View Full Version : Need help with Vitumonde plus others
First time here. In trying to fix my computor after my son had been on it doing who knows what :fear: (not sure how he by pass the firewall) I found your forum. I have ran T/M Housecall (did some good) friends trying to help (Reg Mech, WinClean) SoSO. Re-install XP-Pro SP2. In following your advise I installed Spybot S&D all green. big diffrence:bigthumb: and the Kaspersky + HJT. I look forward to any help you can give me.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, January 13, 2008 1:38:00 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/01/2008
Kaspersky Anti-Virus database records: 509607
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
E:\
Scan Statistics:
Total number of scanned objects: 65489
Number of viruses found: 10
Number of infected objects: 41
Number of suspicious objects: 0
Duration of the scan process: 01:43:27
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\report.rpt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mark Frost\Application Data\Business Logic\UWC\Backup\J39449.6746287153.WCU/C:/Program Files/Trend Micro/Internet Security/Quarantine/2547.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.ba skipped
C:\Documents and Settings\Mark Frost\Application Data\Business Logic\UWC\Backup\J39449.6746287153.WCU/C:/Program Files/Trend Micro/Internet Security/Quarantine/2548.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.ba skipped
C:\Documents and Settings\Mark Frost\Application Data\Business Logic\UWC\Backup\J39449.6746287153.WCU ZIP: infected - 2 skipped
C:\Documents and Settings\Mark Frost\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mark Frost\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mark Frost\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mark Frost\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mark Frost\Local Settings\History\History.IE5\MSHist012008011320080114\index.dat Object is locked skipped
C:\Documents and Settings\Mark Frost\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mark Frost\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mark Frost\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0012236.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0012237.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\eljkdugq.exe Infected: Backdoor.Win32.Agent.dbm skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\flwxspyb.exe Infected: Backdoor.Win32.Agent.dbm skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\hffiqdyn.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\ixlmlqrs.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\kisymlqw.exe Infected: Backdoor.Win32.Agent.dbm skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\pgqnnobe.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\qyvbkiaw.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\tmygtvef.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\umgbhamp.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\vmeuigjo.exe Infected: Backdoor.Win32.Agent.dbm skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\vmyvvlla.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Program Files\Trend Micro\Internet Security\Trusted.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP16\A0012290.exe Infected: Trojan-Downloader.Win32.Tibs.rl skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP16\A0012293.exe/data0011/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP16\A0012293.exe/data0011/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP16\A0012293.exe/data0011 Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP16\A0012293.exe/data0012/stream/data0005 Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP16\A0012293.exe/data0012/stream Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP16\A0012293.exe/data0012 Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP16\A0012293.exe NSIS: infected - 6 skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP16\A0012294.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP16\A0012295.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP16\A0012296.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP16\A0012297.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dim skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP17\A0012301.exe Infected: Trojan-Downloader.Win32.Tibs.rl skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP17\A0012302.exe/data0011/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP17\A0012302.exe/data0011/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP17\A0012302.exe/data0011 Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP17\A0012302.exe/data0012/stream/data0005 Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP17\A0012302.exe/data0012/stream Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP17\A0012302.exe/data0012 Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP17\A0012302.exe NSIS: infected - 6 skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP17\A0012303.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP17\A0012304.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP17\A0012305.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP17\A0012306.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dim skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP17\A0012309.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP17\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{510C97FC-2988-41FA-89A7-437120769512}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{D5289D94-23D7-4076-A92B-2B734369F41A}\RP17\change.log Object is locked skipped
Scan process completed.
Can not hold both reports on this post
only applying part of HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:01 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\PVSW\BIN\W3SQLMGR.EXE
C:\PVSW\BIN\NTBTRV.EXE
C:\PVSW\BIN\NTDBSMGR.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Firebird\bin\ibserver.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.51/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://autosearch.cc/search.php?qq=
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.22 lavasoft.de
O1 - Hosts: 127.0.0.23 lavasoftusa.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.48 spywareinfo.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.76 www.lavasoft.de
O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6C19F206-ACB6-4E80-BEC9-4C2D96CBBAB9} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A870E8D9-6CFD-4069-BBC2-D42811AFE14B} - C:\WINDOWS\system32\gebcd.dll (file missing)
O2 - BHO: (no name) - {C360EFFA-B529-482A-8CBD-18245A841DDF} - (no file)
O3 - Toolbar: (no name) - {E9407738-A996-421A-A309-5C93C699E10A} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
--
End of file - 12194 bytes
MFrost
MFrost
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
You have a few Issues going on, you can take as many replies as you need to post the logs, make sure you use the Submit reply and not start any new topics.
Lets do a few things.
Download the HostsXpert 4.2 - Hosts File Manager (http://www.funkytoad.com/download/HostsXpert.zip).
Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
Run HostsXpert 4.2 - Hosts File Manager from its new home
Click on "File Handling".
Click on "Restore MS Hosts File".
Click OK on the Confirmation box.
Click on "Make Read Only?"
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the Vundofix log, the Combofix report and also I need to see a complete HJT log please.
Hello Ken545
Thank you for your assistance and help. I did read before you post section.
I have been looking in on the forum for several weeks before I registered. I belive from what seen and read you and your team do alot of great things for others.
Here is the log on vundofix and HJT
VundoFix V6.7.7
Checking Java version...
Scan started at 5:36:57 PM 1/14/2008
Listing files found while scanning....
C:\WINDOWS\system32\blwatcie.dll
C:\WINDOWS\system32\evyfjmla.dll
C:\WINDOWS\system32\imqdmyrb.dll
C:\WINDOWS\system32\ljxnneuv.dll
C:\WINDOWS\system32\mjniltdf.dll
C:\WINDOWS\system32\odnywfdf.dll
C:\windows\system32\okbtsrhj.dllbox
C:\WINDOWS\system32\pfxpeuvw.dll
C:\WINDOWS\system32\qajvogam.dll
C:\WINDOWS\system32\qkqenoyw.dll
C:\WINDOWS\system32\rjiamxud.dll
C:\WINDOWS\system32\rwltkasw.dll
C:\WINDOWS\system32\rwonhynl.dll
C:\WINDOWS\system32\uciqrpgu.dll
C:\WINDOWS\system32\wtsbcuuf.dll
C:\WINDOWS\system32\wwwrmcue.dll
C:\WINDOWS\system32\ylythtaw.dll
C:\WINDOWS\system32\yuafgbmw.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\blwatcie.dll
C:\WINDOWS\system32\blwatcie.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\evyfjmla.dll
C:\WINDOWS\system32\evyfjmla.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\imqdmyrb.dll
C:\WINDOWS\system32\imqdmyrb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ljxnneuv.dll
C:\WINDOWS\system32\ljxnneuv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\mjniltdf.dll
C:\WINDOWS\system32\mjniltdf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\odnywfdf.dll
C:\WINDOWS\system32\odnywfdf.dll Has been deleted!
