View Full Version : TESLLAR A C:\windows\system32\drivers\core.cache.dsk
josecanusee
2008-04-08, 16:21
Cant get rid of this TESLLAR A
Can someone help me following is hijackthis log
Thanks
Logfile of HijackThis v1.99.1
Scan saved at 8:51:08 AM, on 4/8/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\CompuMaster\Print2000\Pr2KService.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dndchb.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Steven DeCore\Application Data\Mozilla\Profiles\default\lujtzkfw.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Application Data\Mozilla\Profiles\default\lujtzkfw.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: Print2000.lnk = C:\Program Files\CompuMaster\Print2000\Pr2KIcon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: SEAGULL J Walk Java Client 4_0C11 - http://www.rateexplorer.com/jwalk/jwalk_ie.cab
O16 - DPF: {1FE5F6CD-7490-4428-9E79-830E8CC55B8B} (VCView Class) - http://192.168.1.105/control/VCViewAtl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136722792687
O16 - DPF: {B0E1526D-A0C8-417E-9F8D-E8D11ADFAFC6} (_NetIPCam Control) - http://camerademo.dyndns.org:86/img/IPCamActiveX_Setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{790F195E-594F-4DEF-8568-88B98246B1E2}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
pskelley
2008-04-08, 17:45
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Appears you missed the information pinned to the top of the forum, so I posted it above. Your HJT version is out of date as is your Windows version.
Follow the posted directions and Update Your Windows XP.
You are currently using an unpatched version of Windows XP.
Before attempting to remove malware, it is CRITICAL that you update to Service Pack 1a.
Get SP1a here : http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
You should also get SP2, but NOT NOW, rather only after your machine is clean.
After updating your Windows to SP1a, and your HJT version, post a new HijackThis log and the required Kaspersky Online Scan results, using the Post Reply button.
Thanks
josecanusee
2008-04-08, 21:07
Here is the updated hijackthis log. I did upgrade to sp 1a and rebooted my machine as told.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:00:28 PM, on 4/8/2008
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\CompuMaster\Print2000\Pr2KIcon.exe
C:\Program Files\CompuMaster\Print2000\Pr2KService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\ATPJGETX\HiJackThis_v2[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dndchb.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Application Data\Mozilla\Profiles\default\lujtzkfw.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Application Data\Mozilla\Profiles\default\lujtzkfw.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: Print2000.lnk = C:\Program Files\CompuMaster\Print2000\Pr2KIcon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: SEAGULL J Walk Java Client 4_0C11 - http://www.rateexplorer.com/jwalk/jwalk_ie.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {1FE5F6CD-7490-4428-9E79-830E8CC55B8B} (VCView Class) - http://192.168.1.105/control/VCViewAtl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136722792687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207669857467
O16 - DPF: {B0E1526D-A0C8-417E-9F8D-E8D11ADFAFC6} (_NetIPCam Control) - http://camerademo.dyndns.org:86/img/IPCamActiveX_Setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{790F195E-594F-4DEF-8568-88B98246B1E2}: NameServer = 192.168.1.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
--
End of file - 7630 bytes
Here is the Kaspersky online scan results
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 08, 2008 1:54:09 PM
Operating System: Microsoft Windows XP Home Edition, (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/04/2008
Kaspersky Anti-Virus database records: 619361
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\
Scan Statistics
Total number of scanned objects 20026
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:26:39
Infected Object Name Virus Name Last Action
C:\WINDOWS\$NtUninstallQ308387$\autolfn.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ308387$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ308387$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ308402$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ308402$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ308402$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ308677$\userenv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ311889$\termsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ312368$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ312368$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ312368$\syssetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\netsetup.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\ssdpapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\ssdpsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\upnp.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\atgban.dll Object is locked skipped
C:\WINDOWS\system32\bharebio01\bharebio011065.exe Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\kbdclasss.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Thanks
pskelley
2008-04-08, 21:10
Logfile of Trend Micro HijackThis v2.0.0 (BETA) <<< out of date
Scan saved at 2:00:28 PM, on 4/8/2008
Platform: Windows XP (no service pack) (WinNT 5.01.2600)
Boot mode: Normal
Thanks
josecanusee
2008-04-08, 21:25
Is this any better??
