View Full Version : Virtumonde
Systems:
Norton Ghost no longer does backup on my external USB drive.
Earthlink Tool bar stopped working.
McAfee found Virtumonde and quarantined it. But the quarantine dissappared. Not sure if it got out of quarantine.
Spybot S&D reports Virtumonde and a Microsoft security change in the Registry.
First time user of this (and any forum).
Hope you can help! Thank you.
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:23 AM, on 10/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: {3b05896b-0c21-963a-7ec4-77dbf4cddd3b} - {b3dddc4f-bd77-4ce7-a369-12c0b69850b3} - C:\WINDOWS\system32\sqyhhp.dll (file missing)
O2 - BHO: (no name) - {E8679FF5-F159-4816-BD60-5BC29E8C1B34} - C:\WINDOWS\system32\hgGYPijk.dll (file missing)
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Picture Motion Browser Media Check Tool.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132591893359
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?AuthParam=1219947970_07b116d5ff37027b39785aafb0377ff3&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab&File=jinstall-6u7-windows-i586-jc.cab
O23 - Service: McAfee Application Installer Cleanup (0145631222861890) (0145631222861890mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\014563~1.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 9896 bytes
pskelley
2008-10-02, 16:00
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
I see Vundo leftovers but nothing active, that is not unusual, the infection is usually hidden. Let's see if combofix can find it.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log.
Thanks
Thank you for replying! I noticed something about "F:\Autorun.inf" being deleted? "F:" is my external USB hard drive - used only by Norton Ghost Backup software. Doesn't Ghost need this file? I can worry about this later. Just wanted you to know. By the way, I only use the external drive for backup and have never recovered anything from it - yet. (Ghost does a complete image backup of "C:" drive.)
Here's the requested logs:
ComboFix 08-10-02.04 - RICHARDSONS 2008-10-03 6:09:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.462 [GMT -7:00]
Running from: C:\Documents and Settings\RICHARDSONS\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\richardsons\cookies\richardsons@2o7[1].txt
c:\documents and settings\richardsons\cookies\richardsons@2o7[3].txt
c:\documents and settings\richardsons\cookies\richardsons@a.hasbro[2].txt
c:\documents and settings\richardsons\cookies\richardsons@ad.yieldmanager[2].txt
c:\documents and settings\richardsons\cookies\richardsons@ads.pointroll[1].txt
c:\documents and settings\richardsons\cookies\richardsons@ads.revsci[2].txt
c:\documents and settings\richardsons\cookies\richardsons@advertising[2].txt
c:\documents and settings\richardsons\cookies\richardsons@allrecipes[2].txt
c:\documents and settings\richardsons\cookies\richardsons@circuitcity[1].txt
c:\documents and settings\richardsons\cookies\richardsons@collective-media[1].txt
c:\documents and settings\richardsons\cookies\richardsons@ehg-lifefitness.hitbox[2].txt
c:\documents and settings\richardsons\cookies\richardsons@insightexpressai[2].txt
c:\documents and settings\richardsons\cookies\richardsons@interclick[2].txt
c:\documents and settings\richardsons\cookies\richardsons@media6degrees[2].txt
c:\documents and settings\richardsons\cookies\richardsons@questionmarket[3].txt
c:\documents and settings\richardsons\cookies\richardsons@revsci[1].txt
c:\documents and settings\richardsons\cookies\richardsons@server.cpmstar[2].txt
c:\documents and settings\richardsons\cookies\richardsons@serving-sys[2].txt
c:\documents and settings\richardsons\cookies\richardsons@specificclick[1].txt
c:\documents and settings\richardsons\cookies\richardsons@track.bestbuy[2].txt
c:\documents and settings\richardsons\cookies\richardsons@trafficmp[2].txt
c:\documents and settings\richardsons\cookies\richardsons@turn[1].txt
c:\documents and settings\richardsons\cookies\richardsons@www.addictinggames[1].txt
c:\documents and settings\richardsons\cookies\richardsons@www.stereohyped[2].txt
c:\documents and settings\richardsons\cookies\richardsons@www.xxx-humor[2].txt
c:\documents and settings\richardsons\cookies\richardsons@zap2it[1].txt
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
F:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-09-03 to 2008-10-03 )))))))))))))))))))))))))))))))
.