Attempting to delete C:\windows\system32\okbtsrhj.dllbox
C:\windows\system32\okbtsrhj.dllbox Has been deleted!
Attempting to delete C:\WINDOWS\system32\pfxpeuvw.dll
C:\WINDOWS\system32\pfxpeuvw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qajvogam.dll
C:\WINDOWS\system32\qajvogam.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qkqenoyw.dll
C:\WINDOWS\system32\qkqenoyw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rjiamxud.dll
C:\WINDOWS\system32\rjiamxud.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rwltkasw.dll
C:\WINDOWS\system32\rwltkasw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rwonhynl.dll
C:\WINDOWS\system32\rwonhynl.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\uciqrpgu.dll
C:\WINDOWS\system32\uciqrpgu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wtsbcuuf.dll
C:\WINDOWS\system32\wtsbcuuf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wwwrmcue.dll
C:\WINDOWS\system32\wwwrmcue.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ylythtaw.dll
C:\WINDOWS\system32\ylythtaw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\yuafgbmw.dll
C:\WINDOWS\system32\yuafgbmw.dll Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:20:00 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\PVSW\BIN\W3SQLMGR.EXE
C:\PVSW\BIN\NTBTRV.EXE
C:\PVSW\BIN\NTDBSMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Firebird\bin\ibserver.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\HijackThis\MFrost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.51/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://autosearch.cc/search.php?qq=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6C19F206-ACB6-4E80-BEC9-4C2D96CBBAB9} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A870E8D9-6CFD-4069-BBC2-D42811AFE14B} - C:\WINDOWS\system32\gebcd.dll (file missing)
O2 - BHO: (no name) - {C360EFFA-B529-482A-8CBD-18245A841DDF} - (no file)
O3 - Toolbar: (no name) - {E9407738-A996-421A-A309-5C93C699E10A} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/264b9403b90d8ec40805/netzip/RdxIE601.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194060446718
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194060439406
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_Detective_v43_Non_Member.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Pervasive.SQL 2000 (relational) - Pervasive Software Inc. - C:\PVSW\BIN\W3SQLMGR.EXE
O23 - Service: Pervasive.SQL 2000 (transactional) - Unknown owner - C:\PVSW\BIN\NTBTRV.EXE
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 8213 bytes
Ken545 I will post the combofix and new HJT shortly
I,m back
System is coming back running smother.
Here is the ComboFix plus a new HJT
ComboFix 08-01-15.3 - Mark Frost 2008-01-14 18:56:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.52 [GMT -6:00]
Running from: C:\Documents and Settings\Mark Frost\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Mark Frost\Application Data\WinTouch
C:\Documents and Settings\Mark Frost\Application Data\WinTouch\wintouch.cfg
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\racle~1\?racle\
C:\WINDOWS\b148.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\ecurit~1
C:\WINDOWS\hosts
C:\WINDOWS\system32\arvdlkhw.dll
C:\WINDOWS\system32\cefwdkdn.dll
C:\WINDOWS\system32\dbpoypdq.ini
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\dcbeg.bak2
C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\dcbeg.ini2
C:\WINDOWS\system32\dcbeg.tmp
C:\WINDOWS\system32\ejtrrvev.dll
C:\WINDOWS\system32\eouuiwcx.ini
C:\WINDOWS\system32\fvvajdxs.ini
C:\WINDOWS\system32\gmqseije.ini
C:\WINDOWS\system32\herngstd.ini
C:\WINDOWS\system32\hpvhxvdf.dll
C:\WINDOWS\system32\iifawxij.dll
C:\WINDOWS\system32\jboqbkxs.dll
C:\WINDOWS\system32\jlwukofy.ini
C:\WINDOWS\system32\jtmcrlxw.ini
C:\WINDOWS\system32\jxmdccbe.ini
C:\WINDOWS\system32\kporsumd.dll
C:\WINDOWS\system32\linqeiac.ini
C:\WINDOWS\system32\mpwoeoyi.dll
C:\WINDOWS\system32\mtmevvlf.dll
C:\WINDOWS\system32\noracrar.ini
C:\WINDOWS\system32\ppiokart.ini
C:\WINDOWS\system32\pwyoymcw.ini
C:\WINDOWS\system32\qlsmture.ini
C:\WINDOWS\system32\rkafrmmd.dll
C:\WINDOWS\system32\sbpycbej.ini
C:\WINDOWS\system32\ssembl~1
C:\WINDOWS\system32\tafcgpjq.ini
C:\WINDOWS\system32\ukjqtngh.ini
C:\WINDOWS\system32\uqraeush.dll
C:\WINDOWS\system32\wbijuihn.ini
C:\WINDOWS\system32\wmyyukyn.ini
C:\WINDOWS\system32\wnsapii.exe
C:\WINDOWS\system32\wtykhuux.ini
C:\WINDOWS\system32\xcfnhsyg.dll
C:\WINDOWS\system32\xggwgujj.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\nm
((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.