Thanks
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:32 PM, on 4/8/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\CompuMaster\Print2000\Pr2KIcon.exe
C:\Program Files\CompuMaster\Print2000\Pr2KService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dndchb.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Application Data\Mozilla\Profiles\default\lujtzkfw.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Application Data\Mozilla\Profiles\default\lujtzkfw.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: Print2000.lnk = C:\Program Files\CompuMaster\Print2000\Pr2KIcon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: SEAGULL J Walk Java Client 4_0C11 - http://www.rateexplorer.com/jwalk/jwalk_ie.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {1FE5F6CD-7490-4428-9E79-830E8CC55B8B} (VCView Class) - http://192.168.1.105/control/VCViewAtl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136722792687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207669857467
O16 - DPF: {B0E1526D-A0C8-417E-9F8D-E8D11ADFAFC6} (_NetIPCam Control) - http://camerademo.dyndns.org:86/img/IPCamActiveX_Setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{790F195E-594F-4DEF-8568-88B98246B1E2}: NameServer = 192.168.1.1
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
--
End of file - 7249 bytes
pskelley
2008-04-08, 21:38
No it is not, see this link:
http://forums.spybot.info/showthread.php?t=425
http://www.microsoft.com/genuine/downloads/faq.aspx
If your copy of Windoes XP is valid, you will be able to update to SP1a
If you can not update, contact Microsoft for help:
http://support.microsoft.com/
Thanks
josecanusee
2008-04-09, 15:35
I downloaded sp1a however it only shows sp1 I dont know if this is good.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:09 AM, on 4/9/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\CompuMaster\Print2000\Pr2KService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dndchb.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Application Data\Mozilla\Profiles\default\lujtzkfw.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Application Data\Mozilla\Profiles\default\lujtzkfw.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: Print2000.lnk = C:\Program Files\CompuMaster\Print2000\Pr2KIcon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: SEAGULL J Walk Java Client 4_0C11 - http://www.rateexplorer.com/jwalk/jwalk_ie.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {1FE5F6CD-7490-4428-9E79-830E8CC55B8B} (VCView Class) - http://192.168.1.105/control/VCViewAtl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136722792687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207669857467
O16 - DPF: {B0E1526D-A0C8-417E-9F8D-E8D11ADFAFC6} (_NetIPCam Control) - http://camerademo.dyndns.org:86/img/IPCamActiveX_Setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{790F195E-594F-4DEF-8568-88B98246B1E2}: NameServer = 192.168.1.1
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
--
End of file - 7545 bytes
pskelley
2008-04-09, 15:43
Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log.
Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks
josecanusee
2008-04-09, 16:11
ComboFix 08-04-08.10 - Steven DeCore 2008-04-09 8:49:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.671 [GMT -4:00]
Running from: C:\Documents and Settings\Steven DeCore\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp\1cb
C:\temp\tn3
C:\WINDOWS\adaway.lic
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\kbdclasss.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_kbdclasss
-------\Legacy_kbdclasss
-------\kbdclasss
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.
