator on Wed 12/12/2007 at 08:58 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 09:10:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
Files with Hidden Attributes:
Thu 12 Feb 2004 4 ..SH. --- "C:\SIV7.tmp"
Mon 23 Jun 1997 287,504 A.SH. --- "C:\WINDOWS\system32\Msxbse35.dll"
Mon 14 Jul 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Mon 5 May 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg_old.reg"
Mon 5 May 2003 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient_old.reg"
Mon 14 Jul 2003 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Thu 20 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT64.tmp"
Finished!
And my latest HJT log is this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:22, on 2007-12-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\windows\system32\services.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\CA5C1A.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] C:\WINDOWS\system32\nwiz.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152801665465
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://download.autodesk.com/esd/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/MsnChat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = OLYMPIA.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = OLYMPIA.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = OLYMPIA.LOCAL
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
--
End of file - 8868 bytes
As you can see, my mystery file is still there -- today it is CA5C1A.exe. What's next? :rolleyes:
little eagle
2007-12-13, 01:04
This look fine now.
Download and run - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)
Reset your restore points, please note that you will need to log into your computer with an account
which has full administrator access. You will know if the account has administrator access because
you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Modman_4
2007-12-13, 16:11
Okay I did as you requested and cleaned out over 42 Mb of "stuff", rebooted, turned off system restore, rebooted, and turned sytem restore back on. So I am all set now? I must say you don't know how much I appreciated the help! do you have any idea what that mystery process is though? It is still there but apparently it is harmless or legit?
In any event, thanks again!:santa:
little eagle
2007-12-13, 20:06
do you have any idea what that mystery process is though? It is still there but apparently it is harmless or legit?
Lets try this and see if we can find it.
Download and Run Silent Runners
Download Silent Runners.zip (http://tinyurl.com/8bmsr) and extract it to a new folder on your Desktop.
Run the Silent Runners.vbs file.
You will receive a prompt: Do you want to skip supplementary searches? - click NO.
If your antivirus has a script blocker you will get a warning asking if you want to allow Silent Runners.vbs to run.
This script is not malicious so please allow it. A text file will appear in the folder - it's not done let it run. (Itwon't appear to be doing anything!)
Once the All Done! prompt flashes up open the text file and save it to SR's folder on you Desktop.
Modman_4
2007-12-13, 21:09
Okay here's my results from Silent Runners:
"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"!1_ProcessGuard_Startup" = ""C:\Program Files\ProcessGuard\procguard.exe" -minimize" ["DiamondCS"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IntelliPoint" = ""C:\Program Files\Microsoft IntelliPoint\point32.exe"" [MS]
"OfficeScanNT Monitor" = ""C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow" ["Trend Micro Inc."]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"nwiz" = "C:\WINDOWS\system32\nwiz.exe" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"!1_pgaccount" = ""C:\Program Files\ProcessGuard\pgaccount.exe"" ["DiamondCS"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2F85D76C-0569-466F-A488-493E6BD0E955}\(Default) = (no title provided)
-> {HKLM...CLSID} = "dsWebAllowBHO Class"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\dsWebAllow.dll" [MS]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"
-> {HKLM...CLSID} = "ACDWFTHMBPRXY"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll" ["Autodesk"]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "AutoCAD Digital Signatures Icon Overlay Handler"
-> {HKLM...CLSID} = "AcSignIcon"
\InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk, Inc."]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
-> {HKLM...CLSID} = "ACTHUMBNAIL"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "Windows Deskbar"
-> {HKCU...CLSID} = "Windows Search Deskbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\deskbar.dll" [MS]
"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"
-> {HKLM...CLSID} = "Windows Desktop Search"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\msnlExt.dll" [MS]
"{D426CFD0-87FC-4906-98D9-A23F5D515D61}" = "Windows Desktop Search Outlook Express ISearchFolder Class"
-> {HKLM...CLSID} = "Windows Desktop Search Outlook Express SearchProtocol Class"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\OEPH.dll" [MS]
"{5800AD5B-72C1-477B-9A08-CA112DF06D97}" = "AutoCAD DWG InfoTip Handler"
-> {HKLM...CLSID} = "AcInfoTipHandler"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll" ["Autodesk"]
"{8A0BC933-7552-42E2-A228-3BE055777227}" = "AutoCAD DWG Column Handler"
-> {HKLM...CLSID} = "AcColumnHandler"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll" ["Autodesk"]
"{ADC46291-D8A1-4486-A24C-86FFB392AEFA}" = "Autodesk Dgn File Preview"
-> {HKLM...CLSID} = "AcDgnImageExtractor"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\AcDgnCOM17.dll" ["Autodesk"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{56F9679E-7826-4C84-81F3-532071A8BCC5}" = (no title provided)
-> {HKLM...CLSID} = "Windows Desktop Search Namespace Manager"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [MS]
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon\0\
DisplayName = "OLYMPIA"
0\ -> launches: "\\OLYMPIA.LOCAL\SysVol\OLYMPIA.LOCAL\Policies\{545ABC7E-6702-4BBA-AB5C-F8EFB1E738C0}\User\Scripts\Logon\LOGON.BAT" [** WMI GetObject error **]
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{8A0BC933-7552-42E2-A228-3BE055777227}\(Default) = "AutoCAD DWG column info"
-> {HKLM...CLSID} = "AcColumnHandler"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll" ["Autodesk"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Autodesk.DWF.ContextMenu\(Default) = "{6C18531F-CA85-45F7-8278-FF33CF0A5964}"
-> {HKLM...CLSID} = "DWFShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\dwf Common\DWFShellExtension.dll" [file not found]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Winzip\wzshlext.dll" [null data]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Winzip\wzshlext.dll" [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Winzip\wzshlext.dll" [null data]
Default executables:
--------------------
<<!>> HKCU\Software\Classes\.exe\(Default) = "exefile"
<<!>> HKCU\Software\Classes\.hta\(Default) = "htafile"
<<!>> HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
<<!>> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\notepad.exe" "%1"" [MS]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINNT\Web\Wallpaper\GTW_blue.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINNT\Web\Wallpaper\GTW_blue.bmp"
Enabled Scheduled Tasks:
------------------------
"Ad-Aware SE Personal" -> launches: "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" ["Lavasoft Sweden"]
"Check Updates for Windows Live Toolbar" -> launches: "C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE" [MS]
"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
"zvszdg.job" -- insufficient permission to read this file!