2008-01-14 18:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 17:36 . 2008-01-14 17:36 <DIR> d-------- C:\VundoFix Backups
2008-01-14 15:42 . 2008-01-14 15:42 <DIR> d-------- C:\WINDOWS\Profiles
2008-01-14 15:25 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-01-14 15:23 . 2008-01-14 15:23 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-01-14 15:21 . 2008-01-14 15:21 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-14 13:08 . 2008-01-14 13:08 <DIR> d-------- C:\HostsXpert 4.2 - Host File Manager
2008-01-12 23:34 . 2008-01-12 23:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-12 23:18 . 2008-01-12 23:18 5,757 --a------ C:\WINDOWS\system32\dkchlqsh.dll
2008-01-12 23:18 . 2008-01-12 23:18 5,717 --a------ C:\WINDOWS\system32\icbqfoax.dll
2008-01-12 18:12 . 2008-01-12 18:12 5,757 --a------ C:\WINDOWS\system32\ylrdxmyi.dll
2008-01-12 17:33 . 2008-01-12 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-11 21:30 . 2008-01-14 19:02 3,612,704 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-11 21:30 . 2008-01-14 19:02 105,504 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-11 21:30 . 2008-01-14 19:00 51,500 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-11 21:30 . 2008-01-14 19:00 11,960 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-11 21:27 . 2008-01-11 21:27 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-11 21:27 . 2008-01-14 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-11 21:26 . 2008-01-11 21:26 <DIR> d-------- C:\KAV
2008-01-11 10:08 . 2008-01-11 10:08 5,757 --a------ C:\WINDOWS\system32\llgdyxvw.dll
2008-01-10 20:41 . 2008-01-10 20:41 5,757 --a------ C:\WINDOWS\system32\qykjigow.dll
2008-01-10 13:44 . 2008-01-10 13:44 5,757 --a------ C:\WINDOWS\system32\qoocnrvj.dll
2008-01-09 23:28 . 2008-01-09 23:28 <DIR> d-------- C:\WUAGENT
2008-01-09 22:52 . 2008-01-09 22:52 5,757 --a------ C:\WINDOWS\system32\vgmdhglj.dll
2008-01-09 18:57 . 2004-08-04 00:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-01-09 18:57 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-01-09 18:56 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-01-09 18:56 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-01-09 18:56 . 2004-08-03 22:29 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-01-09 18:56 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-01-09 18:56 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-01-09 18:56 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-01-09 18:55 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2008-01-09 18:55 . 2004-08-03 22:31 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-01-09 18:55 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-01-09 18:55 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2008-01-09 18:55 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2008-01-09 18:55 . 2004-08-03 23:10 19,328 --a--c--- C:\WINDOWS\system32\dllcache\wstcodec.sys
2008-01-09 18:55 . 2004-08-03 22:29 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-01-09 18:55 . 2004-08-03 23:07 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-01-09 18:55 . 2004-08-04 00:56 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-01-09 18:53 . 2001-08-17 13:28 765,884 --a--c--- C:\WINDOWS\system32\dllcache\usrti.sys
2008-01-09 18:53 . 2001-08-17 13:28 687,999 --a--c--- C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2008-01-09 18:53 . 2001-08-17 13:28 604,253 --a--c--- C:\WINDOWS\system32\dllcache\vmodem.sys
2008-01-09 18:53 . 2001-08-17 13:28 397,502 --a--c--- C:\WINDOWS\system32\dllcache\vpctcom.sys
2008-01-09 18:53 . 2001-08-17 12:14 249,402 --a--c--- C:\WINDOWS\system32\dllcache\vinwm.sys
2008-01-09 18:53 . 2001-08-17 13:28 113,762 --a--c--- C:\WINDOWS\system32\dllcache\usrpda.sys
2008-01-09 18:53 . 2001-08-17 13:28 64,605 --a--c--- C:\WINDOWS\system32\dllcache\vvoice.sys
2008-01-09 18:53 . 2004-08-04 00:56 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2008-01-09 18:53 . 2001-08-17 13:49 24,576 --a--c--- C:\WINDOWS\system32\dllcache\viairda.sys
2008-01-09 18:51 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-01-09 18:51 . 2001-08-17 14:56 440,576 --a--c--- C:\WINDOWS\system32\dllcache\tridkb.dll
2008-01-09 18:51 . 2001-08-17 12:51 222,336 --a--c--- C:\WINDOWS\system32\dllcache\trid3dm.sys
2008-01-09 18:51 . 2001-08-17 22:36 216,064 --a--c--- C:\WINDOWS\system32\dllcache\um34scan.dll
2008-01-09 18:51 . 2001-08-17 22:36 211,968 --a--c--- C:\WINDOWS\system32\dllcache\um54scan.dll
2008-01-09 18:51 . 2001-08-17 12:51 166,784 --a--c--- C:\WINDOWS\system32\dllcache\tridxpm.sys
2008-01-09 18:51 . 2001-08-17 12:51 159,232 --a--c--- C:\WINDOWS\system32\dllcache\tridkbm.sys
2008-01-09 18:51 . 2001-08-17 22:36 50,176 --a--c--- C:\WINDOWS\system32\dllcache\umaxp60.dll
2008-01-09 18:51 . 2001-08-17 22:36 47,616 --a--c--- C:\WINDOWS\system32\dllcache\umaxcam.dll
2008-01-09 18:51 . 2001-08-17 13:58 22,912 --a--c--- C:\WINDOWS\system32\dllcache\umaxpcls.sys
2008-01-09 18:51 . 2001-08-17 13:48 11,520 --a--c--- C:\WINDOWS\system32\dllcache\twotrack.sys
2008-01-09 18:50 . 2001-08-17 14:56 315,520 --a--c--- C:\WINDOWS\system32\dllcache\trid3d.dll
2008-01-09 18:50 . 2001-08-17 14:01 241,664 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2008-01-09 18:50 . 2001-08-17 14:02 230,912 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd03.sys
2008-01-09 18:50 . 2001-08-17 12:14 123,995 --a--c--- C:\WINDOWS\system32\dllcache\tjisdn.sys
2008-01-09 18:50 . 2004-08-04 00:56 82,432 --a--c--- C:\WINDOWS\system32\dllcache\tp4mon.exe
2008-01-09 18:50 . 2001-08-17 22:35 42,496 --a--c--- C:\WINDOWS\system32\dllcache\tp4res.dll
2008-01-09 18:50 . 2001-08-17 12:12 34,375 --a--c--- C:\WINDOWS\system32\dllcache\tpro4.sys
2008-01-09 18:50 . 2001-08-17 22:36 31,744 --a--c--- C:\WINDOWS\system32\dllcache\tp4.dll
2008-01-09 18:50 . 2001-08-17 12:10 28,232 --a--c--- C:\WINDOWS\system32\dllcache\tos4mo.sys