2008-10-01 05:45 . 2008-10-01 05:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-29 19:28 . 2008-09-29 19:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-23 11:02 . 2008-09-29 10:56 36,020 --a------ C:\VETlog.dmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-02 11:54 --------- d-----w C:\Program Files\McAfee
2008-09-30 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-17 19:51 --------- d-----w C:\Program Files\Viewpoint
2008-09-17 19:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-28 18:25 --------- d-----w C:\Program Files\Java
2008-08-28 16:35 --------- d-----w C:\Program Files\NOS
2008-08-28 16:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-08-28 16:33 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-08-28 16:32 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-28 00:12 --------- d-----w C:\Documents and Settings\RICHARDSONS\Application Data\Symantec
2008-08-27 23:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-27 23:50 --------- d-----w C:\Program Files\Symantec
2008-08-27 23:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-27 23:48 --------- d-----w C:\Program Files\Norton Ghost
2008-08-26 22:33 90,112 ----a-w C:\WINDOWS\DUMP7f32.tmp
2008-08-26 22:28 90,112 ----a-w C:\WINDOWS\DUMP705d.tmp
2008-08-25 20:19 90,112 ----a-w C:\WINDOWS\DUMP1df7.tmp
2008-08-25 20:16 90,112 ----a-w C:\WINDOWS\DUMP4bed.tmp
2008-08-25 20:14 90,112 ----a-w C:\WINDOWS\DUMP6f34.tmp
2008-08-25 19:07 90,112 ----a-w C:\WINDOWS\DUMP8731.tmp
2008-08-25 18:55 90,112 ----a-w C:\WINDOWS\DUMP9f3d.tmp
2008-08-25 18:05 90,112 ----a-w C:\WINDOWS\DUMPa6bf.tmp
2008-08-24 22:34 90,112 ----a-w C:\WINDOWS\DUMP7213.tmp
2008-08-24 14:08 90,112 ----a-w C:\WINDOWS\DUMP19a2.tmp
2008-08-24 13:41 90,112 ----a-w C:\WINDOWS\DUMP801c.tmp
2008-08-21 16:17 --------- d-----w C:\Documents and Settings\RICHARDSONS\Application Data\AdobeUM
2008-08-15 01:37 --------- d-----w C:\Documents and Settings\RICHARDSONS\Application Data\OfficeUpdate12
2008-08-15 01:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-14 00:07 38,112 ----a-w C:\WINDOWS\system32\drivers\v2imount.sys
2008-08-13 23:55 215,144 ----a-r C:\WINDOWS\pw32a.dll
2008-08-13 23:55 215,144 ----a-r C:\WINDOWS\patchw32.dll
2008-08-08 00:31 138,080 ----a-w C:\WINDOWS\system32\drivers\symsnap.sys
2008-07-21 19:52 524,288 ----a-w C:\WINDOWS\opuc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [2004-06-18 913408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-05 98304]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-08 7110656]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"Norton Ghost 14.0"="C:\Program Files\Norton Ghost\Agent\VProTray.exe" [2008-08-13 2245984]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"CTHelper"="CTHELPER.EXE" [2004-03-11 C:\WINDOWS\system32\CTHELPER.EXE]
C:\Documents and Settings\RICHARDSONS\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk.disabled [2008-03-08 1985]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{B9E618A2-A4FE-11D4-83C2-005004636C96}"= "C:\Program Files\Metamail Inc\Metamail Reader\OE\OESHook.dll" [2003-04-07 36864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"IntelMeM"=C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;C:\WINDOWS\system32\dllhost.exe [2008-04-13 5120]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 SymSnapService;SymSnapService;C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe [2008-08-07 1558000]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
BHO-{b3dddc4f-bd77-4ce7-a369-12c0b69850b3} - C:\WINDOWS\system32\sqyhhp.dll
BHO-{E8679FF5-F159-4816-BD60-5BC29E8C1B34} - C:\WINDOWS\system32\hgGYPijk.dll
Notify-WgaLogon - (no file)
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 -: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 -: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 -: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 -: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-03 06:13:11
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\ComboFix\pv.cfexe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-10-03 6:16:56 - machine was rebooted [RICHARDSONS]
ComboFix-quarantined-files.txt 2008-10-03 13:16:52
Pre-Run: 140,301,897,728 bytes free
Post-Run: 140,558,778,368 bytes free
188 --- E O F --- 2008-09-11 00:55:04
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:23:26 AM, on 10/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Picture Motion Browser Media Check Tool.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132591893359
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?AuthParam=1219947970_07b116d5ff37027b39785aafb0377ff3&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab&File=jinstall-6u7-windows-i586-jc.cab
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 8737 bytes
pskelley
2008-10-03, 15:59
Thanks for retuning your infomation, I have never run Norton Ghost (or Norton/Symantec for that matter) so can tell you nothing about it.
