Search Results Redirect Virus



kobdog
2009-11-03, 19:25
We have a virus that redirects you to a random website when you click one of the results returned from a Google search. It started with pop-ups stating that you have a virus, click here. Since we have AVG and Spybot S&D installed and running I was skeptical, didn’t click on them and immediately disconnected the machine from the Internet and began running scans with AVG, Malwarebytes and Spybot. After updating each with the latest updates and running them a couple of times they found and cleaned the viruses, or so I thought, only to find out that Google search results get redirected about every second or third time you click on a result. I have kept the machine off of the Internet except to update the scanning software and to test. I ran another scan today and Malwarebytes found and cleaned the TrojanDownloader virus, but Google results are still randomly redirected. Based on the information in “Before you Post” I have downloaded HJT and the log is included below.

Thanks in advance for your help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:07 AM, on 11/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=maznd.mn&key=31767f1ae3952ac16daade64f209f1cb&ts=4078514e&A=0&B=1034233200000&C=1034233200000&D=0&I=7.NQ3&N=&O=A
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {095CD655-22C4-4845-AA1D-10590EA36D1A} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {497B6553-405A-47A7-9E64-2695AFBF5A48} - C:\WINDOWS\system32\byXpmlki.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {95ABACE8-8DCC-4871-9E26-1654AC49F0C8} - C:\WINDOWS\system32\rqRJAqoN.dll (file missing)
O2 - BHO: (no name) - {95bc13d5-1e85-4af9-a538-c9452fc9392f} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E5D5BE53-CA78-4CEE-A405-456AE551483F} - C:\WINDOWS\system32\pmnkIYQJ.dll (file missing)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [X10MediaRemote] C:\PROGRA~1\X10MUL~1mediaremote.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKUS\S-1-5-21-3273964339-1161688303-4009266488-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3273964339-1161688303-4009266488-1007\..\Run: [] (User '?')
O4 - HKUS\S-1-5-21-3273964339-1161688303-4009266488-1007\..\Run: [X10MediaRemote] C:\PROGRA~1\X10MUL~1mediaremote.exe (User '?')
O4 - HKUS\S-1-5-21-3273964339-1161688303-4009266488-1007\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-3273964339-1161688303-4009266488-1007\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128119231437
O16 - DPF: {6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} (Pegasus ImagXpress Control v7.0) - http://admin.mem.com/imagefunctions/imagxpress7.cab
O16 - DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} (MeM Media Uploader Control) - http://admin.mem.com/imagefunctions/upload/assets/MeMMediaUploader.cab
O16 - DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} (Pegasus TwainPRO Control v4.0) - http://admin.mem.com/imagefunctions/TwainPro4.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://webmail.mckesson.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

--
End of file - 8546 bytes
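Added example, not part of kobdog's post and not HijackThis code: a small Python triage pass over HijackThis v2 log lines of the kind shown above, flagging the entries a helper would look at first. The sample lines are copied from the log above (a handful, not the whole log); the line-shape regexes and the "high"/"review" labels are this example's own assumptions about the format, derived from the lines shown.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines excerpted from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {497B6553-405A-47A7-9E64-2695AFBF5A48} - C:\WINDOWS\system32\byXpmlki.dll (file missing)
O2 - BHO: (no name) - {95bc13d5-1e85-4af9-a538-c9452fc9392f} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-21-3273964339-1161688303-4009266488-1007\..\Run: [] (User '?')
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html
"""

@dataclass
class Finding:
    section: str   # HijackThis section code ("O2", "O4", ...)
    severity: str  # "high": almost always worth removing; "review": confirm by hand
    reason: str
    line: str

# Line shapes this example understands (assumed from the log above, not a full HJT grammar).
SECTION_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<rest>.*)$")
EXT_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
SVC_RE = re.compile(r"^Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
DESKTOP_RE = re.compile(r"^Desktop Component \d+: (?P<name>.*?) - (?P<source>.*)$")

def triage_hjt(log_text: str) -> list:
    """Return one Finding per log line that a reviewer should look at."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        if sec in ("O2", "O3"):
            e = EXT_RE.match(rest)
            if e and (e.group("target") == "(no file)" or e.group("target").endswith("(file missing)")):
                # A registered browser extension whose DLL is gone is an orphan left behind by a
                # cleanup; when it also has no name there is no product to map it back to.
                sev = "high" if e.group("name") == "(no name)" else "review"
                findings.append(Finding(sec, sev, "orphaned browser extension (file gone)", line))
        elif sec == "O4":
            r = RUN_RE.match(rest)
            if r and r.group("name") == "":
                findings.append(Finding(sec, "high", "Run value with an empty name", line))
        elif sec == "O23":
            s = SVC_RE.match(rest)
            if s and s.group("owner") == "Unknown owner":
                findings.append(Finding(sec, "review", "service with no identified publisher", line))
        elif sec == "O24":
            d = DESKTOP_RE.match(rest)
            if d and d.group("source").lower().endswith((".htm", ".html")):
                findings.append(Finding(sec, "review", "Active Desktop component backed by a local HTML file", line))
    return findings

def count_by_severity(findings) -> dict:
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Lines with a known product and an existing file (the AVG BHO, the AVG8_TRAY Run value) produce no finding; the no-name BHOs whose DLLs are already gone are the entries the ComboFix run later in this thread lists under ORPHANS REMOVED.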

ken545
2009-11-05, 00:33
Hello kobdog

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.


Your Operating System and your IE browser are outdated; we can fix that when we're done. Having them updated adds another layer of security.



Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

kobdog
2009-11-05, 02:39
ken545, thanks in advance for your help!! I followed your instructions below and the Combofix.txt and new hijackthis.log are below. I also did a quick test and I was able to go to 10 sites each from two separate searches without being redirected.

Thanks again!!

Combofix.txt:

ComboFix 09-11-04.02 - pmaslos 11/04/2009 19:02.1.1 - NTFSx86
Running from: c:\documents and settings\pmaslos\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\pmaslos\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\run.log
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\iklmpXyb.ini
c:\windows\wiaserviv.log

Infected copy of c:\windows\System32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-03 17:09 . 2009-11-03 17:09 -------- d-----w- c:\program files\Trend Micro
2009-11-03 17:06 . 2009-11-03 17:07 -------- d-----w- c:\program files\ERUNT
2009-10-28 01:48 . 2009-10-28 01:50 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-27 18:15 . 2009-11-04 06:35 -------- d-----w- C:\$AVG8.VAULT$
2009-10-27 15:06 . 2009-10-27 16:16 -------- d-----w- c:\program files\timuei
2009-10-25 23:26 . 2009-10-25 23:26 -------- d-----w- c:\documents and settings\dmasloski\Local Settings\Application Data\WinZip
2009-10-25 23:18 . 2009-10-25 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-21 13:13 . 2009-10-05 20:56 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-10-20 15:31 . 2009-10-20 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-10-20 15:31 . 2008-10-10 21:01 147456 ----a-r- c:\windows\system32\LgExport.dll
2009-10-20 15:31 . 2008-10-10 21:01 26624 ----a-r- c:\windows\system32\LGDispDrv.dll
2009-10-20 15:30 . 2009-10-20 15:30 -------- d-----w- c:\program files\LG Soft India
2009-10-17 14:37 . 2009-10-05 20:56 2023704 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-10-07 14:28 . 2009-10-05 20:54 1142552 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 01:51 . 2005-01-21 16:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-28 01:50 . 2008-12-04 12:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 14:56 . 2004-04-01 02:07 33632 ----a-w- c:\documents and settings\pmaslos\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-20 15:30 . 2004-03-25 17:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-20 14:20 . 2004-03-25 17:30 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-25 16:00 . 2009-09-25 16:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 15:59 . 2004-03-25 17:24 -------- d-----w- c:\program files\Java
2009-09-25 15:59 . 2009-09-25 15:59 152576 ----a-w- c:\documents and settings\pmaslos\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-25 05:56 . 2004-02-06 23:05 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2005-04-02 22:47 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:33 . 2002-08-29 11:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2008-12-04 12:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-12-04 12:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 20:45 . 2003-09-19 17:37 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 20:50 . 2008-12-04 02:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-02 20:50 . 2008-12-04 02:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-02 20:50 . 2008-12-04 02:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-26 08:16 . 2002-08-29 11:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\SYSTEM32\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\SYSTEM32\bits\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\SYSTEM32\DLLCACHE\qmgr.dll
[-] 2007-03-29 . 65E23953D337574E549B1EF34FE0B1DA . 409600 . . [6.7.2600.3109] . . c:\windows\$hf_mig$\KB923845\SP2QFE\qmgr.dll
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\$NtUninstallKB923845$\qmgr.dll
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\ServicePackFiles\i386\qmgr.dll
[7] 2004-07-01 . 696AC82FB290A03F205901442E0E9589 . 361984 . . [6.6.2600.1569] . . c:\windows\$NtServicePackUninstall$\qmgr.dll
[-] 2002-08-29 . 6A1CF14D0E7D0B2241F552223769C8A7 . 221696 . . [6.2.2600.1106] . . c:\windows\$NtUninstallKB842773$\qmgr.dll

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[-] 2002-08-29 . BF3C8CF53C77B48206B39910B6D6CBCC . 49152 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2005-10-14 69632]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-09-26 1851392]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-04-17 196608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-6-25 614531]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2003-6-8 16432]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\warnhp.html
FriendlyName= Desktop Uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-02 20:50 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [12/3/2008 8:04 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/3/2008 8:04 PM 297752]
R3 X10Hid;X10 Hid Device;c:\windows\SYSTEM32\DRIVERS\x10hid.sys [4/5/2008 2:14 PM 7040]
S2 33385E2D40287F7D;33385E2D40287F7D;\??\c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D --> c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D [?]
S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [10/20/2009 9:30 AM 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [10/20/2009 9:30 AM 18432]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\ndisprot.sys [11/23/2008 10:16 PM 27904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=maznd.mn&key=31767f1ae3952ac16daade64f209f1cb&ts=4078514e&A=0&B=1034233200000&C=1034233200000&D=0&I=7.NQ3&N=&O=A
uInternet Settings,ProxyOverride = localhost
mSearchURL = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} - hxxp://admin.mem.com/imagefunctions/upload/assets/MeMMediaUploader.cab
DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} - hxxp://admin.mem.com/imagefunctions/TwainPro4.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{095CD655-22C4-4845-AA1D-10590EA36D1A} - (no file)
BHO-{497B6553-405A-47A7-9E64-2695AFBF5A48} - c:\windows\system32\byXpmlki.dll
BHO-{95ABACE8-8DCC-4871-9E26-1654AC49F0C8} - c:\windows\system32\rqRJAqoN.dll
BHO-{95bc13d5-1e85-4af9-a538-c9452fc9392f} - (no file)
BHO-{E5D5BE53-CA78-4CEE-A405-456AE551483F} - c:\windows\system32\pmnkIYQJ.dll
HKCU-Run-X10MediaRemote - c:\progra~1\X10MUL~1mediaremote.exe
HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe
Notify-WgaLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 19:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x??????????????????????????????????????????w????????????j??w????x???x??????????????

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\33385E2D40287F7D]
"ImagePath"="\??\c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1480)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2009-11-05 19:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 01:24

Pre-Run: 16,091,254,784 bytes free
Post-Run: 19,680,342,016 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

hijackthis.log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:48 PM, on 11/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=maznd.mn&key=31767f1ae3952ac16daade64f209f1cb&ts=4078514e&A=0&B=1034233200000&C=1034233200000&D=0&I=7.NQ3&N=&O=A
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-21-3273964339-1161688303-4009266488-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3273964339-1161688303-4009266488-1007\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128119231437
O16 - DPF: {6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} (Pegasus ImagXpress Control v7.0) - http://admin.mem.com/imagefunctions/imagxpress7.cab
O16 - DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} (MeM Media Uploader Control) - http://admin.mem.com/imagefunctions/upload/assets/MeMMediaUploader.cab
O16 - DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} (Pegasus TwainPRO Control v4.0) - http://admin.mem.com/imagefunctions/TwainPro4.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://webmail.mckesson.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

--
End of file - 7662 bytes

ken545
2009-11-05, 03:18
Hi,

Not out of the woods completely yet

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Rootkit::




Fcopy::
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.




You have Malwarebytes installed; open it, check for updates and run the Quick Scan, removing all it finds. Post the log please.



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:file
c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


I need to see the following please

1. New Combofix log
2. Malwarebytes log
3. SystemLook log
4. New HJT log

kobdog
2009-11-05, 05:37
Ran everything as requested. Just a couple of notes:

- When ComboFix ran after dragging the CFScript.txt file onto it, an error box popped up on the screen during Stage 1 or 2 with the following message: "PEV.cfxxe has encountered a problem and needs to close. We are sorry for the inconvenience." It then went on to ask if I wanted to tell Microsoft about this problem. Not sure if this is related, but I noticed your message referenced Rootkit:: and the code had Fcopy::??

- Not sure if it makes a difference, but I ran the Malwarebytes scan before running HijackThis. I missed it, so I doubled back and ran it before running SystemLook.

Thanks again!!!

Here is the info from the logs:

ComboFix.txt:

ComboFix 09-11-04.02 - pmaslos 11/04/2009 21:42.2.1 - NTFSx86
Running from: c:\documents and settings\pmaslos\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\pmaslos\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-05 03:42 . 2004-08-04 06:56 55808 ----a-w- c:\windows\system32\eventlog.dll
2009-11-05 03:42 . 2004-08-04 06:56 55808 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-03 17:09 . 2009-11-03 17:09 -------- d-----w- c:\program files\Trend Micro
2009-11-03 17:06 . 2009-11-03 17:07 -------- d-----w- c:\program files\ERUNT
2009-10-28 01:48 . 2009-10-28 01:50 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-27 18:15 . 2009-11-04 06:35 -------- d-----w- C:\$AVG8.VAULT$
2009-10-27 15:06 . 2009-10-27 16:16 -------- d-----w- c:\program files\timuei
2009-10-25 23:26 . 2009-10-25 23:26 -------- d-----w- c:\documents and settings\dmasloski\Local Settings\Application Data\WinZip
2009-10-25 23:18 . 2009-10-25 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-21 13:13 . 2009-10-05 20:56 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-10-20 15:31 . 2009-10-20 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-10-20 15:31 . 2008-10-10 21:01 147456 ----a-r- c:\windows\system32\LgExport.dll
2009-10-20 15:31 . 2008-10-10 21:01 26624 ----a-r- c:\windows\system32\LGDispDrv.dll
2009-10-20 15:30 . 2009-10-20 15:30 -------- d-----w- c:\program files\LG Soft India
2009-10-17 14:37 . 2009-10-05 20:56 2023704 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-10-07 14:28 . 2009-10-05 20:54 1142552 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 01:51 . 2005-01-21 16:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-28 01:50 . 2008-12-04 12:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 14:56 . 2004-04-01 02:07 33632 ----a-w- c:\documents and settings\pmaslos\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-20 15:30 . 2004-03-25 17:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-20 14:20 . 2004-03-25 17:30 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-25 16:00 . 2009-09-25 16:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 15:59 . 2004-03-25 17:24 -------- d-----w- c:\program files\Java
2009-09-25 15:59 . 2009-09-25 15:59 152576 ----a-w- c:\documents and settings\pmaslos\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-25 05:56 . 2004-02-06 23:05 662016 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2005-04-02 22:47 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:33 . 2002-08-29 11:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2008-12-04 12:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-12-04 12:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 20:45 . 2003-09-19 17:37 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 20:50 . 2008-12-04 02:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-02 20:50 . 2008-12-04 02:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-02 20:50 . 2008-12-04 02:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-26 08:16 . 2002-08-29 11:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\SYSTEM32\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\SYSTEM32\bits\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\SYSTEM32\DLLCACHE\qmgr.dll
[-] 2007-03-29 . 65E23953D337574E549B1EF34FE0B1DA . 409600 . . [6.7.2600.3109] . . c:\windows\$hf_mig$\KB923845\SP2QFE\qmgr.dll
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\$NtUninstallKB923845$\qmgr.dll
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\ServicePackFiles\i386\qmgr.dll
[7] 2004-07-01 . 696AC82FB290A03F205901442E0E9589 . 361984 . . [6.6.2600.1569] . . c:\windows\$NtServicePackUninstall$\qmgr.dll
[-] 2002-08-29 . 6A1CF14D0E7D0B2241F552223769C8A7 . 221696 . . [6.2.2600.1106] . . c:\windows\$NtUninstallKB842773$\qmgr.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-05_01.16.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-05 03:51 . 2009-11-05 03:51 16384 c:\windows\temp\Perflib_Perfdata_698.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2005-10-14 69632]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-09-26 1851392]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-04-17 196608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-6-25 614531]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2003-6-8 16432]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\warnhp.html
FriendlyName= Desktop Uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-02 20:50 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [12/3/2008 8:04 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/3/2008 8:04 PM 297752]
R3 X10Hid;X10 Hid Device;c:\windows\SYSTEM32\DRIVERS\x10hid.sys [4/5/2008 2:14 PM 7040]
S2 33385E2D40287F7D;33385E2D40287F7D;\??\c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D --> c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D [?]
S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [10/20/2009 9:30 AM 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [10/20/2009 9:30 AM 18432]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\ndisprot.sys [11/23/2008 10:16 PM 27904]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=maznd.mn&key=31767f1ae3952ac16daade64f209f1cb&ts=4078514e&A=0&B=1034233200000&C=1034233200000&D=0&I=7.NQ3&N=&O=A
uInternet Settings,ProxyOverride = localhost
mSearchURL = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} - hxxp://admin.mem.com/imagefunctions/upload/assets/MeMMediaUploader.cab
DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} - hxxp://admin.mem.com/imagefunctions/TwainPro4.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 21:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x??????????????????????????????????????????w????????????j??w????x???x??????????????

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\33385E2D40287F7D]
"ImagePath"="\??\c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2536)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-05 22:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 04:00
ComboFix2.txt 2009-11-05 01:26

Pre-Run: 19,690,999,808 bytes free
Post-Run: 19,658,665,984 bytes free

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

mbam-log-2009-11-04.txt

Malwarebytes' Anti-Malware 1.41
Database version: 3103
Windows 5.1.2600 Service Pack 2

11/4/2009 10:15:04 PM
mbam-log-2009-11-04 (22-15-04).txt

Scan type: Quick Scan
Objects scanned: 113734
Time elapsed: 5 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

SystemLook.txt

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 22:19 on 04/11/2009 by pmaslos (Administrator - Elevation successful)

========== file ==========

c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D - Unable to find/read file.

-=End Of File=-

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:32 PM, on 11/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=maznd.mn&key=31767f1ae3952ac16daade64f209f1cb&ts=4078514e&A=0&B=1034233200000&C=1034233200000&D=0&I=7.NQ3&N=&O=A
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128119231437
O16 - DPF: {6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} (Pegasus ImagXpress Control v7.0) - http://admin.mem.com/imagefunctions/imagxpress7.cab
O16 - DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} (MeM Media Uploader Control) - http://admin.mem.com/imagefunctions/upload/assets/MeMMediaUploader.cab
O16 - DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} (Pegasus TwainPRO Control v4.0) - http://admin.mem.com/imagefunctions/TwainPro4.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://webmail.mckesson.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

--
End of file - 7324 bytes
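
The one entry in the ComboFix log above that stands apart from the AVG, X10 and LG drivers is the stopped service `S2 33385E2D40287F7D`: a 16-hex-digit name that doubles as its display name, an image path under `c:\documents and settings\pmaslos\` rather than `system32` or `Program Files`, no `.sys`/`.exe` extension, and a trailing `[?]` because ComboFix could not read the file (SystemLook likewise reported "Unable to find/read file"). The following Python is an added example, not code from this thread, ComboFix or HijackThis: it parses the service/driver lines in ComboFix's "Reg Loading Points" section and flags entries with those traits. The sample lines are copied from the log above; the four heuristics are assumptions chosen to match this log, not documented ComboFix rules, and will need tuning on other machines.

```python
"""Triage of ComboFix service/driver lines (added example, not a ComboFix feature).

ComboFix prints one line per service or driver in the form
    <start> <name>;<display name>;<image path> [<date> <time> <size>]
where <start> is R1/R2/R3 (running) or S2/S3 (stopped).  When it could not
read the image file it prints 'path --> path [?]' instead of the size block.
"""
import re
from dataclasses import dataclass, field

SERVICE_LINE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
# Heuristic (assumption): 16 upper-case hex digits, like 33385E2D40287F7D above.
HEX_NAME = re.compile(r"^[0-9A-F]{16}$")
# Heuristic (assumption): drivers/services normally do not live in a user profile.
PROFILE_DIR = re.compile(r"^c:\\documents and settings\\", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    start: str
    image: str
    reasons: list = field(default_factory=list)


def image_path(rest: str) -> str:
    """Extract the image path from the text after the second ';'."""
    text = rest.split(" --> ")[-1] if " --> " in rest else rest
    text = text.rsplit(" [", 1)[0].strip()          # drop '[date size]' or '[?]'
    if text.startswith("\\??\\"):                    # NT object-namespace prefix
        text = text[4:]
    return text


def triage_line(line: str):
    """Return a Finding for one service line (reasons empty if it looks normal)."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    name, start, display, rest = m["name"], m["start"], m["display"], m["rest"]
    image = image_path(rest)
    reasons = []
    if rest.rstrip().endswith("[?]"):
        reasons.append("ComboFix could not read the image file ([?])")
    if HEX_NAME.match(name) and display == name:
        reasons.append("name is 16 hex digits and is also the display name")
    if PROFILE_DIR.match(image):
        reasons.append("image lives under a user profile")
    if not image.lower().endswith((".sys", ".exe", ".dll")):
        reasons.append("image has no driver/executable extension")
    return Finding(name, start, image, reasons)


def triage(text: str) -> list:
    """Return only the entries that tripped at least one heuristic."""
    findings = []
    for line in text.splitlines():
        f = triage_line(line)
        if f and f.reasons:
            findings.append(f)
    return findings


# Sample input: service lines copied from the ComboFix log in this thread.
SAMPLE = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [12/3/2008 8:04 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/3/2008 8:04 PM 297752]
R3 X10Hid;X10 Hid Device;c:\windows\SYSTEM32\DRIVERS\x10hid.sys [4/5/2008 2:14 PM 7040]
S2 33385E2D40287F7D;33385E2D40287F7D;\??\c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D --> c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D [?]
S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [10/20/2009 9:30 AM 14336]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\ndisprot.sys [11/23/2008 10:16 PM 27904]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.start} {f.name} -> {f.image}")
        for r in f.reasons:
            print("   -", r)
```

Run against the sample, only the `33385E2D40287F7D` entry is reported, with all four reasons; the vendor drivers and the InstallShield/LG entries pass. The `[?]` marker is the strongest signal here because it is ComboFix's own observation rather than a naming heuristic, which is why the helper followed up with SystemLook on the same path and then removed both the folder and the service key.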

ken545
2009-11-05, 10:17
Good Morning,

ComboFix removed all or part of a rootkit; let's check to see if more of it is present.


http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).

Extract the contents of the zipped file to desktop.
Double-click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run a scan... click on NO.

http://i266.photobucket.com/albums/ii277/sUBs_/th_Gmer_initScan.gif (http://i266.photobucket.com/albums/ii277/sUBs_/Gmer_initScan.gif)
Click the image to enlarge it

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done, click on the [Save..] button, and in the File name area type in "Gmer.txt", or it will save as a .log file, which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and post it in your next reply.

kobdog
2009-11-05, 17:09
The results from running gmer.exe are below.

Thanks again!

gmer.txt:

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-05 10:08:02
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\pmaslos\LOCALS~1\Temp\pxtdypob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\Atlcom.get_atlcom@ get_atlcom Class
Reg HKLM\SOFTWARE\Classes\Atlcom.get_atlcom\CLSID
Reg HKLM\SOFTWARE\Classes\Atlcom.get_atlcom\CLSID@ {E2883E8F-472F-4fb0-9522-AC9BF37916A7}
Reg HKLM\SOFTWARE\Classes\Atlcom.get_atlcom\CurVer
Reg HKLM\SOFTWARE\Classes\Atlcom.get_atlcom\CurVer@ Atlcom.get_atlcom

---- EOF - GMER 1.0.15 ----

ken545
2009-11-05, 17:22
Run SystemLook again with this command

:dir
c:\documents and settings\pmaslos\33385E2D40287F7D

kobdog
2009-11-05, 17:29
The results from SystemLook are below.

Thanks once again!!

SystemLook.txt:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 10:28 on 05/11/2009 by pmaslos (Administrator - Elevation successful)

========== dir ==========

c:\documents and settings\pmaslos\33385E2D40287F7D - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

-=End Of File=-

ken545
2009-11-06, 16:41
Sorry, I missed your email notice that you replied.

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Folder::




Folder::
c:\documents and settings\pmaslos\33385E2D40287F7D

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\33385E2D40287F7D]


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

kobdog
2009-11-06, 17:34
Thanks for keeping on top of this. In about an hour I will be away from my computer for 2 days.

The output from ComboFix and HJT is below. When running ComboFix it asked if I wanted to update to the latest version and I did. Hope that was the correct move. When running ComboFix it also produced that "PEV.cfxxe has encountered a problem and needs to close. We are sorry for the inconvenience." error again.

Thanks once again!!!!

Here is the info from the log files:

ComboFix.txt:

ComboFix 09-11-05.05 - pmaslos 11/06/2009 10:06.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.614 [GMT -6:00]
Running from: c:\documents and settings\pmaslos\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\pmaslos\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\pmaslos\33385E2D40287F7D

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-11-06 15:37 . 2009-10-21 13:12 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-05 03:42 . 2004-08-04 06:56 55808 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-05 03:42 . 2004-08-04 06:56 55808 ------w- c:\windows\system32\eventlog.dll
2009-11-03 17:09 . 2009-11-03 17:09 -------- d-----w- c:\program files\Trend Micro
2009-11-03 17:06 . 2009-11-03 17:07 -------- d-----w- c:\program files\ERUNT
2009-10-28 01:48 . 2009-10-28 01:50 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-27 18:15 . 2009-11-04 06:35 -------- d-----w- C:\$AVG8.VAULT$
2009-10-27 15:06 . 2009-10-27 16:16 -------- d-----w- c:\program files\timuei
2009-10-25 23:26 . 2009-10-25 23:26 -------- d-----w- c:\documents and settings\dmasloski\Local Settings\Application Data\WinZip
2009-10-25 23:18 . 2009-10-25 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-20 15:31 . 2009-10-20 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-10-20 15:31 . 2008-10-10 21:01 147456 ----a-r- c:\windows\system32\LgExport.dll
2009-10-20 15:31 . 2008-10-10 21:01 26624 ----a-r- c:\windows\system32\LGDispDrv.dll
2009-10-20 15:30 . 2009-10-20 15:30 -------- d-----w- c:\program files\LG Soft India
2009-10-17 14:37 . 2009-10-17 14:36 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 13:54 . 2009-06-25 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-11-03 01:51 . 2005-01-21 16:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-28 01:50 . 2008-12-04 12:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 14:56 . 2004-04-01 02:07 33632 ----a-w- c:\documents and settings\pmaslos\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-20 15:30 . 2004-03-25 17:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-20 14:20 . 2004-03-25 17:30 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-25 16:00 . 2009-09-25 16:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 15:59 . 2004-03-25 17:24 -------- d-----w- c:\program files\Java
2009-09-25 15:59 . 2009-09-25 15:59 152576 ----a-w- c:\documents and settings\pmaslos\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-25 05:56 . 2004-02-06 23:05 662016 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2005-04-02 22:47 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:33 . 2002-08-29 11:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2008-12-04 12:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-12-04 12:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 20:45 . 2003-09-19 17:37 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 20:50 . 2008-12-04 02:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-02 20:50 . 2008-12-04 02:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-02 20:50 . 2008-12-04 02:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-26 08:16 . 2002-08-29 11:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\SYSTEM32\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\SYSTEM32\bits\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\SYSTEM32\DLLCACHE\qmgr.dll
[-] 2007-03-29 . 65E23953D337574E549B1EF34FE0B1DA . 409600 . . [6.7.2600.3109] . . c:\windows\$hf_mig$\KB923845\SP2QFE\qmgr.dll
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\$NtUninstallKB923845$\qmgr.dll
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\ServicePackFiles\i386\qmgr.dll
[7] 2004-07-01 . 696AC82FB290A03F205901442E0E9589 . 361984 . . [6.6.2600.1569] . . c:\windows\$NtServicePackUninstall$\qmgr.dll
[-] 2002-08-29 . 6A1CF14D0E7D0B2241F552223769C8A7 . 221696 . . [6.2.2600.1106] . . c:\windows\$NtUninstallKB842773$\qmgr.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-05_01.16.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-06 16:15 . 2009-11-06 16:15 16384 c:\windows\temp\Perflib_Perfdata_698.dat
+ 2009-04-06 22:55 . 2008-07-08 13:02 17272 c:\windows\SYSTEM32\spmsg.dll
- 2009-04-06 22:55 . 2009-05-26 11:40 17272 c:\windows\SYSTEM32\spmsg.dll
+ 2009-11-05 13:54 . 2009-11-05 13:54 29184 c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240BA}\IconCD95F6617.exe
+ 2009-11-05 13:54 . 2009-11-05 13:54 632320 c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240BA}\IconCD95F66110.exe
- 2004-01-21 21:19 . 2009-09-25 05:56 3063296 c:\windows\SYSTEM32\mshtml.dll
+ 2004-01-21 21:19 . 2009-10-20 00:08 3063296 c:\windows\SYSTEM32\mshtml.dll
- 2006-05-19 15:08 . 2009-09-25 05:56 3063296 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2006-05-19 15:08 . 2009-10-20 00:08 3063296 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2009-11-05 13:54 . 2009-11-05 13:54 1541120 c:\windows\Installer\151dcf.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2005-10-14 69632]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-09-26 1851392]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-05 2028312]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-04-17 196608]
"combofix"="c:\combofix\CF30461.exe" [2009-11-06 388608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-6-25 614531]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2003-6-8 16432]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\warnhp.html
FriendlyName= Desktop Uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-02 20:50 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [12/3/2008 8:04 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/3/2008 8:04 PM 297752]
R3 X10Hid;X10 Hid Device;c:\windows\SYSTEM32\DRIVERS\x10hid.sys [4/5/2008 2:14 PM 7040]
S2 33385E2D40287F7D;33385E2D40287F7D;\??\c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D --> c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D [?]
S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [10/20/2009 9:30 AM 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [10/20/2009 9:30 AM 18432]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\ndisprot.sys [11/23/2008 10:16 PM 27904]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=maznd.mn&key=31767f1ae3952ac16daade64f209f1cb&ts=4078514e&A=0&B=1034233200000&C=1034233200000&D=0&I=7.NQ3&N=&O=A
uInternet Settings,ProxyOverride = localhost
mSearchURL = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} - hxxp://admin.mem.com/imagefunctions/upload/assets/MeMMediaUploader.cab
DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} - hxxp://admin.mem.com/imagefunctions/TwainPro4.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 10:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x??????????????????????????????????????????w????????????j??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\33385E2D40287F7D]
"ImagePath"="\??\c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(472)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-06 10:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-06 16:25
ComboFix2.txt 2009-11-05 04:01
ComboFix3.txt 2009-11-05 01:26

Pre-Run: 19,342,331,904 bytes free
Post-Run: 19,324,100,608 bytes free

- - End Of File - - 60121E403D57B38CB8F1E05D208A6A56

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

hijackthis.log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:39 AM, on 11/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=maznd.mn&key=31767f1ae3952ac16daade64f209f1cb&ts=4078514e&A=0&B=1034233200000&C=1034233200000&D=0&I=7.NQ3&N=&O=A
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128119231437
O16 - DPF: {6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} (Pegasus ImagXpress Control v7.0) - http://admin.mem.com/imagefunctions/imagxpress7.cab
O16 - DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} (MeM Media Uploader Control) - http://admin.mem.com/imagefunctions/upload/assets/MeMMediaUploader.cab
O16 - DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} (Pegasus TwainPRO Control v4.0) - http://admin.mem.com/imagefunctions/TwainPro4.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://webmail.mckesson.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

--
End of file - 7205 bytes

ken545
2009-11-06, 18:14
Something odd on your ComboFix log: it keeps deleting TDSS, which is a rootkit, but it shows up as deleting in each scan.

Run this through CFScript


Fcopy::
c:\windows\ServicePackFiles\i386\qmgr.dll | c:\windows\SYSTEM32\qmgr.dll

Driver::
33385E2D40287F7D

Registry::
[-HKEY_LOCAL_MACHINE\System\CCS\Services\33385E2D40287F7D]

Folder::
c:\documents and settings\pmaslos\33385E2D40287F7D

kobdog
2009-11-06, 18:24
I need to head out. I will run these on Sunday and post the results.

Thanks again!!!

kobdog
2009-11-08, 22:31
The ComboFix log and HJT logs are below. ComboFix found a newer version again and asked if I wanted to update, so I did. Also got the PEV.cfxee error again running ComboFix, just before Stage 1. The only other thing that occurred was after ComboFix rebooted my machine and was generating the log, Kodak EasyShare said it ran into a problem and was terminating. Kodak EasyShare loads in the Startup Folder and I'll probably be removing it. Just an F.Y.I.

Thanks again!!

Here are the logs...

ComboFix.txt:

ComboFix 09-11-07.04 - pmaslos 11/08/2009 15:01.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.612 [GMT -6:00]
Running from: c:\documents and settings\pmaslos\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\pmaslos\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\qmgr.dll --> c:\windows\SYSTEM32\qmgr.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_33385E2D40287F7D
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))
.

2009-11-06 15:37 . 2009-10-21 13:12 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-05 03:42 . 2004-08-04 06:56 55808 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-05 03:42 . 2004-08-04 06:56 55808 ------w- c:\windows\system32\eventlog.dll
2009-11-03 17:09 . 2009-11-03 17:09 -------- d-----w- c:\program files\Trend Micro
2009-11-03 17:06 . 2009-11-03 17:07 -------- d-----w- c:\program files\ERUNT
2009-10-28 01:48 . 2009-10-28 01:50 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-27 18:15 . 2009-11-04 06:35 -------- d-----w- C:\$AVG8.VAULT$
2009-10-27 15:06 . 2009-10-27 16:16 -------- d-----w- c:\program files\timuei
2009-10-25 23:26 . 2009-10-25 23:26 -------- d-----w- c:\documents and settings\dmasloski\Local Settings\Application Data\WinZip
2009-10-25 23:18 . 2009-10-25 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-20 15:31 . 2009-10-20 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-10-20 15:31 . 2008-10-10 21:01 147456 ----a-r- c:\windows\system32\LgExport.dll
2009-10-20 15:31 . 2008-10-10 21:01 26624 ----a-r- c:\windows\system32\LGDispDrv.dll
2009-10-20 15:30 . 2009-10-20 15:30 -------- d-----w- c:\program files\LG Soft India
2009-10-17 14:37 . 2009-10-17 14:36 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 13:54 . 2009-06-25 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-11-03 01:51 . 2005-01-21 16:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-28 01:50 . 2008-12-04 12:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 14:56 . 2004-04-01 02:07 33632 ----a-w- c:\documents and settings\pmaslos\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-20 15:30 . 2004-03-25 17:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-20 14:20 . 2004-03-25 17:30 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-25 16:00 . 2009-09-25 16:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 15:59 . 2004-03-25 17:24 -------- d-----w- c:\program files\Java
2009-09-25 15:59 . 2009-09-25 15:59 152576 ----a-w- c:\documents and settings\pmaslos\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-25 05:56 . 2004-02-06 23:05 662016 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2005-04-02 22:47 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:33 . 2002-08-29 11:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2008-12-04 12:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-12-04 12:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 20:45 . 2003-09-19 17:37 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 20:50 . 2008-12-04 02:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-02 20:50 . 2008-12-04 02:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-02 20:50 . 2008-12-04 02:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-26 08:16 . 2002-08-29 11:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-05_01.16.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-08 21:10 . 2009-11-08 21:10 16384 c:\windows\temp\Perflib_Perfdata_ec.dat
- 2009-04-06 22:55 . 2009-05-26 11:40 17272 c:\windows\SYSTEM32\spmsg.dll
+ 2009-04-06 22:55 . 2008-07-08 13:02 17272 c:\windows\SYSTEM32\spmsg.dll
+ 2009-11-05 13:54 . 2009-11-05 13:54 29184 c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240BA}\IconCD95F6617.exe
+ 2002-08-29 11:00 . 2004-08-04 06:56 382464 c:\windows\SYSTEM32\DLLCACHE\qmgr.dll
+ 2009-11-05 13:54 . 2009-11-05 13:54 632320 c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240BA}\IconCD95F66110.exe
- 2004-01-21 21:19 . 2009-09-25 05:56 3063296 c:\windows\SYSTEM32\mshtml.dll
+ 2004-01-21 21:19 . 2009-10-20 00:08 3063296 c:\windows\SYSTEM32\mshtml.dll
- 2006-05-19 15:08 . 2009-09-25 05:56 3063296 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2006-05-19 15:08 . 2009-10-20 00:08 3063296 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2009-11-05 13:54 . 2009-11-05 13:54 1541120 c:\windows\Installer\151dcf.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2005-10-14 69632]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-09-26 1851392]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-05 2028312]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-04-17 196608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-6-25 614531]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2003-6-8 16432]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\warnhp.html
FriendlyName= Desktop Uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-02 20:50 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [12/3/2008 8:04 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/3/2008 8:04 PM 297752]
R3 X10Hid;X10 Hid Device;c:\windows\SYSTEM32\DRIVERS\x10hid.sys [4/5/2008 2:14 PM 7040]
S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [10/20/2009 9:30 AM 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [10/20/2009 9:30 AM 18432]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\ndisprot.sys [11/23/2008 10:16 PM 27904]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=maznd.mn&key=31767f1ae3952ac16daade64f209f1cb&ts=4078514e&A=0&B=1034233200000&C=1034233200000&D=0&I=7.NQ3&N=&O=A
uInternet Settings,ProxyOverride = localhost
mSearchURL = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} - hxxp://admin.mem.com/imagefunctions/upload/assets/MeMMediaUploader.cab
DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} - hxxp://admin.mem.com/imagefunctions/TwainPro4.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-08 15:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x??????????????????????????????????????????w????????????j??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2552)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2009-11-08 15:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-08 21:18
ComboFix2.txt 2009-11-06 16:26
ComboFix3.txt 2009-11-05 04:01
ComboFix4.txt 2009-11-05 01:26

Pre-Run: 19,288,989,696 bytes free
Post-Run: 19,251,994,624 bytes free

- - End Of File - - 6A3C3CBA4331D5F785B23372C121A7DB
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:09 PM, on 11/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=maznd.mn&key=31767f1ae3952ac16daade64f209f1cb&ts=4078514e&A=0&B=1034233200000&C=1034233200000&D=0&I=7.NQ3&N=&O=A
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128119231437
O16 - DPF: {6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} (Pegasus ImagXpress Control v7.0) - http://admin.mem.com/imagefunctions/imagxpress7.cab
O16 - DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} (MeM Media Uploader Control) - http://admin.mem.com/imagefunctions/upload/assets/MeMMediaUploader.cab
O16 - DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} (Pegasus TwainPRO Control v4.0) - http://admin.mem.com/imagefunctions/TwainPro4.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://webmail.mckesson.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

--
End of file - 7137 bytes

ken545
2009-11-09, 00:59
Hi,

Logs look fine. How are things running now?


Let's check for leftover entries or files the other scans may have missed.


Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)

Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

kobdog
2009-11-09, 02:16
I'm not quite sure how you figure all of this out, but Eset found 13 additional viruses! The log is below.

Next question is once this is all cleaned up, if I update Windows XP to SP3 and keep AVG, Spybot and Malwarebytes up-to-date and run them on a regular basis as well as leave TeaTimer running as well as AVG Resident Shield, will that protect from this type of malware/virus? Is there any way of knowing where this infection came from?

Thanks again for all your help!!!!!!!!!!!!!!

Eset log.txt:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=5352253793d8af4cba68f0f4024d2335
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-09 12:54:17
# local_time=2009-11-08 06:54:17 (-0600, Central Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777191 100 0 28451614 28451614 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=89051
# found=13
# cleaned=13
# scan_time=2188
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntiVirusLab.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentamyy1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\pmaslos\Application Data\Sun\Java\Deployment\cache\6.0\24\19cd3358-3b4a5677 a variant of Java/TrojanDownloader.OpenStream trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\pmaslos\Application Data\Sun\Java\Deployment\cache\6.0\41\14123b69-68edc88b a variant of Java/TrojanDownloader.OpenStream trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\pmaslos\Application Data\Sun\Java\Deployment\cache\6.0\54\69a81a76-318c41d8 a variant of Java/TrojanDownloader.OpenStream trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\pmaslos\Application Data\Sun\Java\Deployment\cache\6.0\55\15747477-33e35c44 a variant of Java/TrojanDownloader.OpenStream trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\pmaslos\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-25d92522-402cec73.class a variant of Java/TrojanDownloader.OpenStream trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\pmaslos\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-3157a8e7-22469569.class a variant of Java/TrojanDownloader.OpenStream trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\pmaslos\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-484623a-454392b5.class a variant of Java/TrojanDownloader.OpenStream trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\pmaslos\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-52d8b673-5b2902cd.class a variant of Java/TrojanDownloader.OpenStream trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\iklmpXyb.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\atapi.sys.vir Win32/Olmarik.OF virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000969.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

ken545
2009-11-09, 03:38
Hi,

Most of those files that ESET found were backups of what the scans removed, along with some bad stuff in your System Restore and Java cache.

Let's flush all this garbage out.


Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.

http://i24.photobucket.com/albums/c30/ken545/Atribune.jpg

System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.


Reboot your computer

Turn ON System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.


Create a new Restore Point <-- Very Important


Go to Start> All Programs> Accessories> System Tools> System Restore and create a New Restore Point

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it



Open up Spybot Search and Destroy and go to the Quarantine folder and remove it all.

Let's update your Java to make your system more secure

Go to your Control Panel and click on the Java Icon ( looks like a little coffee cup ) click on About and you should have Version 6 Update 17, if not proceed with the instructions.

Download the latest version Here (http://java.sun.com/javase/downloads/index.jsp) save it, do not install it yet.

Java SE Runtime Environment (JRE) JRE 6 Update 17 <--The wording is confusing but this is what you need


Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
Reboot your computer
Install the latest version

You can verify the installation Here (http://www.java.com/en/download/help/testvm.xml)

Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

Not really sure how you got infected; could have been a bad email or a bad website, it's hard to say.


Let me know how things are running now and I will link you to some free tools to install to help keep you more secure.

kobdog
2009-11-09, 18:50
Completed all the steps in your last posting and everything seems to be working fine!! I can even boot into "Safe Mode" which I wasn't able to do before we went through all of this. Is there anything else you need? Otherwise I need to turn AVG and Spybot back on. I've been using AVG, Spybot and Malwarebytes, but you also mentioned you have a list of tools to keep our machine more secure. Should I update to XP SP3 first??

Thanks again!!!!!!!!!!!!

ken545
2009-11-09, 18:57
Hi,

Glad things are back to normal. Yes, I would update to SP3 and Internet Explorer 8. IE 8 is more secure than the previous version. There is no one silver bullet to keep you secure, but keeping things updated and installing some of these programs can help quite a bit.

Don't turn on the TeaTimer until after you upgrade.


Malwarebytes <--This is the free version and yours to keep. Open it, check for updates and run the Quick scan a few times a month.



How did I get infected in the first place?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)

Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (Recommended) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers real-time protection from spyware installation attempts; again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken

kobdog
2009-11-10, 01:01
Installed XP SP3, after a few tries and a little help from the MS Support website with unlocking some files in the registry, but it worked. Updated to IE8 also. Turned the TeaTimer back on and enabled AVG again. Between those two and running periodic scans with Malwarebytes and Spybot and keeping all the databases up-to-date hopefully we don't have to go through this again!

More importantly, I can't thank you enough for your help!!!!!

ken545
2009-11-10, 02:44
Hi,

I was just looking over your log and just want to make sure this file is gone.

You need to enable windows to Show all Files and Folders
Instructions for your Operating System HERE (http://www.bleepingcomputer.com/tutorials/tutorial62.html)


C:\Documents and Settings\pmaslos\Local Settings\Temp\pxtdypob.sys <--This file, right click on it and delete it, let me know if it was present and would not delete

ken545
2009-11-13, 00:05
Still with me?

kobdog
2009-11-13, 14:54
I'm back. Sorry about that! I checked for the file "pxtdypob.sys" and it's not there. I double-checked my setting to "show all files" also.

Things have been working fine and I ran a Malwarebytes Quick Scan on Wednesday. We left the computer on overnight last night with two of us logged in, but nothing really running; I had IE open and my wife had Excel open but not any workbooks. When she logged off this morning she received the message "Ending program sw". Is this some type of spyware??

Off to run a Malwarebytes, Spybot and AVG scan...

Thanks for keeping on top of this!!

ken545
2009-11-13, 16:13
Hi, That may be related to Silent Spy which is a rogue program.

You may have to Download SystemLook again

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

kobdog
2009-11-13, 16:57
The SystemLook output is below, and an HJT log too, just in case??

SystemLook.txt:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 09:55 on 13/11/2009 by pmaslos (Administrator - Elevation successful)

========== reg ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe"
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe"
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe"
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe"
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe"
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe"
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe"
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup"
"ISUSScheduler"=""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start"
"Malwarebytes Anti-Malware (reboot)"=""C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript"
"PCMService"=""C:\Program Files\Dell\Media Experience\PCMService.exe""
"SunJavaUpdateSched"=""C:\Program Files\Java\jre6\bin\jusched.exe""
"tgcmd"=""C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]


-=End Of File=-

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

hijackthis.log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:04 AM, on 11/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=maznd.mn&key=31767f1ae3952ac16daade64f209f1cb&ts=4078514e&A=0&B=1034233200000&C=1034233200000&D=0&I=7.NQ3&N=&O=A
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {095CD655-22C4-4845-AA1D-10590EA36D1A} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {497B6553-405A-47A7-9E64-2695AFBF5A48} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {95ABACE8-8DCC-4871-9E26-1654AC49F0C8} - (no file)
O2 - BHO: (no name) - {95bc13d5-1e85-4af9-a538-c9452fc9392f} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E5D5BE53-CA78-4CEE-A405-456AE551483F} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128119231437
O16 - DPF: {6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} (Pegasus ImagXpress Control v7.0) - http://admin.mem.com/imagefunctions/imagxpress7.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} (MeM Media Uploader Control) - http://admin.mem.com/imagefunctions/upload/assets/MeMMediaUploader.cab
O16 - DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} (Pegasus TwainPRO Control v4.0) - http://admin.mem.com/imagefunctions/TwainPro4.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} (Java Plug-in 1.6.0_15) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://webmail.mckesson.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

--
End of file - 8463 bytes
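
An added helper, not part of this thread or of HijackThis itself, that parses HJT log lines, flags entries whose registered file is gone (the "(no file)" and "(file missing)" leftovers seen above) and the O23 services HJT could not attribute, and diffs two scans. The two log excerpts are a few lines copied from the 11/3 and 11/13 logs posted in this thread.

```python
"""Parse HijackThis (HJT) log lines, flag orphaned entries and diff two scans.

Added example for this thread; it is not part of HijackThis or the forum post.
"""
import re
from dataclasses import dataclass

# An HJT entry is "<section> - <body>", e.g. "O2 - BHO: ..." or "R1 - HKLM\...".
HJT_LINE = re.compile(r"^(?P<section>[OFR]\d+) - (?P<body>.+)$")
# HJT appends these when the registered DLL/EXE is gone from disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass(frozen=True)
class Entry:
    section: str  # "O2", "O4", "O23", ...
    body: str     # everything after "Oxx - "

    def is_orphan(self) -> bool:
        """Registry still points at a file that no longer exists (cleanup leftover)."""
        return any(marker in self.body for marker in ORPHAN_MARKERS)

    def is_unknown_service(self) -> bool:
        """O23 services HJT could not attribute to a vendor deserve a second look."""
        return self.section == "O23" and "Unknown owner" in self.body


def parse_hjt(text):
    """Return the Entry objects in an HJT log; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        match = HJT_LINE.match(line.strip())
        if match:
            entries.append(Entry(match.group("section"), match.group("body")))
    return entries


def orphaned(entries):
    return [e for e in entries if e.is_orphan()]


def suspicious_services(entries):
    return [e for e in entries if e.is_unknown_service()]


def diff_logs(before, after):
    """(added, removed) between two scans of the same machine, sorted for display."""
    def key(e):
        return (e.section, e.body)
    before_set, after_set = set(before), set(after)
    return sorted(after_set - before_set, key=key), sorted(before_set - after_set, key=key)


# Excerpts of the two logs posted in this thread (11/3 before cleanup, 11/13 after).
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html
"""

AFTER_LOG = r"""
O2 - BHO: (no name) - {095CD655-22C4-4845-AA1D-10590EA36D1A} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html
"""

if __name__ == "__main__":
    before, after = parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG)
    added, removed = diff_logs(before, after)
    for label, items in (("orphaned after cleanup", orphaned(after)),
                         ("unattributed services before", suspicious_services(before)),
                         ("added", added), ("removed", removed)):
        print(f"== {label} ({len(items)})")
        for e in items:
            print(f"  {e.section} - {e.body}")
```

Orphaned entries are usually harmless registry leftovers, but they are worth reviewing since they show what was removed and where a re-registration would land.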

ken545
2009-11-13, 17:52
See if any of these are present; make sure you still have Windows enabled to show all files and folders

C:\Silent-Spy.cnt
C:\Silent-Spy.hlp
C:\Wlp.sys
C:\Wlg.sys
C:\SW.htm

C:\SSS <--folder

kobdog
2009-11-13, 18:28
Didn't find any of them. I even searched for all of them and the only thing even similar was:

C:\Documents and Settings\pmaslos\Local Settings\Temporary Internet Files\sw.gif

And what's weird is it shows up twice in the search results.

ken545
2009-11-13, 21:33
Run this cleaner to clean that folder out

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.

http://i24.photobucket.com/albums/c30/ken545/Atribune.jpg



You have Spybot Search and Destroy installed; make sure it's the latest version. Open Spybot and go to Help > About and it should be version 1.6.2; if not, uninstall it via Add Remove Programs and download and install the latest version. Then run it; if Silent Spy or part of it is present Spybot will remove it. I don't need to see any report, but when it's done, see if Silent Spy was flagged to remove and let me know
http://www.safer-networking.org/en/home/index.html

kobdog
2009-11-14, 16:16
Ran ATF Cleaner and Spybot, no immediate threats were found.

I did a search of the entire hard drive for *.log files yesterday just to see if SW had created a log. Didn't find anything related to that, but it looks like Qwest (our DSL provider) may have been running some checks or updates as there were logs in C:\Documents and Settings\All Users\Application Data\Support.com\profiles\dmasloski\{qwest}\logs. I copied the entries in the protect.log for November below. Not sure that it's related, but I wonder if they were using sw to monitor things during the update?? May seem far-fetched, but thought I'd pass it along. Probably worth a call to Qwest as to what they are probing and protecting. Your thoughts??

Thanks again!!!

protect.log:

----- Protection starting 11/10/2009 8:31:14 AM
* General initialization done 11/10/2009 8:31:14 AM
* General initialization done 11/10/2009 8:31:14 AM
* Mutex and server connect done 11/10/2009 8:31:15 AM
* Retrieving protection files from server 11/10/2009 8:31:15 AM
* Retrieval OK 11/10/2009 8:31:15 AM
Protection initialized 11/10/2009 8:31:15 AM
***Beginning probe 11/10/2009 8:31:16 AM ***
Checking {7341d696-c59a-4816-a60c-8dea7d62e56a}
Probing {7341d696-c59a-4816-a60c-8dea7d62e56a}
Finished probing {7341d696-c59a-4816-a60c-8dea7d62e56a}
Backing up {7341d696-c59a-4816-a60c-8dea7d62e56a}
Finished backing up {7341d696-c59a-4816-a60c-8dea7d62e56a}
Checking {a573cc4a-d7a1-4593-990a-fb581e573af4}
Probing {a573cc4a-d7a1-4593-990a-fb581e573af4}
Finished probing {a573cc4a-d7a1-4593-990a-fb581e573af4}
Backing up {a573cc4a-d7a1-4593-990a-fb581e573af4}
Finished backing up {a573cc4a-d7a1-4593-990a-fb581e573af4}
Checking {c39235c9-4974-11d4-a4ba-0010a4e61750}
Probing {c39235c9-4974-11d4-a4ba-0010a4e61750}
Finished probing {c39235c9-4974-11d4-a4ba-0010a4e61750}
Backing up {c39235c9-4974-11d4-a4ba-0010a4e61750}
Finished backing up {c39235c9-4974-11d4-a4ba-0010a4e61750}
Checking {f04b4727-5194-4d8f-a004-75b9c36fbbfb}
Probing {f04b4727-5194-4d8f-a004-75b9c36fbbfb}
Finished probing {f04b4727-5194-4d8f-a004-75b9c36fbbfb}
Backing up {f04b4727-5194-4d8f-a004-75b9c36fbbfb}
Finished backing up {f04b4727-5194-4d8f-a004-75b9c36fbbfb}
Checking {14d4ee36-4ef4-4678-b258-cb4dc98cd2b9}
Probing {14d4ee36-4ef4-4678-b258-cb4dc98cd2b9}
Finished probing {14d4ee36-4ef4-4678-b258-cb4dc98cd2b9}
Backing up {14d4ee36-4ef4-4678-b258-cb4dc98cd2b9}
Finished backing up {14d4ee36-4ef4-4678-b258-cb4dc98cd2b9}
Checking {28f10aee-6184-4ca9-af23-f75d39c475cc}
Probing {28f10aee-6184-4ca9-af23-f75d39c475cc}
Finished probing {28f10aee-6184-4ca9-af23-f75d39c475cc}
Backing up {28f10aee-6184-4ca9-af23-f75d39c475cc}
Finished backing up {28f10aee-6184-4ca9-af23-f75d39c475cc}
***Probe completed 11/10/2009 8:35:29 AM***
* Mutex and server connect done 11/10/2009 8:35:29 AM
* Retrieving protection files from server 11/10/2009 8:35:29 AM
* Retrieval OK 11/10/2009 8:35:29 AM
Protection initialized 11/10/2009 8:35:29 AM
***Beginning probe 11/10/2009 8:35:29 AM ***
Checking {4b6488ce-a39a-4bdd-9274-8c413275705b}
Probing {4b6488ce-a39a-4bdd-9274-8c413275705b}
Finished probing {4b6488ce-a39a-4bdd-9274-8c413275705b}
Backing up {4b6488ce-a39a-4bdd-9274-8c413275705b}
Finished backing up {4b6488ce-a39a-4bdd-9274-8c413275705b}
***Probe completed 11/10/2009 8:35:39 AM***
----- Protection starting 11/11/2009 11:15:05 AM
* General initialization done 11/11/2009 11:15:05 AM
* Mutex and server connect done 11/11/2009 11:15:05 AM
* Retrieving protection files from server 11/11/2009 11:15:05 AM
* Retrieval OK 11/11/2009 11:15:05 AM
Protection initialized 11/11/2009 11:15:05 AM
***Beginning probe 11/11/2009 11:15:05 AM ***
***Probe completed 11/11/2009 11:15:05 AM***
----- Protection starting 11/12/2009 12:26:03 PM
* General initialization done 11/12/2009 12:26:03 PM
* Mutex and server connect done 11/12/2009 12:26:03 PM
* Retrieving protection files from server 11/12/2009 12:26:03 PM
* Retrieval OK 11/12/2009 12:26:03 PM
Protection initialized 11/12/2009 12:26:03 PM
***Beginning probe 11/12/2009 12:26:03 PM ***
***Probe completed 11/12/2009 12:26:03 PM***
----- Protection starting 11/13/2009 1:20:12 AM
* General initialization done 11/13/2009 1:20:12 AM
* Mutex and server connect done 11/13/2009 1:20:12 AM
* Retrieving protection files from server 11/13/2009 1:20:12 AM
* Retrieval OK 11/13/2009 1:20:23 AM
Protection initialized 11/13/2009 1:20:23 AM
***Beginning probe 11/13/2009 1:20:23 AM ***
***Probe completed 11/13/2009 1:20:23 AM***

ken545
2009-11-14, 17:25
Hi, Don't know much about what Qwest does; I guess a call to them to ask wouldn't hurt.

I will leave this thread open for you for a few days, any other issues just post back.