2008-01-09 18:50 . 2001-08-17 13:51 4,992 --a--c--- C:\WINDOWS\system32\dllcache\toside.sys
2008-01-09 18:49 . 2006-02-28 06:00 571,392 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-01-09 18:49 . 2004-08-03 23:00 149,376 --a--c--- C:\WINDOWS\system32\dllcache\tffsport.sys
2008-01-09 18:49 . 2001-08-17 12:51 138,528 --a--c--- C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2008-01-09 18:49 . 2001-08-17 14:56 81,408 --a--c--- C:\WINDOWS\system32\dllcache\tgiul50.dll
2008-01-09 18:49 . 2001-08-17 12:13 37,961 --a--c--- C:\WINDOWS\system32\dllcache\tdk100b.sys
2008-01-09 18:49 . 2001-08-17 12:13 17,129 --a--c--- C:\WINDOWS\system32\dllcache\tdkcd31.sys
2008-01-09 18:47 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-01-09 18:47 . 2001-08-17 22:36 155,648 --a--c--- C:\WINDOWS\system32\dllcache\stlnprop.dll
2008-01-09 18:47 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\sw_wheel.dll
2008-01-09 18:47 . 2001-08-17 22:36 53,248 --a--c--- C:\WINDOWS\system32\dllcache\stlncoin.dll
2008-01-09 18:47 . 2001-08-17 22:36 41,472 --a--c--- C:\WINDOWS\system32\dllcache\sw_effct.dll
2008-01-09 18:47 . 2001-08-17 13:51 16,896 --a--c--- C:\WINDOWS\system32\dllcache\stcusb.sys
2008-01-09 18:47 . 2004-08-03 23:10 15,360 --a--c--- C:\WINDOWS\system32\dllcache\streamip.sys
2008-01-09 18:47 . 2001-08-17 22:36 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpidflt.dll
2008-01-09 18:47 . 2001-08-17 22:36 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpdflt2.dll
2008-01-09 18:46 . 2001-08-17 22:36 114,688 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.dll
2008-01-09 18:46 . 2001-08-17 22:36 106,584 --a--c--- C:\WINDOWS\system32\dllcache\spdports.dll
2008-01-09 18:46 . 2001-08-17 22:36 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2008-01-09 18:46 . 2001-08-17 13:51 61,824 --a--c--- C:\WINDOWS\system32\dllcache\speed.sys
2008-01-09 18:46 . 2001-08-17 12:11 48,736 --a--c--- C:\WINDOWS\system32\dllcache\srwlnd5.sys
2008-01-09 18:46 . 2001-08-17 12:51 37,040 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.sys
2008-01-09 18:46 . 2001-08-17 22:36 24,660 --a--c--- C:\WINDOWS\system32\dllcache\spxupchk.dll
2008-01-09 18:46 . 2001-08-17 12:51 20,752 --a--c--- C:\WINDOWS\system32\dllcache\sonync.sys
2008-01-09 18:46 . 2001-08-17 14:07 19,072 --a--c--- C:\WINDOWS\system32\dllcache\sparrow.sys
2008-01-09 18:46 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-01-09 18:45 . 2001-08-17 13:53 9,600 --a--c--- C:\WINDOWS\system32\dllcache\sonymc.sys
2008-01-09 18:45 . 2004-08-03 23:00 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonyait.sys
2008-01-09 18:45 . 2001-08-17 13:53 7,040 --a--c--- C:\WINDOWS\system32\dllcache\snyaitmc.sys
2008-01-09 18:44 . 2001-08-17 14:56 147,200 --a--c--- C:\WINDOWS\system32\dllcache\smidispb.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 20:44 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-14 00:09 --------- d-s---w C:\DOCUME~1\MARKFR~1\APPLIC~1\Microsoft
2008-01-09 18:03 --------- d-----w C:\Program Files\Ahead
2008-01-09 04:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-09 03:18 --------- d-----w C:\Program Files\ATI Multimedia
2008-01-09 00:58 --------- d-----w C:\Program Files\TDK
2008-01-04 16:41 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-01-03 16:59 --------- d-----w C:\Program Files\World of Warcraft
2008-01-03 16:59 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-01-03 16:59 --------- d-----w C:\Program Files\Java
2008-01-03 16:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-03 16:59 --------- d-----w C:\Program Files\ACT
2008-01-03 16:59 --------- d-----w C:\DOCUME~1\MARKFR~1\APPLIC~1\Adobe
2008-01-02 22:19 --------- d-----w C:\Program Files\Quicken
2007-12-21 17:03 --------- d-----w C:\Program Files\Common Files\zikf
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C19F206-ACB6-4E80-BEC9-4C2D96CBBAB9}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A870E8D9-6CFD-4069-BBC2-D42811AFE14B}]
C:\WINDOWS\system32\gebcd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C360EFFA-B529-482A-8CBD-18245A841DDF}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 06:00 15360]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-09-17 09:29 488712]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-09-10 20:57 46592 C:\WINDOWS\SOUNDMAN.EXE]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-17 09:24 1393928]
"RegistryMechanic"="" []
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 08:50 155648]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 23:59 44544]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2005-06-20 16:51:14]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 1 (0x1)
"Btn_Search"= 2 (0x2)
"NoBandCustomize"= 1 (0x1)
"NoToolbarCustomize"= 1 (0x1)
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2002-04-11 19:06 282624 C:\WINDOWS\system32\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2002-09-10 21:26 368706 C:\Program Files\BroadJump\Client Foundation\CFD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 06:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-12-17 23:20 278528 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\meve]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 08:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryCleanFixMFC]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe
R2 InterBaseGuardian;Firebird Guardian Service;C:\Program Files\Firebird\bin\ibguard []
R2 Pervasive.SQL 2000 (relational);Pervasive.SQL 2000 (relational);"C:\PVSW\BIN\W3SQLMGR.EXE" [2001-03-21 22:40]
R2 Pervasive.SQL 2000 (transactional);Pervasive.SQL 2000 (transactional);"C:\PVSW\BIN\NTBTRV.EXE" [2001-03-21 23:38]
R3 InterBaseServer;Firebird Server;C:\Program Files\Firebird\bin\ibserver []
S2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 19:05:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-14 19:08:19 - machine was rebooted [Mark Frost]
ComboFix-quarantined-files.txt 2008-01-15 01:08:05
.
