Virtumonde Help...



keiths
2008-03-10, 01:44
Hello.
I have Virtumonde (sb1 $7342f9d9) settings at
HKEY_users/s-1-5-21-117609710-1844823847-725345543-1003/software/microsoft

I have done an online scan (ESET); it did find some other crap but did not help with this Virtumonde.
Any help would be great.

It also comes up at startup: Rundll Error loading C:\windows\system32\rutrscct.dll,
the specified module could not be found.

thanks in advance

Keith

keiths
2008-03-11, 03:44
Hello all.
I ran ComboFix on the computer and this is what came out of it.
I tried to do an online scan with Kaspersky, but it was only 50% downloaded in 4 hrs; I'm on a very slow dial-up connection, 26.4 kbps (fun, eh).
Please tell me what I have to do next.
Thanks, Keith

ComboFix 08-03-09.1 - Keith 2008-03-10 22:12:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.54 [GMT -4:00]
Running from: C:\Documents and Settings\Keith\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM0777d63f.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ajmeytec.dll
C:\WINDOWS\system32\cetyemja.ini
C:\WINDOWS\system32\fccyvts.dll
C:\WINDOWS\system32\fjphtssr.dll
C:\WINDOWS\system32\gyxqfhmp.ini
C:\WINDOWS\system32\hjjlm.ini
C:\WINDOWS\system32\hjjlm.ini2
C:\WINDOWS\system32\jkklmlk.dll
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\nayoneid.dll
C:\WINDOWS\system32\oamawajn.dll
C:\WINDOWS\system32\pmhfqxyg.dll
C:\WINDOWS\system32\sokbesdq.dll
C:\WINDOWS\system32\vomqspvl.dll
C:\WINDOWS\system32\xslgcpsc.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.

2008-03-10 19:46 . 2008-03-10 19:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-10 19:46 . 2008-03-10 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-10 17:33 . 2008-03-10 18:40 153 --a------ C:\WINDOWS\wininit.ini
2008-03-09 12:55 . 2008-03-09 16:44 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-09 08:52 . 2008-03-09 08:53 51,355 --a------ C:\WINDOWS\system32\muzika.xm
2008-03-09 00:36 . 2008-03-09 20:22 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-08 09:37 . 2008-03-08 09:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-08 00:49 . 2008-03-08 21:59 895 ---hs---- C:\WINDOWS\system32\tccsrtur.ini
2008-03-07 23:40 . 2008-03-07 22:19 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-07 23:40 . 2008-03-07 23:40 2,546 --a------ C:\WINDOWS\unins000.dat
2008-03-07 20:31 . 2008-03-08 00:30 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-07 20:31 . 2008-03-08 00:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-07 17:46 . 2008-03-08 09:37 <DIR> d-------- C:\Documents and Settings\Keith\Application Data\Ahead
2008-03-07 17:41 . 2008-03-07 17:41 <DIR> d-------- C:\Program Files\Nero
2008-03-07 17:41 . 2008-03-07 17:43 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-07 17:41 . 2008-03-07 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-03-07 16:39 . 2008-03-07 16:39 <DIR> d-------- C:\WINDOWS\SpywarePro
2008-03-06 22:13 . 2008-03-08 00:44 775 ---hs---- C:\WINDOWS\system32\wthwngnf.ini
2008-03-05 10:35 . 1999-09-10 12:06 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-03-05 10:35 . 1999-09-10 12:06 25,244 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-03-05 10:35 . 1999-09-10 12:06 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
2008-03-05 10:35 . 1999-09-10 12:06 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
2008-03-05 09:41 . 2008-03-05 12:08 <DIR> d-------- C:\Program Files\RegCure
2008-02-26 21:46 . 2008-02-26 21:46 244 --ah----- C:\sqmnoopt04.sqm
2008-02-26 21:46 . 2008-02-26 21:46 232 --ah----- C:\sqmdata04.sqm
2008-02-19 21:03 . 2008-02-19 21:03 <DIR> d-------- C:\Documents and Settings\Brad & Hilary\Application Data\FaxCtr
2008-02-12 11:31 . 2008-02-12 11:31 268 --ah----- C:\sqmdata03.sqm
2008-02-12 11:31 . 2008-02-12 11:31 244 --ah----- C:\sqmnoopt03.sqm
2008-02-11 09:40 . 2008-02-11 09:40 2,715,648 --a------ C:\WINDOWS\system32\OnlineScanner.ocx
2008-02-11 09:39 . 2008-02-11 09:39 253,952 --a------ C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 09:39 . 2008-02-11 09:39 237,568 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 02:19 --------- d-----w C:\Program Files\lx_cats
2008-03-07 21:28 --------- d-----w C:\Program Files\Xilisoft
2008-03-07 21:24 --------- d-----w C:\Program Files\Ahead
2008-03-03 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
2008-02-20 02:29 --------- d-----w C:\Program Files\XP Smoker
2008-02-18 20:43 --------- d-----w C:\Documents and Settings\Keith\Application Data\MSN6
2008-02-18 16:52 --------- d-----w C:\Program Files\Bezerk
2008-02-18 16:52 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-02-18 16:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-18 16:02 --------- d-----w C:\Documents and Settings\Keith\Application Data\RipIt4Me
2008-02-18 15:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-13 01:01 --------- d-----w C:\Documents and Settings\Keith\Application Data\Image Zone Express
2008-01-23 22:50 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-23 22:35 --------- d-----w C:\Documents and Settings\Keith\Application Data\AdobeUM
2008-01-20 19:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-13 22:47 --------- d-----w C:\Documents and Settings\Keith\Application Data\dvdcss
2008-01-11 00:09 --------- d-----w C:\Program Files\Hasbro
2007-08-26 22:36 87,608 ----a-w C:\Documents and Settings\Keith\Application Data\inst.exe
2007-08-26 22:36 47,360 ----a-w C:\Documents and Settings\Keith\Application Data\pcouffin.sys
2007-04-08 22:18 2,027,029 ----a-w C:\WINDOWS\inf\Rar.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0052fb94-5ea5-4255-a5f9-6125536b8e89}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74088EBA-1811-469E-B2A9-E86D5D10F79D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3ADDB7B-3DF5-4672-82DD-775FFF180134}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b6a9b545-402d-4ece-a16e-efad0a0c0bda}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D6E28C7B-0F89-41AD-B984-B3AA2F7EF124}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2008-03-04 20:00 1465280]
"SpywareProMFC"="C:\Program Files\SpywarePro\SpywarePro.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 16:14 147456]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAV Agent"="C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe" [2001-08-16 17:52 74832]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01 32768]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 09:47 57344]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [2007-01-11 14:57 291760]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-12-11 12:11 82864]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-11-21 13:27 106496]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"0444e5a3"="C:\WINDOWS\system32\rutrscct.dll" [ ]
"BM0777d63f"="C:\WINDOWS\system32\oamawajn.dll" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklmlk]
jkklmlk.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dial-up Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dial-up Accelerator.lnk
backup=C:\WINDOWS\pss\Dial-up Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 20:52 483328 C:\Program Files\Adobe\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
--a------ 2006-12-11 12:12 295856 C:\Program Files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 01:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 13:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-12-20 19:44 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\lxcrcoms.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-03-10 22:00:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-08 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-03-07 21:30:00 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Common Files\Symantec Shared\NMAIN.EXEK /dat:C:\Program Files\Norton SystemWorks\swplugin.nsi /NSWCMD:OBCSchedule
"2008-03-11 02:18:44 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-06 19:31:46 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-11 02:27:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 22:18:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2008-03-10 22:29:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-11 02:29:43
.
2007-06-29 10:07:59 --- E O F ---

keiths
2008-03-11, 04:00
Sorry,
I also tried to run HijackThis and it would not let me save the file or analyze it; it kept coming up with errors.
Now, since I ran ComboFix, it seems to be working, and this is what it came out with, if it's any help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:49 PM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Keith\Desktop\Keith\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [0444e5a3] rundll32.exe "C:\WINDOWS\system32\rutrscct.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SpywareProMFC] C:\Program Files\SpywarePro\SpywarePro.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Dial-up Accelerator.lnk = C:\Program Files\Sympatico Dial-up Accelerator\slipaccel.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174362047918
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174363006215
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{406B65A9-7712-4D3C-B5F0-6F3B8FBB893E}: NameServer = 207.164.234.193 206.47.244.138
O20 - Winlogon Notify: jkklmlk - jkklmlk.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

--
End of file - 9800 bytes

keiths
2008-03-11, 04:36
Anyone...


The Waiting Room: Post here if waiting for help longer than four days (http://forums.spybot.info/forumdisplay.php?f=37)

keiths
2008-03-11, 11:01
What needs to be done to my computer, or have I done it right? I haven't seen ComboFix open up a box to tell me what needs to be reinstalled on my machine. Is there something that I have missed, or is this OK?

thanks





C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2008-03-10 22:29:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-11 02:29:43
.
2007-06-29 10:07:59 --- E O F ---

keiths
2008-03-11, 11:02
Here is the other part.

Sorry,
I also tried to run HijackThis and it would not let me save the file or analyze it; it kept coming up with errors.
Now, since I ran ComboFix, it seems to be working, and this is what it came out with, if it's any help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:49 PM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Keith\Desktop\Keith\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [0444e5a3] rundll32.exe "C:\WINDOWS\system32\rutrscct.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SpywareProMFC] C:\Program Files\SpywarePro\SpywarePro.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Dial-up Accelerator.lnk = C:\Program Files\Sympatico Dial-up Accelerator\slipaccel.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1174362047918
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174363006215
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{406B65A9-7712-4D3C-B5F0-6F3B8FBB893E}: NameServer = 207.164.234.193 206.47.244.138
O20 - Winlogon Notify: jkklmlk - jkklmlk.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

--
End of file - 9800 bytes



Anyone...

pskelley
2008-03-11, 12:53
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Hi Keith, all forums that I know of pin the instructions they need followed at the top; it appears you did not see those.

http://forums.spybot.info/showthread.php?t=16806
NOTE! We do NOT ask Users to run 'fixes' before helpers have analyzed HJT/KAV scans

This program: SpywarePro <<< did you install it on purpose? I can't find anything here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
but read some of these comments: http://forums.pcworld.com/thread/26177

1) We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.


4) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\rutrscct.dll

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

(wait until you finish to post the logs)


5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(if an item is gone, not to worry)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [0444e5a3] rundll32.exe "C:\WINDOWS\system32\rutrscct.dll",b
O20 - Winlogon Notify: jkklmlk - jkklmlk.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Please tell me how the computer is running.

Thanks
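
As an added example for this thread (not HijackThis, ComboFix or the helper's own tooling), a small Python triage script that applies the checks made by hand above to HijackThis v2 log lines: targets HJT could not find on disk, empty IE "Local Page" values, rundll32 loaders for eight-letter DLLs in system32, and hex-style Run value names. The sample log is constructed from lines quoted in this thread; the eight-letter-DLL and hex-name patterns are heuristics assumed from this particular infection, not HijackThis rules.

```python
"""Triage helper for HijackThis v2 log lines.

Added example for this thread, not HijackThis or ComboFix code. It flags the
kinds of entries the helper picked out by hand: targets HJT could not find,
empty IE Local Page values, rundll32 loaders for randomly named DLLs in
system32, and Run value names that are just hex digits.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

MISSING_MARKERS = ("(no file)", "(file missing)")

# "O4 - HKLM\..\Run: [name] command"  ->  section code, rest of line
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Run-key O4 entries only (Global Startup lines use a different layout)
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\Run): \[([^\]]+)\] (.*)$")
# rundll32[.exe] "<dll>",<export>   (quotes optional, case-insensitive)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S*)',
                       re.IGNORECASE)
# Heuristic assumed from this infection: eight lowercase letters + .dll
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")
# Heuristic assumed from this infection: value names like 0444e5a3, BM0777d63f
HEX_NAME_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # HJT section code (R0, O4, O20, ...)
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one suspicious HJT line, or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, process list, blank line
    kind, body = m.groups()

    # Rule 1: HJT could not find the target. Before cleanup this is often a
    # component that is hidden or already quarantined; after cleanup it is a
    # dangling registry reference that still deserves removal.
    for marker in MISSING_MARKERS:
        if body.endswith(marker):
            return Finding(kind, f"target missing on disk {marker}", line)

    # Rule 2: empty IE page settings (the R0 "Local Page =" lines above).
    if kind in ("R0", "R1") and body.endswith("="):
        return Finding(kind, "empty Internet Explorer setting", line)

    if kind == "O4":
        run = RUN_RE.match(body)
        if run:
            _, name, command = run.groups()
            loader = RUNDLL_RE.search(command)
            if loader:
                path, export = loader.groups()
                dll = path.rsplit("\\", 1)[-1]
                # Rule 3: rundll32 loading an eight-letter DLL from system32
                # via a one-letter (or empty) export, the pattern behind
                # "rutrscct.dll",b and "oamawajn.dll",s in this thread.
                if ("\\system32\\" in path.lower()
                        and RANDOM_DLL_RE.match(dll)
                        and len(export) <= 1):
                    return Finding(kind, f"rundll32 loader for random DLL {dll}", line)
            # Rule 4: hex-digit value names carry no vendor information.
            if HEX_NAME_RE.match(name):
                return Finding(kind, f"hex-style Run value name {name}", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


# Constructed sample: lines copied from the HJT logs posted in this thread,
# plus benign neighbours so the rules have something to ignore.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0052fb94-5ea5-4255-a5f9-6125536b8e89} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [0444e5a3] rundll32.exe "C:\WINDOWS\system32\rutrscct.dll",b
O4 - HKLM\..\Run: [BM0777d63f] Rundll32.exe "C:\WINDOWS\system32\oamawajn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: jkklmlk - jkklmlk.dll (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
"""

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(f"{hit.kind:4} {hit.reason}: {hit.line}")
```

Running it over the sample flags the same five malicious or dangling entries the helper listed for "Fix Checked", plus the empty Local Page value, and leaves the Lexmark rundll32 entry and the other vendor lines alone.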

tashi
2008-03-11, 15:47
Merged two topics.

keiths
2008-03-12, 02:14
First things first, thanks for the reply.

When I boot up it is now saying
RUNDLL
error loading C:/windows/system32/oamawajn.dll
the specified module could not be found

I followed your instructions and this is what ComboFix came up with, and also HJT.

Thanks again
Keith

ComboFix 08-03-09.1 - Keith 2008-03-11 20:24:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.59 [GMT -4:00]
Running from: C:\Documents and Settings\Keith\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Keith\Desktop\New Briefcase\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\rutrscct.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Keith\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
.

2008-03-10 19:46 . 2008-03-10 19:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-10 19:46 . 2008-03-10 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-10 17:33 . 2008-03-10 18:40 153 --a------ C:\WINDOWS\wininit.ini
2008-03-09 12:55 . 2008-03-09 16:44 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-09 08:52 . 2008-03-09 08:53 51,355 --a------ C:\WINDOWS\system32\muzika.xm
2008-03-09 00:36 . 2008-03-09 20:22 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-08 09:37 . 2008-03-08 09:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-08 00:49 . 2008-03-08 21:59 895 ---hs---- C:\WINDOWS\system32\tccsrtur.ini
2008-03-07 23:40 . 2008-03-07 22:19 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-07 23:40 . 2008-03-07 23:40 2,546 --a------ C:\WINDOWS\unins000.dat
2008-03-07 20:31 . 2008-03-08 00:30 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-07 20:31 . 2008-03-08 00:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-07 17:46 . 2008-03-08 09:37 <DIR> d-------- C:\Documents and Settings\Keith\Application Data\Ahead
2008-03-07 17:41 . 2008-03-07 17:41 <DIR> d-------- C:\Program Files\Nero
2008-03-07 17:41 . 2008-03-07 17:43 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-07 17:41 . 2008-03-07 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-03-07 16:39 . 2008-03-07 16:39 <DIR> d-------- C:\WINDOWS\SpywarePro
2008-03-06 22:13 . 2008-03-08 00:44 775 ---hs---- C:\WINDOWS\system32\wthwngnf.ini
2008-03-05 10:35 . 1999-09-10 12:06 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-03-05 10:35 . 1999-09-10 12:06 25,244 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-03-05 10:35 . 1999-09-10 12:06 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
2008-03-05 10:35 . 1999-09-10 12:06 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
2008-03-05 09:41 . 2008-03-05 12:08 <DIR> d-------- C:\Program Files\RegCure
2008-02-26 21:46 . 2008-02-26 21:46 244 --ah----- C:\sqmnoopt04.sqm
2008-02-26 21:46 . 2008-02-26 21:46 232 --ah----- C:\sqmdata04.sqm
2008-02-19 21:03 . 2008-02-19 21:03 <DIR> d-------- C:\Documents and Settings\Brad & Hilary\Application Data\FaxCtr
2008-02-12 11:31 . 2008-02-12 11:31 268 --ah----- C:\sqmdata03.sqm
2008-02-12 11:31 . 2008-02-12 11:31 244 --ah----- C:\sqmnoopt03.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 00:18 --------- d-----w C:\Program Files\lx_cats
2008-03-07 21:28 --------- d-----w C:\Program Files\Xilisoft
2008-03-07 21:24 --------- d-----w C:\Program Files\Ahead
2008-03-03 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
2008-02-20 02:29 --------- d-----w C:\Program Files\XP Smoker
2008-02-18 20:43 --------- d-----w C:\Documents and Settings\Keith\Application Data\MSN6
2008-02-18 16:52 --------- d-----w C:\Program Files\Bezerk
2008-02-18 16:52 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-02-18 16:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-18 16:02 --------- d-----w C:\Documents and Settings\Keith\Application Data\RipIt4Me
2008-02-18 15:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-13 01:01 --------- d-----w C:\Documents and Settings\Keith\Application Data\Image Zone Express
2008-02-11 13:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 13:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 17:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 12:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2008-01-23 22:50 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-23 22:35 --------- d-----w C:\Documents and Settings\Keith\Application Data\AdobeUM
2008-01-20 19:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-13 22:47 --------- d-----w C:\Documents and Settings\Keith\Application Data\dvdcss
2007-08-26 22:36 47,360 ----a-w C:\Documents and Settings\Keith\Application Data\pcouffin.sys
2007-04-08 22:18 2,027,029 ----a-w C:\WINDOWS\inf\Rar.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0052fb94-5ea5-4255-a5f9-6125536b8e89}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74088EBA-1811-469E-B2A9-E86D5D10F79D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b6a9b545-402d-4ece-a16e-efad0a0c0bda}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D6E28C7B-0F89-41AD-B984-B3AA2F7EF124}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2008-03-04 20:00 1465280]
"SpywareProMFC"="C:\Program Files\SpywarePro\SpywarePro.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 16:14 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAV Agent"="C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe" [2001-08-16 17:52 74832]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01 32768]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 09:47 57344]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [2007-01-11 14:57 291760]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-12-11 12:11 82864]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-11-21 13:27 106496]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"0444e5a3"="C:\WINDOWS\system32\rutrscct.dll" [ ]
"BM0777d63f"="C:\WINDOWS\system32\oamawajn.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-01-20 15:38:47 25214]
Dial-up Accelerator.lnk - C:\Program Files\Sympatico Dial-up Accelerator\slipaccel.exe [2007-03-19 23:33:15 233472]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48 176128]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-03-19 21:16:04 389120]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklmlk]
jkklmlk.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dial-up Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dial-up Accelerator.lnk
backup=C:\WINDOWS\pss\Dial-up Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 20:52 483328 C:\Program Files\Adobe\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
--a------ 2006-12-11 12:12 295856 C:\Program Files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 01:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 13:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-12-20 19:44 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\lxcrcoms.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-03-10 22:00:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-08 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-03-07 21:30:00 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Common Files\Symantec Shared\NMAIN.EXEK /dat:C:\Program Files\Norton SystemWorks\swplugin.nsi /NSWCMD:OBCSchedule
"2008-03-12 00:18:18 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-06 19:31:46 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-12 00:27:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 20:27:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-11 20:28:45
ComboFix-quarantined-files.txt 2008-03-12 00:28:42
ComboFix2.txt 2008-03-11 02:29:48
.
2007-06-29 10:07:59 --- E O F ---

keiths
2008-03-12, 02:19
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:01 PM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Sympatico Dial-up Accelerator\slipaccel.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Keith\Desktop\Keith\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {0052fb94-5ea5-4255-a5f9-6125536b8e89} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {74088EBA-1811-469E-B2A9-E86D5D10F79D} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {b6a9b545-402d-4ece-a16e-efad0a0c0bda} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D6E28C7B-0F89-41AD-B984-B3AA2F7EF124} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BM0777d63f] Rundll32.exe "C:\WINDOWS\system32\oamawajn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SpywareProMFC] C:\Program Files\SpywarePro\SpywarePro.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Dial-up Accelerator.lnk = C:\Program Files\Sympatico Dial-up Accelerator\slipaccel.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174362047918
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174363006215
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

--
End of file - 9882 bytes

pskelley
2008-03-12, 12:33
Hi Keith, you understand this junk can morph and return if we don't get it all, it is a hard infection to remove. Please follow these instructions.

1) Make sure TeaTimer is disabled as instructed earlier.

Download ResetTeaTimer.bat.
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer.

2) All files and folders must be visible.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {0052fb94-5ea5-4255-a5f9-6125536b8e89} - (no file)
O2 - BHO: (no name) - {74088EBA-1811-469E-B2A9-E86D5D10F79D} - (no file)
O2 - BHO: (no name) - {b6a9b545-402d-4ece-a16e-efad0a0c0bda} - (no file)
O2 - BHO: (no name) - {D6E28C7B-0F89-41AD-B984-B3AA2F7EF124} - (no file)
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\oamawajn.dll",s

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\system32\oamawajn.dll <<< delete that file

5) If that file gives you trouble, use the instructions in #6

How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\oamawajn.dll and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

Restart and post a new HJT log and some feedback.

Thanks

keiths
2008-03-12, 23:40
Hi.
I've done everything that you have told me to do.
But when I searched for C:/windows/system32/oamawajn.dll I can't find it anywhere. Thanks for the heads up on SpywarePro.
I am now trying out SUPERAntiSpyware. My comp seems to be running ok; sometimes it's a little slow, it takes its time to refresh or load IE.

now when I reboot my comp I get
RUNDLL
Error loading C:/windows/system32/rutrscct.dll
the specified module could not be found..
Here is the HJT that was just run.
thanks again
Keith

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:38 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sympatico Dial-up Accelerator\slipaccel.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Documents and Settings\Keith\Desktop\Keith\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B3ADDB7B-3DF5-4672-82DD-775FFF180134} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D6E28C7B-0F89-41AD-B984-B3AA2F7EF124} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [0444e5a3] rundll32.exe "C:\WINDOWS\system32\rutrscct.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SpywareProMFC] C:\Program Files\SpywarePro\SpywarePro.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Dial-up Accelerator.lnk = C:\Program Files\Sympatico Dial-up Accelerator\slipaccel.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174362047918
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174363006215
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: jkklmlk - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

--
End of file - 10054 bytes

pskelley
2008-03-13, 00:24
Hi Keith, something did not go right in the last instructions you were posted? I am going to post them again and it is very important you read and follow them exactly as I post them.

You need to know that we cleaned Prefetch recently, see this information:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
The computer will boot slow a few times until Windows repopulates the Prefetch folder.

What I am seeing looks like TeaTimer instructions were not followed, it MUST be disabled and the instructions for using the batch file must be done as posted.

Vundo is hard to remove, it will morph and return if it is not all removed, expect that this can take some time and effort. If you can not complete any part of the instructions, make me aware of that in your next post.

1) SUPERAntiSpyware must be turned off, I do not have instructions for this program, turn it off, you can probably exit the program in the System tray.

2) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.

3) In some cases it's quite useful to reset TeaTimer, once you've had it disabled, to remove HijackThis entries:
Download ResetTeaTimer.bat.

http://downloads.subratam.org/ResetTeaTimer.bat

Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and prevent TeaTimer from restoring them upon reactivation).

4) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B3ADDB7B-3DF5-4672-82DD-775FFF180134} - (no file)
O2 - BHO: (no name) - {D6E28C7B-0F89-41AD-B984-B3AA2F7EF124} - (no file)
O4 - HKLM\..\Run: [0444e5a3] rundll32.exe "C:\WINDOWS\system32\rutrscct.dll",b
(this is Vundo)
O20 - Winlogon Notify: jkklmlk - C:\WINDOWS\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\system32\rutrscct.dll <<< delete that file (that is Vundo)

run CleanManager: http://spyware-free.us/tutorials/cleanmgr/

Restart and post a new HJT log and your feedback.

Thanks
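
A small log-triage helper, added here as an illustration and not a tool from this thread, from HijackThis or from any of the products named in the logs, that encodes the pattern pskelley is using to pick the Vundo lines out of an HJT log: an O4 Run entry whose value name is a random hex tag and which starts rundll32 on an eight-letter DLL sitting directly in system32 with a single-letter export, an O20 Winlogon Notify entry that points at a directory instead of a DLL, and orphaned "(no file)" BHO registrations that are only cleanup. The sample lines are constructed from the entries quoted in this thread; the heuristics, thresholds, function names and severity labels are assumptions made for this example, not a published signature, so a hit is a lead for a human reviewer, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines, modelled on the HijackThis entries quoted in this thread.
# The two rundll32 lines and the bare Winlogon Notify entry are the ones the helper
# should flag; the rest are ordinary software that must NOT be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [0444e5a3] rundll32.exe "C:\WINDOWS\system32\rutrscct.dll",b
O4 - HKLM\..\Run: [BM0777d63f] Rundll32.exe "C:\WINDOWS\system32\oamawajn.dll",s
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: jkklmlk - C:\WINDOWS\
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D6E28C7B-0F89-41AD-B984-B3AA2F7EF124} - (no file)
"""

# HJT line shapes (assumed from the logs in this thread, not an official grammar).
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
BHO_ORPHAN_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - \(no file\)$")
# rundll32 [path\to.dll],export  with the path optionally quoted
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)$', re.IGNORECASE
)
# Heuristics for the naming style seen in this thread (assumption, not a signature).
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")          # e.g. rutrscct.dll, oamawajn.dll
HEX_TAG_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$")         # e.g. 0444e5a3, BM0777d63f


@dataclass
class Finding:
    severity: str   # "high" = review and remove, "low" = cosmetic cleanup
    line: str
    reason: str


def check_run_entry(value_name: str, command: str) -> Optional[Tuple[str, str]]:
    """Score an O4 Run entry. Returns (severity, reason) or None if it looks benign."""
    m = RUNDLL_RE.match(command.strip())
    if not m:
        return None                       # only rundll32-style loaders are scored here
    dll = m.group("dll").strip()
    export = m.group("export")
    parts = dll.replace("/", "\\").split("\\")
    base = parts[-1]
    parent = parts[-2].lower() if len(parts) >= 2 else ""
    reasons = []
    if parent == "system32" and RANDOM_DLL_RE.match(base):
        reasons.append("rundll32 loads an eight-letter DLL directly from system32")
    if len(export) == 1:
        reasons.append("single-letter export name")
    if HEX_TAG_RE.match(value_name):
        reasons.append("Run value name is a random hex tag")
    # Require two independent oddities so a vendor DLL with an odd export is not flagged.
    if len(reasons) >= 2:
        return "high", "; ".join(reasons)
    return None


def check_notify_entry(name: str, path: str) -> Optional[Tuple[str, str]]:
    """An O20 handler must name a DLL; a bare directory is a leftover or hidden hook."""
    if not path.strip().lower().endswith(".dll"):
        return "high", "Winlogon Notify entry '%s' names no DLL file (bare directory)" % name
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk an HJT log and return the entries a reviewer should look at first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            verdict = check_run_entry(m.group(2), m.group(3))
            if verdict:
                findings.append(Finding(verdict[0], line, verdict[1]))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            verdict = check_notify_entry(m.group(1), m.group(2))
            if verdict:
                findings.append(Finding(verdict[0], line, verdict[1]))
            continue
        if BHO_ORPHAN_RE.match(line):
            findings.append(Finding("low", line, "orphaned BHO registration, no file on disk"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n        %s" % (f.severity.upper(), f.line, f.reason))
```

Run against the sample it reports the two rundll32 loaders and the jkklmlk Winlogon Notify line as high, the dead BHO as low, and stays silent on the Lexmark rundll32 entry (a vendor DLL under a spool subfolder with a normal export name), which is the false positive a naive "rundll32 = bad" rule would produce.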

keiths
2008-03-13, 02:31
Hi pskelley.
I think I have it... no RUNDLL error loading .......
I shut everything down again, checked Spybot S&D, TeaTimer was not checked, re-checked it and went through the shut down process again, unchecked it again, still no OK prompt..
ran resetteatimer. it said close teatimer and spybot s&d hit any key. done
I went through to make sure that all files are not hidden
ran HJT checked the boxes that had the proper string then clicked "fix checked"
I still cannot find C:/WINDOWS/system32/rutrscct.dll..
I ran cleanmgr and cleaned the temp files..

here is the last scan from HJT.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:34 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Sympatico Dial-up Accelerator\slipaccel.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Keith\Desktop\Keith\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Dial-up Accelerator.lnk = C:\Program Files\Sympatico Dial-up Accelerator\slipaccel.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174362047918
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174363006215
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

--
End of file - 9661 bytes

thanks Keith

pskelley
2008-03-13, 03:08
Thanks, a clean HJT log, great job with those complex instructions.

Let's have a look at a Kaspersky Online Scan to make sure nothing hides from us. Before you scan, remove combofix and any other tools we use. You may keep ATF-Cleaner if you wish.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from

http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks...Phil

keiths
2008-03-13, 11:31
Hi Phil.
here it is. I have to split the report as it is too big
Keith

KASPERSKY ONLINE SCANNER REPORT
Thursday, March 13, 2008 6:22:13 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/03/2008
Kaspersky Anti-Virus database records: 566154

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 138864
Number of viruses found: 15
Number of infected objects: 65
Number of suspicious objects: 0
Duration of the scan process: 03:13:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Keith\Application Data\sdi.db Object is locked skipped
C:\Documents and Settings\Keith\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-3-12-2008( 21-6-29 ).LOG Object is locked skipped
C:\Documents and Settings\Keith\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Keith\Desktop\Keith\RRT\RRT.rar/RAR Repair Tool Version v3.1/RarRepairSetup.exe Infected: Backdoor.Win32.PoisonIvy.r skipped
C:\Documents and Settings\Keith\Desktop\Keith\RRT\RRT.rar RAR: infected - 1 skipped
C:\Documents and Settings\Keith\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\Application Data\Identities\{3CC4EE6D-B656-441A-86A6-A77BEB7A8803}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\Application Data\Identities\{3CC4EE6D-B656-441A-86A6-A77BEB7A8803}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\Temp\me_bUnLGKLbMaAMZ6F Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\Temp\me_jBiAA9Zod7zuOfp Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\Temp\me_KHvprbbKMLHj93w Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\Temp\me_zJ4kJzcer8VCth2 Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\Temp\me_ZMFtzk9w8JFFrHK Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Keith\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Keith\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.mm Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A504719.exe Infected: Backdoor.Win32.Bifrose.acs skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A59450E.exe Infected: Backdoor.Win32.Bifrose.acs skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2146459E.exe Infected: Email-Worm.Win32.Zhelatin.cq skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\32A972CA.exe Infected: Trojan-Downloader.Win32.Small.irm skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\37CE41AE.htm Infected: Exploit.Win32.IMG-ANI.ak skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\37D515A6.exe Infected: Email-Worm.Win32.Zhelatin.cq skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\37D515A6.htm Infected: Trojan-Downloader.VBS.Agent.u skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\37D83FA3.exe Infected: Email-Worm.Win32.Zhelatin.cq skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3A5B7F9E.exe Infected: Backdoor.Win32.PoisonIvy.r skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\669F2AD1.exe Infected: Backdoor.Win32.Bifrose.acs skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP318\A0045547.exe Infected: Email-Worm.Win32.Zhelatin.cq skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP318\A0045552.exe Infected: Backdoor.Win32.Bifrose.acs skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP318\A0045553.exe Infected: Backdoor.Win32.PoisonIvy.r skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP318\A0045555.exe Infected: Email-Worm.Win32.Zhelatin.cq skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP318\A0045557.exe Infected: Email-Worm.Win32.Zhelatin.cq skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP318\A0045559.exe Infected: Backdoor.Win32.Bifrose.acs skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP318\A0045560.exe Infected: Backdoor.Win32.Bifrose.acs skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP343\A0047206.exe Infected: Trojan-Downloader.Win32.Agent.jya skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048252.exe Infected: Backdoor.Win32.Bifrose.acs skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048253.exe Infected: Backdoor.Win32.PoisonIvy.r skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048255.exe Infected: Email-Worm.Win32.Zhelatin.cq skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048262.exe Infected: Email-Worm.Win32.Zhelatin.cq skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048265.exe Infected: Backdoor.Win32.Bifrose.acs skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048266.exe Infected: Email-Worm.Win32.Zhelatin.cq skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048268.exe Infected: Backdoor.Win32.Bifrose.acs skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048534.exe Infected: Trojan-Downloader.Win32.Small.irm skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048551.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.iui skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048551.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.snf skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048551.exe/data.rar Infected: Trojan-Downloader.Win32.Small.snf skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048551.exe RarSFX: infected - 3 skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048552.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.iui skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048552.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.snf skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048552.exe/data.rar Infected: Trojan-Downloader.Win32.Small.snf skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048552.exe RarSFX: infected - 3 skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048553.exe Infected: Trojan-Downloader.Win32.Small.snf skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048554.exe Infected: Trojan-Downloader.Win32.Small.iui skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048557.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.iui skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048557.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.snf skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048557.exe/data.rar Infected: Trojan-Downloader.Win32.Small.snf skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048557.exe RarSFX: infected - 3 skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048559.exe Infected: Trojan-Downloader.Win32.Small.iui skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048560.exe Infected: Trojan-Downloader.Win32.Small.snf skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048562.exe Infected: Trojan-Downloader.Win32.Small.iui skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048563.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.iui skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048563.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.irm skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048563.exe/data.rar Infected: Trojan-Downloader.Win32.Small.irm skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048563.exe RarSFX: infected - 3 skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP348\A0048689.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.iui skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP348\A0048689.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.snf skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP348\A0048689.exe/data.rar Infected: Trojan-Downloader.Win32.Small.snf skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP348\A0048689.exe RarSFX: infected - 3 skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP348\A0048690.exe Infected: Trojan-Downloader.Win32.Small.snf skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP348\A0048716.EXE Infected: Trojan-Downloader.Win32.Agent.krh skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP350\A0049066.exe Infected: Trojan-Downloader.Win32.Small.iui skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_U.S. Robotics 56K Voice Host Int.txt Object is locked skipped
C:\WINDOWS\S8EB5BECA.tmp Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

keiths
2008-03-13, 11:33
part 2.


F:\Documents and Settings\All Users\Documents\Config\desktop2.idf Object is locked skipped
F:\Documents and Settings\All Users\Documents\Fonts\SwUniNew.tff Object is locked skipped
F:\Program Files\DAP\History\Bradley Hilary\_lasthist.dat Object is locked skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DDA6B6D.tmp Infected: Trojan.Java.ClassLoader.h skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DE46963.tmp Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1FF83231.tmp Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\31B910B6.htm/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\31B910B6.htm/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\31B910B6.htm ZIP: infected - 2 skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\31B910B6.htm Crypt.Quarantine: infected - 2 skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5A2A239B.tmp Infected: P2P-Worm.Win32.VB.dw skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\660C2596.tmp Infected: Trojan.Java.ClassLoader.d skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001457.inf Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001458.inf Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001459.inf Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001460.exe Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001461.exe Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001462.dll Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001463.dll Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001464.dll Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001465.ver Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001466.inf Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001467.cat Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001468.cat Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001469.cat Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001470.exe Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001471.dll Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001472.dll Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001473.dll Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001474.dll Object is locked skipped
F:\System Volume Information\_restore{A164E982-F2D0-4813-82D1-9E0760414586}\RP15\A0001475.cat Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\browser.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Keith

pskelley
2008-03-13, 11:54
Hello Keith, let's clean these up like this.

1) Showing you this one because it looks like it was downloaded and you were sent an infected file:
C:\Documents and Settings\Keith\Desktop\Keith\RRT\RRT.rar/RAR Repair Tool Version v3.1/RarRepairSetup.exe ------> Backdoor.Win32.PoisonIvy.r
http://www.google.com/search?hl=en&q=+Backdoor.Win32.PoisonIvy.r&btnG=Google+Search
Delete that folder in red and I suggest you stay away from wherever you got this.

2) For some reason you are showing NAV running on two drives? Delete everything in those quarantine folders
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000041213443506

3) Empty the Recycle Bin on the Desktop

4) Restart the computer

5) Clean the infected System Restore files.
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

If the directions were followed, the next KOS will be clean and I do not need to see a clean scan.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

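The triage Phil does by hand above (separating the one live infected file from the copies sitting in the Norton quarantine folders and in System Restore points) can be done mechanically over a Kaspersky Online Scanner report. The following is an added example, not code from the thread or from Kaspersky: it assumes the report line format quoted in the posts (path, then "Infected: <name>", "Object is locked" or "<container>: infected - <n>", then "skipped", separated by whitespace), and the location heuristics (`\Quarantine\` and `\System Volume Information\_restore`) are my own. The sample lines are copied from the report in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: ten lines taken from the Kaspersky Online Scanner report
# quoted in this thread, in the same whitespace-separated layout.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Keith\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Keith\Desktop\Keith\RRT\RRT.rar/RAR Repair Tool Version v3.1/RarRepairSetup.exe Infected: Backdoor.Win32.PoisonIvy.r skipped
C:\Documents and Settings\Keith\Desktop\Keith\RRT\RRT.rar RAR: infected - 1 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A504719.exe Infected: Backdoor.Win32.Bifrose.acs skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2146459E.exe Infected: Email-Worm.Win32.Zhelatin.cq skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP318\A0045547.exe Infected: Email-Worm.Win32.Zhelatin.cq skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048551.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.iui skipped
C:\System Volume Information\_restore{56B85D10-1124-4982-8AA6-57087F7FA535}\RP347\A0048551.exe RarSFX: infected - 3 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5A2A239B.tmp Infected: P2P-Worm.Win32.VB.dw skipped
"""

# One report line: a path (may contain spaces and '/' for archive members),
# then one of three status forms, then the action ("skipped").
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:Infected:\s+(?P<threat>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<container>\S+): infected - (?P<count>\d+))"
    r"\s+skipped\s*$"
)

# Heuristic location classes (assumption, not part of the scanner output):
# copies in an AV quarantine or in System Restore are inert until restored,
# a "live" path is a file the user can actually run.
def classify_location(path):
    p = path.lower()
    if "\\quarantine\\" in p:
        return "av-quarantine"
    if "\\system volume information\\_restore" in p:
        return "system-restore"
    return "live"

# Remediation matching the steps given in the thread for each location class.
ACTIONS = {
    "live": "delete the file/folder and empty the Recycle Bin",
    "av-quarantine": "purge the antivirus quarantine folder",
    "system-restore": "turn System Restore off, reboot, turn it back on",
}

def parse_report(text):
    """Return one dict per recognised line; header/statistics lines are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        path = m.group("path")
        if m.group("locked"):
            kind, threat = "locked", None
        elif m.group("threat"):
            kind, threat = "infected", m.group("threat")
        else:
            # Archive summary line: the members were already listed individually,
            # so it is recorded but not counted as a separate detection.
            kind, threat = "container", None
        findings.append({"path": path, "kind": kind, "threat": threat,
                         "location": classify_location(path)})
    return findings

def summarize(findings):
    """Group named detections by location and list live infected paths."""
    by_location = defaultdict(Counter)
    for f in findings:
        if f["kind"] == "infected":
            by_location[f["location"]][f["threat"]] += 1
    live = [f["path"] for f in findings
            if f["kind"] == "infected" and f["location"] == "live"]
    locked = sum(1 for f in findings if f["kind"] == "locked")
    return {"by_location": dict(by_location), "live_infected_paths": live,
            "locked": locked}

if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_REPORT))
    for loc, families in report["by_location"].items():
        print(f"{loc}: {sum(families.values())} detection(s) -> {ACTIONS[loc]}")
        for name, n in families.most_common():
            print(f"    {n} x {name}")
    print("locked (unscanned, not detections):", report["locked"])
```

"Object is locked" entries are files the scanner could not open (registry hives, event logs, index.dat), not detections, so they are counted separately; the live list is the one that needs a manual decision, exactly as in Phil's reply.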
keiths
2008-03-14, 15:44
Phil
Just want to say thank you again, my PC is finally clean.

Thanks Keith