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
APC PBE Agent, APCPBEAgent, "C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe" ["APC"]
APC UPS Service, APC UPS Service, "C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe" ["American Power Conversion Corporation"]
Autodesk Licensing Service, Autodesk Licensing Service, ""C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe"" ["Autodesk"]
DiamondCS Process Guard Service v3.000, DCSPGSRV, ""C:\Program Files\ProcessGuard\dcsuserprot.exe"" ["DiamondCS"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
PrismXL, PrismXL, "C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS" ["Lanovation"]
Trend Micro Client/Server Security Agent Listener, tmlisten, "C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe" ["Trend Micro Inc."]
Trend Micro Client/Server Security Agent Personal Firewall, OfcPfwSvc, "C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe" ["Trend Micro Inc."]
Trend Micro Client/Server Security Agent RealTime Scan, ntrtscan, "C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe" ["Trend Micro Inc."]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PDF Port\Driver = "C:\WINDOWS\system32\pdfports.dll" ["Adobe Systems Incorporated."]
PDFCreator\Driver = "pdfcmnnt.dll" [null data]
---------- (launch time: 2007-12-13 13:45:31)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 177 seconds.
---------- (total run time: 243 seconds)
The mystery process right now goes by the name of NI939F.exe
little eagle
2007-12-14, 04:26
Download Gmer to your Desktop and unzip it to your Desktop.
http://www.gmer.net/gmer.zip
Disconnect from internet and close running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double click gmer.exe.
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
If no warning....
Click the rootkit tab
To the right of the program you will see a bunch of boxes that have been checked... leave everything checked and uncheck the Registry box. Then click the Scan button. Wait for the scan to finish.
Once done click the Copy button.
Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.
Click the >>> tab. This will open up all available tabs for you.
Click the Autostart tab then the scan button. Once its done click the Copy button.
Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.
Post back with the GMER logs and a new HijackThis log
Modman_4
2007-12-14, 17:26
Hello :) here is the Gmer rootkit scan log you requested:
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-12-14 10:04:33
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.13 ----
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwCreateFile
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwFsControlFile
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwOpenKey
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwOpenSection
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwProtectVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwReadVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwRequestWaitReplyPort
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSuspendProcess
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwTerminateThread
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwWriteVirtualMemory
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F6A686C0] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F6A6802E] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F6A685EE] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F6A68F90] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F6A68006] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F6A62BBC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F6A62BBC] TmPreFlt.sys
---- EOF - GMER 1.0.13 ----
Here is the Gmer autostart log you requested:
GMER 1.0.13.12551 - http://www.gmer.net
Autostart scan 2007-12-14 10:10:34
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
igfxcui@DLLName = igfxsrvc.dll
WgaLogon@DLLName = WgaLogon.dll
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
APC UPS Service /*APC UPS Service*/@ = C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
APCPBEAgent /*APC PBE Agent*/@ = C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
DCSPGSRV /*DiamondCS Process Guard Service v3.000*/@ = "C:\Program Files\ProcessGuard\dcsuserprot.exe"
MDM /*Machine Debug Manager*/@ = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
ntrtscan /*Trend Micro Client/Server Security Agent RealTime Scan*/@ = C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
NVSvc /*NVIDIA Display Driver Service*/@ = %SystemRoot%\system32\nvsvc32.exe
OfcPfwSvc /*Trend Micro Client/Server Security Agent Personal Firewall*/@ = C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
PrismXL /*PrismXL*/@ = C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
tmlisten /*Trend Micro Client/Server Security Agent Listener*/@ = C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
WinDefend /*Windows Defender*/@ = "C:\Program Files\Windows Defender\MsMpEng.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@IntelliPoint"C:\Program Files\Microsoft IntelliPoint\point32.exe" = "C:\Program Files\Microsoft IntelliPoint\point32.exe"
@OfficeScanNT Monitor"C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow = "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
@Windows Defender"C:\Program Files\Windows Defender\MSASCui.exe" -hide = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
@nwizC:\WINDOWS\system32\nwiz.exe = C:\WINDOWS\system32\nwiz.exe
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
@!1_pgaccount"C:\Program Files\ProcessGuard\pgaccount.exe" = "C:\Program Files\ProcessGuard\pgaccount.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@!1_ProcessGuard_Startup"C:\Program Files\ProcessGuard\procguard.exe" -minimize = "C:\Program Files\ProcessGuard\procguard.exe" -minimize
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{56F9679E-7826-4C84-81F3-532071A8BCC5}C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll = C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