2008-01-14 16:20:06 --- E O F ---
I will apply the HJT on next post
Ken545
Here is the HJT list after ComboFix was ran.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:35 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\PVSW\BIN\W3SQLMGR.EXE
C:\PVSW\BIN\NTBTRV.EXE
C:\PVSW\BIN\NTDBSMGR.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Firebird\bin\ibserver.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\MFrost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.51/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://autosearch.cc/search.php?qq=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A870E8D9-6CFD-4069-BBC2-D42811AFE14B} - C:\WINDOWS\system32\gebcd.dll (file missing)
O3 - Toolbar: (no name) - {E9407738-A996-421A-A309-5C93C699E10A} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/264b9403b90d8ec40805/netzip/RdxIE601.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194060446718
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194060439406
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_Detective_v43_Non_Member.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Pervasive.SQL 2000 (relational) - Pervasive Software Inc. - C:\PVSW\BIN\W3SQLMGR.EXE
O23 - Service: Pervasive.SQL 2000 (transactional) - Unknown owner - C:\PVSW\BIN\NTBTRV.EXE
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 8224 bytes
Hello,
Your doing fine, a few more things to do.
Can you answer a few questions for me.
Is this your ISP ?
69.50.160.0 - 69.50.191.255
InterCage, Inc.
810 Oak Grove Road #86
Concord, CA
US
Firebird Guardian Service <-- What can you tell me about this, I am getting mixed results.
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://autosearch.cc/search.php?qq=
O3 - Toolbar: (no name) - {E9407738-A996-421A-A309-5C93C699E10A} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/264b9403...p/RdxIE601.cab
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space above and to the left of File::
File::
C:\WINDOWS\system32\dkchlqsh.dll
C:\WINDOWS\system32\icbqfoax.dll
C:\WINDOWS\system32\ylrdxmyi.dll
C:\WINDOWS\system32\llgdyxvw.dll
C:\WINDOWS\system32\qykjigow.dll
C:\WINDOWS\system32\qoocnrvj.dll
C:\WINDOWS\system32\vgmdhglj.dll
C:\WINDOWS\system32\gebcd.dll
Folder::
C:\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C19F206-ACB6-4E80-BEC9-4C2D96CBBAB9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A870E8D9-6CFD-4069-BBC2-D42811AFE14B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C360EFFA-B529-482A-8CBD-18245A841DDF}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryCleanFixMFC]
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Hello Ken
Not sure what my ISP is. My e-mail is delivered to me by thrid party thru my internet provider AT&T. But I am in Fort Worth Texas.
The Firebird Guardian Service <-- I notice that last night that it was still here thru all those reports. I was looking at some software that needed this Firebird for the demo, I was told that it was some kind of data base engine that worked with that software. It's not needed. I need to finish removing it. It was to have been removed when I removed the software.
I wanted to answer your questions and let you know that I will be back later today to run your next request.
Mark
Hello, Ken
I was wondering, where did that ISP come from you were asking about?
I removed the Firebrid you asked about. I originally removed that demo software back in 2003.
I was noticing tonight that my system was loading up programs slowly like IE, Start, S&D etc.
I have a question:
With what we are doing will this or could this fix my Auto update problem? (Auto update will down load but fails to install updates.)
And how are looking so far?
Here is the ComboFix and HJT:
ComboFix 08-01-15.3 - Mark Frost 2008-01-15 18:09:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.93 [GMT -6:00]
Running from: C:\Documents and Settings\Mark Frost\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark Frost\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\system32\dkchlqsh.dll
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\icbqfoax.dll
C:\WINDOWS\system32\llgdyxvw.dll
C:\WINDOWS\system32\qoocnrvj.dll
C:\WINDOWS\system32\qykjigow.dll
C:\WINDOWS\system32\vgmdhglj.dll
C:\WINDOWS\system32\ylrdxmyi.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\blwatcie.dll.bad
C:\VundoFix Backups\evyfjmla.dll.bad
C:\VundoFix Backups\imqdmyrb.dll.bad
C:\VundoFix Backups\ljxnneuv.dll.bad
C:\VundoFix Backups\mjniltdf.dll.bad
C:\VundoFix Backups\odnywfdf.dll.bad
C:\VundoFix Backups\okbtsrhj.dllbox.bad
C:\VundoFix Backups\pfxpeuvw.dll.bad
C:\VundoFix Backups\qajvogam.dll.bad
C:\VundoFix Backups\qkqenoyw.dll.bad
C:\VundoFix Backups\rjiamxud.dll.bad
C:\VundoFix Backups\rwltkasw.dll.bad
C:\VundoFix Backups\rwonhynl.dll.bad
C:\VundoFix Backups\uciqrpgu.dll.bad
C:\VundoFix Backups\wtsbcuuf.dll.bad
C:\VundoFix Backups\wwwrmcue.dll.bad
C:\VundoFix Backups\ylythtaw.dll.bad
C:\VundoFix Backups\yuafgbmw.dll.bad
C:\WINDOWS\system32\dkchlqsh.dll
C:\WINDOWS\system32\icbqfoax.dll
C:\WINDOWS\system32\llgdyxvw.dll
C:\WINDOWS\system32\qoocnrvj.dll
C:\WINDOWS\system32\qykjigow.dll
C:\WINDOWS\system32\vgmdhglj.dll
C:\WINDOWS\system32\ylrdxmyi.dll
F:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.
