
Win32.TDSS.rtk Help Please



shwabo
2009-07-16, 04:33
Hello, can someone please help me remove Win32.TDSS.rtk from this computer? It keeps showing up in Spybot when I run a scan. Thanks in advance.

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:22 PM, on 7/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dldocoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell 968 AIO Printer\memcard.exe
C:\Program Files\Dell 968 AIO Printer\dldomon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Nova Development\Scrapbook Factory\ReminderApp.exe
C:\Program Files\Nova Development\Photo Explosion 3.0\calcheck.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2008\Planner\PLNRnote.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080404
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\msywzw.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nvcpldaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [memorycardmanager] "C:\Program Files\Dell 968 AIO Printer\memcard.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [dldomon.exe] "C:\Program Files\Dell 968 AIO Printer\dldomon.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [dell 968 aio printer fax server] "C:\Program Files\Dell 968 AIO Printer\fm3032.exe" /s
O4 - HKLM\..\Run: [alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [verizon_mccitrayapp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKLM\..\Run: [rthdcpl] RTHDCPL.EXE
O4 - HKLM\..\Run: [reminderapp] C:\Program Files\Nova Development\Scrapbook Factory\ReminderApp.exe
O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [photoexplosioncalcheck] C:\Program Files\Nova Development\Photo Explosion 3.0\calcheck.exe
O4 - HKLM\..\Run: [pdvddxsrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iriver updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Event Planner Reminder 2008.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {7530bfb8-7293-4d34-9923-61a11451afc5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dldoCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe
O23 - Service: dldo_device - - C:\WINDOWS\system32\dldocoms.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 8132 bytes
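A HijackThis log like the one above is read by section code: a helper looks at the handful of entry types that carry persistence (F3 win.ini, O4 autostarts, O10 LSPs, O20 AppInit/Winlogon hooks, O23 services) before asking for deeper tools. The following is an added example, not part of the thread and not a HijackThis feature: a small Python triage that reads a log in this format and pulls out those entries. The sample lines are copied from the log above; the review rules are this example's own heuristics, and a hit means "look it up", not "malicious".

```python
"""Triage a HijackThis 2.0.x log by section code.

Added example for this thread, not a HijackThis feature. The rules below are
common helper heuristics: a hit is an entry to look up, not a verdict.
"""
import re

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\msywzw.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nvcpldaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


def _review_f3(body):
    # win.ini [windows] load= is a Windows 3.x autostart that NT maps into the
    # registry; current software does not use it, so anything here stands out.
    low = body.lower()
    if low.startswith("reg:win.ini:") and "load=" in low:
        return "legacy win.ini load= autostart; identify the file it launches"
    return None


def _review_o4(body):
    # An autostart that names a bare file is resolved via PATH at logon;
    # the helper has to find the file before judging it.
    cmd = body.split("] ", 1)[1] if "] " in body else body
    if "\\" not in cmd.strip().strip('"'):
        return "autostart has no directory; locate the file and check its publisher"
    return None


def _review_o10(body):
    if body.startswith("Unknown file in Winsock LSP"):
        return "Winsock LSP not in the HJT whitelist; confirm it is a known provider"
    return None


def _review_o20(body):
    if body.startswith("AppInit_DLLs"):
        return "AppInit_DLLs is loaded into every process that loads user32.dll"
    if body.startswith("Winlogon Notify"):
        return "Winlogon Notify DLL runs inside winlogon.exe"
    return None


def _review_o23(body):
    if " - Unknown owner - " in body:
        return "service owner unknown; verify its ImagePath and file signature"
    return None


RULES = {"F3": _review_f3, "O4": _review_o4, "O10": _review_o10,
         "O20": _review_o20, "O23": _review_o23}


def triage(log_text):
    """Return the entries a helper reviews first, each with the reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        rule = RULES.get(m.group("code"))
        reason = rule(m.group("body")) if rule else None
        if reason:
            findings.append({"code": m.group("code"), "entry": line, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']:<4} {f['reason']}\n     {f['entry']}")
```

Run against the sample, the F3 line pointing at msywzw.exe comes out first; the O4 entries with full paths (NvCpl, iTunesHelper) and the NVIDIA service with a named owner are left alone, while the bare ALCMTR.EXE, the LSP, both O20 hooks and the ownerless BITS entry are listed for a look-up.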

Bio-Hazard
2009-07-17, 07:52
Hello and welcome to the forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

I will be working on your malware issues; this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine.
If you don't know or understand something, please don't hesitate to ask.
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.

No Reply Within 4 Days Will Result In Your Topic Being Closed!!

Bio-Hazard
2009-07-17, 07:54
Security Check

Download Security Check by screen317 from:

Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.




STEP 1

Download DDS

Please download DDS by sUBs from one of the links below and save it to your desktop:

http://img.photobucket.com/albums/v666/sUBs/dds_scr.gif

Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://www.forospyware.com/sUBs/dds)

Please disable any anti-malware program that will block scripts from running before running DDS.

Double-click on dds.scr and a command window will appear. This is normal.
Shortly after, two logs will appear:

DDS.txt
Attach.txt

A window will open instructing you to save & post the logs.
Save the logs to a convenient place such as your desktop.
Copy the contents of both logs & post them in your next reply.




STEP 2

RootRepeal - Rootkit Detector

Download RootRepeal.zip (http://rootrepeal.googlepages.com/RootRepeal.zip) and unzip it to your Desktop.

Double click RootRepeal.exe to start the program.
Click on the Report tab at the bottom of the program window.
Click the Scan button.
In the Select Scan dialog, check:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button.
In the next dialog, select all drives showing.
Click OK to start the scan.

The scan can take some time. DO NOT run any other programs while the scan is running.

When the scan is complete, the Save Report button will become available.
Click this and save the report to your Desktop as RootRepeal.txt.
Go to File, then Exit to close the program.




Next Reply

Please reply with:

checkup.txt
DDS.txt
Attach.txt
RootRepeal.txt
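What the Drivers, Files and Stealth Objects boxes in the RootRepeal step are for: the report separates objects the kernel knows about but the Windows API will not return ("Hidden from" / "Invisible to the Windows API") from files that are merely in use ("Locked", which is normal for hiberfil.sys or Recycle Bin contents), and its Stealth Objects section lists DLLs present in a process but missing from that process's own module list. A kernel driver that hides itself plus a DLL of the same name prefix injected into winlogon, services and every svchost is the pattern those three scans surface together. As an added example (not part of the thread, not RootRepeal's own code), the Python below parses a report in that format and correlates the three sections; the sample is a constructed excerpt in the same layout, built from entries that appear in the report posted later in this thread, and the `rootkit_pattern` flag and prefix heuristic are this example's own.

```python
"""Parse a RootRepeal 1.3.x report and correlate its hidden-object sections.

Added example for this thread, not RootRepeal's own code. "Locked" means the
file is in use; "Hidden"/"Invisible" means it was filtered from the Windows API.
"""
import os
import re
from collections import defaultdict

# Constructed excerpt in RootRepeal's layout, using entries from this thread.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================

Drivers
-------------------
Name: SKYNETuplrrtnk.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETuplrrtnk.sys
Address: 0xB5295000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\SKYNETdkdmvvse.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETvxdlxrdb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNETuplrrtnk.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: winlogon.exe (PID: 500) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: services.exe (PID: 548) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETyudqbwtm.dll]
Process: svchost.exe (PID: 728) Address: 0x006b0000 Address: 57344
"""

MODULE_RE = re.compile(r"Hidden Module \[Name: (.+?)\]")


def parse_report(text):
    """Split the report into sections, each a list of 'Key: Value' records."""
    sections, current, record = {}, None, {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.strip() and ":" not in line and nxt.startswith("-----"):
            if record:
                sections[current].append(record)
            current, record = line.strip(), {}
            sections[current] = []
        elif current is None or line.startswith("-----"):
            continue  # preamble or section underline
        elif not line.strip():
            if record:
                sections[current].append(record)
                record = {}
        else:
            key, _, value = line.partition(": ")
            record[key.strip()] = value.strip()
    if record:
        sections[current].append(record)
    return sections


def summarize(text):
    """Correlate hidden drivers, invisible files and injected modules."""
    sections = parse_report(text)
    hidden_drivers = [d["Image Path"] for d in sections.get("Drivers", [])
                      if "hidden" in d.get("Status", "").lower()]
    invisible, locked = [], []
    for f in sections.get("Hidden/Locked Files", []):
        status = f.get("Status", "").lower()
        if "invisible" in status or "hidden" in status:
            invisible.append(f["Path"])
        elif "locked" in status:
            locked.append(f["Path"])
    injected = defaultdict(list)  # module name -> processes it was found in
    for o in sections.get("Stealth Objects", []):
        m = MODULE_RE.match(o.get("Object", ""))
        if m:
            injected[m.group(1)].append(o.get("Process", "").split(" (PID", 1)[0])
    # A rootkit that hides by name prefix leaves that prefix on every object.
    names = [p.rsplit("\\", 1)[-1] for p in hidden_drivers + invisible] + list(injected)
    prefix = os.path.commonprefix(names)
    return {"hidden_drivers": hidden_drivers, "invisible_files": invisible,
            "locked_files": locked, "injected_modules": dict(injected),
            "common_prefix": prefix if len(prefix) >= 4 else "",
            "rootkit_pattern": bool(hidden_drivers and injected)}
```

On the sample, the summary reports one hidden driver, three invisible files (the driver's own image among them), hiberfil.sys as merely locked, two hidden modules with the processes each was found in, and "SKYNET" as the prefix shared by every hidden object; the Recycle Bin entries that fill most of the real report would all land in `locked_files` and stay out of the picture.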

shwabo
2009-07-18, 04:44
Thank you so much for your help. I was able to download and run everything. Below are the reports.

Checkup:

Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````
Windows Firewall Disabled!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````
Spybot - Search & Destroy
HijackThis 2.0.2
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
Spybot SDHelper is disabled!
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````
GREAT! (Very random)

Scan took 1 seconds.
`````````End of Log```````````

Attach:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 4/8/2008 11:58:23 PM
System Uptime: 7/17/2009 9:49:13 PM (1 hours ago)

Motherboard: Dell Inc. | | 0FM586
Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2394/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 695 GiB total, 668.994 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\806479E9D100
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\806479E9D100
Service: NIC1394

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


==== Event Viewer Messages From Past Week ========


==== End Of File ===========================

DDS:


DDS (Ver_09-06-26.01) - NTFSx86
Run by AMY at 22:23:08.82 on Fri 07/17/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2525 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dldocoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell 968 AIO Printer\memcard.exe
C:\Program Files\Dell 968 AIO Printer\dldomon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Nova Development\Scrapbook Factory\ReminderApp.exe
C:\Program Files\Nova Development\Photo Explosion 3.0\calcheck.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2008\Planner\PLNRnote.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\AMY\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = hxxp://www.msn.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uWindows: load=c:\windows\system32\msywzw.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [H/PC Connection Agent] "c:\progra~1\mi3aa1~1\wcescomm.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [nvcpldaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [memorycardmanager] "c:\program files\dell 968 aio printer\memcard.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dldomon.exe] "c:\program files\dell 968 aio printer\dldomon.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [dell 968 aio printer fax server] "c:\program files\dell 968 aio printer\fm3032.exe" /s
mRun: [alcmtr] ALCMTR.EXE
mRun: [verizon_mccitrayapp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [rthdcpl] RTHDCPL.EXE
mRun: [reminderapp] c:\program files\nova development\scrapbook factory\ReminderApp.exe
mRun: [quicktime task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [photoexplosioncalcheck] c:\program files\nova development\photo explosion 3.0\calcheck.exe
mRun: [pdvddxsrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ituneshelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [iriver updater] c:\program files\iriver\iriver manager\updater\Updater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~1.lnk - c:\windows\installer\{747a6a10-da58-48c2-a1f0-c15514419c8a}\Shortcut_EventPlan_5D0DF1BBD82E4FB2B98E4FDE42EF7EBB.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {7530bfb8-7293-4d34-9923-61a11451afc5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe -service --> c:\windows\system32\dldocoms.exe -service [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-9-5 24652]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2008-7-6 598856]
S2 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldoserv.exe [2008-6-10 99568]

=============== Created Last 30 ================

2009-07-07 23:10 <DIR> --d----- c:\program files\Trend Micro
2009-07-04 13:21 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-04 00:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-04 00:04 <DIR> --d----- c:\docume~1\amy\applic~1\SUPERAntiSpyware.com
2009-07-03 23:34 <DIR> --d----- c:\docume~1\amy\applic~1\Malwarebytes
2009-07-03 22:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2008-06-10 14:09 88 ---shr-- c:\windows\system32\5E1FD8CDC5.sys
2008-06-10 14:13 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-06-13 23:29 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061320080614\index.dat

============= FINISH: 22:24:34.17 ===============

RootRepeal:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/07/17 22:29
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: a56da9b4.sys
Image Path: C:\WINDOWS\System32\drivers\a56da9b4.sys
Address: 0xBA228000 Size: 61184 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB4ED4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA624000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB2E22000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SKYNETuplrrtnk.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETuplrrtnk.sys
Address: 0xB5295000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\SKYNETdkdmvvse.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETpsbppqlq.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETvxdlxrdb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETyudqbwtm.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETnptethians.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNEToriyuwfbwj.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETrxtqfbybrp.tmp
Status: Invisible to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\013_10~2.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\016_13~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\017_14~2.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\018_15~2.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\021_18~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\024_21~2.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\026_23~2.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\BRANSH~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\025_22~2.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2798~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2794~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\INBFD5~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\ED&GIR~1.MIX
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\ELLENA~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\ELLENP~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\ELLEN&~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\ELLEN&~2.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\ELLEN&~3.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\ELLEN&~4.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2398~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2B98~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2F98~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL23A8~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2F76~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2386~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2786~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2B86~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2F86~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2396~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2796~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2B96~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2F96~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL23A6~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2F74~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2384~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2784~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2F94~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL23A4~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2782~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2B82~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2F82~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2392~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2792~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2B92~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2F92~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2380~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2B80~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\EL2390~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\ELLEN&~1.MOV
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\ELLEN&~1.WMV
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\INDIAN~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\INDIAN~2.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\INDIAN~3.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\INDIAN~4.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\INB3EF~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\INB7EF~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\INBBEF~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\INBFEF~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\INB3FF~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\INBFC5~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\INB3D5~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\INB7D5~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\INBBD5~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\INB3E5~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\INB7E5~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\INBBE5~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\INBFE5~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\JULIAP~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\JULIAE~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\JULIPA~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\LAKESA~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\LAKESA~2.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\LAKESA~3.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\LAKESA~4.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\POPPOP~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\SCOTTW~2.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\SCOTTW~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\SCOTT'~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\SCOTT'~2.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\SCOTT'~3.JPG
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNETuplrrtnk.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\a56da9b4.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\amy\local settings\temp\~df2851.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\petting zoo, at grama's house, sleepover\1STSLE~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\petting zoo, at grama's house, sleepover\ATPOPP~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\petting zoo, at grama's house, sleepover\ELLENF~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\petting zoo, at grama's house, sleepover\JULIA&~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\petting zoo, at grama's house, sleepover\KISSFR~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\petting zoo, at grama's house, sleepover\LILGOL~1.JPG
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-741404661-12212112-695681161-1006\Dc36\petting zoo, at grama's house, sleepover\NISSAN~1.JPG
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: winlogon.exe (PID: 500) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: services.exe (PID: 548) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: lsass.exe (PID: 560) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETyudqbwtm.dll]
Process: svchost.exe (PID: 728) Address: 0x006b0000 Address: 57344

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: svchost.exe (PID: 728) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: svchost.exe (PID: 796) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: svchost.exe (PID: 872) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: svchost.exe (PID: 1016) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: svchost.exe (PID: 1048) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: spoolsv.exe (PID: 1228) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: svchost.exe (PID: 1320) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: AppleMobileDeviceService.exe (PID: 1352) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: mDNSResponder.exe (PID: 1380) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: dldocoms.exe (PID: 1488) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: McciCMService.exe (PID: 1552) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: nvsvc32.exe (PID: 1672) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: PSIService.exe (PID: 1708) Address: 0x00820000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: sprtsvc.exe (PID: 1784) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: svchost.exe (PID: 1816) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: ViewpointService.exe (PID: 1872) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: WasherSvc.exe (PID: 1948) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: alg.exe (PID: 1196) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: wscntfy.exe (PID: 3384) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: Explorer.EXE (PID: 3508) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: memcard.exe (PID: 3788) Address: 0x019d0000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: dldomon.exe (PID: 3804) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: sprtcmd.exe (PID: 3812) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: RTHDCPL.EXE (PID: 3836) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: ReminderApp.exe (PID: 3852) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: calcheck.exe (PID: 3868) Address: 0x01130000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: PDVDDXSrv.exe (PID: 3876) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: iTunesHelper.exe (PID: 3896) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: Updater.exe (PID: 3912) Address: 0x00b30000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: ctfmon.exe (PID: 3968) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: wcescomm.exe (PID: 136) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: DLG.exe (PID: 1824) Address: 0x00dc0000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: PLNRnote.exe (PID: 460) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: rapimgr.exe (PID: 1112) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: Hotsync.exe (PID: 1072) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: iPodService.exe (PID: 1940) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: iexplore.exe (PID: 512) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: iexplore.exe (PID: 1920) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: RootRepeal.exe (PID: 3100) Address: 0x10000000 Address: 32768

Hidden Services
-------------------
Service Name: a56da9b4
Image PathC:\WINDOWS\System32\drivers\a56da9b4.sys

Service Name: SKYNETorgrqtow
Image PathC:\WINDOWS\system32\drivers\SKYNETuplrrtnk.sys

==EOF==
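
A small triage helper for the two RootRepeal sections above, added here as an example; it is not code from this thread or from RootRepeal. It parses the "Stealth Objects" and "Hidden Services" records in the format the log uses (including the missing space after "Image Path"), counts in how many distinct processes each hidden module appears, and ties modules to hidden services by a naming heuristic (the run of leading upper-case letters, here "SKYNET"). The sample report is a constructed excerpt of the records in the log above; the threshold of 3 processes is an assumption.

```python
"""Triage RootRepeal 'Stealth Objects' and 'Hidden Services' records.

Added example (not part of the forum post or of RootRepeal). It summarises
which hidden modules are loaded into how many processes and which hidden
services back which driver files, so a log reader can see the pattern of a
system-wide injection at a glance.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of records excerpted from the RootRepeal log above.
SAMPLE_REPORT = r"""Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: winlogon.exe (PID: 500) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: services.exe (PID: 548) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: SKYNETyudqbwtm.dll]
Process: svchost.exe (PID: 728) Address: 0x006b0000 Address: 57344

Object: Hidden Module [Name: SKYNETvxdlxrdb.dll]
Process: svchost.exe (PID: 728) Address: 0x10000000 Address: 32768

Hidden Services
-------------------
Service Name: a56da9b4
Image PathC:\WINDOWS\System32\drivers\a56da9b4.sys

Service Name: SKYNETorgrqtow
Image PathC:\WINDOWS\system32\drivers\SKYNETuplrrtnk.sys

==EOF==
"""

MODULE_RE = re.compile(r"^Object: Hidden Module \[Name: (?P<name>[^\]]+)\]$")
PROCESS_RE = re.compile(r"^Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\)")
SERVICE_RE = re.compile(r"^Service Name: (?P<svc>\S+)$")
# RootRepeal prints "Image Path" directly followed by the path; accept an optional colon/space too.
IMAGE_RE = re.compile(r"^Image Path:?\s*(?P<path>.+)$")


def parse_hidden_modules(report):
    """Return {module_name: [(process, pid), ...]} from the Stealth Objects records."""
    modules = defaultdict(list)
    current = None
    for line in report.splitlines():
        m = MODULE_RE.match(line)
        if m:
            current = m.group("name")
            continue
        p = PROCESS_RE.match(line)
        if p and current:
            modules[current].append((p.group("proc"), int(p.group("pid"))))
            current = None
    return dict(modules)


def parse_hidden_services(report):
    """Return {service_name: image_path} from the Hidden Services records."""
    services = {}
    current = None
    for line in report.splitlines():
        s = SERVICE_RE.match(line)
        if s:
            current = s.group("svc")
            continue
        i = IMAGE_RE.match(line)
        if i and current:
            services[current] = i.group("path").strip()
            current = None
    return services


def leading_upper(name):
    """Heuristic naming key: the run of leading upper-case letters ('SKYNET' for 'SKYNETvxdlxrdb.dll')."""
    m = re.match(r"[A-Z]+", name)
    return m.group(0) if m else ""


def triage(report, min_processes=3):
    """Summarise the report. min_processes (assumed threshold) marks a module as widely injected."""
    modules = parse_hidden_modules(report)
    services = parse_hidden_services(report)
    injected = {name: sorted({proc for proc, _ in procs}) for name, procs in modules.items()}
    widely = {name: procs for name, procs in injected.items() if len(procs) >= min_processes}
    service_keys = {leading_upper(s) for s in services if leading_upper(s)}
    related = sorted(n for n in modules if leading_upper(n) in service_keys)
    return {
        "injected": injected,               # module -> distinct processes it was hidden in
        "widely_injected": widely,          # subset present in >= min_processes processes
        "hidden_services": services,        # hidden service -> driver image path
        "related_to_service": related,      # modules sharing a naming key with a hidden service
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(key, value)
```

Run against the full log rather than the excerpt and the widely-injected list collapses to the single DLL present in every user-mode process, with the second DLL confined to one svchost.exe instance; the hidden driver service with the same naming key is what keeps both loaded across reboots, which is why the helper below reaches for a tool that removes drivers and services rather than just deleting the DLLs.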

Bio-Hazard
2009-07-18, 09:43
Hello!

What do you use as your antivirus program?

Download and Run ComboFix



ComboFix SHOULD NOT be used unless requested by a forum helper.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE (http://www.bleepingcomputer.com/forums/topic114351.html)
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif


Double click on Combo-Fix.exe and follow the prompts.
When finished, it will produce a report for you (C:\ComboFix.txt )
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Combofix should never take more than 20 minutes including the reboot if malware is detected.

IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.


Next Reply

Please reply with:
ComboFix log (found at C:\Combofix.txt)
New HijackThis log

shwabo
2009-07-19, 06:06
I thought they had AVG Free on this computer, but I don't see it anymore. I personally use NOD32 for my PC's and will be recommending the same to them before I give this PC back to them. Here are the log files. Thanks!

ComboFix:

ComboFix 09-07-14.08 - AMY 07/18/2009 23:18.1.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2736 [GMT -4:00]
Running from: c:\documents and settings\AMY\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2139830847-1551500853-213548912-1510
c:\windows\Install.txt
c:\windows\Installer\164afba.msp
c:\windows\Installer\164afc4.msp
c:\windows\Installer\2cf0635.msi
c:\windows\Installer\2d81bc0.msp
c:\windows\irc.txt
c:\windows\system32\drivers\a56da9b4.sys
c:\windows\system32\drivers\SKYNETuplrrtnk.sys
c:\windows\system32\Install.txt
c:\windows\system32\mfc45.dll
c:\windows\system32\SKYNETdkdmvvse.dat
c:\windows\system32\SKYNETpsbppqlq.dat
c:\windows\system32\SKYNETvxdlxrdb.dll
c:\windows\system32\SKYNETyudqbwtm.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\system32\dllcache\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETorgrqtow
-------\Legacy_avast!antivirus
-------\Legacy_jmnhhgrtja35ujghuykj6r8io9iujg80
-------\Legacy_podmena
-------\Legacy_podmenadrv
-------\Service_a56da9b4


((((((((((((((((((((((((( Files Created from 2009-06-19 to 2009-07-19 )))))))))))))))))))))))))))))))
.

2009-07-19 03:22 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-19 03:22 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-17 02:23 . 2009-07-17 02:23 -------- d-----w- C:\Rooter$
2009-07-08 03:10 . 2009-07-08 03:10 -------- d-----w- c:\program files\Trend Micro
2009-07-08 03:09 . 2009-07-08 03:09 -------- d-----w- c:\program files\ERUNT
2009-07-04 17:21 . 2009-07-04 17:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-04 05:17 . 2009-07-04 17:03 -------- d-----w- c:\documents and settings\EDDIE\Application Data\SUPERAntiSpyware.com
2009-07-04 04:04 . 2009-07-04 15:01 117760 ----a-w- c:\documents and settings\AMY\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-04 04:04 . 2009-07-04 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-04 04:04 . 2009-07-04 04:04 -------- d-----w- c:\documents and settings\AMY\Application Data\SUPERAntiSpyware.com
2009-07-04 03:34 . 2009-07-04 03:34 -------- d-----w- c:\documents and settings\AMY\Application Data\Malwarebytes
2009-07-04 02:47 . 2009-07-04 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-04 02:32 . 2009-07-04 02:32 -------- d-----w- c:\documents and settings\EDDIE\Application Data\Malwarebytes
2009-06-22 22:03 . 2009-06-22 22:03 -------- d-----w- c:\documents and settings\EDDIE\Application Data\Roxio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 01:08 . 2008-07-06 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-04 17:17 . 2008-04-04 13:17 -------- d-----w- c:\program files\Google
2009-07-04 17:05 . 2008-07-06 04:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-22 22:29 . 2008-04-04 13:18 -------- d-----w- c:\program files\Roxio
2009-06-22 13:31 . 2008-04-19 18:07 7924 ----a-w- c:\documents and settings\EDDIE\Application Data\wklnhst.dat
2009-06-17 22:48 . 2008-09-10 04:37 -------- d-----w- c:\documents and settings\EDDIE\Application Data\U3
2009-06-17 20:51 . 2009-06-17 20:51 -------- d-----w- c:\documents and settings\EDDIE\Application Data\iolo
2009-06-17 20:51 . 2009-06-17 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2009-06-17 01:03 . 2008-08-20 01:40 -------- d-----w- c:\program files\Coupons
2009-06-17 00:12 . 2009-04-03 22:51 -------- d-----w- c:\program files\Common Files\Motive
2009-06-15 19:22 . 2008-12-24 16:57 -------- d-----w- c:\program files\JumpStart
2009-06-12 04:03 . 2008-04-04 13:17 -------- d-----w- c:\program files\Microsoft Works
2009-06-05 15:42 . 2009-04-17 03:32 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 15:42 . 2008-12-31 01:44 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-21 13:13 . 2009-05-21 13:13 5420765 ----a-w- c:\documents and settings\All Users\SPL18.tmp
2009-05-16 17:38 . 2009-05-16 17:38 1421473 ----a-w- c:\documents and settings\All Users\SPL4A.tmp
2009-05-13 05:15 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 03:08 . 2008-04-24 18:18 1318 ----a-w- c:\documents and settings\AMY\Application Data\wklnhst.dat
2008-06-10 18:09 . 2008-06-10 18:08 88 --sh--r- c:\windows\system32\5E1FD8CDC5.sys
2008-06-10 18:13 . 2008-06-10 18:08 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"H/PC Connection Agent"="c:\progra~1\MI3AA1~1\wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nvcpldaemon"="c:\windows\system32\NvCpl.dll" [2007-05-27 8429568]
"memorycardmanager"="c:\program files\Dell 968 AIO Printer\memcard.exe" [2007-10-05 410864]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-13 16384]
"dldomon.exe"="c:\program files\Dell 968 AIO Printer\dldomon.exe" [2007-10-05 455920]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"dell 968 aio printer fax server"="c:\program files\Dell 968 AIO Printer\fm3032.exe" [2007-10-05 312560]
"reminderapp"="c:\program files\Nova Development\Scrapbook Factory\ReminderApp.exe" [2007-10-19 161600]
"quicktime task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"photoexplosioncalcheck"="c:\program files\Nova Development\Photo Explosion 3.0\calcheck.exe" [2007-12-04 75336]
"pdvddxsrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"ituneshelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"iriver updater"="c:\program files\iRiver\iRiver Manager\Updater\Updater.exe" [2004-03-10 204800]
"rthdcpl"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-17 16132608]

c:\documents and settings\EDDIE\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-2-22 2301952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-4 24576]
Event Planner Reminder 2008.lnk - c:\windows\Installer\{747A6A10-DA58-48C2-A1F0-C15514419C8A}\Shortcut_EventPlan_5D0DF1BBD82E4FB2B98E4FDE42EF7EBB.exe [2008-6-15 1718]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-10 13:40 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dldocoms.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldomon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldopswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldotime.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldoaiox.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldojswx.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\DLDOFax.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldoafcn.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe -service --> c:\windows\system32\dldocoms.exe -service [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/5/2008 4:39 PM 24652]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [7/6/2008 12:51 AM 598856]
S2 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldoserv.exe [6/10/2008 9:51 AM 99568]
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-07-19 c:\windows\Tasks\User_Feed_Synchronization-{4B58D1B5-7E15-4E83-B75F-A8C92440C1A7}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-OE_OEM - c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKLM-Run-verizon_mccitrayapp - c:\program files\Verizon\McciTrayApp.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {7530bfb8-7293-4d34-9923-61a11451afc5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-18 23:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(1952)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dldocoms.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PSIService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Creative Home\Hallmark Card Studio 2008\Planner\PLNRnote.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-19 23:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-19 03:28

Pre-Run: 718,256,807,936 bytes free
Post-Run: 718,544,224,256 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

203 --- E O F --- 2009-06-12 11:26


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:58 PM, on 7/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dldocoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell 968 AIO Printer\memcard.exe
C:\Program Files\Dell 968 AIO Printer\dldomon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Nova Development\Scrapbook Factory\ReminderApp.exe
C:\Program Files\Nova Development\Photo Explosion 3.0\calcheck.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2008\Planner\PLNRnote.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080404
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nvcpldaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [memorycardmanager] "C:\Program Files\Dell 968 AIO Printer\memcard.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [dldomon.exe] "C:\Program Files\Dell 968 AIO Printer\dldomon.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [dell 968 aio printer fax server] "C:\Program Files\Dell 968 AIO Printer\fm3032.exe" /s
O4 - HKLM\..\Run: [rthdcpl] RTHDCPL.EXE
O4 - HKLM\..\Run: [reminderapp] C:\Program Files\Nova Development\Scrapbook Factory\ReminderApp.exe
O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [photoexplosioncalcheck] C:\Program Files\Nova Development\Photo Explosion 3.0\calcheck.exe
O4 - HKLM\..\Run: [pdvddxsrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iriver updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Event Planner Reminder 2008.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {7530bfb8-7293-4d34-9923-61a11451afc5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dldoCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe
O23 - Service: dldo_device - - C:\WINDOWS\system32\dldocoms.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 7758 bytes

Bio-Hazard
2009-07-19, 09:24
I thought they had AVG Free on this computer, but I don't see it anymore. I personally use NOD32 for my PC's and will be recommending the same to them before I give this PC back to them. Here are the log files. Thanks!

We need to install an antivirus program on this computer. Underneath are some free options. Or you can put NOD32 on if your friend agrees with you.

Antivirus

Looking over your log, it seems there is no evidence of any anti-virus software.

Anti-virus software are programs that detect, clean and erase harmful virus files on a computer, Web server or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, and thereby spread infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:



Avira AntiVir Personal (http://www.free-av.de/en/download/1/avira_antivir_personal__free_antivirus.html) (Protects your computer against dangerous viruses, worms, Trojans and costly dialers.)
avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) (The home edition is freeware for noncommercial users.)
AVG Anti-Virus Free Edition (http://www.avg.com/filedir/inst/avg_free_stf_en_85_285a1462.exe) (AVG Anti-Virus Free Edition is only available for single computer use for home and non commercial use.)

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer then only one of them should be active in memory at a time.



ATF-Cleaner

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.



Save it to your desktop
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords please click No at the prompt.
Click Exit on the Main menu to close the program.




Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam-download.php) and save it to your desktop.



Alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
Alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)



Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:

Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware


Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:

Make sure the Perform Full Scan option is selected.
Then click on the Scan button.


If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Kaspersky Online Scan

You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.



Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

Spyware, Adware, Dialers, and other potentially dangerous programs
Archives


Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.





Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:


Malwarebytes Antimalware log
Kaspersky Log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving

shwabo
2009-07-22, 06:37
OK. I was able to run what you requested. The computer seems to be running ok. I have a question though. There are four accounts on this PC. I've been doing everything from the one account. If you log into the other accounts they still have little issues, like the system32 folder opens on the one account, and it is still trying to load drivers on the other account that it can't find. Below are the log files.

MBAM:

Malwarebytes' Anti-Malware 1.39
Database version: 2476
Windows 5.1.2600 Service Pack 3

7/21/2009 10:14:26 PM
mbam-log-2009-07-21 (22-14-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 181350
Time elapsed: 26 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\SKYNETvxdlxrdb.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP0\A0000003.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

Kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, July 21, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, July 22, 2009 04:48:01
Records in database: 2510289
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 83817
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:05:05


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\a56da9b4.sys.vir Infected: Backdoor.Win32.NewRest.ao 1

The selected area was scanned.

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:11 AM, on 7/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\dldocoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell 968 AIO Printer\memcard.exe
C:\Program Files\Dell 968 AIO Printer\dldomon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Nova Development\Scrapbook Factory\ReminderApp.exe
C:\Program Files\Nova Development\Photo Explosion 3.0\calcheck.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2008\Planner\PLNRnote.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080404
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [nvcpldaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [memorycardmanager] "C:\Program Files\Dell 968 AIO Printer\memcard.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [dldomon.exe] "C:\Program Files\Dell 968 AIO Printer\dldomon.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [dell 968 aio printer fax server] "C:\Program Files\Dell 968 AIO Printer\fm3032.exe" /s
O4 - HKLM\..\Run: [rthdcpl] RTHDCPL.EXE
O4 - HKLM\..\Run: [reminderapp] C:\Program Files\Nova Development\Scrapbook Factory\ReminderApp.exe
O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [photoexplosioncalcheck] C:\Program Files\Nova Development\Photo Explosion 3.0\calcheck.exe
O4 - HKLM\..\Run: [pdvddxsrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iriver updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-741404661-12212112-695681161-1008\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" (User 'JULIA')
O4 - HKUS\S-1-5-21-741404661-12212112-695681161-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'JULIA')
O4 - HKUS\S-1-5-21-741404661-12212112-695681161-1008\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'JULIA')
O4 - HKUS\S-1-5-21-741404661-12212112-695681161-1008\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe" (User 'JULIA')
O4 - HKUS\S-1-5-21-741404661-12212112-695681161-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'JULIA')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Event Planner Reminder 2008.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {7530bfb8-7293-4d34-9923-61a11451afc5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dldoCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe
O23 - Service: dldo_device - - C:\WINDOWS\system32\dldocoms.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 9882 bytes

Thanks!
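The HijackThis log above is what the helper reads entry by entry. As an added example that is not part of this thread or of HijackThis itself, the Python script below parses HJT log lines, groups the O4 autostart entries by the profile they belong to (which is what the question about the other accounts comes down to), and flags the entry types that usually get a second look. The sample lines are constructed from the log above, and the triage rules are my own heuristics: a flag means "verify", not "malicious".

```python
import re
from collections import defaultdict

# Constructed sample modelled on HijackThis v2.0.2 lines from the log in this
# thread; a real log is much longer, only the entry types handled here appear.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-741404661-12212112-695681161-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'JULIA')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: dldo_device - - C:\WINDOWS\system32\dldocoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HJT entry starts with a section code (R0, R1, O2, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")

# O4 Run entries: hive (HKLM, HKCU or HKUS\<SID>), value name, command and,
# for HKUS entries, the profile name HJT resolved the SID to.
O4_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)


def parse_hjt(text):
    """Return a list of (code, body) tuples, skipping header and blank lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def autostarts_by_profile(entries):
    """Group O4 Run entries by the profile they fire for.

    HKLM entries run for every account, HKCU for the account that ran HJT,
    and HKUS\\<SID> entries for another profile (HJT prints its name).
    Global Startup entries have no hive and are left out here.
    """
    groups = defaultdict(list)
    for code, body in entries:
        m = O4_RE.match(body) if code == "O4" else None
        if not m:
            continue
        if m.group("hive") == "HKLM":
            profile = "all accounts (HKLM)"
        elif m.group("hive") == "HKCU":
            profile = "current account (HKCU)"
        else:
            profile = m.group("user") or m.group("hive")
        groups[profile].append((m.group("name"), m.group("command")))
    return dict(groups)


def split_service(body):
    """Split an O23 body 'Service: <name> - <owner> - <path>' into its fields.

    HJT prints 'name - - path' when a service has no owner string, so the
    empty field is padded before splitting to keep it from being swallowed.
    """
    parts = body[len("Service: "):].replace(" - - ", " -  - ").split(" - ")
    if len(parts) < 3:
        return None
    return parts[0], parts[1], " - ".join(parts[2:])


def triage(entries):
    """Flag entries a helper would look at first (constructed heuristics)."""
    flagged = []
    for code, body in entries:
        if code == "O10" and body.startswith("Unknown file in Winsock LSP"):
            flagged.append((code, body, "LSP not in HJT's known list; verify the DLL"))
        elif code == "O23":
            svc = split_service(body)
            if svc and svc[1].strip() in ("", "Unknown owner"):
                flagged.append((code, body, "service without publisher info; verify the image"))
        elif code == "O4" and body.startswith("HKUS\\"):
            flagged.append((code, body, "autostart in another profile; check it from that account"))
    return flagged


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_HJT_LOG)
    for profile, items in autostarts_by_profile(entries).items():
        print(profile)
        for name, command in items:
            print(f"  [{name}] {command}")
    for code, body, why in triage(entries):
        print(f"{code}: {why}\n  {body}")
```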

shwabo
2009-07-22, 06:38
Sorry, my question is do we need to run scans in the other accounts as well to address the little problems that those accounts have?

Bio-Hazard
2009-07-22, 15:58
Sorry, my question is do we need to run scans in the other accounts as well to address the little problems that those accounts have?

This account looks good. Most of the scanners scan all the user accounts. We can check the other user accounts.


Optional Fix

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. If you select Disable auto-updating for the Viewpoint Manager, the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously. Viewpoint Manager is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything bad. This may change; read Viewpoint to Plunge Into Adware (http://www.clickz.com/showPage.html?page=3561546).

I recommend that you remove the Viewpoint products; however, decide for yourself.

To uninstall the Viewpoint components:


Click Start, point to Settings, and then click Control Panel.
In Control Panel, double-click Add or Remove Programs.
In Add or Remove Programs, highlight >>Viewpoint component<<, click Remove.


How to prevent it from being recreated every time you run the AOL software:

Open AOL
Go to Help on the toolbar
Select About AOL
Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.






Do you have any problems with this user account?

shwabo
2009-07-24, 03:35
OK. I have uninstalled Viewpoint Media Player. I don't see AOL anywhere in the Add/Remove, but I do see something called Unity Web Player. Should I uninstall that too?

shwabo
2009-07-24, 03:37
Sorry, no, the account we have been working in seems fine, sans the Dell Support Center trying to install or fix itself every time you log into it. I haven't looked into that yet.

Bio-Hazard
2009-07-24, 14:06
Hello!

Do you have any problems at the moment?

shwabo
2009-07-26, 06:24
Hello, it seems that 2 out of the 4 accounts are fine now, but the other two have some minor issues. When you log into one of the accounts the System32 folder opens. When you log into the second account it has a few error messages about some files that want to load, but can't find. Both of these accounts are user accounts (not Admin) so I'm not sure that they got cleaned. Not sure what to do at this point for these 2 accounts.

Bio-Hazard
2009-07-26, 11:11
Hello, it seems that 2 out of the 4 accounts are fine now, but the other two have some minor issues. When you log into one of the accounts the System32 folder opens. When you log into the second account it has a few error messages about some files that want to load, but can't find. Both of these accounts are user accounts (not Admin) so I'm not sure that they got cleaned. Not sure what to do at this point for these 2 accounts.

Hello!

Can these accounts be deleted? Can you post a HijackThis log from the account that opens up the System32 folder?



Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:


DDS - (You can just delete the exe file from your desktop)
Securitycheck - (You can just delete the exe file from your desktop)
RootRepeal - (You can just delete the exe file from your desktop)
Atf Cleaner - (You can just delete the exe file from your desktop)



Delete ComboFix and Clean Up
Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
Please advise if this step is missed for any reason as it performs some important actions.

General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.



Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site (http://update.microsoft.com/microsoftupdate) on a regular basis.
NOTE: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
Update Non-Microsoft Programs
Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector) or F-Secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html). I suggest that you run one of them at least once a month.




Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.



WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE (http://www.winpatrol.com/).
SpywareBlaster
SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE (http://www.webopedia.com/TERM/A/ActiveX_control.html). You can download SpywareBlaster from HERE (http://www.javacoolsoftware.com/sbdownload.html).
Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. You can download Malwarebytes' Anti-Malware from HERE (http://www.malwarebytes.org/mbam.php). Here are two tutorials: Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926) and Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913).
Hosts File
For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE (http://forum.malwareremoval.com/viewtopic.php?t=22187) and for more information regarding Hosts files read HERE (http://www.mvps.org/winhelp2002/hosts.htm).
Use an alternative Internet Browser
Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
Firefox (http://www.mozilla.com/en-US/firefox/)
Opera (http://www.opera.com/download/)
Google Chrome (http://www.google.com/chrome)



Here is a great article by miekiemoes: How to prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html).

Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints (http://www.malwarecomplaints.info/index.php). You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard

shwabo
2009-07-28, 02:38
OK. I just spoke to the owner and he said yes, the two accounts can be deleted. He will just create two new ones. I actually think I will let them Delete/Recreate the accounts. Do you still want a HJT log from the account before it gets deleted? Also, I have removed all the tools we used following your instructions. Thank you so much for your time and help in cleaning this system up. Your knowledge, professionalism, and dedication are very much appreciated. Thank you.

Bio-Hazard
2009-07-28, 23:20
OK. I just spoke to the owner and he said yes, the two accounts can be deleted. He will just create two new ones. I actually think I will let them Delete/Recreate the accounts. Do you still want a HJT log from the account before it gets deleted? Also, I have removed all the tools we used following your instructions. Thank you so much for your time and help in cleaning this system up. Your knowledge, professionalism, and dedication are very much appreciated. Thank you.

If he is willing to delete them and make new ones then there is no need to post a HijackThis log.

It was my pleasure to help you. Can you please post here when you have seen this so I can archive this thread.

Regards

Bio-Hazard

shwabo
2009-07-29, 04:41
Archive away and thanks again for all your help! :2thumb:

Bio-Hazard
2009-07-30, 01:14
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.