@{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}C:\PROGRA~1\WIFD1F~1\MpShHook.dll = C:\PROGRA~1\WIFD1F~1\MpShHook.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{BB7DF450-F119-11CD-8465-00AA00425D90} /*Microsoft Access Custom Icon Handler*/C:\Program Files\Microsoft Office\Office\soa800.dll = C:\Program Files\Microsoft Office\Office\soa800.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{6DEA92E9-8682-4b6a-97DE-354772FE5727} /*Autodesk DWF Preview*/C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll = C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll
@{36A21736-36C2-4C11-8ACB-D4136F2B57BD} /*AutoCAD Digital Signatures Icon Overlay Handler*/C:\WINDOWS\system32\AcSignIcon.dll = C:\WINDOWS\system32\AcSignIcon.dll
@{AC1DB655-4F9A-4c39-8AD2-A65324A4C446} /*Autodesk Drawing Preview*/C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll = C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll
@{BDA77241-42F6-11d0-85E2-00AA001FE28C} /*LDVP Shell Extensions*/C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll = C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{97090E2F-3062-4459-855B-014F0D3CDBB1} /*Windows Deskbar*/(null) =
@{13E7F612-F261-4391-BEA2-39DF4F3FA311} /*Windows Desktop Search*/C:\Program Files\Windows Desktop Search\msnlExt.dll = C:\Program Files\Windows Desktop Search\msnlExt.dll
@{D426CFD0-87FC-4906-98D9-A23F5D515D61} /*Windows Desktop Search Outlook Express ISearchFolder Class*/C:\Program Files\Windows Desktop Search\OEPH.dll = C:\Program Files\Windows Desktop Search\OEPH.dll
@{5800AD5B-72C1-477B-9A08-CA112DF06D97} /*AutoCAD DWG InfoTip Handler*/C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll = C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll
@{8A0BC933-7552-42E2-A228-3BE055777227} /*AutoCAD DWG Column Handler*/C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll = C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll
@{ADC46291-D8A1-4486-A24C-86FFB392AEFA} /*Autodesk Dgn File Preview*/C:\Program Files\Common Files\Autodesk Shared\AcDgnCOM17.dll = C:\Program Files\Common Files\Autodesk Shared\AcDgnCOM17.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Autodesk.DWF.ContextMenu@{6C18531F-CA85-45F7-8278-FF33CF0A5964} = C:\Program Files\Common Files\Autodesk Shared\dwf Common\DWFShellExtension.dll /*file not found*/
LDVPMenu@{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
WinZip@{E0D79300-84BE-11CE-9641-444553540000} = C:\Winzip\wzshlext.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinZip@{E0D79300-84BE-11CE-9641-444553540000} = C:\Winzip\wzshlext.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
LDVPMenu@{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
WinZip@{E0D79300-84BE-11CE-9641-444553540000} = C:\Winzip\wzshlext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
@{2F85D76C-0569-466F-A488-493E6BD0E955}C:\Program Files\Windows Desktop Search\dsWebAllow.dll = C:\Program Files\Windows Desktop Search\dsWebAllow.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{9030D464-4C02-4ABF-8ECC-5164760863C6}C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
@{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}C:\Program Files\Windows Live Toolbar\msntb.dll = C:\Program Files\Windows Live Toolbar\msntb.dll
HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.msn.com/ = http://www.msn.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain = OLYMPIA.LOCAL
---- EOF - GMER 1.0.13 ----
Modman_4
2007-12-14, 17:26
...and here is the fresh HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14, on 2007-12-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\windows\system32\services.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\TEMP\PZFEC5.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] C:\WINDOWS\system32\nwiz.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152801665465
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://download.autodesk.com/esd/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/MsnChat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = OLYMPIA.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = OLYMPIA.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = OLYMPIA.LOCAL
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
--
End of file - 8638 bytes
little eagle
2007-12-15, 01:37
Download and install AVG Anti-Spyware (ewido). Then scan and post the report here.
Instructions and download link can be found here (http://forums.security-central.us/showthread.php?t=3165).
Boot in safe mode before scanning.
Modman_4
2007-12-17, 17:55
Okay I downloaded the program and I printed out the instructions on the link you gave me. Then I restarted in safe mode and ran the scan without anything else running. Following the instructions from that page, I thought it was part of what you wanted me to do was to "apply all actions" and then "save a report". Once I "applied all actions" the "save a report" button grayed out on me so I couldn't save the report, so I rebooted innnormal mode and here I am without a report I can give you. It did say I had 9 tracker cookies and one trace. What do we do now?
little eagle
2007-12-18, 02:10
Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found - if found, so don't worry it tells that there were no files found.
In case hidden files were found, Don't choose for rename yet! I want to see the log first, because legit items can also be present there...
There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.
Modman_4
2007-12-18, 15:50
Okay I followed the link but when I clicked the agreement button I got a page-not-found error. So I rooted around their website and under the USA page found a download for blacklight (not the beta version though) and ran it. It came back clean (no hidden files found). Attached is the logfile fsbl-20071218131837:
12/18/07 08:18:37 [Info]: BlackLight Engine 1.0.67 initialized
12/18/07 08:18:37 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/18/07 08:18:37 [Note]: 7019 4
12/18/07 08:18:37 [Note]: 7005 0
12/18/07 08:18:51 [Note]: 7006 0
12/18/07 08:18:51 [Note]: 7011 2512
12/18/07 08:18:51 [Note]: 7026 0
12/18/07 08:18:51 [Note]: 7026 0
12/18/07 08:18:55 [Note]: FSRAW library version 1.7.1024
little eagle
2007-12-19, 03:16
The mystery process right now goes by the name of NI939F.exe
Use Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) to find out which files is running it.