2008-01-15 17:36 . 2008-01-15 17:36 58 --a------ C:\WINDOWS\PROGMAN.INI
2008-01-15 17:29 . 2008-01-15 17:29 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-14 18:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 15:42 . 2008-01-14 15:42 <DIR> d-------- C:\WINDOWS\Profiles
2008-01-14 15:25 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-01-14 15:23 . 2008-01-14 15:23 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-01-14 15:21 . 2008-01-14 15:21 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-14 13:08 . 2008-01-14 13:08 <DIR> d-------- C:\HostsXpert 4.2 - Host File Manager
2008-01-12 23:34 . 2008-01-12 23:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-12 17:33 . 2008-01-12 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-11 21:30 . 2008-01-15 18:11 3,745,312 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-11 21:30 . 2008-01-15 18:11 117,536 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-11 21:30 . 2008-01-15 14:09 52,340 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-11 21:30 . 2008-01-15 14:09 12,416 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-11 21:27 . 2008-01-11 21:27 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-11 21:27 . 2008-01-15 17:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-11 21:26 . 2008-01-11 21:26 <DIR> d-------- C:\KAV
2008-01-09 23:28 . 2008-01-09 23:28 <DIR> d-------- C:\WUAGENT
2008-01-09 18:57 . 2004-08-04 00:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-01-09 18:57 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-01-09 18:56 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-01-09 18:56 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-01-09 18:56 . 2004-08-03 22:29 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-01-09 18:56 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-01-09 18:56 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-01-09 18:56 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-01-09 18:55 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2008-01-09 18:55 . 2004-08-03 22:31 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-01-09 18:55 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-01-09 18:55 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2008-01-09 18:55 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2008-01-09 18:55 . 2004-08-03 23:10 19,328 --a--c--- C:\WINDOWS\system32\dllcache\wstcodec.sys
2008-01-09 18:55 . 2004-08-03 22:29 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-01-09 18:55 . 2004-08-03 23:07 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-01-09 18:55 . 2004-08-04 00:56 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-01-09 18:53 . 2001-08-17 13:28 765,884 --a--c--- C:\WINDOWS\system32\dllcache\usrti.sys
2008-01-09 18:53 . 2001-08-17 13:28 687,999 --a--c--- C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2008-01-09 18:53 . 2001-08-17 13:28 604,253 --a--c--- C:\WINDOWS\system32\dllcache\vmodem.sys
2008-01-09 18:53 . 2001-08-17 13:28 397,502 --a--c--- C:\WINDOWS\system32\dllcache\vpctcom.sys
2008-01-09 18:53 . 2001-08-17 12:14 249,402 --a--c--- C:\WINDOWS\system32\dllcache\vinwm.sys
2008-01-09 18:53 . 2001-08-17 13:28 113,762 --a--c--- C:\WINDOWS\system32\dllcache\usrpda.sys
2008-01-09 18:53 . 2001-08-17 13:28 64,605 --a--c--- C:\WINDOWS\system32\dllcache\vvoice.sys
2008-01-09 18:53 . 2004-08-04 00:56 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2008-01-09 18:53 . 2001-08-17 13:49 24,576 --a--c--- C:\WINDOWS\system32\dllcache\viairda.sys
2008-01-09 18:51 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-01-09 18:51 . 2001-08-17 14:56 440,576 --a--c--- C:\WINDOWS\system32\dllcache\tridkb.dll
2008-01-09 18:51 . 2001-08-17 12:51 222,336 --a--c--- C:\WINDOWS\system32\dllcache\trid3dm.sys
2008-01-09 18:51 . 2001-08-17 22:36 216,064 --a--c--- C:\WINDOWS\system32\dllcache\um34scan.dll
2008-01-09 18:51 . 2001-08-17 22:36 211,968 --a--c--- C:\WINDOWS\system32\dllcache\um54scan.dll
2008-01-09 18:51 . 2001-08-17 12:51 166,784 --a--c--- C:\WINDOWS\system32\dllcache\tridxpm.sys
2008-01-09 18:51 . 2001-08-17 12:51 159,232 --a--c--- C:\WINDOWS\system32\dllcache\tridkbm.sys
2008-01-09 18:51 . 2001-08-17 22:36 50,176 --a--c--- C:\WINDOWS\system32\dllcache\umaxp60.dll
2008-01-09 18:51 . 2001-08-17 22:36 47,616 --a--c--- C:\WINDOWS\system32\dllcache\umaxcam.dll
2008-01-09 18:51 . 2001-08-17 13:58 22,912 --a--c--- C:\WINDOWS\system32\dllcache\umaxpcls.sys
2008-01-09 18:51 . 2001-08-17 13:48 11,520 --a--c--- C:\WINDOWS\system32\dllcache\twotrack.sys
2008-01-09 18:50 . 2001-08-17 14:56 315,520 --a--c--- C:\WINDOWS\system32\dllcache\trid3d.dll
2008-01-09 18:50 . 2001-08-17 14:01 241,664 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2008-01-09 18:50 . 2001-08-17 14:02 230,912 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd03.sys
2008-01-09 18:50 . 2001-08-17 12:14 123,995 --a--c--- C:\WINDOWS\system32\dllcache\tjisdn.sys
2008-01-09 18:50 . 2004-08-04 00:56 82,432 --a--c--- C:\WINDOWS\system32\dllcache\tp4mon.exe
2008-01-09 18:50 . 2001-08-17 22:35 42,496 --a--c--- C:\WINDOWS\system32\dllcache\tp4res.dll
2008-01-09 18:50 . 2001-08-17 12:12 34,375 --a--c--- C:\WINDOWS\system32\dllcache\tpro4.sys
2008-01-09 18:50 . 2001-08-17 22:36 31,744 --a--c--- C:\WINDOWS\system32\dllcache\tp4.dll
2008-01-09 18:50 . 2001-08-17 12:10 28,232 --a--c--- C:\WINDOWS\system32\dllcache\tos4mo.sys
2008-01-09 18:50 . 2001-08-17 13:51 4,992 --a--c--- C:\WINDOWS\system32\dllcache\toside.sys
2008-01-09 18:49 . 2006-02-28 06:00 571,392 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-01-09 18:49 . 2004-08-03 23:00 149,376 --a--c--- C:\WINDOWS\system32\dllcache\tffsport.sys
2008-01-09 18:49 . 2001-08-17 12:51 138,528 --a--c--- C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2008-01-09 18:49 . 2001-08-17 14:56 81,408 --a--c--- C:\WINDOWS\system32\dllcache\tgiul50.dll
2008-01-09 18:49 . 2001-08-17 12:13 37,961 --a--c--- C:\WINDOWS\system32\dllcache\tdk100b.sys
2008-01-09 18:49 . 2001-08-17 12:13 17,129 --a--c--- C:\WINDOWS\system32\dllcache\tdkcd31.sys
2008-01-09 18:47 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-01-09 18:47 . 2001-08-17 22:36 155,648 --a--c--- C:\WINDOWS\system32\dllcache\stlnprop.dll
2008-01-09 18:47 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\sw_wheel.dll
2008-01-09 18:47 . 2001-08-17 22:36 53,248 --a--c--- C:\WINDOWS\system32\dllcache\stlncoin.dll
2008-01-09 18:47 . 2001-08-17 22:36 41,472 --a--c--- C:\WINDOWS\system32\dllcache\sw_effct.dll
2008-01-09 18:47 . 2001-08-17 13:51 16,896 --a--c--- C:\WINDOWS\system32\dllcache\stcusb.sys
2008-01-09 18:47 . 2004-08-03 23:10 15,360 --a--c--- C:\WINDOWS\system32\dllcache\streamip.sys
2008-01-09 18:47 . 2001-08-17 22:36 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpidflt.dll
2008-01-09 18:47 . 2001-08-17 22:36 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpdflt2.dll
2008-01-09 18:46 . 2001-08-17 22:36 114,688 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.dll
2008-01-09 18:46 . 2001-08-17 22:36 106,584 --a--c--- C:\WINDOWS\system32\dllcache\spdports.dll