F:\Autorun.inf <<< combofix finds this file to be infected, if you believe it is not, scan it to find out using: http://virusscan.jotti.org/
That file is here: C:\Qoobox\Quarantine\ If you find it is not infected, return it to the originial position.
http://www.google.com/search?hl=en&q=Autorun.inf&btnG=Google+Search&aq=f&oq=
1) C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Right click Start > Explore and navigate to these files and delete them if there.
C:\WINDOWS\DUMP7f32.tmp
C:\WINDOWS\DUMP705d.tmp
C:\WINDOWS\DUMP1df7.tmp
C:\WINDOWS\DUMP4bed.tmp
C:\WINDOWS\DUMP6f34.tmp
C:\WINDOWS\DUMP8731.tmp
C:\WINDOWS\DUMP9f3d.tmp
C:\WINDOWS\DUMPa6bf.tmp
C:\WINDOWS\DUMP7213.tmp
C:\WINDOWS\DUMP19a2.tmp
C:\WINDOWS\DUMP801c.tmp
4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.
How is the computer running?
Thanks
Thanks for replying.
Ok, I had some problems booting this morning.
Got a blue screen (produced by XP) saying Volume (C:) was 'dirty'.
It proceeded to correct everything, and it looks like it may have undone some of fixes that were made yesterday. Indeed, the quarantined file AUTORUN.INF was not in the quarantine folder. I found it back in the F: drive (my external hard drive). I had it scanned at the place where you said. Two scanners thought it was a problem.
Anyway I thought I'd better run Combofix and HJT again becasue of what happened this morning. I did, however, remove Viewpoint Manager as you suggested. I think this came from AOL's AIM by daughter downloaded (always blame it on the kids!).
So I have yet to ask HJT to fix anything, and I have not run ATF yet.
Sorry for setback, but I wanted to be that we're still on the same page before proceeding (considering what happened this morning).
Kind of afraid to turn my computer off until all this gets fixed.
Here are the logs:
====================
ComboFix 08-10-02.04 - RICHARDSONS 2008-10-04 9:03:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.635 [GMT -7:00]
Running from: C:\Documents and Settings\RICHARDSONS\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-09-04 to 2008-10-04 )))))))))))))))))))))))))))))))
.
2008-10-01 05:45 . 2008-10-01 05:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-29 19:28 . 2008-09-29 19:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-23 11:02 . 2008-09-29 10:56 36,020 --a------ C:\VETlog.dmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-04 15:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-10-02 11:54 --------- d-----w C:\Program Files\McAfee
2008-09-30 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-28 18:25 --------- d-----w C:\Program Files\Java
2008-08-28 16:35 --------- d-----w C:\Program Files\NOS
2008-08-28 16:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-08-28 16:33 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-08-28 16:32 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-28 00:12 --------- d-----w C:\Documents and Settings\RICHARDSONS\Application Data\Symantec
2008-08-27 23:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-27 23:50 --------- d-----w C:\Program Files\Symantec
2008-08-27 23:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-27 23:48 --------- d-----w C:\Program Files\Norton Ghost
2008-08-26 22:33 90,112 ----a-w C:\WINDOWS\DUMP7f32.tmp
2008-08-26 22:28 90,112 ----a-w C:\WINDOWS\DUMP705d.tmp
2008-08-25 20:19 90,112 ----a-w C:\WINDOWS\DUMP1df7.tmp
2008-08-25 20:16 90,112 ----a-w C:\WINDOWS\DUMP4bed.tmp
2008-08-25 20:14 90,112 ----a-w C:\WINDOWS\DUMP6f34.tmp
2008-08-25 19:07 90,112 ----a-w C:\WINDOWS\DUMP8731.tmp
2008-08-25 18:55 90,112 ----a-w C:\WINDOWS\DUMP9f3d.tmp
2008-08-25 18:05 90,112 ----a-w C:\WINDOWS\DUMPa6bf.tmp
2008-08-24 22:34 90,112 ----a-w C:\WINDOWS\DUMP7213.tmp
2008-08-24 14:08 90,112 ----a-w C:\WINDOWS\DUMP19a2.tmp
2008-08-24 13:41 90,112 ----a-w C:\WINDOWS\DUMP801c.tmp
2008-08-21 16:17 --------- d-----w C:\Documents and Settings\RICHARDSONS\Application Data\AdobeUM
2008-08-15 01:37 --------- d-----w C:\Documents and Settings\RICHARDSONS\Application Data\OfficeUpdate12
2008-08-15 01:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-14 00:07 38,112 ----a-w C:\WINDOWS\system32\drivers\v2imount.sys
2008-08-13 23:55 215,144 ----a-r C:\WINDOWS\pw32a.dll
2008-08-13 23:55 215,144 ----a-r C:\WINDOWS\patchw32.dll
2008-08-08 00:31 138,080 ----a-w C:\WINDOWS\system32\drivers\symsnap.sys
2008-07-21 19:52 524,288 ----a-w C:\WINDOWS\opuc.dll
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
.