Let me know what you find out.
Modman_4
2007-12-19, 16:21
Hi Little Eagle. I did what you requested and am attaching two logfiles. The first (NTRtScan.txt) shows PLDE1E.exe (today's name for it) running under NTRtScan (which is legitimate), yet PLDE1E.exe has no info as to what it is or who made it. The second (PLDE1E.exe) contains what is going on with it, which apparently releases ofcdog (the icon is a little brown terrier). I hope I did the attachment thing correctly. Anyways here they are as is. Please let me know if it is just a legitimate part of the Trend Micro thing or what...
1865
1866
little eagle
2007-12-20, 05:30
Using Windows Explorer, locate the following file
PLDE1E.exe
Let me know if you find it.
Modman_4
2007-12-20, 15:00
Hi. Today it is called RG41ED.exe and I found it under C:\WINDOWS\Temp
Under Properties it is 168 Kb, and was Created 12-20-07 at 7:35 am (the time I booted up the computer), yet was Modified 11-02-05
little eagle
2007-12-21, 15:13
Lets try this Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\drivers\dajuvtsnyovw.sys
C:\WINDOWS\system32\drivers\tmtdntdxcojw.sys
C:\WINDOWS\system32\drivers\rmjtbgiurfir.sys
C:\WINDOWS\system32\drivers\fbeqfgcqedpq.sys
C:\WINDOWS\system32\drivers\pyjilqvwjqjc.sys
C:\WINDOWS\Tasks\zvszdg.job
Driver::
dajuvtsnyovw
tmtdntdxcojw
rmjtbgiurfir
fbeqfgcqedpq
pyjilqvwjqjc
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/Combo-Do.gif
Refering to the picture above, drag CFScript.txt into ComboFix.exe
Then post the results log and a new HijackThis log.
Modman_4
2007-12-21, 16:21
Okay I ran the script and here is the combofix log:
ComboFix 07-12-21.4 - ADeacon 2007-12-21 8:53:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.287 [GMT -5:00]
Running from: C:\Documents and Settings\ADeacon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ADeacon\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\drivers\dajuvtsnyovw.sys
C:\WINDOWS\system32\drivers\fbeqfgcqedpq.sys
C:\WINDOWS\system32\drivers\pyjilqvwjqjc.sys
C:\WINDOWS\system32\drivers\rmjtbgiurfir.sys
C:\WINDOWS\system32\drivers\tmtdntdxcojw.sys
C:\WINDOWS\Tasks\zvszdg.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\dajuvtsnyovw.sys
C:\WINDOWS\system32\drivers\fbeqfgcqedpq.sys
C:\WINDOWS\system32\drivers\pyjilqvwjqjc.sys
C:\WINDOWS\system32\drivers\rmjtbgiurfir.sys
C:\WINDOWS\system32\drivers\tmtdntdxcojw.sys
C:\WINDOWS\Tasks\zvszdg.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DAJUVTSNYOVW
-------\LEGACY_FBEQFGCQEDPQ
-------\LEGACY_PYJILQVWJQJC
-------\LEGACY_RMJTBGIURFIR
-------\LEGACY_TMTDNTDXCOJW
-------\dajuvtsnyovw
-------\fbeqfgcqedpq
-------\pyjilqvwjqjc
-------\rmjtbgiurfir
-------\tmtdntdxcojw
((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
.
2007-12-17 08:12 . 2007-12-17 08:12 <DIR> d-------- C:\Documents and Settings\ADeacon\Application Data\Grisoft
2007-12-17 08:11 . 2007-12-17 08:11 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2007-12-17 08:11 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-14 08:53 . 2007-12-14 09:59 250 --a------ C:\WINDOWS\gmer.ini
2007-12-12 08:57 . 2007-12-12 08:57 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-11 08:44 . 2007-12-11 10:34 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-12-04 13:30 . 2007-12-04 13:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-04 13:30 . 2007-12-04 13:30 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2007-12-03 17:15 . 2007-12-04 13:11 287 --a------ C:\WINDOWS\wininit.ini
2007-12-03 16:34 . 2007-12-03 16:34 2,196 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-03 16:33 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-03 16:33 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-03 16:33 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-03 16:33 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-03 16:33 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-03 13:50 . 2007-12-11 15:40 140,668 --a------ C:\WINDOWS\system32\pguard.dat
2007-12-03 13:50 . 2007-12-11 15:40 75,636 --a------ C:\WINDOWS\system32\pghash.dat
2007-12-03 13:45 . 2007-12-03 13:50 <DIR> d-------- C:\Program Files\ProcessGuard
2007-12-03 13:45 . 2004-10-13 17:06 106,496 --a------ C:\WINDOWS\system32\procguard.dll
2007-12-03 13:45 . 2005-01-20 14:13 24,911 --a------ C:\WINDOWS\system32\drivers\procguard.sys
2007-12-03 12:48 . 2007-12-04 12:57 2,849 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys
2007-12-03 11:38 . 2007-12-03 11:55 <DIR> d-------- C:\Documents and Settings\ADeacon\Pavark
2007-12-03 09:23 . 2007-01-18 07:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-11-30 17:06 . 2007-11-30 17:06 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-11-30 15:39 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-30 08:21 . 2007-11-30 11:26 <DIR> d-------- C:\Documents and Settings\ADeacon\.housecall6.6
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 22:07 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-29 20:32 --------- d-----w C:\Program Files\Trend Micro
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-31 20:01 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-10-31 20:01 --------- d-----w C:\Program Files\AutoCAD 2008
2007-10-31 14:23 --------- d-----w C:\Program Files\Steelcase FSL
1997-06-23 16:06 287,504 --sha-w C:\WINDOWS\system32\Msxbse35.dll
.