2008-01-09 18:46 . 2001-08-17 22:36 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2008-01-09 18:46 . 2001-08-17 13:51 61,824 --a--c--- C:\WINDOWS\system32\dllcache\speed.sys
2008-01-09 18:46 . 2001-08-17 12:11 48,736 --a--c--- C:\WINDOWS\system32\dllcache\srwlnd5.sys
2008-01-09 18:46 . 2001-08-17 12:51 37,040 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.sys
2008-01-09 18:46 . 2001-08-17 22:36 24,660 --a--c--- C:\WINDOWS\system32\dllcache\spxupchk.dll
2008-01-09 18:46 . 2001-08-17 12:51 20,752 --a--c--- C:\WINDOWS\system32\dllcache\sonync.sys
2008-01-09 18:46 . 2001-08-17 14:07 19,072 --a--c--- C:\WINDOWS\system32\dllcache\sparrow.sys
2008-01-09 18:46 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-01-09 18:45 . 2001-08-17 13:53 9,600 --a--c--- C:\WINDOWS\system32\dllcache\sonymc.sys
2008-01-09 18:45 . 2004-08-03 23:00 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonyait.sys
2008-01-09 18:45 . 2001-08-17 13:53 7,040 --a--c--- C:\WINDOWS\system32\dllcache\snyaitmc.sys
2008-01-09 18:44 . 2001-08-17 14:56 147,200 --a--c--- C:\WINDOWS\system32\dllcache\smidispb.dll
2008-01-09 18:44 . 2001-08-17 12:51 58,368 --a--c--- C:\WINDOWS\system32\dllcache\smiminib.sys
2008-01-09 18:44 . 2001-08-17 12:10 35,913 --a--c--- C:\WINDOWS\system32\dllcache\smcirda.sys
2008-01-09 18:44 . 2001-08-17 12:12 25,034 --a--c--- C:\WINDOWS\system32\dllcache\smcpwr2n.sys
2008-01-09 18:44 . 2001-08-17 12:12 24,576 --a--c--- C:\WINDOWS\system32\dllcache\smc8000n.sys
2008-01-09 18:44 . 2001-08-17 13:57 6,784 --a--c--- C:\WINDOWS\system32\dllcache\smbhc.sys
2008-01-09 18:42 . 2001-08-17 22:36 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 18:19 --------- d-----w C:\Program Files\Firebird
2008-01-14 20:44 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-09 18:03 --------- d-----w C:\Program Files\Ahead
2008-01-09 04:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-09 03:18 --------- d-----w C:\Program Files\ATI Multimedia
2008-01-09 00:58 --------- d-----w C:\Program Files\TDK
2008-01-04 16:41 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-01-03 16:59 --------- d-----w C:\Program Files\World of Warcraft
2008-01-03 16:59 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-01-03 16:59 --------- d-----w C:\Program Files\Java
2008-01-03 16:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-03 16:59 --------- d-----w C:\Program Files\ACT
2008-01-02 22:19 --------- d-----w C:\Program Files\Quicken
2007-12-21 17:03 --------- d-----w C:\Program Files\Common Files\zikf
2007-11-02 17:46 80,105 ----a-w C:\WINDOWS\system32\dcads-remove.exe
2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
.
((((((((((((((((((((((((((((( snapshot@2008-01-14_19.07.26.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-15 00:56:27 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-16 00:08:56 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-15 00:56:27 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-16 00:08:56 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-15 00:56:27 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-16 00:08:56 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-15 00:56:27 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-16 00:08:56 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-15 00:56:27 5,980,160 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-16 00:08:56 5,980,160 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-15 00:56:28 155,648 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-16 00:08:57 155,648 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-15 23:32:16 6,788 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{2107BEBF-7993-4946-A683-A6D8C53DCEF4}.bin
- 2008-01-14 15:05:12 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-15 14:44:27 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-14 15:05:12 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-15 14:44:27 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-14 15:05:12 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-15 14:44:27 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 06:00 15360]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-09-17 09:29 488712]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-09-10 20:57 46592 C:\WINDOWS\SOUNDMAN.EXE]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-17 09:24 1393928]
"RegistryMechanic"="" []
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 08:50 155648]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 23:59 44544]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2005-06-20 16:51:14]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 1 (0x1)
"Btn_Search"= 2 (0x2)
"NoBandCustomize"= 1 (0x1)
"NoToolbarCustomize"= 1 (0x1)
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2002-04-11 19:06 282624 C:\WINDOWS\system32\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2002-09-10 21:26 368706 C:\Program Files\BroadJump\Client Foundation\CFD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 06:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-12-17 23:20 278528 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\meve]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 08:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe
R2 Pervasive.SQL 2000 (relational);Pervasive.SQL 2000 (relational);"C:\PVSW\BIN\W3SQLMGR.EXE" [2001-03-21 22:40]
R2 Pervasive.SQL 2000 (transactional);Pervasive.SQL 2000 (transactional);"C:\PVSW\BIN\NTBTRV.EXE" [2001-03-21 23:38]
S2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 18:12:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-15 18:13:42
ComboFix-quarantined-files.txt 2008-01-16 00:13:27
ComboFix2.txt 2008-01-15 01:08:19
.
2008-01-15 14:46:40 --- E O F ---
Text to long post HJT on next reply
Now here is the HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:18:03 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PVSW\BIN\W3SQLMGR.EXE
C:\PVSW\BIN\NTBTRV.EXE
C:\PVSW\BIN\NTDBSMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\MFrost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.51/sp.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194060446718
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194060439406
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_Detective_v43_Non_Member.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Pervasive.SQL 2000 (relational) - Pervasive Software Inc. - C:\PVSW\BIN\W3SQLMGR.EXE
O23 - Service: Pervasive.SQL 2000 (transactional) - Unknown owner - C:\PVSW\BIN\NTBTRV.EXE
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 6984 bytes
Hi,
Your log is looking good :bigthumb: But let me explain one of the basic rules of protection. You should have ONE and only ONE Antivirus and Firewall installed. I am looking at Symantec, Trendmicro and Kaspersky. All these together are using a ton of system resources and can cause you all sorts of problems.
Kaspersky Anti-Virus 6.0 <-- this appears as a stand alone anti virus progam with no firewall
Trendmicro Internet Security <-- This suite most likely includes a firewall.