2008-04-09 07:46 . 2002-08-28 21:22 33,808 --a------ C:\WINDOWS\system32\ntio.sys
2008-04-09 07:46 . 2008-04-09 07:46 0 --a----t- C:\WINDOWS\000001_.tmp
2008-04-08 18:07 . 2008-04-08 18:07 12,598 --a------ C:\WINDOWS\system32\wpa.bak
2008-04-08 18:02 . 2002-03-27 00:19 151,552 --a------ C:\WINDOWS\system32\igfxres.dll
2008-04-08 17:55 . 2003-07-16 16:50 48,256 --a--c--- C:\WINDOWS\system32\dllcache\w32.dll
2008-04-08 17:55 . 2003-07-16 16:51 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll
2008-04-08 17:55 . 2003-07-16 16:51 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys
2008-04-08 17:55 . 2003-07-16 16:48 14,336 --a--c--- C:\WINDOWS\system32\dllcache\tsprof.exe
2008-04-08 17:53 . 2003-07-16 16:37 111,104 --a--c--- C:\WINDOWS\system32\dllcache\mtstocom.exe
2008-04-08 17:52 . 2003-07-16 16:22 10,096,640 --a--c--- C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-04-08 17:43 . 2008-04-08 17:43 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-04-08 17:43 . 2008-04-08 17:43 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-04-08 17:43 . 2008-04-08 17:43 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-04-08 17:43 . 2008-04-08 17:43 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-04-08 17:43 . 2008-04-08 17:43 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-08 17:40 . 2003-07-16 16:53 189,440 --a------ C:\WINDOWS\system32\wuaueng.dll
2008-04-08 17:40 . 2003-07-16 16:53 189,440 --a--c--- C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-04-08 17:40 . 2003-07-16 16:53 139,776 --a------ C:\WINDOWS\system32\wuauclt.exe
2008-04-08 17:40 . 2003-07-16 16:53 139,776 --a--c--- C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-04-08 17:40 . 2003-07-16 16:42 115,976 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-08 17:40 . 2003-07-16 16:42 115,976 --a--c--- C:\WINDOWS\system32\dllcache\rdpwd.sys
2008-04-08 17:38 . 2001-08-17 12:12 23,070 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2008-04-08 17:34 . 2003-07-16 16:46 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-04-08 17:34 . 2003-07-16 16:46 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-04-08 17:34 . 2003-07-16 16:30 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-04-08 17:34 . 2003-07-16 16:30 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-04-08 17:32 . 2008-04-08 18:23 1,793,768 --a------ C:\WINDOWS\setupapi.log.1.old
2008-04-08 15:29 . 2008-04-08 16:37 628,791 --a------ C:\WINDOWS\setupapi.old
2008-04-08 15:11 . 2002-06-12 19:14 827,438 --a------ C:\WINDOWS\system32\imjp81k.dll
2008-04-08 15:10 . 2002-08-29 03:41 534,016 --a------ C:\WINDOWS\system32\spider.exe
2008-04-08 15:08 . 2002-06-14 18:46 19,274 --a------ C:\WINDOWS\001210_.tmp
2008-04-08 14:20 . 2008-04-08 14:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-08 12:44 . 2008-04-08 12:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-08 12:44 . 2008-04-08 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-08 12:18 . 2004-04-14 17:50 740,864 --a--c--- C:\WINDOWS\system32\dllcache\helpctr.exe
2008-04-08 12:16 . 2004-04-11 00:04 593,408 -----c--- C:\WINDOWS\system32\dllcache\xpsp2res.dll
2008-04-08 12:13 . 2004-05-12 18:29 214,528 --a------ C:\WINDOWS\system32\dplayx.dll
2008-04-08 12:13 . 2004-05-12 18:29 214,528 --a--c--- C:\WINDOWS\system32\dllcache\dplayx.dll
2008-04-08 12:13 . 2004-05-12 18:29 50,176 --a------ C:\WINDOWS\system32\dpwsockx.dll
2008-04-08 12:13 . 2004-05-12 18:29 50,176 --a--c--- C:\WINDOWS\system32\dllcache\dpwsockx.dll