((((((((((((((((((((((((((((( snapshot@2008-10-03_ 6.16.34.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-03 12:07:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-04 14:14:32 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-10-03 12:07:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-04 14:14:32 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-04 14:32:18 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_454.dat
+ 2008-10-04 14:31:51 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_72c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [2004-06-18 913408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-05 98304]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-08 7110656]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"Norton Ghost 14.0"="C:\Program Files\Norton Ghost\Agent\VProTray.exe" [2008-08-13 2245984]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"CTHelper"="CTHELPER.EXE" [2004-03-11 C:\WINDOWS\system32\CTHELPER.EXE]
C:\Documents and Settings\RICHARDSONS\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk.disabled [2008-03-08 1985]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{B9E618A2-A4FE-11D4-83C2-005004636C96}"= "C:\Program Files\Metamail Inc\Metamail Reader\OE\OESHook.dll" [2003-04-07 36864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"IntelMeM"=C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;C:\WINDOWS\system32\dllhost.exe [2008-04-13 5120]
R3 SymSnapService;SymSnapService;C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe [2008-08-07 1558000]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 -: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 -: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 -: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 -: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-04 09:05:23
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-10-04 9:06:14
ComboFix-quarantined-files.txt 2008-10-04 16:06:10
ComboFix2.txt 2008-10-03 13:16:57
Pre-Run: 140,298,874,880 bytes free
Post-Run: 140,559,761,408 bytes free
152 --- E O F --- 2008-09-11 00:55:04
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:35 AM, on 10/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Picture Motion Browser Media Check Tool.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132591893359
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?AuthParam=1219947970_07b116d5ff37027b39785aafb0377ff3&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab&File=jinstall-6u7-windows-i586-jc.cab
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
--
End of file - 8398 bytes
pskelley
2008-10-04, 19:41
I have this gut feeling that you have either hardware or software issues that I am not going to be able to help you resolve.
Got a blue screen (produced by XP) saying Volume (C was 'dirty'.
I must have error messages "word for word" exactly as Windows presents them to you, this is the only way they can be researched.
I would like to collect some information.
1) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
2) Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here along with that Uninstall List and any error message you are receiving "word for word".
Thanks
Thanks for replying.
Here are the reports you requested. See what you think. Don't want to restart my computer until you have had a chance to look at them.
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player ActiveX
Adobe Reader 9
AOLIcon
Banctec Service Agreement
Canon MP Navigator 2.0
Canon MP500
Canon Utilities Easy-PhotoPrint
Condes
CorelDRAW Graphics Suite 12
Creative MediaSource
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support 3.1
Digital Content Portal
EarthLink setup files
EarthLink Software
Easy-WebPrint
EducateU
ESPNMotion
GemMaster Mystic
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
Intel(R) 537EP V9x DF PCI Modem
InterActual Player
Internet Explorer Default Page
Jasc Paint Shop Pro Studio, Dell Editon
Jasc Paint Shop Pro Studio.01 , Dell Edition 1.0.1.1 Patch
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 7
Learn2 Player (Uninstall Only)
LiveUpdate 3.2 (Symantec Corporation)
LTspice/SwCADIII
Macromedia Flash Player
Mathcad 13
Mathsoft Signal Processing Extension Pack
McAfee SecurityCenter
Metamail
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Modem Event Monitor
Modem Helper
Modem On Hold
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Musicmatch® Jukebox
MyWay Search Assistant
Norton Ghost
NVIDIA Drivers
OmniPage SE 2.0
Otto
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
Photovista Panorama 3.0
Picture Package Music Transfer
PowerDVD 5.5
QuickTime
RealPlayer Basic
Roxio MyDVD Essentials 8
SafeCast Shared Components
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sony Picture Utility
Sound Blaster Audigy 2 ZS
Spybot - Search & Destroy
TaxCut California 2007
TaxCut Premium + State 2007
TaxCut Premium 2006
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update Rollup 2 for Windows XP Media Center Edition 2005
WebCyberCoach 3.2 Dell
Windows Genuine Advantage v1.3.0254.0
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows XP Media Center Edition 2005 KB908250
Windows XP Service Pack 3
===============================
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, October 4, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, October 04, 2008 23:17:25
Records in database: 1290424
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
Scan statistics:
Files scanned: 98895
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:18:20
File name / Threat name / Threats count
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP925\A0071984.exe Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP962\A0074308.dll Infected: Trojan.Win32.Monder.lab 1
The selected area was scanned.
pskelley
2008-10-05, 11:41
Uninstall list: I look for malware and security issues only.
