pskelley
2009-01-14, 12:24
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions; anything else will slow the process and waste both our time. I suggest you keep this computer offline except when troubleshooting, as the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
I apologize for the wait, volunteers are swamped at all forums with infected computers. If you have resolved your issues, please post to let me know so I can close this topic.
I have ComboFix installed also.
ComboFix is updated almost daily, so delete the copy you have and download it fresh from the links I provide.
1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.
2) A word of warning: Neither I nor sUBs is responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.
*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connection.
Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
3) Also post an uninstall list: Open HijackThis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
Thanks
OK, thank you for your response.
ComboFix:
ComboFix 09-01-13.04 - Owner 2009-01-14 6:14:48.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1519.861 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\GetModule
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\windows\system32\~.exe
c:\windows\system32\aujarxud.dll
c:\windows\system32\cvlzst.dll
c:\windows\system32\dhwejxsx.ini
c:\windows\system32\dsdjfcrr.ini
c:\windows\system32\duxrajua.ini
c:\windows\system32\fkdlwtjf.dll
c:\windows\system32\hbtocp.dll
c:\windows\system32\hhdnroev.dll
c:\windows\system32\ikxtbq.dll
c:\windows\system32\iwfooblo.ini
c:\windows\system32\jbomimwk.dll
c:\windows\system32\jwahjcqx.dll
c:\windows\system32\ngyxuacs.dll
c:\windows\system32\nsvmckrx.dll
c:\windows\system32\olboofwi.dll
c:\windows\system32\oxxlehbj.dll
c:\windows\system32\pvngtmpi.dll
c:\windows\system32\qhdjwf.dll
c:\windows\system32\raimqm.dll
c:\windows\system32\rqRLbaaA.dll
c:\windows\system32\swtjyqra.ini
c:\windows\system32\tuvTliHW.dll
c:\windows\system32\WHilTvut.ini
c:\windows\system32\WHilTvut.ini2
c:\windows\system32\wpv291231602518.cpx
c:\windows\system32\xfagbe.dll
c:\windows\system32\xsxjewhd.dll
c:\windows\system32\ydfffthd.dll
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.
2009-01-13 17:16 . 2009-01-13 17:16 88 --a------ c:\windows\MSREGUSR.INI
2009-01-13 17:13 . 2009-01-13 17:13 <DIR> d-------- c:\program files\Mindscape
2009-01-13 17:13 . 1998-06-23 16:34 73,856 --a------ c:\windows\system\hlp256.dll
2009-01-13 17:13 . 1998-06-23 16:34 9,136 --a------ c:\windows\system\Inetwh16.dll
2009-01-04 14:14 . 2009-01-04 14:14 <DIR> d-------- c:\program files\Webtools
2009-01-01 13:54 . 2009-01-01 13:54 <DIR> d-------- c:\documents and settings\Owner\Application Data\Acreon
2008-12-31 02:30 . 2008-12-31 02:30 268 --ah----- C:\sqmdata11.sqm
2008-12-31 02:30 . 2008-12-31 02:30 244 --ah----- C:\sqmnoopt11.sqm
2008-12-24 19:16 . 2007-12-26 21:25 94,208 -ra------ c:\windows\system32\ZDCN50.dll
2008-12-24 19:16 . 2007-12-26 21:25 20,736 -ra------ c:\windows\system32\ZDCndis5.sys
2008-12-24 19:16 . 2004-12-02 21:32 17,744 -ra------ c:\windows\system32\PCANDIS4.SYS
2008-12-24 19:16 . 2007-12-26 21:25 15,941 -ra------ c:\windows\system32\ZDCNDIS3.VXD
2008-12-24 19:16 . 2008-12-25 15:02 40 --a------ c:\windows\system32\2Wire.ini
2008-12-24 19:16 . 2008-12-24 19:16 20 --a------ c:\windows\system32\NB-WGASW.ini
2008-12-16 20:01 . 2008-12-16 20:01 268 --ah----- C:\sqmdata10.sqm
2008-12-16 20:01 . 2008-12-16 20:01 244 --ah----- C:\sqmnoopt10.sqm
2008-12-14 19:18 . 2008-12-14 19:18 0 --a------ c:\windows\iPlayer.INI
2008-12-14 19:16 . 2008-12-14 19:16 <DIR> d-------- c:\program files\InterActual
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 23:07 --------- d-----w c:\program files\World of Warcraft
2009-01-07 20:22 --------- d-----w c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2008-12-08 20:15 --------- d-----w c:\program files\Incomplete
2008-12-07 04:55 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-12-07 04:55 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-12-07 04:54 --------- d-----w c:\program files\AVG
2008-12-07 04:54 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-29 05:21 --------- d-----w c:\program files\AIM Toolbar
2008-11-29 05:21 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-29 05:06 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-29 04:51 --------- d-----w c:\program files\Trend Micro
2008-11-27 20:35 --------- d-----w c:\program files\Xvid
2008-11-27 20:20 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-11-22 21:43 --------- d-----w c:\program files\Common Files\Software Update Utility
2008-11-22 21:43 --------- d-----w c:\program files\AIM6
2008-11-22 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-22 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-11-22 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-22 21:42 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
.
((((((((((((((((((((((((((((( snapshot@2008-12-09_20.13.54.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-03 09:57:49 247,326 ----a-w c:\windows\$hf_mig$\KB954600\SP2QFE\strmdll.dll
+ 2008-10-03 10:02:42 247,326 ----a-w c:\windows\$hf_mig$\KB954600\SP3GDR\strmdll.dll
+ 2008-10-03 09:49:31 247,326 ----a-w c:\windows\$hf_mig$\KB954600\SP3QFE\strmdll.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB954600\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB954600\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB954600\update\spcustom.dll
+ 2007-11-30 11:18:51 755,576 ----a-w c:\windows\$hf_mig$\KB954600\update\update.exe
+ 2007-11-30 11:18:51 382,840 ----a-w c:\windows\$hf_mig$\KB954600\update\updspapi.dll
+ 2008-10-22 09:47:25 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP2QFE\tzchange.exe
+ 2008-10-23 10:06:59 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3GDR\tzchange.exe
+ 2008-10-23 10:17:49 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3QFE\tzchange.exe
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB955839\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB955839\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB955839\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB955839\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB955839\update\updspapi.dll
+ 2008-10-23 12:51:04 284,160 ----a-w c:\windows\$hf_mig$\KB956802\SP2QFE\gdi32.dll
+ 2008-10-23 12:36:14 286,720 ----a-w c:\windows\$hf_mig$\KB956802\SP3GDR\gdi32.dll
+ 2008-10-23 12:43:42 286,720 ----a-w c:\windows\$hf_mig$\KB956802\SP3QFE\gdi32.dll
+ 2008-07-08 13:02:01 17,272 ----a-w c:\windows\$hf_mig$\KB956802\spmsg.dll
+ 2008-07-08 13:02:02 231,288 ----a-w c:\windows\$hf_mig$\KB956802\spuninst.exe
+ 2008-07-08 13:02:01 26,488 ----a-w c:\windows\$hf_mig$\KB956802\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB956802\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB956802\update\updspapi.dll
+ 2008-10-16 01:00:11 3,067,904 ----a-w c:\windows\$hf_mig$\KB958215\SP3GDR\mshtml.dll
+ 2008-10-16 01:00:10 1,499,136 ----a-w c:\windows\$hf_mig$\KB958215\SP3GDR\shdocvw.dll
+ 2008-10-16 01:00:11 619,520 ----a-w c:\windows\$hf_mig$\KB958215\SP3GDR\urlmon.dll
+ 2008-10-16 01:00:11 666,112 ----a-w c:\windows\$hf_mig$\KB958215\SP3GDR\wininet.dll
+ 2008-10-16 11:34:08 3,067,904 ----a-w c:\windows\$hf_mig$\KB958215\SP3QFE\mshtml.dll
+ 2008-10-16 01:04:06 1,499,136 ----a-w c:\windows\$hf_mig$\KB958215\SP3QFE\shdocvw.dll
+ 2008-10-16 01:04:06 620,032 ----a-w c:\windows\$hf_mig$\KB958215\SP3QFE\urlmon.dll
+ 2008-10-16 01:04:06 667,136 ----a-w c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB958215\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB958215\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB958215\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB958215\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB958215\update\updspapi.dll
+ 2006-10-19 01:03:58 100,864 -c----w c:\windows\$NtUninstallKB952069_WM9$\logagent.exe
+ 2007-07-27 14:41:48 231,288 -c----w c:\windows\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe
+ 2007-07-27 14:41:48 382,840 -c----w c:\windows\$NtUninstallKB952069_WM9$\spuninst\updspapi.dll
+ 2006-10-19 02:47:20 937,984 -c----w c:\windows\$NtUninstallKB952069_WM9$\wmnetmgr.dll
+ 2006-10-19 02:47:22 2,450,944 -c----w c:\windows\$NtUninstallKB952069_WM9$\wmvcore.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB954600$\spuninst\spuninst.exe
+ 2007-11-30 11:18:51 382,840 -c----w c:\windows\$NtUninstallKB954600$\spuninst\updspapi.dll
+ 2006-08-21 14:52:08 246,814 -c----w c:\windows\$NtUninstallKB954600$\strmdll.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB955839$\spuninst\spuninst.exe
+ 2007-11-30 12:39:22 382,840 -c----w c:\windows\$NtUninstallKB955839$\spuninst\updspapi.dll
+ 2008-07-14 11:09:18 62,976 -c----w c:\windows\$NtUninstallKB955839$\tzchange.exe
+ 2008-02-20 06:51:05 282,624 -c----w c:\windows\$NtUninstallKB956802$\gdi32.dll
+ 2008-07-08 13:02:02 231,288 -c----w c:\windows\$NtUninstallKB956802$\spuninst\spuninst.exe
+ 2008-07-09 07:38:37 382,840 -c----w c:\windows\$NtUninstallKB956802$\spuninst\updspapi.dll
+ 2008-08-20 05:33:19 1,024,000 -c----w c:\windows\$NtUninstallKB958215$\browseui.dll
+ 2008-08-20 05:33:17 151,040 -c----w c:\windows\$NtUninstallKB958215$\cdfview.dll
+ 2008-08-20 05:33:18 1,054,208 -c----w c:\windows\$NtUninstallKB958215$\danim.dll
+ 2008-08-20 05:33:18 357,888 -c----w c:\windows\$NtUninstallKB958215$\dxtmsft.dll
+ 2008-08-20 05:33:18 205,312 -c----w c:\windows\$NtUninstallKB958215$\dxtrans.dll
+ 2008-08-20 05:33:18 55,808 -c----w c:\windows\$NtUninstallKB958215$\extmgr.dll
+ 2008-08-19 09:38:57 18,432 -c----w c:\windows\$NtUninstallKB958215$\iedw.exe
+ 2008-08-20 05:33:18 251,904 -c----w c:\windows\$NtUninstallKB958215$\iepeers.dll
+ 2008-08-20 05:33:18 96,256 -c----w c:\windows\$NtUninstallKB958215$\inseng.dll
+ 2008-08-20 05:33:19 16,384 -c----w c:\windows\$NtUninstallKB958215$\jsproxy.dll
+ 2008-08-20 05:33:20 3,067,392 -c----w c:\windows\$NtUninstallKB958215$\mshtml.dll
+ 2008-08-20 05:33:19 449,024 -c----w c:\windows\$NtUninstallKB958215$\mshtmled.dll
+ 2008-08-20 05:33:18 146,432 -c----w c:\windows\$NtUninstallKB958215$\msrating.dll
+ 2008-08-20 05:33:18 532,480 -c----w c:\windows\$NtUninstallKB958215$\mstime.dll
+ 2008-08-20 05:33:18 39,424 -c----w c:\windows\$NtUninstallKB958215$\pngfilt.dll
+ 2008-08-20 05:33:19 1,499,136 -c----w c:\windows\$NtUninstallKB958215$\shdocvw.dll
+ 2008-08-20 05:33:19 474,112 -c----w c:\windows\$NtUninstallKB958215$\shlwapi.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB958215$\spuninst\spuninst.exe
+ 2008-07-09 07:38:37 382,840 -c----w c:\windows\$NtUninstallKB958215$\spuninst\updspapi.dll
+ 2008-08-20 05:33:19 619,008 -c----w c:\windows\$NtUninstallKB958215$\urlmon.dll
+ 2008-08-20 05:33:19 667,648 -c----w c:\windows\$NtUninstallKB958215$\wininet.dll
+ 2008-08-19 09:20:32 351,744 -c----w c:\windows\$NtUninstallKB958215$\xpsp3res.dll
- 2008-11-13 03:36:59 38,240 ----a-r c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2008-12-13 04:33:12 38,240 ----a-r c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2008-08-20 05:33:19 1,024,000 ----a-w c:\windows\system32\browseui.dll
+ 2008-10-16 10:20:52 1,024,000 ----a-w c:\windows\system32\browseui.dll
- 2008-08-20 05:33:17 151,040 ----a-w c:\windows\system32\cdfview.dll
+ 2008-10-16 10:20:42 151,040 ----a-w c:\windows\system32\cdfview.dll
- 2008-08-20 05:33:18 1,054,208 ----a-w c:\windows\system32\danim.dll
+ 2008-10-16 10:20:45 1,054,208 ----a-w c:\windows\system32\danim.dll
- 2008-08-20 05:33:19 1,024,000 -c--a-w c:\windows\system32\dllcache\browseui.dll
+ 2008-10-16 10:20:52 1,024,000 -c--a-w c:\windows\system32\dllcache\browseui.dll
- 2008-08-20 05:33:17 151,040 -c--a-w c:\windows\system32\dllcache\cdfview.dll
+ 2008-10-16 10:20:42 151,040 -c--a-w c:\windows\system32\dllcache\cdfview.dll
- 2008-08-20 05:33:18 1,054,208 -c--a-w c:\windows\system32\dllcache\danim.dll
+ 2008-10-16 10:20:45 1,054,208 -c--a-w c:\windows\system32\dllcache\danim.dll
- 2008-08-20 05:33:18 357,888 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-10-16 10:20:45 357,888 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-08-20 05:33:18 205,312 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-10-16 10:20:45 205,312 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
- 2008-08-20 05:33:18 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-16 10:20:46 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
- 2008-02-20 06:51:05 282,624 -c--a-w c:\windows\system32\dllcache\gdi32.dll
+ 2008-10-23 13:01:36 283,648 -c--a-w c:\windows\system32\dllcache\gdi32.dll
- 2008-08-19 09:38:57 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
+ 2008-10-15 14:18:21 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
- 2008-08-20 05:33:18 251,904 -c--a-w c:\windows\system32\dllcache\iepeers.dll
+ 2008-10-16 10:20:46 251,904 -c--a-w c:\windows\system32\dllcache\iepeers.dll
- 2008-08-20 05:33:18 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
+ 2008-10-16 10:20:46 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
- 2008-08-20 05:33:19 16,384 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 10:20:50 16,384 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
- 2006-10-19 01:03:58 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-18 06:09:22 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
- 2008-08-20 05:33:20 3,067,392 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-12 17:27:54 3,067,392 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-08-20 05:33:19 449,024 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 10:20:50 449,024 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
- 2008-08-20 05:33:18 146,432 -c--a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 10:20:46 146,432 -c--a-w c:\windows\system32\dllcache\msrating.dll
- 2008-08-20 05:33:18 532,480 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 10:20:46 532,480 -c--a-w c:\windows\system32\dllcache\mstime.dll
- 2008-08-20 05:33:18 39,424 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 10:20:46 39,424 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
- 2008-08-20 05:33:19 1,499,136 -c--a-w c:\windows\system32\dllcache\shdocvw.dll
+ 2008-10-16 10:20:48 1,499,136 -c--a-w c:\windows\system32\dllcache\shdocvw.dll
- 2008-08-20 05:33:19 474,112 -c--a-w c:\windows\system32\dllcache\shlwapi.dll
+ 2008-10-16 10:20:51 474,112 -c--a-w c:\windows\system32\dllcache\shlwapi.dll
- 2006-08-21 14:52:08 246,814 -c--a-w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:15:47 247,326 -c--a-w c:\windows\system32\dllcache\strmdll.dll
- 2008-08-20 05:33:19 619,008 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 10:20:53 619,008 -c--a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-08-20 05:33:19 667,648 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 10:20:49 667,648 -c--a-w c:\windows\system32\dllcache\wininet.dll
- 2006-10-19 02:47:20 937,984 -c--a-w c:\windows\system32\dllcache\WMNetMgr.dll
+ 2008-06-18 10:03:08 938,496 -c--a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2006-10-19 02:47:22 2,450,944 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-18 10:03:14 2,458,112 -c--a-w c:\windows\system32\dllcache\WMVCore.dll
- 2008-08-20 05:33:18 357,888 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 10:20:45 357,888 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-08-20 05:33:18 205,312 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-10-16 10:20:45 205,312 ----a-w c:\windows\system32\dxtrans.dll
- 2008-08-20 05:33:18 55,808 ----a-w c:\windows\system32\extmgr.dll
+ 2008-10-16 10:20:46 55,808 ----a-w c:\windows\system32\extmgr.dll
- 2008-02-20 06:51:05 282,624 ----a-w c:\windows\system32\gdi32.dll
+ 2008-10-23 13:01:36 283,648 ----a-w c:\windows\system32\gdi32.dll
- 2008-08-20 05:33:18 251,904 ----a-w c:\windows\system32\iepeers.dll
+ 2008-10-16 10:20:46 251,904 ----a-w c:\windows\system32\iepeers.dll
- 2008-08-20 05:33:18 96,256 ----a-w c:\windows\system32\inseng.dll
+ 2008-10-16 10:20:46 96,256 ----a-w c:\windows\system32\inseng.dll
+ 2001-07-13 19:09:44 279,552 ----a-w c:\windows\system32\itiimg3.dll
- 2008-08-20 05:33:19 16,384 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-10-16 10:20:50 16,384 ----a-w c:\windows\system32\jsproxy.dll
- 2006-10-19 01:03:58 100,864 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-18 06:09:22 100,864 ----a-w c:\windows\system32\logagent.exe
+ 2006-01-21 21:01:22 25,088 ----a-w c:\windows\system32\Macromed\Flash\genuinst.exe
+ 2006-01-03 23:14:12 20,480 ----a-w c:\windows\system32\Macromed\Flash\UninstFl.exe
- 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\system32\MRT.exe
+ 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
- 2008-08-20 05:33:20 3,067,392 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-12 17:27:54 3,067,392 ----a-w c:\windows\system32\mshtml.dll
- 2008-08-20 05:33:19 449,024 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-10-16 10:20:50 449,024 ----a-w c:\windows\system32\mshtmled.dll
- 2008-08-20 05:33:18 146,432 ----a-w c:\windows\system32\msrating.dll
+ 2008-10-16 10:20:46 146,432 ----a-w c:\windows\system32\msrating.dll
- 2008-08-20 05:33:18 532,480 ----a-w c:\windows\system32\mstime.dll
+ 2008-10-16 10:20:46 532,480 ----a-w c:\windows\system32\mstime.dll
- 2008-08-20 05:33:18 39,424 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 10:20:46 39,424 ----a-w c:\windows\system32\pngfilt.dll
- 2008-08-20 05:33:19 1,499,136 ----a-w c:\windows\system32\shdocvw.dll
+ 2008-10-16 10:20:48 1,499,136 ----a-w c:\windows\system32\shdocvw.dll
- 2008-08-20 05:33:19 474,112 ----a-w c:\windows\system32\shlwapi.dll
+ 2008-10-16 10:20:51 474,112 ----a-w c:\windows\system32\shlwapi.dll
- 2006-09-25 22:58:48 14,640 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\system32\spmsg.dll
- 2006-08-21 14:52:08 246,814 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-03 10:15:47 247,326 ----a-w c:\windows\system32\strmdll.dll
- 2008-07-14 11:09:18 62,976 ----a-w c:\windows\system32\tzchange.exe
+ 2008-10-22 09:47:07 62,976 ----a-w c:\windows\system32\tzchange.exe
- 2008-08-20 05:33:19 619,008 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 10:20:53 619,008 ----a-w c:\windows\system32\urlmon.dll
- 2008-08-20 05:33:19 667,648 ----a-w c:\windows\system32\wininet.dll
+ 2008-10-16 10:20:49 667,648 ----a-w c:\windows\system32\wininet.dll
- 2006-10-19 02:47:20 937,984 ----a-w c:\windows\system32\WMNetMgr.dll
+ 2008-06-18 10:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll
- 2006-10-19 02:47:22 2,450,944 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-18 10:03:14 2,458,112 ----a-w c:\windows\system32\WMVCore.dll
- 2008-08-19 09:20:32 351,744 ----a-w c:\windows\system32\xpsp3res.dll
+ 2008-10-15 14:00:41 351,744 ----a-w c:\windows\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-15 966656]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"Auto EPSON Stylus CX6600 Series on BASEMENT"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE" [2004-02-29 98304]
"Auto EPSON Stylus CX6600 Series on BASEMENT (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE" [2004-02-29 98304]
"Auto Auto EPSON Stylus CX6600 Series on YOUR-28180281E2 on BASEMENT"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE" [2004-02-29 98304]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-09-12 160160]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-06 1261336]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2007-11-23 1742384]
Install Pending Files.LNK - c:\program files\SIFXINST\SIFXINST.EXE [2007-11-23 729088]
Microsoft Broadband Networking.lnk - c:\windows\Installer\{2C84BB95-1DB9-4AC4-8750-F979BBCDD859}\_18be6784.exe [2007-11-23 25214]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll raimqm.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\tuvTliHW
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-06 97928]
R3 MSFT43XX;Microsoft Wireless Notebook Adapter Driver;c:\windows\system32\drivers\mn720-50.sys [2003-07-18 254208]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-06 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-06 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-06 76040]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-09 24652]
R4 ZDCNDIS5;ZDCNDIS5 NDIS5.1 Protocol Driver;c:\windows\system32\ZDCndis5.sys [2008-12-24 20736]
.
Contents of the 'Scheduled Tasks' folder
2008-12-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
BHO-{26b5dbb0-92f9-4e62-9e33-9a4ab870157d} - c:\windows\system32\raimqm.dll
BHO-{32B85999-BDC2-414D-AA7E-A5BA43EC4C1A} - c:\windows\system32\tuvTliHW.dll
HKCU-Run-GetModule33 - c:\program files\GetModule\GetModule33.exe
Notify-pmnoMdbX - pmnoMdbX.dll
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n9bom4h6.default\
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 18:28:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Zune\ZuneNss.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\Microsoft Broadband Networking\MSBNTray.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-01-14 18:33:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-14 23:33:23
ComboFix2.txt 2008-12-10 20:19:06
ComboFix3.txt 2008-12-10 01:14:56
Pre-Run: 28,845,666,304 bytes free
Post-Run: 28,825,505,792 bytes free
389 --- E O F --- 2008-12-18 08:00:59
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:57 PM, on 1/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Hazard.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on BASEMENT] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P43 "Auto EPSON Stylus CX6600 Series on BASEMENT" /O17 "\\BASEMENT\hazard" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on BASEMENT (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P52 "Auto EPSON Stylus CX6600 Series on BASEMENT (Copy 1)" /O23 "\\BASEMENT\EPSON_Stylus" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Auto Auto EPSON Stylus CX6600 Series on YOUR-28180281E2 on BASEMENT] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P67 "Auto Auto EPSON Stylus CX6600 Series on YOUR-28180281E2 on BASEMENT" /O23 "\\BASEMENT\Auto_EPSON_S" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll raimqm.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 5120 bytes
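The ComboFix log above carries the indicators a helper reads first: an unrecognised DLL appended to AppInit_DLLs (raimqm.dll, beside AVG's avgrsstx.dll), an extra entry in the LSA Authentication Packages list (tuvTliHW), Security Center antivirus alerts switched off, the Windows Firewall standard profile disabled, and orphaned BHO entries that point at files listed under "Other Deletions". The script below is an added example for this thread, not code from the forum, from ComboFix or from the poster: it splits a ComboFix log into its banner-delimited sections and reports those indicators, cross-referencing each loading point against the files ComboFix already removed. The sample log is an excerpt constructed from the log posted above, and the two allowlists (AVG's AppInit hook and the stock msv1_0 package) are assumptions, not something the page states.

```python
"""Flag persistence points and weakened defences in a ComboFix log.

Added example for this thread; not code from the forum or from ComboFix.
"""
import re

# Excerpt constructed from the ComboFix log posted above (the real log is
# much longer; only the sections this script reads are reproduced).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\raimqm.dll
c:\windows\system32\tuvTliHW.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll raimqm.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\tuvTliHW
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
- - - - ORPHANS REMOVED - - - -
BHO-{26b5dbb0-92f9-4e62-9e33-9a4ab870157d} - c:\windows\system32\raimqm.dll
BHO-{32B85999-BDC2-414D-AA7E-A5BA43EC4C1A} - c:\windows\system32\tuvTliHW.dll
Notify-pmnoMdbX - pmnoMdbX.dll
"""

# Assumed allowlists (not from the page): AVG's resident-shield hook DLL and
# the stock Windows XP authentication package. Anything else is reported.
KNOWN_APPINIT_DLLS = {"avgrsstx.dll"}
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# ComboFix separates sections with "((( Title )))", "- - - - TITLE - - - -"
# or "------- Title -------" banners.
BANNER = re.compile(r"^(?:\({3,}|(?:- ){3,}|-{3,} )")


def sections(log):
    """Split a ComboFix log into {section title: [non-empty lines]}."""
    result, current = {}, None
    for line in log.splitlines():
        if BANNER.match(line):
            current = line.strip("() -").strip()
            result[current] = []
        elif current is not None and line.strip() not in ("", "."):
            result[current].append(line.rstrip())
    return result


def basename(path):
    """Last component of a Windows path, lower-cased (os.path won't split '\\' on POSIX)."""
    return path.rsplit("\\", 1)[-1].lower()


def find_indicators(log):
    """Return (category, detail) findings in log order."""
    sec = sections(log)
    deleted = {basename(p) for p in sec.get("Other Deletions", [])}

    def deleted_note(name):
        # LSA lists packages without the .dll suffix, so try both forms.
        n = basename(name)
        return " (file deleted by ComboFix)" if n in deleted or n + ".dll" in deleted else ""

    findings, key = [], None
    for line in sec.get("Reg Loading Points", []):
        if line.startswith("["):
            key = line.strip("[]").lower()
        elif key is None:
            continue
        elif key.endswith(r"currentversion\windows") and line.startswith('"AppInit_DLLs"='):
            # AppInit_DLLs are injected into every process that loads user32.dll.
            for dll in line.split("=", 1)[1].split():
                if dll.lower() not in KNOWN_APPINIT_DLLS:
                    findings.append(("appinit", f"AppInit_DLLs loads {dll}{deleted_note(dll)}"))
        elif key.endswith(r"control\lsa") and line.startswith("Authentication Packages"):
            # Extra LSA packages run inside lsass.exe and see every logon.
            for pkg in line.split("REG_MULTI_SZ", 1)[1].split():
                if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                    findings.append(("lsa_auth_package", f"LSA loads {pkg}{deleted_note(pkg)}"))
        elif key.endswith("security center") and line.startswith('"AntiVirusDisableNotify"=dword:00000001'):
            findings.append(("av_notify_disabled", "Security Center AV alerts suppressed"))
        elif "firewallpolicy" in key and line.startswith('"EnableFirewall"='):
            if line.split("=", 1)[1].strip().startswith("0"):
                profile = key.rsplit("\\", 1)[-1]
                findings.append(("firewall_disabled", f"Windows Firewall off: {profile}"))

    # Orphans that pointed at deleted files confirm which loading points
    # belonged to the removed DLLs.
    for line in sec.get("ORPHANS REMOVED", []):
        kind, _, target = line.partition(" - ")
        if basename(target) in deleted:
            findings.append(("orphan_deleted", f"{kind} referenced {basename(target)}, which ComboFix deleted"))
    return findings


if __name__ == "__main__":
    for category, detail in find_indicators(SAMPLE_LOG):
        print(f"{category:18} {detail}")
```

Run it against a saved ComboFix.txt by reading the file into `find_indicators`; on the excerpt it reports the AppInit and LSA entries as pointing at files ComboFix deleted, the suppressed Security Center alert, the disabled standard-profile firewall, and the two BHO orphans. Entries it does not flag (the Notify orphan pmnoMdbX.dll, for instance) still deserve a manual look, since the allowlists are deliberately small.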