My son's PC has lost all internet connection
jeff wren
2007-12-09, 18:09
I would be really grateful if you could help with my son's PC. He has lost all connection to the internet. When you plug the broadband cable into the ethernet connection it says 'unplugged' or doesn't recognise any connection. I've put in a separate PCI card and the same thing happens with that. Both drivers are OK and lights come on etc. I ran his version of Search & Destroy and it detected Smitfraud C. I ran ComboFix and HijackThis - logs of both below
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:40:47, on 09/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Sitecom\C2SLoad.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Sitecom\IFR_Share.exe
C:\Program Files\M-Audio Fast Track\GBInst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Install.exe
D:\installs\workflow.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.253.114.115:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {259BAD5E-2F37-49E1-8429-4AC73863B50B} - C:\WINDOWS\system32\dbnmpntwa.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B62F5F4C-D83D-45A2-8A7A-4BEBBB988EF1} - C:\WINDOWS\system32\dbnmpntwa.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Click2Share] C:\Program Files\Sitecom\C2SLoad.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [workflow] D:\installs\workflow.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C2Share - Unknown owner - C:\Program Files\Sitecom\IFR_Share.exe
O23 - Service: Fast Track Installer (FastTrackInstallerService) - Nemesis - C:\Program Files\M-Audio Fast Track\GBInst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SpywareBot Scanning Engine (SpywareBotSrv) - Unknown owner - C:\Program Files\SpywareBot\SpywareBotSrv.srv.exe (file missing)
ComboFix 07-12-09.1 - CharIie 2007-12-09 14:30:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.683 [GMT 0:00]
Running from: D:\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\CharIie\My Documents\My Videos\Training\Desktop_.ini
C:\Documents and Settings\CharIie\My Documents\My Videos\Training\Structured Tasks\Desktop_.ini
C:\Documents and Settings\CharIie\My Documents\My Videos\Training\Structured Tasks\summer 2001\Desktop_.ini
C:\Documents and Settings\CharIie\My Documents\My Videos\Training\Structured Tasks\summer 2002\Desktop_.ini
C:\Documents and Settings\CharIie\My Documents\My Videos\Training\Structured Tasks\Summer 2003\Desktop_.ini
C:\Documents and Settings\CharIie\My Documents\My Videos\Training\Structured Tasks\Summer 2004\Desktop_.ini
C:\Documents and Settings\CharIie\My Documents\My Videos\Training\Structured Tasks\Summer 2005\Desktop_.ini
C:\Documents and Settings\CharIie\My Documents\My Videos\Training\Structured Tasks\Summer 2006\Desktop_.ini
C:\Documents and Settings\CharIie\My Documents\My Videos\Training\Structured Tasks\Summer 2007\Desktop_.ini
C:\Documents and Settings\CharIie\My Documents\My Videos\Training\Training 2001\Desktop_.ini
C:\Documents and Settings\CharIie\My Documents\My Videos\Training\Training 2002\Desktop_.ini
C:\Documents and Settings\CharIie\My Documents\My Videos\Training\Training 2003\A2 2003-2004\Desktop_.ini
C:\Documents and Settings\CharIie\My Documents\My Videos\Training\Training 2003\Desktop_.ini
C:\Documents and Settings\CharIie\My Documents\My Videos\Training\Training 2004\Desktop_.ini
C:\Documents and Settings\CharIie\My Documents\My Videos\Training\Training 2005\Desktop_.ini
C:\Documents and Settings\CharIie\My Documents\My Videos\Training\Training 2006\Desktop_.ini
C:\Documents and Settings\CharIie\My Documents\My Videos\Training\Training 2006\Sample Answers\Desktop_.ini
C:\Documents and Settings\CharIie\My Documents\My Videos\Training\Training 2007\Desktop_.ini
C:\WINDOWS\system32\ati3d1agd.dll
C:\WINDOWS\system32\drivers\VCdControlTool.exe
C:\WINDOWS\Tasks.\At1.job
Any help you can provide would be much appreciated.
Hello jeff
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
All advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
You have SpywareBot installed, which is a rogue program that masquerades as the legit Spybot Search and Destroy. You can try to uninstall this via Add/Remove Programs in the Control Panel.
I don't know if your internet connection is malware related or not. You can try running this program to fix it; if not, you may have to have your provider come to your home and check all your settings and cables.
You can download this from another working computer and transfer it to the broken one via a CD or thumb drive.
Winsockxpfix (http://www.snapfiles.com/get/winsockxpfix.html)
You have some questionable entries on your HJT log that we need to check, but it's going to be hard without internet access. I would also like to see the complete ComboFix log please.
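Ken545 points at questionable entries in the HJT log without spelling out what makes them questionable. The script below is an added example (it is not code from this thread, from Safer Networking or from the HijackThis/ComboFix projects) that applies the checks a helper would normally eyeball to lines copied from the log posted above: an R1 ProxyServer pointing at a non-local address, O2 BHOs with no name or no file, one DLL registered under several BHO CLSIDs, O4 autorun entries launched from outside the Windows and Program Files directories, and O23 services whose file is missing. The "expected location" prefixes, the severity labels and the wording of the findings are my own assumptions; the sample lines are real entries from the log.

```python
import re
from collections import defaultdict

# Constructed test input: a subset of HijackThis lines copied from the log
# posted in this thread (real entries from the log, not invented ones).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.253.114.115:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {259BAD5E-2F37-49E1-8429-4AC73863B50B} - C:\WINDOWS\system32\dbnmpntwa.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B62F5F4C-D83D-45A2-8A7A-4BEBBB988EF1} - C:\WINDOWS\system32\dbnmpntwa.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [workflow] D:\installs\workflow.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SpywareBot Scanning Engine (SpywareBotSrv) - Unknown owner - C:\Program Files\SpywareBot\SpywareBotSrv.srv.exe (file missing)
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>\S+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Assumed "normal" locations for autorun entries on this XP machine. This is a
# triage heuristic, not a whitelist: anything launched from elsewhere is surfaced.
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def _first_token(cmd):
    """Executable part of an O4 command line, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _is_local_proxy(proxy):
    """True for loopback or empty proxies, which are not a sign of hijacking."""
    host = proxy.rsplit(":", 1)[0].lower()
    return host in ("", "localhost", "::1") or host.startswith("127.")


def triage(log_text):
    """Return (severity, tag, reason) findings for the suspicious HJT entry types."""
    findings = []
    bho_by_dll = defaultdict(list)  # dll path -> CLSIDs registered for it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m and not _is_local_proxy(m["proxy"]):
            findings.append(("high", "R1", f"ProxyServer {m['proxy']}: browser traffic is being routed through a proxy the user did not configure"))
            continue
        m = BHO_RE.match(line)
        if m:
            if m["name"] == "(no name)" or m["path"] == "(no file)":
                findings.append(("medium", m["clsid"], f"BHO with no name or no file: {m['path']}"))
            if m["path"] != "(no file)":
                bho_by_dll[m["path"].lower()].append(m["clsid"])
            continue
        m = RUN_RE.match(line)
        if m:
            exe = _first_token(m["cmd"])
            # Bare names (SOUNDMAN.EXE, RUNDLL32.EXE) resolve via PATH; only full paths are judged.
            if ":\\" in exe and not exe.lower().startswith(EXPECTED_PREFIXES):
                findings.append(("medium", m["name"], f"autorun launched from unusual location {exe}"))
            continue
        m = SERVICE_RE.match(line)
        if m and m["path"].endswith("(file missing)"):
            findings.append(("low", m["name"], "service points at a missing file (orphaned entry, often left by a bad uninstall)"))
    # A single DLL hooked into the browser under several CLSIDs is a common persistence trick.
    for dll, clsids in bho_by_dll.items():
        if len(clsids) > 1:
            findings.append(("high", dll, f"same DLL registered under {len(clsids)} BHO CLSIDs: {', '.join(clsids)}"))
    return findings


if __name__ == "__main__":
    for severity, tag, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {tag}: {reason}")
```

Run as a script it prints one line per finding; on the sample it flags the proxy, the three unnamed BHOs, the DLL shared by two CLSIDs, the autorun from D:\installs and the orphaned SpywareBot service, and stays silent on the Adobe, iTunes and NVIDIA entries. The proxy check is the one that bears directly on the connectivity question: a ProxyServer entry pointing at an outside address, combined with a ProxyOverride that only exempts 127.0.0.1, means every browser request depends on that host answering.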
jeff wren
2007-12-10, 19:51
Thanks Ken545
I successfully removed SpywareBot via Add/Remove Programs.
I downloaded, transferred and ran Winsockxpfix.
I have re-run Combofix. Log is:
ComboFix 07-12-09.1 - CharIie 2007-12-10 16:35:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.683 [GMT 0:00]
Running from: D:\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
.
2007-12-09 14:29 . 2007-12-09 14:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-09 13:09 . 2007-12-09 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-12-09 12:55 . 2004-08-03 22:31 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-12-09 12:55 . 2004-08-03 22:31 20,992 --a--c--- C:\WINDOWS\system32\dllcache\rtl8139.sys
2007-12-09 11:09 . 2002-04-11 15:21 13,335 -ra------ C:\WINDOWS\system32\drivers\usbcm.sys
2007-12-05 22:10 . 2007-12-06 17:11 <DIR> d-------- C:\WINDOWS\system32\AppCert
2007-12-05 22:10 . 2004-08-03 23:56 84,992 --a------ C:\WINDOWS\system32\dbnmpntwa.dll
2007-11-25 21:14 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-11-25 21:12 . 2007-11-25 21:12 <DIR> d-------- C:\Program Files\Ubisoft
2007-11-25 17:50 . 2007-11-25 17:50 <DIR> d-------- C:\Program Files\iTunes
2007-11-25 17:50 . 2007-11-25 17:50 <DIR> d-------- C:\Program Files\iPod
2007-11-25 17:50 . 2007-12-10 16:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-25 17:50 . 2007-11-25 17:50 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-25 17:49 . 2007-11-25 17:49 <DIR> d-------- C:\Program Files\QuickTime
2007-11-25 16:59 . 2007-11-25 16:59 <DIR> d-------- C:\Program Files\Microsoft Games
2007-11-25 15:24 . 2007-11-25 15:24 <DIR> d-------- C:\Program Files\Xplosiv
2007-11-14 23:43 . 2007-11-14 23:43 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-11-14 23:43 . 2007-11-14 23:43 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-11-13 22:54 . 2007-11-13 22:54 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-12 18:57 . 2003-10-03 16:28 45,056 --a------ C:\WINDOWS\system32\vusetup.dll
2007-11-12 18:57 . 2005-06-06 17:51 11,264 --a------ C:\WINDOWS\system32\drivers\vulfntr.sys
2007-11-12 18:57 . 2005-01-05 18:02 6,912 --a------ C:\WINDOWS\system32\drivers\vulfnth.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 15:01 --------- d-----w C:\Documents and Settings\CharIie\Application Data\MSN6
2007-12-06 18:06 --------- d-----w C:\Program Files\Virgin Broadband
2007-12-05 22:11 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-12-02 18:59 --------- d-----w C:\Documents and Settings\CharIie\Application Data\uTorrent
2007-12-02 18:59 --------- d-----w C:\Documents and Settings\CharIie\Application Data\AdobeUM
2007-11-25 21:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-09 22:50 --------- d-----w C:\Program Files\VirtualDJ
2007-11-09 21:26 11,976,829 ----a-w C:\Program Files\Virtua
2007-10-29 18:04 --------- d-----w C:\Program Files\Electronic Arts
2007-10-29 17:41 37,022 ----a-w C:\WINDOWS\lastnight.zip
2007-10-29 15:53 37,016 ----a-w C:\WINDOWS\img4851.zip
2007-10-17 21:12 --------- d-----w C:\Program Files\Audacity
2007-10-16 19:46 --------- d-----w C:\Program Files\World of Warcraft
2007-10-12 11:18 --------- d-----w C:\Documents and Settings\Deborah\Application Data\AdobeUM
2007-09-23 12:10 22,328 ----a-w C:\Documents and Settings\CharIie\Application Data\PnkBstrK.sys
2007-09-23 12:09 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-09-23 12:09 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{259BAD5E-2F37-49E1-8429-4AC73863B50B}]
2004-08-03 23:56 84992 --a------ C:\WINDOWS\system32\dbnmpntwa.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B62F5F4C-D83D-45A2-8A7A-4BEBBB988EF1}]
2004-08-03 23:56 84992 --a------ C:\WINDOWS\system32\dbnmpntwa.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 16:16]
"Motive SmartBridge"="C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 09:40]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-01-13 04:36]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 07:47 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 12:23]
"Click2Share"="C:\Program Files\Sitecom\C2SLoad.exe" [2002-10-17 14:59]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 09:14]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-06-28 23:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"workflow"="D:\installs\workflow.exe" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
broadband medic.lnk - C:\Program Files\ntl\broadband medic\bin\matcli.exe [2007-08-08 20:20:42]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 17:21:38]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 17:11:12]
R2 C2Share;C2Share;C:\Program Files\Sitecom\IFR_Share.exe
S2 eztoscxg;Mouse HID Helper;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 MA763010;M-Audio Fast Track;C:\WINDOWS\system32\drivers\MA763010.sys
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s115mdfl.sys
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s115mdm.sys
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s115mgmt.sys
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s115obex.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
eztoscxg
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f2665a4-45e9-11dc-a9e3-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d35b5db7-45c6-11dc-91e9-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbefe814-914a-11dc-86c8-000fea44c0f8}]
\Shell\AutoRun\command - J:\laucher.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-27 16:19:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 14:44:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1186666984.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2007-10-23 02:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
"2007-12-09 14:44:00 C:\WINDOWS\Tasks\WebReg 20070809144427.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe[/TaskName 20070809144427 /N
.
**************************************************************************
catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 16:36:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-10 16:37:17
C:\ComboFix2.txt ... 2007-12-09 14:36
.
--- E O F ---
Were you able to restore your internet connection? You have to be connected to the internet for us to proceed.
You can try doing this.
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad.
FileLook::
C:\WINDOWS\system32\dbnmpntwa.dll
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
jeff wren
2007-12-10, 23:37
Thank you again. No, all attempts at restoring the internet have failed. The problem remains that for both the ethernet point which is integrated into the motherboard and also the PCI card, when you plug a cable in it is not recognised. It says 'network cable unplugged' in Control Panel/Network Connections. Despite this it says both are working properly in Control Panel/System/Hardware and lights come on when a cable is plugged in. I'm getting depressed!
I have followed all of the steps you suggested. Here are both logs:
ComboFix 07-12-09.1 - CharIie 2007-12-10 19:56:36.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.690 [GMT 0:00]
Running from: D:\ComboFix.exe
Command switches used :: C:\Documents and Settings\CharIie\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
.
2007-12-09 14:29 . 2007-12-09 14:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-09 13:09 . 2007-12-09 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-12-09 12:55 . 2004-08-03 22:31 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-12-09 12:55 . 2004-08-03 22:31 20,992 --a--c--- C:\WINDOWS\system32\dllcache\rtl8139.sys
2007-12-09 11:09 . 2002-04-11 15:21 13,335 -ra------ C:\WINDOWS\system32\drivers\usbcm.sys
2007-12-05 22:10 . 2007-12-06 17:11 <DIR> d-------- C:\WINDOWS\system32\AppCert
2007-12-05 22:10 . 2004-08-03 23:56 84,992 --a------ C:\WINDOWS\system32\dbnmpntwa.dll
2007-11-25 21:14 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-11-25 21:12 . 2007-11-25 21:12 <DIR> d-------- C:\Program Files\Ubisoft
2007-11-25 17:50 . 2007-11-25 17:50 <DIR> d-------- C:\Program Files\iTunes
2007-11-25 17:50 . 2007-11-25 17:50 <DIR> d-------- C:\Program Files\iPod
2007-11-25 17:50 . 2007-12-10 19:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-25 17:50 . 2007-11-25 17:50 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-25 17:49 . 2007-11-25 17:49 <DIR> d-------- C:\Program Files\QuickTime
2007-11-25 16:59 . 2007-11-25 16:59 <DIR> d-------- C:\Program Files\Microsoft Games
2007-11-25 15:24 . 2007-11-25 15:24 <DIR> d-------- C:\Program Files\Xplosiv
2007-11-14 23:43 . 2007-11-14 23:43 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-11-14 23:43 . 2007-11-14 23:43 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-11-13 22:54 . 2007-11-13 22:54 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-12 18:57 . 2003-10-03 16:28 45,056 --a------ C:\WINDOWS\system32\vusetup.dll
2007-11-12 18:57 . 2005-06-06 17:51 11,264 --a------ C:\WINDOWS\system32\drivers\vulfntr.sys
2007-11-12 18:57 . 2005-01-05 18:02 6,912 --a------ C:\WINDOWS\system32\drivers\vulfnth.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 15:01 --------- d-----w C:\Documents and Settings\CharIie\Application Data\MSN6
2007-12-06 18:06 --------- d-----w C:\Program Files\Virgin Broadband
2007-12-05 22:11 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-12-02 18:59 --------- d-----w C:\Documents and Settings\CharIie\Application Data\uTorrent
2007-12-02 18:59 --------- d-----w C:\Documents and Settings\CharIie\Application Data\AdobeUM
2007-11-25 21:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-09 22:50 --------- d-----w C:\Program Files\VirtualDJ
2007-11-09 21:26 11,976,829 ----a-w C:\Program Files\Virtua
2007-10-29 18:04 --------- d-----w C:\Program Files\Electronic Arts
2007-10-29 17:41 37,022 ----a-w C:\WINDOWS\lastnight.zip
2007-10-29 15:53 37,016 ----a-w C:\WINDOWS\img4851.zip
2007-10-17 21:12 --------- d-----w C:\Program Files\Audacity
2007-10-16 19:46 --------- d-----w C:\Program Files\World of Warcraft
2007-10-12 11:18 --------- d-----w C:\Documents and Settings\Deborah\Application Data\AdobeUM
2007-09-23 12:10 22,328 ----a-w C:\Documents and Settings\CharIie\Application Data\PnkBstrK.sys
2007-09-23 12:09 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-09-23 12:09 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{259BAD5E-2F37-49E1-8429-4AC73863B50B}]
2004-08-03 23:56 84992 --a------ C:\WINDOWS\system32\dbnmpntwa.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43957C87-992C-4A92-84DB-B98A1972BF53}]
2004-08-03 23:56 84992 --a------ C:\WINDOWS\system32\dbnmpntwa.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4EC84BC8-E508-4633-B3EF-1433D9F2E7BC}]
2004-08-03 23:56 84992 --a------ C:\WINDOWS\system32\dbnmpntwa.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8DB4E47B-DD0A-48E5-8715-68D379DF7EFD}]
2004-08-03 23:56 84992 --a------ C:\WINDOWS\system32\dbnmpntwa.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B62F5F4C-D83D-45A2-8A7A-4BEBBB988EF1}]
2004-08-03 23:56 84992 --a------ C:\WINDOWS\system32\dbnmpntwa.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 16:16]
"Motive SmartBridge"="C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 09:40]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-01-13 04:36]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 07:47 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 12:23]
"Click2Share"="C:\Program Files\Sitecom\C2SLoad.exe" [2002-10-17 14:59]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 09:14]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-06-28 23:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"workflow"="D:\installs\workflow.exe" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
broadband medic.lnk - C:\Program Files\ntl\broadband medic\bin\matcli.exe [2007-08-08 20:20:42]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 17:21:38]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 17:11:12]
R2 C2Share;C2Share;C:\Program Files\Sitecom\IFR_Share.exe
S2 eztoscxg;Mouse HID Helper;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 MA763010;M-Audio Fast Track;C:\WINDOWS\system32\drivers\MA763010.sys
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s115mdfl.sys
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s115mdm.sys
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s115mgmt.sys
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s115obex.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
eztoscxg
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f2665a4-45e9-11dc-a9e3-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d35b5db7-45c6-11dc-91e9-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbefe814-914a-11dc-86c8-000fea44c0f8}]
\Shell\AutoRun\command - J:\laucher.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-27 16:19:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 14:44:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1186666984.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2007-10-23 02:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
"2007-12-09 14:44:00 C:\WINDOWS\Tasks\WebReg 20070809144427.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe[/TaskName 20070809144427 /N
.
**************************************************************************
catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 19:58:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-10 19:58:49
C:\ComboFix2.txt ... 2007-12-10 16:37
C:\ComboFix3.txt ... 2
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:01:13, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Sitecom\C2SLoad.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Sitecom\IFR_Share.exe
C:\Program Files\M-Audio Fast Track\GBInst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.253.114.115:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {259BAD5E-2F37-49E1-8429-4AC73863B50B} - C:\WINDOWS\system32\dbnmpntwa.dll
O2 - BHO: (no name) - {43957C87-992C-4A92-84DB-B98A1972BF53} - C:\WINDOWS\system32\dbnmpntwa.dll
O2 - BHO: (no name) - {4EC84BC8-E508-4633-B3EF-1433D9F2E7BC} - C:\WINDOWS\system32\dbnmpntwa.dll
O2 - BHO: (no name) - {77DF2D83-DDB0-4BC6-BD96-AAA73C8DD33F} - C:\WINDOWS\system32\dbnmpntwa.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8DB4E47B-DD0A-48E5-8715-68D379DF7EFD} - C:\WINDOWS\system32\dbnmpntwa.dll
O2 - BHO: (no name) - {B62F5F4C-D83D-45A2-8A7A-4BEBBB988EF1} - C:\WINDOWS\system32\dbnmpntwa.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Click2Share] C:\Program Files\Sitecom\C2SLoad.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [workflow] D:\installs\workflow.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C2Share - Unknown owner - C:\Program Files\Sitecom\IFR_Share.exe
O23 - Service: Fast Track Installer (FastTrackInstallerService) - Nemesis - C:\Program Files\M-Audio Fast Track\GBInst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
--
End of file - 7540 bytes
--- E O F ---
It's going to be hard to help you without any internet connection. There are a lot of online scans we can run, but you need internet access to run them. Let me ask you a few things.
C:\WINDOWS\system32\dbnmpntwa.dll Do you have any idea what this file is? When I Google it, or the whole entry on your HJT log, I am just getting one hit, and it's on your computer, so I am doubtful of this file. It was installed on 12/05/07 along with this: C:\WINDOWS\system32\AppCert Do you have any knowledge of what this is?
dbnmpntwa.dll <-- Notice the A on the end; it will not Google.
dbnmpntw.dll <-- Without the A, it appears to be part of SQL Server.
What I suggest you do at this point is contact your Internet Provider and ask for help. You also have
C:\Program Files\Sitecom installed; if you need this for internet activity, you may want to think about uninstalling it and reinstalling it and see if it makes a difference.
You can post in one of these forums also for help, and after they get you up and running you can come back here and we can look further.
Windows Tech Support Forums
PcPitStop (http://pcpitstop.com/) <-- You can take your system in for a checkup here.
Bleeping Computer (http://www.bleepingcomputer.com/forums/forum56.html) <--Good XP Forum
Windows Helpnet (http://www.windowsbbs.com/) <-- Excellent XP Forum
Hardwareguys (http://hwg.mazin.net/hardwareguys/hwgboard/ikonboard.cgi) <-- Another good one
Let me know your thoughts on the files I asked about.
Ken
jeff wren
2007-12-11, 00:46
Ken
I have no idea what those files are.
I think the virus has disabled the firewall because when I go to Windows Security Center I cannot turn it on. Maybe the LAN connections won't operate without the firewall being turned on?
I'm going to try to find a way to turn on the Firewall. Next I'll try the ISP. Otherwise it looks like a Windows re-install.
I have to say I've really appreciated your help, you have been truly great so many many thanks for everything.
Kind regards
Jeff
Maybe the LAN connections won't operate without the firewall being turned on? <-- This should not make a difference.
Since you have no access and cannot upload this file for analysis, let's remove the entries with HJT. First I am going to show you how to restore them if they cause an issue.
To restore the backups:
Open HiJackThis
Click on "View the list of Backups"
Place a check mark next to anything you want to restore
Click Restore
Click Yes
Reboot your computer
Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.
O2 - BHO: (no name) - {259BAD5E-2F37-49E1-8429-4AC73863B50B} - C:\WINDOWS\system32\dbnmpntwa.dll
O2 - BHO: (no name) - {43957C87-992C-4A92-84DB-B98A1972BF53} - C:\WINDOWS\system32\dbnmpntwa.dll
O2 - BHO: (no name) - {4EC84BC8-E508-4633-B3EF-1433D9F2E7BC} - C:\WINDOWS\system32\dbnmpntwa.dll
O2 - BHO: (no name) - {77DF2D83-DDB0-4BC6-BD96-AAA73C8DD33F} - C:\WINDOWS\system32\dbnmpntwa.dll
O2 - BHO: (no name) - {8DB4E47B-DD0A-48E5-8715-68D379DF7EFD} - C:\WINDOWS\system32\dbnmpntwa.dll
O2 - BHO: (no name) - {B62F5F4C-D83D-45A2-8A7A-4BEBBB988EF1} - C:\WINDOWS\system32\dbnmpntwa.dll
Reboot and see if there are any problems; if not, then delete this file but leave it in the Recycle Bin so you can restore it if needed.
C:\WINDOWS\system32\dbnmpntwa.dll
Reboot and let me know if it made a difference.
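The post above picks out the O2 entries to fix by hand. As an added example (it is not code from the thread, from HijackThis or from ComboFix), here is the same triage written down: parse the O2 lines of a HijackThis log, flag unnamed BHOs that still point at a file, note which DLL is registered under several CLSIDs, and list the file to inspect afterwards. The sample log lines are the O2 lines quoted in this thread, assembled inline as constructed input; the function names are this example's own.

```python
"""Triage the O2 (Browser Helper Object) lines of a HijackThis log.

Added example, not part of the thread or of HijackThis itself. It writes down
the reasoning in the post above: BHOs that register with no display name, and
in particular several CLSIDs that all load the same DLL, are the lines to tick
before 'Fix Checked', and the DLL they point to is the file to look at next.
"""
import re
from collections import defaultdict

# Constructed sample input: the O2 lines quoted in this thread, plus two
# non-O2 lines to show that the parser ignores everything else.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {259BAD5E-2F37-49E1-8429-4AC73863B50B} - C:\WINDOWS\system32\dbnmpntwa.dll
O2 - BHO: (no name) - {43957C87-992C-4A92-84DB-B98A1972BF53} - C:\WINDOWS\system32\dbnmpntwa.dll
O2 - BHO: (no name) - {4EC84BC8-E508-4633-B3EF-1433D9F2E7BC} - C:\WINDOWS\system32\dbnmpntwa.dll
O2 - BHO: (no name) - {77DF2D83-DDB0-4BC6-BD96-AAA73C8DD33F} - C:\WINDOWS\system32\dbnmpntwa.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8DB4E47B-DD0A-48E5-8715-68D379DF7EFD} - C:\WINDOWS\system32\dbnmpntwa.dll
O2 - BHO: (no name) - {B62F5F4C-D83D-45A2-8A7A-4BEBBB988EF1} - C:\WINDOWS\system32\dbnmpntwa.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
"""

# HijackThis O2 line shape: "O2 - BHO: <name> - {<CLSID>} - <path or (no file)>"
BHO_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"
)


def parse_bho_entries(log_text):
    """Return one dict per O2 line: the raw line, display name, CLSID and backing path."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_LINE.match(line)
        if m:
            entries.append({"line": line, **m.groupdict()})
    return entries


def triage_bhos(entries):
    """Apply the thread's heuristics to parsed O2 entries.

    fix         : unnamed BHOs that still point at a file; tick these in HijackThis.
    orphans     : unnamed BHOs whose file is already gone; harmless leftovers.
    shared_dlls : DLLs registered under more than one CLSID (a legitimate helper
                  normally registers once), keyed by lower-cased path.
    inspect     : distinct files behind the 'fix' entries, for the Properties check.
    """
    by_path = defaultdict(list)
    fix, orphans, inspect = [], [], set()
    for e in entries:
        if e["path"] != "(no file)":
            by_path[e["path"].lower()].append(e["clsid"])
        if e["name"] != "(no name)":
            continue  # a named, identifiable helper is not what this post targets
        if e["path"] == "(no file)":
            orphans.append(e["line"])
        else:
            fix.append(e["line"])
            inspect.add(e["path"])
    shared = {p: c for p, c in by_path.items() if len(c) > 1}
    return {
        "fix": fix,
        "orphans": orphans,
        "shared_dlls": shared,
        "inspect": sorted(inspect),
    }


if __name__ == "__main__":
    report = triage_bhos(parse_bho_entries(SAMPLE_HJT_LOG))
    print("Entries to tick before 'Fix Checked':")
    for line in report["fix"]:
        print("  " + line)
    print("Leftover entries with no file (harmless):")
    for line in report["orphans"]:
        print("  " + line)
    for path, clsids in report["shared_dlls"].items():
        print(f"{path} is registered under {len(clsids)} CLSIDs")
    print("Files to inspect afterwards:", report["inspect"])
```

Run against the sample, it lists the same six lines the post asks to fix, leaves the single "(no file)" entry alone, and names dbnmpntwa.dll as the one file to check, which is exactly the next step taken in the thread.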
jeff wren
2007-12-11, 02:01
Ken
I did as you suggested. No problems noted on reboot but no improvement either. I haven't done anything re: "delete this file but leave it in the recycle bin" as I wasn't sure how to do this. Revised Hijack This file below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:50:02, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Sitecom\C2SLoad.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Sitecom\IFR_Share.exe
C:\Program Files\M-Audio Fast Track\GBInst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.253.114.115:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Click2Share] C:\Program Files\Sitecom\C2SLoad.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [workflow] D:\installs\workflow.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C2Share - Unknown owner - C:\Program Files\Sitecom\IFR_Share.exe
O23 - Service: Fast Track Installer (FastTrackInstallerService) - Nemesis - C:\Program Files\M-Audio Fast Track\GBInst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
--
End of file - 6985 bytes
Do this...
We need to make sure all hidden files are showing :
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Once your system is clean, we suggest that you reverse this to keep critical Windows files from accidentally being deleted.
Go to My Computer and follow this path to the file:
C:\WINDOWS\system32\dbnmpntwa.dll Right-click on it and go to Properties, and give me any information you find on this file. It should show who owns the file, the day it was installed or modified, and such.
The rest of your HJT log looks fine, I see nothing wrong with it.
jeff wren
2007-12-11, 03:31
Ken
Did as you asked but could only find the file dbnmpntw.dll i.e. without the 'a' at the end.
The file without the 'a' is a Microsoft file which, as you said before, is something to do with SQL.
Off to bed now - it is 1.30 am. Many thanks again for trying to help. It IS appreciated!
Regards
Jeff
Jeff,
Where are ya going?? It's only 9 PM on this side of the pond. :laugh:
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::
File::
C:\WINDOWS\system32\dbnmpntwa.dll
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
jeff wren
2007-12-11, 10:38
Morning Ken. Here is the HijackThis log. 8.20 a.m. now, so off to work. I've been switching power leads, monitors etc. between the PCs and basically have run out of time to post the ComboFix report. Will follow this evening!
Jeff
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:11:30, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Sitecom\C2SLoad.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Sitecom\IFR_Share.exe
C:\Program Files\M-Audio Fast Track\GBInst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.253.114.115:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Click2Share] C:\Program Files\Sitecom\C2SLoad.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [workflow] D:\installs\workflow.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C2Share - Unknown owner - C:\Program Files\Sitecom\IFR_Share.exe
O23 - Service: Fast Track Installer (FastTrackInstallerService) - Nemesis - C:\Program Files\M-Audio Fast Track\GBInst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
--
End of file - 6952 bytes
jeff wren
2007-12-11, 21:00
and here is Combofix
ComboFix 07-12-09.1 - CharIie 2007-12-11 7:08:49.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.692 [GMT 0:00]
Running from: D:\ComboFix.exe
Command switches used :: C:\Documents and Settings\CharIie\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\dbnmpntwa.dll
.
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.
2007-12-09 14:29 . 2007-12-09 14:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-09 13:09 . 2007-12-09 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-12-09 12:55 . 2004-08-03 22:31 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-12-09 12:55 . 2004-08-03 22:31 20,992 --a--c--- C:\WINDOWS\system32\dllcache\rtl8139.sys
2007-12-09 11:09 . 2002-04-11 15:21 13,335 -ra------ C:\WINDOWS\system32\drivers\usbcm.sys
2007-12-05 22:10 . 2007-12-06 17:11 <DIR> d-------- C:\WINDOWS\system32\AppCert
2007-11-25 21:14 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-11-25 21:12 . 2007-11-25 21:12 <DIR> d-------- C:\Program Files\Ubisoft
2007-11-25 17:50 . 2007-11-25 17:50 <DIR> d-------- C:\Program Files\iTunes
2007-11-25 17:50 . 2007-11-25 17:50 <DIR> d-------- C:\Program Files\iPod
2007-11-25 17:50 . 2007-12-11 06:59 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-25 17:50 . 2007-11-25 17:50 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-25 17:49 . 2007-11-25 17:49 <DIR> d-------- C:\Program Files\QuickTime
2007-11-25 16:59 . 2007-11-25 16:59 <DIR> d-------- C:\Program Files\Microsoft Games
2007-11-25 15:24 . 2007-11-25 15:24 <DIR> d-------- C:\Program Files\Xplosiv
2007-11-14 23:43 . 2007-11-14 23:43 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-11-14 23:43 . 2007-11-14 23:43 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-11-13 22:54 . 2007-11-13 22:54 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-12 18:57 . 2003-10-03 16:28 45,056 --a------ C:\WINDOWS\system32\vusetup.dll
2007-11-12 18:57 . 2005-06-06 17:51 11,264 --a------ C:\WINDOWS\system32\drivers\vulfntr.sys
2007-11-12 18:57 . 2005-01-05 18:02 6,912 --a------ C:\WINDOWS\system32\drivers\vulfnth.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 15:01 --------- d-----w C:\Documents and Settings\CharIie\Application Data\MSN6
2007-12-06 18:06 --------- d-----w C:\Program Files\Virgin Broadband
2007-12-05 22:11 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-12-02 18:59 --------- d-----w C:\Documents and Settings\CharIie\Application Data\uTorrent
2007-12-02 18:59 --------- d-----w C:\Documents and Settings\CharIie\Application Data\AdobeUM
2007-11-25 21:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-09 22:50 --------- d-----w C:\Program Files\VirtualDJ
2007-11-09 21:26 11,976,829 ----a-w C:\Program Files\Virtua
2007-10-29 18:04 --------- d-----w C:\Program Files\Electronic Arts
2007-10-29 17:41 37,022 ----a-w C:\WINDOWS\lastnight.zip
2007-10-29 15:53 37,016 ----a-w C:\WINDOWS\img4851.zip
2007-10-17 21:12 --------- d-----w C:\Program Files\Audacity
2007-10-16 19:46 --------- d-----w C:\Program Files\World of Warcraft
2007-10-12 11:18 --------- d-----w C:\Documents and Settings\Deborah\Application Data\AdobeUM
2007-09-23 12:10 22,328 ----a-w C:\Documents and Settings\CharIie\Application Data\PnkBstrK.sys
2007-09-23 12:09 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-09-23 12:09 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 16:16]
"Motive SmartBridge"="C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 09:40]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-01-13 04:36]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 07:47 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 12:23]
"Click2Share"="C:\Program Files\Sitecom\C2SLoad.exe" [2002-10-17 14:59]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 09:14]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-06-28 23:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"workflow"="D:\installs\workflow.exe" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
broadband medic.lnk - C:\Program Files\ntl\broadband medic\bin\matcli.exe [2007-08-08 20:20:42]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 17:21:38]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 17:11:12]
R2 C2Share;C2Share;C:\Program Files\Sitecom\IFR_Share.exe
S2 eztoscxg;Mouse HID Helper;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 MA763010;M-Audio Fast Track;C:\WINDOWS\system32\drivers\MA763010.sys
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s115mdfl.sys
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s115mdm.sys
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s115mgmt.sys
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s115obex.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
eztoscxg
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f2665a4-45e9-11dc-a9e3-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d35b5db7-45c6-11dc-91e9-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbefe814-914a-11dc-86c8-000fea44c0f8}]
\Shell\AutoRun\command - J:\laucher.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-27 16:19:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 14:44:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1186666984.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2007-10-23 02:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
"2007-12-09 14:44:00 C:\WINDOWS\Tasks\WebReg 20070809144427.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe[/TaskName 20070809144427 /N
.
**************************************************************************
catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 07:10:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-11 7:11:01
C:\ComboFix2.txt ... 2007-12-10 19:58
C:\ComboFix3.txt ... 2007-12-10 16:37
.
--- E O F ---
Jeff,
I am not looking at anything bad on your HJT log and Combofix did not find that file to delete. There are numerous scans we could run that may pick up an infection causing your problem, but you need internet access to run them. I would suggest at this point that you call your internet provider and let them look over your system settings. I see you also have software installed for a router; that would be another option, to get hold of that company and see if they can help you.
I am going to give you some links to windows support sites that deal with your sort of issue, they may be better equipped to help you.
Windows Tech Support Forums
PcPitStop (http://pcpitstop.com/) <-- You can take your system in for a checkup here.
Windows Helpnet (http://www.windowsbbs.com/) <-- they have a good network Forum
Wanted to add this one also, they have a great Networking forum and also one for Cable/DSL support; it's free but you have to sign up like you did on this forum:
http://www.techsupportforum.com/
Be sure to tell them that you posted here and that with no internet we were limited on what we could do; also tell them that your HJT log appears clean of any malware or viruses.
Hope you get the help you need, when you get it resolved, if you still feel that you may have malware on your system then we can run some scans and make sure your system is 100% clean.
Good Luck Jeff.
Ken
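Added example (editor's note, not from this thread, ComboFix or Spybot): when a ComboFix log lists a service whose image is `svchost.exe -k netsvcs`, a quick triage step is to compare the service name against the set of services Windows itself registers in the netsvcs group, and to list any AutoRun commands recorded under mountpoints2. The script below parses the `S2 name;display;image` service lines, the `Svchost - NetSvcs` block and the `\Shell\AutoRun\command` lines in the format shown above. The baseline set of XP SP2 netsvcs members is an assumption made for the example (approximate, not a reference list), and the sample log is constructed from lines modelled on the one in this thread plus a made-up `wuauserv` line to show a service that passes the check. A hit only means "not in the assumed baseline, review by hand"; it is not a malware verdict.

```python
"""Triage helper for ComboFix-style service, NetSvcs and AutoRun lines.

Added example for this thread; not part of ComboFix, HijackThis or Spybot.
"""
import re

# ASSUMPTION: approximate service names that Windows XP SP2 registers in the
# "netsvcs" svchost group. Illustrative baseline only, not an authoritative list.
XP_SP2_NETSVCS_BASELINE = {
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "Dhcp",
    "ERSvc", "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias",
    "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation", "Messenger", "Netman",
    "Nla", "Ntmssvc", "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman",
    "Remoteaccess", "Schedule", "Seclogon", "SENS", "Sharedaccess", "SRService",
    "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi", "WmdmPmSp",
    "winmgmt", "wscsvc", "xmlprov", "BITS", "wuauserv", "ShellHWDetection",
    "helpsvc", "uploadmgr",
}

# "S2 eztoscxg;Mouse HID Helper;C:\WINDOWS\System32\svchost.exe -k netsvcs"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+)$")
SVCHOST_NETSVCS_RE = re.compile(r"svchost\.exe\s+-k\s+netsvcs\b", re.IGNORECASE)
NETSVCS_HEADER = "Svchost - NetSvcs"
AUTORUN_RE = re.compile(r"\\Shell\\AutoRun\\command\s+-\s+(?P<target>.+)$")

# Constructed sample, modelled on the ComboFix output in this thread.
# The "wuauserv" line is made up to show a service that passes the check.
SAMPLE_LOG = [
    r"R2 C2Share;C2Share;C:\Program Files\Sitecom\IFR_Share.exe",
    r"S2 eztoscxg;Mouse HID Helper;C:\WINDOWS\System32\svchost.exe -k netsvcs",
    r"S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys",
    r"S2 wuauserv;Automatic Updates;C:\WINDOWS\System32\svchost.exe -k netsvcs",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs",
    r"eztoscxg",
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f2665a4-45e9-11dc-a9e3-806d6172696f}]",
    r"\Shell\AutoRun\command - D:\setup.exe",
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbefe814-914a-11dc-86c8-000fea44c0f8}]",
    r"\Shell\AutoRun\command - J:\laucher.exe",
]


def parse_services(lines):
    """Return one dict (start, name, display, image) per service line."""
    services = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            services.append(m.groupdict())
    return services


def parse_netsvcs_block(lines):
    """Return the names listed under the 'Svchost - NetSvcs' header.

    ComboFix prints the header, then one service name per line; the block
    ends at a blank line, a lone '.', or the next bracketed registry key.
    """
    names, in_block = [], False
    for raw in lines:
        line = raw.strip()
        if in_block:
            if not line or line == "." or line.startswith("["):
                break
            names.append(line)
        elif line.endswith(NETSVCS_HEADER):
            in_block = True
    return names


def parse_autorun_commands(lines):
    """Return the targets of every mountpoints2 AutoRun command line."""
    return [m.group("target").strip() for m in map(AUTORUN_RE.search, lines) if m]


def triage_netsvcs(lines, baseline=XP_SP2_NETSVCS_BASELINE):
    """Flag netsvcs-hosted services absent from the baseline as (name, reason)."""
    baseline_lower = {n.lower() for n in baseline}
    findings, seen = [], set()
    for svc in parse_services(lines):
        if SVCHOST_NETSVCS_RE.search(svc["image"]) and svc["name"].lower() not in baseline_lower:
            findings.append((svc["name"], "svchost -k netsvcs service not in assumed XP SP2 baseline"))
            seen.add(svc["name"].lower())
    for name in parse_netsvcs_block(lines):
        if name.lower() not in baseline_lower and name.lower() not in seen:
            findings.append((name, "listed in NetSvcs registry group but not in assumed baseline"))
    return findings


if __name__ == "__main__":
    for name, reason in triage_netsvcs(SAMPLE_LOG):
        print(f"REVIEW: {name}: {reason}")
    for target in parse_autorun_commands(SAMPLE_LOG):
        print(f"AutoRun command recorded: {target}")
```

On a real log, paste the whole ComboFix text into `SAMPLE_LOG` (one string per line) or read it with `open(path).read().splitlines()`; anything flagged is a starting point for checking the service's ServiceDll value in the registry, not a conclusion on its own.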