2008-04-08 12:11 . 2003-10-21 19:06 32,256 --a------ C:\WINDOWS\system32\msgsvc.dll
2008-04-08 12:11 . 2003-10-21 19:06 32,256 --a--c--- C:\WINDOWS\system32\dllcache\msgsvc.dll
2008-04-08 12:08 . 2003-07-24 16:40 477,696 --a--c--- C:\WINDOWS\system32\dllcache\cryptui.dll
2008-04-08 12:08 . 2003-07-24 16:40 477,696 --a------ C:\WINDOWS\system32\cryptui.dll
2008-04-08 12:06 . 2003-05-13 10:28 1,132,032 --a------ C:\WINDOWS\system32\quartz.dll
2008-04-08 12:06 . 2003-05-13 10:28 1,132,032 --a--c--- C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-08 12:05 . 2008-04-08 18:32 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-08 12:04 . 2008-04-08 12:04 123,392 --a------ C:\WINDOWS\system32\itss.dll
2008-04-08 12:03 . 2008-04-08 12:03 306,688 --a--c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-04-08 12:03 . 2008-04-08 12:03 260,096 --a------ C:\WINDOWS\system32\mstask.dll
2008-04-08 12:03 . 2008-04-08 12:03 260,096 --a--c--- C:\WINDOWS\system32\dllcache\mstask.dll
2008-04-08 12:03 . 2008-04-08 12:03 172,544 --a------ C:\WINDOWS\system32\schedsvc.dll
2008-04-08 12:03 . 2008-04-08 12:03 172,544 --a--c--- C:\WINDOWS\system32\dllcache\schedsvc.dll
2008-04-08 12:03 . 2008-04-08 12:03 10,752 --a------ C:\WINDOWS\system32\mstinit.exe
2008-04-08 12:03 . 2008-04-08 12:03 10,752 --a--c--- C:\WINDOWS\system32\dllcache\mstinit.exe
2008-04-07 12:36 . 2008-04-07 12:36 0 --a------ C:\WINDOWS\pestpatrol5.INI
2008-04-07 12:34 . 2008-04-08 15:27 1,418,688 --a------ C:\WINDOWS\setupapi.log.0.old
2008-04-07 10:09 . 2008-04-07 10:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-06 12:59 . 2008-04-07 12:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-06 12:59 . 2008-04-07 12:41 <DIR> d-------- C:\Documents and Settings\Application Data\SUPERAntiSpyware.com
2008-04-06 12:59 . 2008-04-06 12:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-06 11:43 . 2008-04-06 11:43 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-04-06 11:43 . 2008-04-06 11:45 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-04-06 11:41 . 2008-04-06 11:41 <DIR> d-------- C:\Documents and Settings\Application Data\Yahoo!
2008-04-06 08:17 . 2008-04-06 08:57 <DIR> d-------- C:\Program Files\Trojan Killer
2008-04-05 13:54 . 2008-04-05 16:21 164 --a------ C:\WINDOWS\wininit.ini
2008-04-05 12:45 . 2008-04-05 12:45 <DIR> d-------- C:\WINDOWS\system32\wii
2008-04-05 12:45 . 2008-04-06 08:51 <DIR> d-------- C:\WINDOWS\system32\pinz1
2008-04-05 12:45 . 2008-04-05 12:45 <DIR> d-------- C:\WINDOWS\system32\IDE2
2008-04-05 12:45 . 2008-04-06 08:51 <DIR> d-------- C:\WINDOWS\system32\ExTmp
2008-04-05 12:45 . 2008-04-08 13:46 <DIR> d-------- C:\WINDOWS\system32\bharebio01
2008-04-05 12:45 . 2008-04-06 08:51 <DIR> d-------- C:\WINDOWS\system32\axV
2008-04-05 12:45 . 2008-04-05 12:45 <DIR> d-------- C:\Temp\wdlw14
2008-04-05 12:45 . 2008-04-05 12:45 39,883 --a------ C:\WINDOWS\system32\targetedbanner-uninst.exe
2008-04-03 12:44 . 2008-04-03 13:09 <DIR> d-------- C:\Documents and Settings\Application Data\InfraRecorder
2008-04-03 12:41 . 2008-04-03 12:41 <DIR> d-------- C:\Program Files\InfraRecorder
2008-03-30 11:52 . 2008-03-30 11:53 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2008-03-30 11:52 . 2008-03-30 12:13 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-03-27 06:17 . 2008-03-27 06:17 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 12:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-04-08 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-07 16:12 --------- d-----w C:\Program Files\Yahoo!