((((((((((((((((((((((((((((( snapshot@2007-12-11_15.58.33.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-06 09:52:38 72,960 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqac.sys
+ 2007-07-06 13:08:11 138,240 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqad.dll
+ 2007-07-06 13:08:11 47,104 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqdscli.dll
+ 2007-07-06 13:08:11 16,896 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqise.dll
+ 2007-07-06 13:08:11 660,992 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqqm.dll
+ 2007-07-06 13:08:11 177,152 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqrt.dll
+ 2007-07-06 13:08:11 95,744 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqsec.dll
+ 2007-07-06 13:08:11 48,640 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqupgrd.dll
+ 2007-07-06 13:08:11 471,552 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqutil.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB937894\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB937894\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB937894\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB937894\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB937894\update\updspapi.dll
+ 2007-10-29 22:35:13 1,287,680 ----a-w C:\WINDOWS\$hf_mig$\KB941568\SP2QFE\quartz.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\updspapi.dll
+ 2007-10-10 23:47:27 124,928 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\advpack.dll
+ 2007-10-10 23:47:27 214,528 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\dxtrans.dll
+ 2007-10-10 23:47:27 132,608 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\extmgr.dll
+ 2007-10-10 23:47:27 63,488 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\icardie.dll
+ 2007-10-10 08:16:47 70,656 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ie4uinit.exe
+ 2007-10-10 23:47:27 153,088 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieakeng.dll
+ 2007-10-10 23:47:27 230,400 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieaksie.dll
+ 2007-10-10 05:47:20 161,792 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieakui.dll
+ 2007-04-17 09:28:12 2,455,488 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieapfltr.dat
+ 2007-10-10 23:47:27 383,488 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieapfltr.dll
+ 2007-10-10 23:47:27 388,096 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iedkcs32.dll
+ 2007-10-10 23:47:27 6,067,200 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieframe.dll
+ 2007-10-10 23:47:27 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iernonce.dll
+ 2007-10-10 23:47:27 267,776 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iertutil.dll
+ 2007-10-10 08:16:47 13,824 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieudinit.exe
+ 2007-10-10 08:16:56 625,664 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe
+ 2007-10-10 23:47:28 27,648 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\jsproxy.dll
+ 2007-10-10 23:47:28 459,264 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\msfeeds.dll
+ 2007-10-10 23:47:28 52,224 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\msfeedsbs.dll
+ 2007-10-30 23:48:49 3,593,216 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\mshtml.dll
+ 2007-10-10 23:47:28 478,208 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\mshtmled.dll
+ 2007-10-10 23:47:28 193,024 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\msrating.dll
+ 2007-10-10 23:47:28 671,232 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\mstime.dll
+ 2007-10-10 23:47:28 102,912 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\occache.dll
+ 2007-10-10 23:47:28 105,984 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\url.dll
+ 2007-10-10 23:47:29 1,162,240 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\urlmon.dll
+ 2007-10-10 23:47:29 233,472 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\webcheck.dll
+ 2007-10-10 23:47:29 825,344 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\updspapi.dll
+ 2007-11-13 11:02:46 60,416 ----a-w C:\WINDOWS\$hf_mig$\KB942763\SP2QFE\tzchange.exe
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB942763\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB942763\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\updspapi.dll
+ 2007-11-13 08:47:45 20,480 ----a-w C:\WINDOWS\$hf_mig$\KB944653\SP2QFE\secdrv.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB944653\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB944653\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\updspapi.dll
+ 2007-12-12 02:15:23 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-12-12 13:58:07 843,776 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-12-12 13:58:07 77,824 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-12 02:15:23 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-12-12 13:57:51 843,776 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2007-12-12 13:57:51 77,824 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
Modman_4
2007-12-21, 16:26
Here is the 2nd half of the combofix logfile:
+ 2007-12-14 13:53:00 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 14:38:18 581,632 ----a-w C:\WINDOWS\gmer.exe
+ 2007-08-20 10:04:34 124,928 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\advpack.dll
+ 2007-08-20 10:04:34 214,528 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\dxtrans.dll
+ 2007-08-20 10:04:34 132,608 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\extmgr.dll
+ 2007-08-20 10:04:34 63,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\icardie.dll
+ 2007-08-17 10:20:54 63,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ie4uinit.exe
+ 2007-08-20 10:04:34 153,088 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakeng.dll
+ 2007-08-20 10:04:35 230,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieaksie.dll
+ 2007-08-17 07:34:25 161,792 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakui.dll
+ 2007-08-20 10:04:35 383,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieapfltr.dll
+ 2007-08-20 10:04:35 384,512 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iedkcs32.dll
+ 2007-08-20 10:04:37 6,058,496 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieframe.dll
+ 2007-08-20 10:04:38 44,544 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iernonce.dll
+ 2007-08-20 10:04:38 267,776 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iertutil.dll
+ 2007-08-17 10:20:54 13,824 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieudinit.exe
+ 2007-08-17 10:21:21 625,152 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iexplore.exe
+ 2007-08-20 10:04:39 27,648 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\jsproxy.dll
+ 2007-08-20 10:04:39 459,264 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeeds.dll
+ 2007-08-20 10:04:39 52,224 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeedsbs.dll
+ 2007-08-20 10:04:41 3,584,512 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtml.dll
+ 2007-08-20 10:04:41 477,696 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtmled.dll
+ 2007-08-20 10:04:41 193,024 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msrating.dll
+ 2007-08-20 10:04:42 671,232 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mstime.dll
