Windows Update Help!



djomar
2008-09-20, 22:24
Ok, my Windows Update will not turn on! It gives me an error when I try to do it, and I looked it up and it led me to this site. When I try to turn it on manually it says it's already on. I used the hijack software and I guess I'm supposed to upload here. I appreciate whoever helps me.

ken545
2008-09-21, 17:56
Hello djomar

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected things can happen.

You have some infections on this computer that are preventing you from updating windows.

Please copy and paste your HijackThis log into the forum, as well as any other reports we ask for; do not attach them.


Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.

djomar
2008-09-21, 18:02
Thanks, sorry about the attachment. I guess I missed that part when I was reading the Read Before You Post thread. Ok, I will do that as soon as I can.

djomar
2008-09-21, 18:24
Ok, here's the MBAM log:

Malwarebytes' Anti-Malware 1.28
Database version: 1185
Windows 5.1.2600 Service Pack 2

9/21/2008 9:20:14 AM
mbam-log-2008-09-21 (09-20-14).txt

Scan type: Quick Scan
Objects scanned: 48249
Time elapsed: 11 minute(s), 31 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 5
Registry Keys Infected: 37
Registry Values Infected: 4
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 37

Memory Processes Infected:
C:\WINDOWS\faceback.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\WINDOWS\Config\csrss.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\dfgprymt.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qoMffDuU.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ejavkp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jkkKawxw.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iehlpr32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{28d0ef2b-41ff-4e45-ab90-398bc0428896} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkkawxw (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{28d0ef2b-41ff-4e45-ab90-398bc0428896} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8b4a9a5c-ad88-447a-98ac-f0be24532e59} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{8b4a9a5c-ad88-447a-98ac-f0be24532e59} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6c54318-5ac7-477d-b0a7-49af5189300c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrhwvlj (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a6c54318-5ac7-477d-b0a7-49af5189300c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aa854157-2168-4d53-b9f8-ebed9cb2d88b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{aa854157-2168-4d53-b9f8-ebed9cb2d88b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\winsurf.avideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d263b532-c528-49e5-8bb6-80fa67332c9a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7165223d-d2c9-422b-8126-411b11842b8b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{53e30863-280f-4cfa-99ab-55caeb95271c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8afb9239-69fd-43be-a131-7463be40b1f6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b06df51c-e9f4-427e-ad24-6ab9b13389b2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c6c335a3-e186-4456-9886-1163a09c20ca} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\ps16sys.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7cdcd136 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{28d0ef2b-41ff-4e45-ab90-398bc0428896} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm7fefe2aa (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\qomffduu -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomffduu -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Agent) -> Data: c:\windows\config\csrss.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jkkKawxw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qoMffDuU.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\UuDffMoq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UuDffMoq.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRHwVlJ.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ejavkp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\dfgprymt.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tmyrpgfd.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\huscewrm.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mrwecsuh.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lrsxqgtw.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wtgqxsrl.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nuhddgrm.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mrgddhun.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wdvxreds.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sderxvdw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\faceback.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\ps16sys.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJBrPHY.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hbmetvtb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbXOEtTk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\A17-tmpaoi.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\A19-tmpaoi.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Config\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iehlpr32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Media\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shpeamgn.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM7fefe2aa.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM7fefe2aa.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\wxvgsdbq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\wdpoefan.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\vadokmxt.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\olgdqarf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.





Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:55 PM, on 9/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\D-Link\Wireless G WNA-1330\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Config\csrss.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\faceback.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\D-Link\Wireless G WNA-1330\AIRPLUS.exe
C:\Program Files\Zune\Zune.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4PJA1FZ4\hijackthis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {28D0EF2B-41FF-4E45-AB90-398BC0428896} - C:\WINDOWS\system32\jkkKawxw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7EF80EA3-211F-48ED-94F9-522CB4E7DB41} - C:\WINDOWS\system32\qoMffDuU.dll
O2 - BHO: (no name) - {A6C54318-5AC7-477D-B0A7-49AF5189300C} - C:\WINDOWS\system32\rqRHwVlJ.dll (file missing)
O2 - BHO: {b88d2bc9-debe-8f9b-35d4-8612751458aa} - {aa854157-2168-4d53-b9f8-ebed9cb2d88b} - C:\WINDOWS\system32\ejavkp.dll
O2 - BHO: (no name) - {CB0EF67C-CF6E-4293-9581-D2F322E6A437} - C:\WINDOWS\system32\cbXPiGvS.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SMART Mirror Driver Monitor Service] "C:\Program Files\SynchronEyes Teacher 5.1\MonitorService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\faceback.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [7cdcd136] rundll32.exe "C:\WINDOWS\system32\dfgprymt.dll",b
O4 - HKLM\..\Run: [BM7fefe2aa] Rundll32.exe "C:\WINDOWS\system32\shpeamgn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221937884381
O18 - Filter hijack: text/html - {8afb9239-69fd-43be-a131-7463be40b1f6} - C:\WINDOWS\system32\iehlpr32.dll
O20 - AppInit_DLLs: ejavkp.dll
O20 - Winlogon Notify: jkkKawxw - C:\WINDOWS\SYSTEM32\jkkKawxw.dll
O20 - Winlogon Notify: rqRHwVlJ - rqRHwVlJ.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\Program Files\D-Link\Wireless G WNA-1330\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies - C:\Program Files\SynchronEyes Teacher 5.1\MonitorService.exe

--
End of file - 8433 bytes
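
The Malwarebytes log above is worth a second look for what it says about persistence rather than file names: Vundo's package (qomffduu) was registered under both LSA Notification Packages and Authentication Packages, a second csrss.exe was appended to the Winlogon Shell value, and ejavkp.dll sat in AppInit_DLLs. DLLs in those locations are loaded by lsass.exe, by the shell at logon, and (for AppInit_DLLs) by every process that loads user32.dll, which is why the scanner could only mark several items "Delete on reboot": the modules were mapped into running processes. As an added example that is not part of the thread, the script below audits those four values against assumed Windows XP defaults. The snapshot it runs on is constructed from the findings in the log above; the default allowlist (scecli, msv1_0, Explorer.exe, empty AppInit_DLLs) is an assumption for this example, and read_live() is a convenience for running the same check on a real XP box.

```python
import sys

# Value paths and the contents they normally hold on Windows XP. These defaults are an
# assumption for this example; vendor software can legitimately add entries, so treat
# anything extra as a lead to explain, not a verdict.
LSA_NOTIFY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages"
LSA_AUTH = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages"
WINLOGON_SHELL = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
APPINIT_DLLS = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"

EXPECTED = {
    LSA_NOTIFY: {"scecli"},
    LSA_AUTH: {"msv1_0"},
    WINLOGON_SHELL: {"explorer.exe"},
    APPINIT_DLLS: set(),
}

# Constructed snapshot reproducing what the Malwarebytes log above reported for this
# machine: Vundo's package in both LSA lists, a second csrss.exe appended to the Shell
# value, and its AppInit DLL.
INFECTED_SNAPSHOT = {
    LSA_NOTIFY: ["scecli", r"c:\windows\system32\qomffduu"],
    LSA_AUTH: ["msv1_0", r"c:\windows\system32\qomffduu"],
    WINLOGON_SHELL: r"Explorer.exe C:\WINDOWS\Config\csrss.exe",
    APPINIT_DLLS: "ejavkp.dll",
}


def _names(data):
    """Normalise REG_MULTI_SZ lists and space/comma separated REG_SZ strings to lowercase.

    Splitting on whitespace is acceptable here because Windows does not quote these
    values; a path containing a space would become two fragments, which is still a hit.
    """
    parts = data if isinstance(data, (list, tuple)) else data.replace(",", " ").split()
    return {p.strip().lower() for p in parts if p.strip()}


def audit(snapshot):
    """Return [(value path, sorted unexpected entries)] for every value holding extras."""
    findings = []
    for path, expected in EXPECTED.items():
        extra = _names(snapshot.get(path, "")) - expected
        if extra:
            findings.append((path, sorted(extra)))
    return findings


def read_live():
    """Build the same snapshot from the local registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read only works on Windows")
    import winreg
    snap = {}
    for path in EXPECTED:
        subkey, value = path.split("\\", 1)[1].rsplit("\\", 1)  # drop "HKLM\", split value name
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            try:
                snap[path] = winreg.QueryValueEx(key, value)[0]
            except FileNotFoundError:
                snap[path] = ""
    return snap


if __name__ == "__main__":
    snapshot = read_live() if sys.platform == "win32" else INFECTED_SNAPSHOT
    for path, extras in audit(snapshot):
        print(f"{path}\n    unexpected: {', '.join(extras)}")
```

Run on the constructed snapshot it reports all four values; on a clean XP install it reports nothing. A hit in the LSA lists is the one to take most seriously, since a DLL there runs inside lsass.exe with every credential that process handles.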

ken545
2008-09-21, 18:43
Hello,

Not a problem with attachments, but it makes it easier and faster for us to analyze logs and reports when you paste them right in.

Malwarebytes removed a ton of bad stuff. But what you have done is post your original HJT log. I always need you to rescan with HJT and post a fresh log so we can see what was removed and what was not, so we know how to proceed. HijackThis is also in a temporary directory; it needs to be in its own folder so that anything we remove that may cause an issue can be restored.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4PJA1FZ4\hijackthis[1].exe <--- Delete this

Lets reinstall it properly.


Download Trend Micro's HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.

Double click it to install.
Follow the prompts; by default it will install to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Open HJT, Scan and Save a Log File; it will open in Notepad.
Go to Format and make sure Word Wrap is unchecked.
Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Post Reply, not by starting a new thread.

djomar
2008-09-21, 23:23
Ok sorry about that, here is the new Hijackthis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:22:01 PM, on 9/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\D-Link\Wireless G WNA-1330\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Link\Wireless G WNA-1330\AIRPLUS.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {CB0EF67C-CF6E-4293-9581-D2F322E6A437} - C:\WINDOWS\system32\cbXPiGvS.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SMART Mirror Driver Monitor Service] "C:\Program Files\SynchronEyes Teacher 5.1\MonitorService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221937884381
O18 - Filter hijack: text/html - {8afb9239-69fd-43be-a131-7463be40b1f6} - (no file)
O20 - AppInit_DLLs: ejavkp.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\Program Files\D-Link\Wireless G WNA-1330\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies - C:\Program Files\SynchronEyes Teacher 5.1\MonitorService.exe

--
End of file - 7377 bytes

ken545
2008-09-22, 00:44
That's better, thank you.

Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click Fix Checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: (no name) - {CB0EF67C-CF6E-4293-9581-D2F322E6A437} - C:\WINDOWS\system32\cbXPiGvS.dll (file missing)

O18 - Filter hijack: text/html - {8afb9239-69fd-43be-a131-7463be40b1f6} - (no file)

O20 - AppInit_DLLs: ejavkp.dll






This tool needs to be run from Safe Mode to be effective, so download it to your desktop, then boot to Safe Mode to run it.

To Enter Safe Mode

Go to Start > Shut off your Computer > Restart.
As the computer starts to boot up, tap the F8 key somewhat rapidly;
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll to Safe Mode,
then press the Enter key on your keyboard.

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
Press any key and it will restart the PC.
When the PC restarts, the fix tool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.
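
The fix list in this post is what survives of the persistence points in the first log once Malwarebytes had run: a Browser Helper Object whose file is gone, a text/html MIME filter registration with no file behind it, and an AppInit_DLLs entry. Comparing the two HijackThis logs by eye is how the helper got there; as an added example that is not part of the thread, the script below does the same comparison mechanically. The log lines are copied from the two posts above (trimmed to the entry types that matter, with a benign line of each type left in), and the flagging rules are heuristics written for this example, not HijackThis's own logic.

```python
import re

# Lines copied from the two HijackThis logs posted in this thread: the first scan
# (taken before Malwarebytes ran) and the rescan. Only the entry types that carry
# persistence are kept, plus benign lines of the same types so the rules have
# something to leave alone.
BEFORE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O2 - BHO: (no name) - {28D0EF2B-41FF-4E45-AB90-398BC0428896} - C:\WINDOWS\system32\jkkKawxw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {CB0EF67C-CF6E-4293-9581-D2F322E6A437} - C:\WINDOWS\system32\cbXPiGvS.dll (file missing)
O4 - HKLM\..\Run: [7cdcd136] rundll32.exe "C:\WINDOWS\system32\dfgprymt.dll",b
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O18 - Filter hijack: text/html - {8afb9239-69fd-43be-a131-7463be40b1f6} - C:\WINDOWS\system32\iehlpr32.dll
O20 - AppInit_DLLs: ejavkp.dll
O20 - Winlogon Notify: jkkKawxw - C:\WINDOWS\SYSTEM32\jkkKawxw.dll
"""

AFTER_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {CB0EF67C-CF6E-4293-9581-D2F322E6A437} - C:\WINDOWS\system32\cbXPiGvS.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O18 - Filter hijack: text/html - {8afb9239-69fd-43be-a131-7463be40b1f6} - (no file)
O20 - AppInit_DLLs: ejavkp.dll
"""

# (entry type, pattern over the text after "Onn - ", why it matters). First match wins.
RULES = [
    ("F2", re.compile(r"^REG:system\.ini: Shell=Explorer\.exe\s+\S"),
     "extra executable chained onto the Winlogon Shell value"),
    ("O2", re.compile(r"\(no name\)|\(file missing\)|\(no file\)"),
     "unnamed or orphaned Browser Helper Object"),
    ("O4", re.compile(r'rundll32\.exe\s+"?C:\\WINDOWS\\system32\\[^"\\]+\.dll"?,', re.I),
     "rundll32 loading a DLL out of system32 at logon"),
    ("O18", re.compile(r"^Filter hijack:"),
     "MIME filter hijack: the DLL sees every text/html page before the browser does"),
    ("O20", re.compile(r"^AppInit_DLLs:\s*\S|^Winlogon Notify:"),
     "AppInit_DLLs / Winlogon Notify: DLL injected into GUI processes or at logon"),
]

LINE_RE = re.compile(r"^([FOR]\d+) - (.*)$")


def parse(log):
    """Return the set of (entry type, entry text) pairs found in an HJT log."""
    entries = set()
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def flag(entry_type, text):
    """Return the reason an entry deserves attention, or None if no rule matches."""
    for etype, pattern, reason in RULES:
        if etype == entry_type and pattern.search(text):
            return reason
    return None


def triage(before_log, after_log):
    """Diff two logs: (entries gone from the rescan, flagged entries still present).

    A line whose text changed (the F2 Shell value, the O18 filter that now reads
    "(no file)") shows up as removed and, if still suspicious, as a remaining finding.
    """
    before, after = parse(before_log), parse(after_log)
    removed = sorted(before - after)
    remaining = [(t, e, flag(t, e)) for t, e in sorted(after) if flag(t, e)]
    return removed, remaining


if __name__ == "__main__":
    gone, left = triage(BEFORE_LOG, AFTER_LOG)
    print("Removed since the first log:")
    for t, e in gone:
        print(f"  {t} - {e}")
    print("Still present and worth fixing:")
    for t, e, why in left:
        print(f"  {t} - {e}\n      -> {why}")
```

On these two logs the script reports five entries gone and three still present, the same O2, O18 and O20 entries listed for Fix Checked above. The "(no file)" and "(file missing)" hits are dangling registrations whose DLL Malwarebytes already deleted; fixing them removes the registry reference so nothing can drop a new DLL at the same name and be loaded again.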

djomar
2008-09-22, 01:28
Ok, I did all you asked; thanks again for your time and help. One thing I want to say, though, is that right after the script finished and my icons loaded, a balloon popped up saying "your computer is at risk, your virus protection is unknown".

Here are the logs you asked for:

Report.txt:


SDFix: Version 1.227
Run by Owner on Sun 09/21/2008 at 04:05 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\Owner\LOCALS~1\Temp\tmpC.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp13.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp14.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp15.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp16.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmpA9.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmpC.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\removalfile.bat - Deleted
C:\smp.bat - Deleted
Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 16:17:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 27 Feb 2004 233,472 A..H. --- "C:\Program Files\Image-Line\FL Studio 7\REX Shared Library.dll"
Thu 20 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 17 Dec 2007 36,352 ...H. --- "C:\Documents and Settings\Owner\My Documents\Chandler High School\History\~WRL1522.tmp"
Mon 17 Dec 2007 35,840 ...H. --- "C:\Documents and Settings\Owner\My Documents\Chandler High School\History\~WRL2352.tmp"

Finished!
Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:02 PM, on 9/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\D-Link\Wireless G WNA-1330\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Link\Wireless G WNA-1330\AIRPLUS.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SMART Mirror Driver Monitor Service] "C:\Program Files\SynchronEyes Teacher 5.1\MonitorService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221937884381
O18 - Filter hijack: text/html - {8afb9239-69fd-43be-a131-7463be40b1f6} - (no file)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\Program Files\D-Link\Wireless G WNA-1330\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies - C:\Program Files\SynchronEyes Teacher 5.1\MonitorService.exe

--
End of file - 7225 bytes

ken545
2008-09-22, 02:50
A bit more to do, we're not done yet.

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection afterwards, before connecting to the net.



2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

If you have not already done so, Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished, then restart your computer to restore the connections.


3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

Note: Do not mouse-click combofix's window while it's running. That may cause it to stall or freeze.

djomar
2008-09-22, 04:51
Alright, thanks again for the reply.

Here is the combofix log:

ComboFix 08-09-20.05 - Owner 2008-09-21 19:38:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.219 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\My Documents\SMBOLS~1
C:\update.exe
C:\WINDOWS\pppatc~1
C:\WINDOWS\system32\agcdbabe.ini
C:\WINDOWS\system32\ahfwhluv.ini
C:\WINDOWS\system32\bcboqxpw.ini
C:\WINDOWS\system32\huewvxvf.ini
C:\WINDOWS\system32\iainvica.ini
C:\WINDOWS\system32\kdqkgbkd.ini
C:\WINDOWS\system32\lkvvbvpf.ini
C:\WINDOWS\system32\nphhooop.ini
C:\WINDOWS\system32\pqbpbdva.ini
C:\WINDOWS\system32\qwlvqjii.ini
C:\WINDOWS\system32\SvGiPXbc.ini
C:\WINDOWS\system32\tfqomsje.ini
C:\WINDOWS\system32\ufrkfubw.ini
C:\WINDOWS\system32\uxqadedv.ini
C:\WINDOWS\system32\wmpkaeyi.ini
C:\WINDOWS\system32\ygqfbspo.ini

.
((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.

2008-09-21 16:00 . 2008-09-21 16:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-21 15:50 . 2008-09-21 16:23 <DIR> d-------- C:\SDFix
2008-09-21 14:31 . 2008-05-02 06:30 464,384 --------- C:\WINDOWS\system32\imapi2fs.dll
2008-09-21 14:31 . 2008-05-02 06:30 464,384 -----c--- C:\WINDOWS\system32\dllcache\imapi2fs.dll
2008-09-21 14:31 . 2008-05-02 06:30 317,952 --------- C:\WINDOWS\system32\imapi2.dll
2008-09-21 14:31 . 2008-05-02 06:30 317,952 -----c--- C:\WINDOWS\system32\dllcache\imapi2.dll
2008-09-21 14:31 . 2008-05-02 02:05 62,592 -----c--- C:\WINDOWS\system32\dllcache\cdrom.sys
2008-09-21 14:21 . 2008-09-21 14:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-21 09:04 . 2008-09-21 09:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-21 09:04 . 2008-09-21 09:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-09-21 09:04 . 2008-09-21 09:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-21 09:04 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-21 09:04 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-20 11:44 . 2008-09-20 11:44 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-09-12 18:48 . 2008-09-12 18:48 245,664 --a------ C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2008-09-12 18:46 . 2008-09-12 18:46 61,856 --a------ C:\WINDOWS\system32\ZuneBusEnum.exe
2008-09-12 15:48 . 2008-09-12 16:54 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-27 19:21 . 2008-09-01 10:22 <DIR> d-------- C:\Program Files\Common Files\Vernier Software
2008-08-27 19:21 . 2008-08-27 19:21 <DIR> d-------- C:\Program Files\Common Files\TI Shared
2008-08-27 19:21 . 2007-06-08 13:15 194,362 --a------ C:\WINDOWS\system32\drivers\windrvr6.sys
2008-08-27 19:21 . 2007-06-08 13:15 102,400 --a------ C:\WINDOWS\system32\wdapi811.dll
2008-08-27 19:21 . 2004-02-04 11:27 49,536 --a------ C:\WINDOWS\system32\drivers\tiehdusb.sys
2008-08-27 19:21 . 2007-01-10 13:23 17,424 --a------ C:\WINDOWS\system32\drivers\ezusb.sys
2008-08-27 19:21 . 2003-11-14 15:53 11,520 --a------ C:\WINDOWS\system32\drivers\wdmstub.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 02:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-21 22:53 --------- d-----w C:\Program Files\Zune
2008-09-21 15:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-15 00:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-09-13 01:32 40,832 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2008-09-01 17:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-30 15:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\DNA
2008-08-30 15:37 --------- d-----w C:\Program Files\DNA
2008-08-24 21:51 --------- d-----w C:\Program Files\HyCam2
2008-08-16 21:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\Orbit
2008-08-16 21:25 --------- d-----w C:\Program Files\LimeWire
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 01:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-11 00:19 32 --sha-w C:\WINDOWS\{D08F5659-ACA0-43CC-B88D-7EC565D3CBDD}.dat
2007-04-17 04:33 1,248,526 --sha-w C:\WINDOWS\system32\SvGiPXbc.ini2
2007-12-11 00:19 32 --sha-w C:\WINDOWS\system32\{5BF3A7B6-EEB9-4163-9F80-7D9E344AD5B4}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 50880]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 34504]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2008-09-12 160160]
"SMART Mirror Driver Monitor Service"="C:\Program Files\SynchronEyes Teacher 5.1\MonitorService.exe" [2004-08-26 319488]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-05-31 1283608]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\Wireless G WNA-1330\AIRPLUS.exe [2007-12-12 2859008]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-09-12 40832]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-09-12 61856]
R3 smrtdrv;SMART Technologies Inc. Mirror Driver;C:\WINDOWS\system32\DRIVERS\smrtdrv.sys [2004-04-22 2432]
S2 SMART Mirror Driver Monitor Service;SMART Mirror Driver Monitor Service;C:\Program Files\SynchronEyes Teacher 5.1\MonitorService.exe [2004-08-26 319488]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\Owner\Desktop\MoonLightEngine___RENAMEDTOAVOIDGGFILTER\IlvMoney1129.sys [ ]
S3 zenx1;zenx1;C:\Documents and Settings\Owner\Desktop\ZenxEngine LATEST\ZenxEngine_LATEST\zenx.sys [ ]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-09-12 245664]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xvowuyet.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 19:44:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-09-21 19:48:22
ComboFix-quarantined-files.txt 2008-09-22 02:47:18

Pre-Run: 4,666,392,576 bytes free
Post-Run: 4,638,711,808 bytes free

155 --- E O F --- 2008-09-10 04:50:33
Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:32 PM, on 9/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\D-Link\Wireless G WNA-1330\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SMART Mirror Driver Monitor Service] "C:\Program Files\SynchronEyes Teacher 5.1\MonitorService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221937884381
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\Program Files\D-Link\Wireless G WNA-1330\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies - C:\Program Files\SynchronEyes Teacher 5.1\MonitorService.exe

--
End of file - 6882 bytes

ken545
2008-09-22, 10:42
Good Morning,

Your logs look fine, but you have entries that show that P2P (File Sharing) programs were or are still installed: Limewire and Bit Torrent. I would like you to read and fully understand the dangers of these types of programs, as they are the latest avenue of attacks by malware writers. Our policy, as with most of the other malware removal forums, is that these have to be uninstalled before help can be offered (it looks like there are just leftover entries in your log). Our policy also states that if you get infected again in the future and these programs are installed, help will not be offered.



We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.

Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.


If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.


We do not ask you to do this without reason.


P2P (File Sharing ) programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html (http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html)

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

This fix will remove them completely, and if you look at it closely you will see that your firewall has given these programs access to download anything they wish.


Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Folder::

Folder::
C:\Program Files\DNA
C:\Program Files\LimeWire

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\DNA\\btdna.exe"=-
"C:\\Program Files\\LimeWire\\LimeWire.exe"=-
Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
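
The firewall exceptions referred to above can be reviewed mechanically. As an added example (not code from this thread, SDFix or ComboFix), the Python script below parses Windows Firewall export lines in the form the SDFix "Authorized Application Key Export" and ComboFix "Reg Loading Points" sections print, reports the standard-profile EnableFirewall state, flags the P2P clients named in this thread, and regenerates the Folder:: and Registry:: stanzas of the CFScript; the sample export and the P2P watch-list are constructed from the entries shown in this thread.

```python
"""Review a Windows Firewall AuthorizedApplications export and build the
matching ComboFix CFScript stanzas.

Added example; not part of SDFix, ComboFix or this thread. The sample export
and the P2P watch-list are constructed from the entries the thread shows.
"""
import ntpath
import re

# Constructed sample: firewall lines in the form the thread's SDFix/ComboFix logs use.
SAMPLE_EXPORT = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
'''

# Executables of the P2P clients named in the thread (basename, lower-case).
P2P_BINARIES = {"btdna.exe", "limewire.exe"}

# Key written in the CFScript form used in the thread (HKLM\~ abbreviation).
AUTH_LIST_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"

_SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')


def parse_firewall_export(text):
    """Return (firewall_enabled, rules). firewall_enabled is None when no
    EnableFirewall value appears. Each rule is a dict with the unescaped
    path, scope, enabled flag and display name of one firewall exception."""
    firewall_enabled = None
    rules = []
    in_auth_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            in_auth_list = m.group("key").lower().endswith(r"\authorizedapplications\list")
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data")
        if name.lower() == "enablefirewall":
            # Tool output prints the DWORD as "0 (0x0)" or "1 (0x1)".
            firewall_enabled = data.lstrip().startswith("1")
        elif in_auth_list and data.startswith('"') and data.endswith('"'):
            # Data is "<path>:<scope>:<Enabled|Disabled>:<display name>"; the
            # path itself contains "C:", so split from the right.
            path, scope, state, display = data.strip('"').rsplit(":", 3)
            rules.append({
                "path": path.replace("\\\\", "\\"),   # undo the doubled backslashes
                "scope": scope,
                "enabled": state.lower() == "enabled",
                "display": display,
            })
    return firewall_enabled, rules


def flag_p2p_rules(rules, watch=P2P_BINARIES):
    """Exceptions whose executable is on the P2P watch-list (on or off:
    a leftover exception is still something to remove)."""
    return [r for r in rules if ntpath.basename(r["path"]).lower() in watch]


def build_cfscript(flagged):
    """Render the Folder:: and Registry:: stanzas in the form posted above:
    each program folder is deleted, and "<value>=-" removes that exception."""
    folders = []
    for r in flagged:
        d = ntpath.dirname(r["path"])
        if d not in folders:
            folders.append(d)
    lines = ["Folder::", *folders, "", "Registry::", AUTH_LIST_KEY]
    for r in flagged:
        lines.append('"%s"=-' % r["path"].replace("\\", "\\\\"))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    enabled, rules = parse_firewall_export(SAMPLE_EXPORT)
    print("standard-profile firewall enabled:", enabled)
    for r in rules:
        tag = "P2P" if ntpath.basename(r["path"]).lower() in P2P_BINARIES else "   "
        print(f"  [{tag}] {r['display']:<22} {r['path']} ({'on' if r['enabled'] else 'off'})")
    print(build_cfscript(flag_p2p_rules(rules)), end="")
```

Run against the thread's own export, the generated stanzas match the CFScript ken545 posted; the EnableFirewall line is reported separately because an exception list means little when the profile itself is off.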

djomar
2008-09-23, 01:47
Hey thanks for the reply once again. Sorry about that, I had them uninstalled already because I read that section from viewing other posts. I didn't know it would have leftover files.

Anyways here is the ComboFix log:

ComboFix 08-09-20.05 - Owner 2008-09-22 16:09:55.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\DNA
C:\Program Files\DNA\btdna.exe
C:\Program Files\DNA\DNAcpl.cpl
C:\Program Files\DNA\plugins\npbtdna.dll
C:\Program Files\LimeWire\.NetworkShare\LimeWireWin4.18.5.exe
C:\Program Files\LimeWire\aopalliance.jar.tmp
C:\Program Files\LimeWire\Buy LimeWire PRO.url
C:\Program Files\LimeWire\clink.jar.tmp
C:\Program Files\LimeWire\commons-codec-1.3.jar.tmp
C:\Program Files\LimeWire\commons-logging.jar.tmp
C:\Program Files\LimeWire\commons-net.jar.tmp
C:\Program Files\LimeWire\COPYING
C:\Program Files\LimeWire\daap.jar.tmp
C:\Program Files\LimeWire\data.ser
C:\Program Files\LimeWire\dnsjava.jar.tmp
C:\Program Files\LimeWire\forms.jar.tmp
C:\Program Files\LimeWire\foxtrot.jar.tmp
C:\Program Files\LimeWire\gettext-commons.jar.tmp
C:\Program Files\LimeWire\guice-1.0.jar.tmp
C:\Program Files\LimeWire\hsqldb.jar.tmp
C:\Program Files\LimeWire\httpclient-4.0-alpha5-20080522.192134-5.jar.tmp
C:\Program Files\LimeWire\httpcore-4.0-beta2-20080510.140437-10.jar.tmp
C:\Program Files\LimeWire\httpcore-nio-4.0-beta2-20080510.140437-10.jar.tmp
C:\Program Files\LimeWire\icu4j.jar.tmp
C:\Program Files\LimeWire\inspection.props
C:\Program Files\LimeWire\install.log
C:\Program Files\LimeWire\jaudiotagger.jar.tmp
C:\Program Files\LimeWire\jcraft.jar.tmp
C:\Program Files\LimeWire\jdic.jar.tmp
C:\Program Files\LimeWire\jdic_stub.jar.tmp
C:\Program Files\LimeWire\jflac.jar.tmp
C:\Program Files\LimeWire\jl.jar.tmp
C:\Program Files\LimeWire\jmdns.jar.tmp
C:\Program Files\LimeWire\jogg.jar.tmp
C:\Program Files\LimeWire\jorbis.jar.tmp
C:\Program Files\LimeWire\language.prop
C:\Program Files\LimeWire\lib\aopalliance.jar
C:\Program Files\LimeWire\lib\clink.jar
C:\Program Files\LimeWire\lib\commons-codec-1.3.jar
C:\Program Files\LimeWire\lib\commons-httpclient.jar
C:\Program Files\LimeWire\lib\commons-logging.jar
C:\Program Files\LimeWire\lib\commons-net.jar
C:\Program Files\LimeWire\lib\commons-pool.jar
C:\Program Files\LimeWire\lib\daap.jar
C:\Program Files\LimeWire\lib\dnsjava.jar
C:\Program Files\LimeWire\lib\forms.jar
C:\Program Files\LimeWire\lib\foxtrot.jar
C:\Program Files\LimeWire\lib\gettext-commons.jar
C:\Program Files\LimeWire\lib\guice-1.0.jar
C:\Program Files\LimeWire\lib\hashes
C:\Program Files\LimeWire\lib\hsqldb.jar
C:\Program Files\LimeWire\lib\httpclient-4.0-alpha5-20080522.192134-5.jar
C:\Program Files\LimeWire\lib\httpcore-4.0-beta2-20080510.140437-10.jar
C:\Program Files\LimeWire\lib\httpcore-nio-4.0-beta2-20080510.140437-10.jar
C:\Program Files\LimeWire\lib\httpcore-nio.jar
C:\Program Files\LimeWire\lib\httpcore.jar
C:\Program Files\LimeWire\lib\icu4j.jar
C:\Program Files\LimeWire\lib\id3v2.jar
C:\Program Files\LimeWire\lib\jaudiotagger.jar
C:\Program Files\LimeWire\lib\jcraft.jar
C:\Program Files\LimeWire\lib\jdic.dll
C:\Program Files\LimeWire\lib\jdic.jar
C:\Program Files\LimeWire\lib\jdic_stub.jar
C:\Program Files\LimeWire\lib\jflac.jar
C:\Program Files\LimeWire\lib\jl.jar
C:\Program Files\LimeWire\lib\jl011.jar
C:\Program Files\LimeWire\lib\jmdns.jar
C:\Program Files\LimeWire\lib\jogg.jar
C:\Program Files\LimeWire\lib\jorbis.jar
C:\Program Files\LimeWire\lib\LimeWire.ico
C:\Program Files\LimeWire\lib\LimeWire.jar
C:\Program Files\LimeWire\lib\log4j.jar
C:\Program Files\LimeWire\lib\log4j.properties
C:\Program Files\LimeWire\lib\looks.jar
C:\Program Files\LimeWire\lib\messages.jar
C:\Program Files\LimeWire\lib\MessagesBundles.jar
C:\Program Files\LimeWire\lib\mp3sp14.jar
C:\Program Files\LimeWire\lib\mp3spi.jar
C:\Program Files\LimeWire\lib\onion-common.jar
C:\Program Files\LimeWire\lib\onion-fec.jar
C:\Program Files\LimeWire\lib\ProgressTabs.jar
C:\Program Files\LimeWire\lib\swt.jar
C:\Program Files\LimeWire\lib\SystemUtilities.dll
C:\Program Files\LimeWire\lib\SystemUtilitiesA.dll
C:\Program Files\LimeWire\lib\themes.jar
C:\Program Files\LimeWire\lib\tray.dll
C:\Program Files\LimeWire\lib\tritonus.jar
C:\Program Files\LimeWire\lib\UnpackedJars.7z
C:\Program Files\LimeWire\lib\vorbis.jar
C:\Program Files\LimeWire\lib\vorbisspi.jar
C:\Program Files\LimeWire\LimeWire On Startup.lnk
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\LimeWire\LimeWire.ico
C:\Program Files\LimeWire\LimeWire.jar.tmp
C:\Program Files\LimeWire\log4j.jar.tmp
C:\Program Files\LimeWire\looks.jar.tmp
C:\Program Files\LimeWire\messages.jar.tmp
C:\Program Files\LimeWire\mp3spi.jar.tmp
C:\Program Files\LimeWire\onion-common.jar.tmp
C:\Program Files\LimeWire\onion-fec.jar.tmp
C:\Program Files\LimeWire\pmf.ico
C:\Program Files\LimeWire\ProgressTabs.jar.tmp
C:\Program Files\LimeWire\root\magnet10\badge.img
C:\Program Files\LimeWire\root\magnet10\canHandle.img
C:\Program Files\LimeWire\root\magnet10\limewire.gif
C:\Program Files\LimeWire\root\magnet10\options.js
C:\Program Files\LimeWire\root\magnet10\silentdetect.js
C:\Program Files\LimeWire\SOURCE
C:\Program Files\LimeWire\spacer.gif
C:\Program Files\LimeWire\swt.jar.tmp
C:\Program Files\LimeWire\themes.jar.tmp
C:\Program Files\LimeWire\tritonus.jar.tmp
C:\Program Files\LimeWire\uninstall.exe
C:\Program Files\LimeWire\unpack.log
C:\Program Files\LimeWire\vorbisspi.jar.tmp

.
((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.

2008-09-21 16:00 . 2008-09-21 16:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-21 15:50 . 2008-09-21 16:23 <DIR> d-------- C:\SDFix
2008-09-21 14:31 . 2008-05-02 06:30 464,384 --------- C:\WINDOWS\system32\imapi2fs.dll
2008-09-21 14:31 . 2008-05-02 06:30 464,384 -----c--- C:\WINDOWS\system32\dllcache\imapi2fs.dll
2008-09-21 14:31 . 2008-05-02 06:30 317,952 --------- C:\WINDOWS\system32\imapi2.dll
2008-09-21 14:31 . 2008-05-02 06:30 317,952 -----c--- C:\WINDOWS\system32\dllcache\imapi2.dll
2008-09-21 14:31 . 2008-05-02 02:05 62,592 -----c--- C:\WINDOWS\system32\dllcache\cdrom.sys
2008-09-21 14:21 . 2008-09-21 14:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-21 09:04 . 2008-09-21 09:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-21 09:04 . 2008-09-21 09:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-09-21 09:04 . 2008-09-21 09:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-21 09:04 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-21 09:04 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-20 11:44 . 2008-09-20 11:44 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-09-12 18:48 . 2008-09-12 18:48 245,664 --a------ C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2008-09-12 18:46 . 2008-09-12 18:46 61,856 --a------ C:\WINDOWS\system32\ZuneBusEnum.exe
2008-09-12 15:48 . 2008-09-12 16:54 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-27 19:21 . 2008-09-01 10:22 <DIR> d-------- C:\Program Files\Common Files\Vernier Software
2008-08-27 19:21 . 2008-08-27 19:21 <DIR> d-------- C:\Program Files\Common Files\TI Shared
2008-08-27 19:21 . 2007-06-08 13:15 194,362 --a------ C:\WINDOWS\system32\drivers\windrvr6.sys
2008-08-27 19:21 . 2007-06-08 13:15 102,400 --a------ C:\WINDOWS\system32\wdapi811.dll
2008-08-27 19:21 . 2004-02-04 11:27 49,536 --a------ C:\WINDOWS\system32\drivers\tiehdusb.sys
2008-08-27 19:21 . 2007-01-10 13:23 17,424 --a------ C:\WINDOWS\system32\drivers\ezusb.sys
2008-08-27 19:21 . 2003-11-14 15:53 11,520 --a------ C:\WINDOWS\system32\drivers\wdmstub.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 23:17 --------- d-----w C:\Program Files\LimeWire
2008-09-22 23:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-22 02:56 --------- d-----w C:\Program Files\Norton AntiVirus
2008-09-21 22:53 --------- d-----w C:\Program Files\Zune
2008-09-21 15:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-15 00:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-09-13 01:32 40,832 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2008-09-01 17:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-30 15:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\DNA
2008-08-24 21:51 --------- d-----w C:\Program Files\HyCam2
2008-08-16 21:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\Orbit
2007-12-11 00:19 32 --sha-w C:\WINDOWS\{D08F5659-ACA0-43CC-B88D-7EC565D3CBDD}.dat
2007-04-17 04:33 1,248,526 --sha-w C:\WINDOWS\system32\SvGiPXbc.ini2
2007-12-11 00:19 32 --sha-w C:\WINDOWS\system32\{5BF3A7B6-EEB9-4163-9F80-7D9E344AD5B4}.dat
.

((((((((((((((((((((((((((((( snapshot@2008-09-21_19.46.48.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 07:56:58 14,336 -c--a-w C:\WINDOWS\system32\dllcache\svchost.exe
- 2002-07-26 05:28:48 235,184 ----a-w C:\WINDOWS\system32\drivers\SAVRT.SYS
+ 2003-09-18 20:47:48 235,744 ----a-w C:\WINDOWS\system32\drivers\SAVRT.SYS
- 2002-07-26 05:28:54 34,992 ----a-w C:\WINDOWS\system32\drivers\SAVRTPEL.SYS
+ 2003-09-18 20:47:56 35,552 ----a-w C:\WINDOWS\system32\drivers\SAVRTPEL.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 50880]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 34504]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2008-09-12 160160]
"SMART Mirror Driver Monitor Service"="C:\Program Files\SynchronEyes Teacher 5.1\MonitorService.exe" [2004-08-26 319488]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-09-12 40832]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-09-12 61856]
R3 smrtdrv;SMART Technologies Inc. Mirror Driver;C:\WINDOWS\system32\DRIVERS\smrtdrv.sys [2004-04-22 2432]
S2 SMART Mirror Driver Monitor Service;SMART Mirror Driver Monitor Service;C:\Program Files\SynchronEyes Teacher 5.1\MonitorService.exe [2004-08-26 319488]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\Owner\Desktop\MoonLightEngine___RENAMEDTOAVOIDGGFILTER\IlvMoney1129.sys [ ]
S3 zenx1;zenx1;C:\Documents and Settings\Owner\Desktop\ZenxEngine LATEST\ZenxEngine_LATEST\zenx.sys [ ]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-09-12 245664]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 16:23:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\D-Link\Wireless G WNA-1330\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\D-Link\Wireless G WNA-1330\AIRPLUS.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-09-22 16:43:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-22 23:43:32
ComboFix2.txt 2008-09-22 02:48:23

Pre-Run: 4,583,759,872 bytes free
Post-Run: 4,565,131,264 bytes free

244 --- E O F --- 2008-09-10 04:50:33






Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:59 PM, on 9/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\D-Link\Wireless G WNA-1330\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link\Wireless G WNA-1330\AIRPLUS.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SMART Mirror Driver Monitor Service] "C:\Program Files\SynchronEyes Teacher 5.1\MonitorService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221937884381
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\Program Files\D-Link\Wireless G WNA-1330\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies - C:\Program Files\SynchronEyes Teacher 5.1\MonitorService.exe

--
End of file - 6827 bytes

ken545
2008-09-23, 02:45
Looking Good :bigthumb:



Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to Sun Microsystems (http://java.sun.com/javase/downloads/index.jsp) and install the update.
Java Runtime Environment (JRE) 6 Update 7 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then, after the install, you can verify your installation here: Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to do the offline installation and save the setup file in case I may need it in the future.


Your ComboFix log is showing that you have no Recovery Console. Unless you have the Windows CD to boot from to restore your computer, this one would be nice to have in case of any future disasters. This is your call to install.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Download the file and save it as it is originally named, next to ComboFix.exe.

http://i24.photobucket.com/albums/c30/ken545/RC1-4.gif

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

No need to run ComboFix again, so when it asks you to scan, say no.


How is your computer running now?

tashi
2008-09-29, 23:16
Thank you Ken. :)