2008-04-07 15:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-06 15:00 --------- d-----w C:\Program Files\Winamp
2008-04-05 18:17 --------- d-----w C:\Program Files\Adware Away
2008-04-02 20:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUIIMAGE
2008-03-05 14:37 --------- d-----w C:\Program Files\Java
2008-03-04 22:05 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-04 21:51 691,545 ----a-w C:\WINDOWS\unins000.exe
2007-10-16 16:42 6,016,952 ----a-w C:\Program Files\Firefox Setup 2.0.0.7.exe
2007-07-25 16:24 12,756 ----a-w C:\Program Files\Ultimate HTML Encryptor - HTML.txt
2007-07-06 18:20 1,604 ----a-w C:\Program Files\QuickTime Player.lnk
2006-10-25 10:06 17,207,032 ----a-w C:\Program Files\avg75free_428a818.exe
2006-09-05 20:55 525,709 ----a-w C:\Program Files\animg106.zip
2006-09-05 19:33 1,104,384 ----a-w C:\Program Files\gifsetup.exe
2006-08-07 18:16 2,232,256 ----a-w C:\Program Files\es32.zip
2006-07-11 20:00 650 ----a-w C:\Program Files\PDFCreator.lnk
2006-03-22 15:30 4,063,588 ----a-w C:\Program Files\P2K10626.exe
2005-09-30 16:53 1,740 ----a-w C:\Program Files\Adobe Reader 7.0.lnk
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 03:41 1511453]
"Eraser"="C:\Program Files\Eraser\Eraser.exe" [2007-07-28 17:05 277328]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 07:18 579072]
"Client Access Service"="C:\Program Files\IBM\Client Access\CwbSvStr.Exe" [1999-01-08 05:40 6928]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [1999-01-08 05:40 15632]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [1999-01-08 05:40 44816]
"PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 10:33 45108]
"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 11:07 36864]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-24 11:11 180269]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"SetDefPrt"="C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe" [2003-07-03 16:31 45056]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2002-08-28 21:38 208953]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-18 08:00 44032]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-03-27 00:28 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-03-27 00:20 106496]
"SoundMan"="SOUNDMAN.EXE" [2002-06-29 19:05 46592 C:\WINDOWS\SOUNDMAN.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 06:18 219136]
C:\Documents and Settings\Steven DeCore\Start Menu\Programs\Startup\
BHODemon 2.0.lnk - C:\Program Files\BHODemon 2\BHODemon.exe [2005-02-12 11:19:02 946176]
Print2000.lnk - C:\Program Files\CompuMaster\Print2000\Pr2KIcon.exe [2006-03-22 11:41:03 65536]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe [2006-03-15 12:52:09 1357016]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-09 18:13:18 972064]
SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2003-02-03 12:29:12 1568768]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2003-10-31 12:01 8704 C:\WINDOWS\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Steven DeCore^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Steven DeCore\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Steven DeCore^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Steven DeCore\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\System32\nwinkldq.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{43-32-2D-D7-ZN}]
R2 CVPNDRV;Cisco Systems IPsec Driver;C:\WINDOWS\System32\Drivers\CVPNDRV.sys [2003-07-17 21:17]
R3 WDMTwinax;WDMTwinax;C:\WINDOWS\System32\DRIVERS\nltwinax.sys [1999-06-08 06:20]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\System32\Drivers\Brfilt.sys [2001-08-17 14:12]
S3 BrSerWDM;Brother Serial driver;C:\WINDOWS\System32\Drivers\BrSerWdm.sys [2003-03-13 20:04]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\System32\Drivers\BrUsbMdm.sys [2001-08-17 14:12]
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\System32\Drivers\BrUsbScn.sys [2001-08-17 14:12]
S3 SNPP106;PC Camera (6029 CIF);C:\WINDOWS\System32\DRIVERS\snpp106.sys [2002-11-08 17:56]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 10:00:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 08:55:35
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\CompuMaster\Print2000\Pr2KService.exe
C:\WINDOWS\System32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-09 9:00:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-09 12:59:19
Pre-Run: 25,962,881,024 bytes free
Post-Run: 25,896,505,344 bytes free
.