+ 2007-08-20 10:04:42 102,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\occache.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\updspapi.dll
+ 2007-08-20 10:04:42 105,984 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\url.dll
+ 2007-08-20 10:04:42 1,152,000 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\urlmon.dll
+ 2007-08-20 10:04:42 232,960 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\webcheck.dll
+ 2007-08-20 10:04:43 824,832 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
- 2007-11-14 22:01:09 12,288 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-12-13 13:05:37 12,288 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-11-14 22:01:09 135,168 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-12-13 13:05:37 135,168 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-11-14 22:01:09 11,264 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-12-13 13:05:37 11,264 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-11-14 22:01:09 27,136 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-12-13 13:05:37 27,136 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-11-14 22:01:09 4,096 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-12-13 13:05:37 4,096 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-11-14 22:01:09 794,624 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-12-13 13:05:38 794,624 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-11-14 22:01:09 249,856 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-12-13 13:05:37 249,856 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-11-14 22:01:09 61,440 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2007-12-13 13:05:37 61,440 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-11-14 22:01:09 23,040 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-12-13 13:05:38 23,040 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-11-14 22:01:09 286,720 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-12-13 13:05:37 286,720 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-11-14 22:01:09 409,600 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-12-13 13:05:37 409,600 ----a-r C:\WINDOWS\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-08-20 10:04:34 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-10-10 23:55:51 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-08-20 10:04:34 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2007-10-10 23:55:51 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
- 2007-08-20 10:04:34 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-10-10 23:55:51 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-08-20 10:04:34 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-10-10 23:55:51 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-08-20 10:04:34 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2007-10-10 23:55:51 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
- 2007-08-17 10:20:54 63,488 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2007-10-10 10:59:40 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-08-20 10:04:34 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2007-10-10 23:55:51 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-08-20 10:04:35 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2007-10-10 23:55:51 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-08-17 07:34:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2007-10-10 05:46:55 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-08-20 10:04:35 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2007-10-10 23:55:52 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2007-08-20 10:04:35 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2007-10-10 23:55:52 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-08-20 10:04:37 6,058,496 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2007-10-10 23:55:54 6,065,664 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2007-08-20 10:04:38 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2007-10-10 23:55:55 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-08-20 10:04:38 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2007-10-10 23:55:55 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2007-08-17 10:20:54 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2007-10-10 10:59:40 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2007-08-17 10:21:21 625,152 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2007-10-10 10:59:52 625,152 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-08-20 10:04:39 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-10-10 23:55:56 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-07-06 10:05:47 72,960 -c----w C:\WINDOWS\system32\dllcache\mqac.sys
+ 2007-07-06 12:46:59 138,240 -c----w C:\WINDOWS\system32\dllcache\mqad.dll
+ 2007-07-06 12:46:59 47,104 -c----w C:\WINDOWS\system32\dllcache\mqdscli.dll
+ 2007-07-06 12:46:59 16,896 -c----w C:\WINDOWS\system32\dllcache\mqise.dll
+ 2007-07-06 12:46:59 660,992 -c----w C:\WINDOWS\system32\dllcache\mqqm.dll
+ 2007-07-06 12:46:59 177,152 -c----w C:\WINDOWS\system32\dllcache\mqrt.dll
+ 2007-07-06 12:46:59 95,744 -c----w C:\WINDOWS\system32\dllcache\mqsec.dll
+ 2007-07-06 12:46:59 48,640 -c----w C:\WINDOWS\system32\dllcache\mqupgrd.dll
+ 2007-07-06 12:46:59 471,552 -c----w C:\WINDOWS\system32\dllcache\mqutil.dll
- 2007-08-20 10:04:39 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2007-10-10 23:55:56 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2007-08-20 10:04:39 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2007-10-10 23:55:56 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2007-08-20 10:04:41 3,584,512 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-10-30 23:42:28 3,590,656 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-08-20 10:04:41 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-10-10 23:55:58 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-08-20 10:04:41 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-10-10 23:55:58 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-08-20 10:04:42 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-10-10 23:55:59 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-08-20 10:04:42 102,400 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-10-10 23:55:59 102,400 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-10-29 22:43:03 1,287,680 -c----w C:\WINDOWS\system32\dllcache\quartz.dll
- 2007-08-20 10:04:42 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
+ 2007-10-10 23:55:59 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
- 2007-08-20 10:04:42 1,152,000 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-10-10 23:56:00 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-08-20 10:04:42 232,960 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2007-10-10 23:56:00 232,960 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-08-20 10:04:43 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-10-10 23:56:00 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2004-09-22 23:46:12 229,376 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
+ 2007-10-27 22:40:06 227,328 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