Symantec <-- Appears as leftover after a borked uninstall
You need to decide which one you want to keep and uninstall the other.
This is pointing towards that IP address and is not needed so remove it with HJT
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.51/sp.php
As far as windows updates, that may be another issue and I can direct you to some forums that deal with issues like that.
Post a new HJT log when you cleaned up your Anti Virus issue and if some is still left we can clean it up
Hello again,
Man looking at all these log remind's me of the movie Matrix. Who where and whos what. Who bellongs and who doesn't. I bet you dream this stuff in your sleep. I'm glad you are helping me out.
Kaspersky Anti-Virus 6.0<--- Was installed thinking it was the online scanner instead it was free 30 day use. Removed.
Had to restart after removal. Notice that IE took approx. 3 min. to load up (I did it twice) After loading message at bottom said Done but errors on page.
Symantec <-- That's correct it is a leftover after a borked uninstall.
When I went in to delete it I received an error message. "Cannot delete Symlcnet.dll access is denied"
Trendmicro Internet Security(--- I will be using this one.
Has been removed:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.51/sp.php
Any help in pointing me in the right direction for windows update would be great. Thank's
Here's the HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:14 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PVSW\BIN\W3SQLMGR.EXE
C:\PVSW\BIN\NTBTRV.EXE
C:\PVSW\BIN\NTDBSMGR.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\MFrost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A870E8D9-6CFD-4069-BBC2-D42811AFE14B} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194060446718
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194060439406
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_Detective_v43_Non_Member.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Pervasive.SQL 2000 (relational) - Pervasive Software Inc. - C:\PVSW\BIN\W3SQLMGR.EXE
O23 - Service: Pervasive.SQL 2000 (transactional) - Unknown owner - C:\PVSW\BIN\NTBTRV.EXE
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 7029 bytes
The 023 entries are services running on your system, Symantec is still running as a service even though you uninstalled the program. Symantec has a removal tool for borked installs and uninstall, you can download and run it.
First remove this with HJT, it won't remove the program but will stop it from running
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Norton Removal Tool
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039
Post a new log and lets see if its gone, then we can address Windows Updates
ALL right that was great improve :2thumb:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:53 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\MFrost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A870E8D9-6CFD-4069-BBC2-D42811AFE14B} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194060446718
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194060439406
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_Detective_v43_Non_Member.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pervasive.SQL 2000 (relational) - Pervasive Software Inc. - C:\PVSW\BIN\W3SQLMGR.EXE
O23 - Service: Pervasive.SQL 2000 (transactional) - Unknown owner - C:\PVSW\BIN\NTBTRV.EXE
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 6569 bytes
Log looks good :bigthumb:
Tell me about Windows Updates, what are you doing to run it, what is not happening?? Are you getting any error messages??
Open Up Internet Explorer and go to Tools> Windows Updates and tell me what happens
Ken
Hi. Ken
I have automatic windows update on, the yellow shield shows updates are ready, click on it to install, window pops open shows installation ststus, then the window goes away. Than about a minute later the windows pops up and says installed failed some update did not install, and if there is 2 than 2 faild if there 7 all seven failed. non of the updates install.
When I go to windows update site and check for updates. Windows scans system for updates, finds updates needed, then I run into the same problem. There is no error message given. Other than a red circle with a white X in it. failed updates Check update history and no history there.
Mark
Hmmm, this appears to be a windows issue so this is as far as I can go as this forum is for malware removal only. I suggest you try posting in one of these forums for help, they deal with windows issues quite well. Be sure to tell them you posted here and that we cleaned malware off your system and at this time your system is clean. Before you post in a windows support forum, run this system cleaner and see if it makes a difference, you system may be pretty clogged up with temp files and what not.
Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.
Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.
*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!
Windows Tech Support Forums
PcPitStop (http://pcpitstop.com/) <-- You can take your system in for a checkup here.
Windows Helpnet (http://www.windowsbbs.com/) <-- Excellent XP Forum
Mark, you can also try this site from Microsoft, there is contact info up on the top right with a number you can call and ask for help installing the updates.
http://support.microsoft.com/default.aspx?pr=windowsxpsp2 <-- Contact a support person
Good Luck :bigthumb:
Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 2.0.0.6 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.
Glad we could help
Safe Surfn
Ken
Ken,
Thanks again for all your help, and thanks for the links, to better help me. My system is doing alot better :bigthumb:
except for the windows. I'll start working on that now. I got the CCleaner could not find the Temp File, I'll dig around alittle more. It may be the newer version and it's in a diffrent place.
Once again thanks for all your help and keep :)
Mark
Hello,
I got the CCleaner could not find the Temp File Not following you on this one???
Hi,
Sorry, I was not that clear.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
deselect "Only delete files in Windows Temp folders older than 48 hours."
I have not figured this out at the moment. But I,m looking into again right now.
Hey Ken,
Just figured out what you was telling me. It helps to slow down and just look.
Sorry about that.
Mark
OK Mark :p:
Thats a good program to run , I run it on my own systems about once a week or so. Gets rid of all the garbage that can clog up your system and slow it down.
Take Care,
Ken
Hello Ken
I have question
Is there some kind of program one could use on a USB drive that would scan a used computor that is for sell to see if it was all working and to check weather it was infected or not before you buy it?
The reason I ask is I bought a used computor for what I thought was good deal for my family to use instead of mine, thought it was OK, but I got surprised. :eek:
Now I'm stuck :banghead: on what I thought was a great ideal.
Mark
Hello Mark,
You didn't say if this computer you bought has internet access. If not you can download Hijackthis to any computer or directly to a thumb drive from one of your computers that has internet access, transfer it to that computer and run it to scan and save a log file, when it it opens in Notepad, you can select File> Save As and save it to your Thumbdrive, then copy the log from the thumbdrive and paste it here for me to see.
Download
Trendmicros Hijackthis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop, double click it to install, follow the prompts
and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the
Post Reply and not start a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or
even required.
Ken
I think I missed up then, I posted a new problem already, about two hours ago. (Need help with Trojan.Win32 plus others) Not thinking that I could have posted here instead. Sorry, I was frustrated, I finally just shut it down and got on my comp. just to send that last post to you and now.
Ken
Is there anyway to close the new post I made. I guess I was thinking New problem new post.
Lets just archive this one and I will pick up your new post unless someone else has gotten it already. Either way, we have a great staff and one of us will get it.
Ken