2007-11-15 21:21:47 --- E O F ---
Here is HJT LOF
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:57 AM, on 4/9/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\CompuMaster\Print2000\Pr2KService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dndchb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\STEVEN DECORE\Application Data\Mozilla\Profiles\default\lujtzkfw.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\STEVEN DECORE\Application Data\Mozilla\Profiles\default\lujtzkfw.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: Print2000.lnk = C:\Program Files\CompuMaster\Print2000\Pr2KIcon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: SEAGULL J Walk Java Client 4_0C11 - http://www.rateexplorer.com/jwalk/jwalk_ie.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {1FE5F6CD-7490-4428-9E79-830E8CC55B8B} (VCView Class) - http://192.168.1.105/control/VCViewAtl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136722792687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207669857467
O16 - DPF: {B0E1526D-A0C8-417E-9F8D-E8D11ADFAFC6} (_NetIPCam Control) - http://camerademo.dyndns.org:86/img/IPCamActiveX_Setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{790F195E-594F-4DEF-8568-88B98246B1E2}: NameServer = 192.168.1.1
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
--
End of file - 7941 bytes
pskelley
2008-04-09, 16:26
Thanks for returning your information, how is the computer running now? Some information for you.
1) See this: http://www.definitivesolutions.com/bhodemon.htm
2) Once we finish, you need to visit Windows Updates and download/install Service Pack #2. I strongly suggest you also upgrade to internet Explorer 7.
3) USE HJT to remove this dead line, like this:
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
4) I suggest you run Clean Manager:
http://spyware-free.us/tutorials/cleanmgr/
5) AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
6) I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
Thanks
josecanusee
2008-04-09, 16:57
Computer seems to running fine. I did remove that line with HJT and also installed Recovery Console.
Is that all I have to do ??
Thanks
pskelley
2008-04-09, 17:03
Thanks, the Kaspersky Scan earlier showed nothing, no reason to run it. If you wish to run a doublecheck, use this scan:
Download Malwarebytes' Anti-Malware to your desktop.
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.
If you don't think it is necessary, some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
josecanusee
2008-04-09, 17:43
Here is the log
Malwarebytes' Anti-Malware 1.11
Database version: 603
Scan type: Full Scan (C:\|)
Objects scanned: 76124
Time elapsed: 27 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 42
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\icasServ (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adware away v3.1.3_is1 (Rogue.AdwareAway) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Adware Away (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away (Rogue.AdwareAway) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\Adware Away\activex.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\AdAway.dll (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\AdAway.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\AdwareAway.chm (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\autorun.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\EnumAutoRun.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\EnumDlls.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\EProcess.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\explorerbar.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\fa.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\FixDesktopBackground.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\folderdll.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\global.dll (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\iebhotoolbar.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\iepage.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\ietoolbarbutton.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\ieurlprefix.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\ieurlsearchhook.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\lsp.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\nameserver.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\notifydll.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\overall.log (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\process.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\protocolfilter.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\proxy.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\ScanAtStartup.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\screenshot.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\securitysite.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\service.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\shellextension.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\shellextensionhook.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\svchostdll.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\sysrestriction.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\unins000.dat (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\unins000.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\uninstall.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\Update2.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\Adware Away.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\Uninstall.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\Update.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\User Manual.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\Desktop\Adware Away.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
pskelley
2008-04-09, 17:50
Thanks for returning your information, that's a rouge program MBAM removed:
http://www.malwarebytes.org/malwarenet.php?name=Rogue.AdwareAway
You can check programs here: http://spywarewarrior.com/
Thanks
josecanusee
2008-04-09, 18:26
Thank you for all your time and patience. I really do appreciate it..
Thanks Again