Java 2 Runtime Environment, SE v1.4.2_03 <<< VERY old, uninstall, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
If you have problems removing that, this tool will help: http://raproducts.org/
Java(TM) 6 Update 7 <<< newest, leave that
MyWay Search Assistant <<< adware, uninstall
Kaspersky Online Scan (KOS)
(may or may not be bad, scan those here: http://virusscan.jotti.org/ if you wish to be sure)
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz ------> RiskTool.Win32.Deleter.f 1
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz ------> RiskTool.Win32.Deleter.f 1
(System Restore, cleaning those soon)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP925\A0071984.exe ------> RiskTool.Win32.Deleter.f 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP962\A0074308.dll ------> Trojan.Win32.Monder.lab 1
Pleas follow the directions in #5 to download and run MBAM and post the results and a new HJT log. Please describe any issues at that time, make sure error messages are posted word for word.
Thanks
Hello again,
Computer booted this morning - no problems booting.
Uninstalled old Java 2 Runtime Environment.
Uninstalled MyWay Search Assistant.
MBAM results posted.
New HJT log posted.
===================================
Malwarebytes' Anti-Malware 1.28
Database version: 1235
Windows 5.1.2600 Service Pack 3
10/6/2008 7:11:44 PM
mbam-log-2008-10-06 (19-11-44).txt
Scan type: Full Scan (C:\|F:\|)
Objects scanned: 136351
Time elapsed: 39 minute(s), 43 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:45 PM, on 10/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Picture Motion Browser Media Check Tool.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132591893359
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
--
End of file - 8191 bytes
pskelley
2008-10-07, 12:36
Thanks for returning your information and the feedback, let's do this:
1) Things did not proceed like I wanted them to and I want to be sure we missed nothing. Look back at the instructions and make sure they were all completed. If anything was not, let me know.
2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(just leftover junk, not malware)
R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
3) Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
4) Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
5) Update MBAM and scan to make sure we missed none of the junk, there is no need to post a clean scan result.
6) You may also scan with KOS to be sure if you wish.
7) Update McAfee and scan the system, both to make sure it is running right and scanning clean. If you have any problems with the program, contact tech support for instructions.
http://www.mcafee.com/us/support/
If all is well at this point, let me know and I will close your topic.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
Things we missed #4: Ran ATF Cleaner - Done.
Fixed Search Hooks with HJT.
Deleted ComboFix.
Cleaned System Restore Files.
Ran MBAM - no detections.
Updated and ran McAfee - no detections.
FYI: North Ghost still not working right, but now I can work on this without thinking "virus" all the time!
FYI: Computer boots ok and internet seems a little faster!!
Questions:
What do I do with HJT?
What do I do with ATF Cleaner?
What's the difference between MBAM and Spybot SD?
Thanks for your help.
pskelley
2008-10-08, 13:56
Thanks for taking the time to give me some feedback and your questions.
Norton Ghost <<< can not help with that program and I suggest (do you pay for it?) you contact tech support for instructions.
http://www.symantec.com/enterprise/support/index.jsp
They will probably have you reinstall the program, but I prefer to let them make that call since I know nothing about NG.
Computer boots ok <<< information that should help performance impprove if applied.
http://www.netsquirrel.com/msconfig/msconfig_xp.html
http://www.malwareremoval.com/tutorials/runningslowly.php
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
HJT <<< I have had HJT on all of my computers for about ten years, the tool does much more than we have used it for, a tutorial:
http://www.bleepingcomputer.com/tutorials/tutorial42.html
(uses no resources unless you run it and only a little disk space) <<< this applies to all four programs you mention.
ATF Cleaner <<< your to keep or delete, I will say this...you will not find a better small cleaner anywhere.
MBAM <<< this one is being blocked by hackers (who can read everything we say) the malware fighters who created it point it towards rouge junk so the data base is smaller that that of Spybot S&D which looks for a vast variety of malware/adware/spyware.
http://www.safer-networking.org/en/faq/index.html
Hope that helps...Phil