+ 2007-12-14 13:53:00 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2004-08-04 05:58:20 72,960 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
+ 2007-07-06 10:05:47 72,960 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
- 2007-08-20 10:04:34 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-10-10 23:55:51 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-08-20 10:04:34 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-10-10 23:55:51 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2007-08-20 10:04:34 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2007-10-10 23:55:51 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-08-17 10:20:54 63,488 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2007-10-10 10:59:40 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-08-20 10:04:34 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2007-10-10 23:55:51 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-08-20 10:04:35 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2007-10-10 23:55:51 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-08-17 07:34:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2007-10-10 05:46:55 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-08-20 10:04:35 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2007-10-10 23:55:52 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-08-20 10:04:35 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2007-10-10 23:55:52 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-08-20 10:04:37 6,058,496 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2007-10-10 23:55:54 6,065,664 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-08-20 10:04:38 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2007-10-10 23:55:55 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-08-20 10:04:38 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2007-10-10 23:55:55 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-08-17 10:20:54 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2007-10-10 10:59:40 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-08-20 10:04:39 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-10-10 23:55:56 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2004-08-04 07:56:42 138,240 ----a-w C:\WINDOWS\system32\mqad.dll
+ 2007-07-06 12:46:59 138,240 ----a-w C:\WINDOWS\system32\mqad.dll
- 2004-08-04 07:56:42 47,104 ----a-w C:\WINDOWS\system32\mqdscli.dll
+ 2007-07-06 12:46:59 47,104 ----a-w C:\WINDOWS\system32\mqdscli.dll
- 2004-08-04 07:56:42 16,896 ----a-w C:\WINDOWS\system32\mqise.dll
+ 2007-07-06 12:46:59 16,896 ----a-w C:\WINDOWS\system32\mqise.dll
- 2004-08-04 07:56:42 660,992 ----a-w C:\WINDOWS\system32\mqqm.dll
+ 2007-07-06 12:46:59 660,992 ----a-w C:\WINDOWS\system32\mqqm.dll
- 2004-08-04 07:56:42 177,152 ----a-w C:\WINDOWS\system32\mqrt.dll
+ 2007-07-06 12:46:59 177,152 ----a-w C:\WINDOWS\system32\mqrt.dll
- 2004-08-04 07:56:42 95,744 ----a-w C:\WINDOWS\system32\mqsec.dll
+ 2007-07-06 12:46:59 95,744 ----a-w C:\WINDOWS\system32\mqsec.dll
- 2004-08-04 07:56:42 48,640 ----a-w C:\WINDOWS\system32\mqupgrd.dll
+ 2007-07-06 12:46:59 48,640 ----a-w C:\WINDOWS\system32\mqupgrd.dll
- 2004-08-04 07:56:42 471,552 ----a-w C:\WINDOWS\system32\mqutil.dll
+ 2007-07-06 12:46:59 471,552 ----a-w C:\WINDOWS\system32\mqutil.dll
- 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-12-02 23:00:05 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-08-20 10:04:39 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2007-10-10 23:55:56 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-08-20 10:04:39 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2007-10-10 23:55:56 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-08-20 10:04:41 3,584,512 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-10-30 23:42:28 3,590,656 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-08-20 10:04:41 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-10-10 23:55:58 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-08-20 10:04:41 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-10-10 23:55:58 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-08-20 10:04:42 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-10-10 23:55:59 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-08-20 10:04:42 102,400 ----a-w C:\WINDOWS\system32\occache.dll
+ 2007-10-10 23:55:59 102,400 ----a-w C:\WINDOWS\system32\occache.dll
- 2007-11-05 12:57:40 63,392 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-12-13 14:07:16 63,392 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-05 12:57:40 404,298 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-13 14:07:16 404,298 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2005-08-30 03:54:26 1,287,168 ----a-w C:\WINDOWS\system32\quartz.dll
+ 2007-10-29 22:43:03 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
- 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-12-14 02:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
- 2007-07-18 12:42:22 60,416 ------w C:\WINDOWS\system32\tzchange.exe
+ 2007-11-13 11:31:11 60,416 ------w C:\WINDOWS\system32\tzchange.exe
- 2007-08-20 10:04:42 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2007-10-10 23:55:59 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-08-20 10:04:42 1,152,000 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-10-10 23:56:00 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-08-20 10:04:42 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2007-10-10 23:56:00 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-08-20 10:04:43 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-10-10 23:56:00 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
- 2004-09-22 23:46:12 229,376 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2007-10-27 22:40:06 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2005-11-03 03:30:32 172,099 ----a-w C:\WINDOWS\Temp\EFD2A2.EXE
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutoCAD Digital Signatures Icon Overlay Handler]
@={36A21736-36C2-4C11-8ACB-D4136F2B57BD}
[HKEY_CLASSES_ROOT\CLSID\{36A21736-36C2-4C11-8ACB-D4136F2B57BD}]
2007-02-12 01:12 44648 --a------ C:\WINDOWS\system32\AcSignIcon.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!1_ProcessGuard_Startup"="C:\Program Files\ProcessGuard\procguard.exe" [2005-01-20 14:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 18:41]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2005-11-02 22:32]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"nwiz"="C:\WINDOWS\system32\nwiz.exe" [2007-07-13 07:34]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"!1_pgaccount"="C:\Program Files\ProcessGuard\pgaccount.exe" [2005-01-20 14:14]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-16 23:00:00]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-16 23:00:00]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1390067357-764733703-725345543-1111\Scripts\Logon\0\0]
"Script"=LOGON.BAT
R2 APCPBEAgent;APC PBE Agent;C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe [2006-08-22 08:19]
R2 DCSPGSRV;DiamondCS Process Guard Service v3.000;"C:\Program Files\ProcessGuard\dcsuserprot.exe" [2005-01-20 14:25]
R2 procguard;procguard;C:\WINDOWS\system32\drivers\procguard.sys [2005-01-20 14:13]
S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
.
Modman_4
2007-12-21, 16:27
...and here is the tail end of the combofix logfile:
Contents of the 'Scheduled Tasks' folder
"2007-10-26 14:59:53 C:\WINDOWS\Tasks\Ad-Aware SE Personal.job"
"2007-12-03 12:56:16 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-12-21 14:04:18 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 09:03:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-21 9:06:36 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-11 15:59
.
2007-12-21 12:59:25 --- E O F ---
Modman_4
2007-12-21, 16:28
...and here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:22, on 2007-12-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\EFD2A2.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] C:\WINDOWS\system32\nwiz.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152801665465
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://download.autodesk.com/esd/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/MsnChat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = OLYMPIA.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = OLYMPIA.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = OLYMPIA.LOCAL
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
--
End of file - 9022 bytes
Modman_4
2007-12-21, 16:46
...um at the risk of sounding ridiculous, I checked a few other random computers here and found the same process. Then I checked our server and found the same process. It follows right after winagent.exe and winagentwatchdog.exe on the server (the other computers don't show these 2 processes as running).
This process (right now it is EFD2A2.EXE) -- is it possible that the server has (as part of its security suite) a program that allows one of the owners to watch activity on everybody's computers? (and this is just part of that?)
little eagle
2007-12-22, 15:23
This process (right now it is EFD2A2.EXE) -- is it possible that the server has (as part of its security suite) a program that allows one of the owners to watch activity on everybody's computers? (and this is just part of that?)
Could be. Could be that the server is infected.
Disconnect your PC from the network see if you get the same results.
Reboot and run spybot and avg antispyware.
Modman_4
2007-12-22, 16:47
I am off for the holiday weekend but will post back on Tuesday. I n the meantime thanks for all of the help you have provided so far, and I wish you and yours a wonderful holiday!:santa:
little eagle
2007-12-23, 19:41
Thanks have a nice Christmas. :angel:
Modman_4
2007-12-26, 18:39
Okay I am back and duly stuffed with turkey etc....I rebooted "unplugged" and still have the "mystery process". I made sure both Spybot and AVG were updated first, then while still unplugged I ran both. Spybot came back clean once again, and AVG picked up 4 objects with 5 "traces". It still won't let me generate a report, but this time before I "applied all actions" I wrote down the following:
Object -- Adware.Generic
1 trace -- HKU\S-1-5-21-1390067357-764733703-725345543-1111\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38}
Object -- TrackingCookie.2o7
2 traces -- C:\Documents and Settings\ADeacon\Cookies\adeacon@2o7[2].txt
-- C:\Documents and Settings\ADeacon\Cookies\adeacon@msnportal.112.2o7[1].txt
Object -- TrackingCookie.msn
1 trace -- C:\Documents and Settings\ADeacon\Cookies\adeacon@search.msn[2].txt
Object -- TrackingCookie.Liveperson
1 trace -- C:\Documents and Settings\ADeacon\Cookies\adeacon@server.iad.liveperson[2].txt
Now, today the "mystery process" is named TT6837.exe and since I got the impression the other day that it was related to this "ofcdog" thing I mentioned, I did an online search for "ofcdog" and they all say it is part of Trend Micro's OfficeScan, which is part of what we are indeed running -- and not to kill it. Some of the things I read were people describing my own situation where the program creates these versions with fictitious names. On a hunch I did find ofcdog.exe in my C:Program Files\Trend Micro\Client Server Security Agent folder, and sure enough it has the same doggie icon. In addition, the properties of both files are identical (169 Kb in size, and both modified on 2005-11-02 at 22:30).
The more I see the more I think we are now down to chasing our tails (pun intended), but I do appreciate all that you have done and I still await your response :cowboy:
little eagle
2007-12-27, 04:05
The more I see the more I think we are now down to chasing our tails (pun intended), but I do appreciate all that you have done and I still await your response :cowboy:
http://www.nutnworks.com/forums//images/smilies/z7shysterical.gif I think your right Was not sure if you had a rootkit guess you don't :bigthumb:
Modman_4
2007-12-27, 15:15
I just want to thank you Little Eagle and all of the rest of the volunteers here. You have been very thorough in your assistance, and I even managed to learn a bit! Now, what of all of the fixit stuff I have downloaded is safe to keep, and what should I get rid of?
little eagle
2007-12-28, 02:21
what of all of the fixit stuff I have downloaded is safe to keep, and what should I get rid of?Thank you now let's remove combofix.
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
If shown the disclaimer, Select "2"
That should do it. :bigthumb:
Modman_4
2007-12-28, 15:19
Okay done! Again, many thanks :)
little eagle
2007-12-28, 17:49
One more step and will close this thread.
Windows XP hasa System Restore option, however if a virus or spyware infection.
There can be backups made in the System Restore folder.
Therefore, clearing the restore points is necessary after a virus or spyware removal.
To reset your restore points, please note that you will need to log into your computer with an account
which has full administrator access. You will know if the account has administrator access because
you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Modman_4
2008-01-02, 15:52
Done and thanks again! And have a safe, prosperous and happy New Year! :)
little eagle
2008-01-03, 02:59
Your welcome.
Safe surfing :crowned: