View Full Version : Malware
Deerslayer
2009-11-07, 17:54
I posted yesterday but was unable to post the HJT log. I was finally able to save it to CD and transfer to my laptop. I know you need this to analyze, so I'll risk losing my place in line.
Again: Spybot had detected Opachki and seemed to have cleaned it but something is wrong. No Internet, can't drag and drop, no task bar or start button. Even tried to deny me saving the HJT log to CD saying I did not have permission. So here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:46 AM, on 11/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\vptray.exe
C:\WINDOWS\system32\DLA\TFSWCMD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DoScan.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\\vptray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [TS] C:\Program Files\TS\tsc.exe
O4 - HKUS\S-1-5-21-3790382252-2412222753-2890496779-1007\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User '?')
O4 - HKUS\S-1-5-21-3790382252-2412222753-2890496779-1007\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-3790382252-2412222753-2890496779-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-3790382252-2412222753-2890496779-1007\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (User '?')
O4 - HKUS\S-1-5-21-3790382252-2412222753-2890496779-1007\..\Run: [TS] C:\Program Files\TS\tsc.exe (User '?')
O4 - S-1-5-21-3790382252-2412222753-2890496779-1007 Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe (User '?')
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qpdom.cbservices.org/qp2.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123125006512
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5253/mcfscan.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\System32\PGPsdkServ.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
--
End of file - 16858 bytes
Hi,
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Generate an Uninstall List
* Open HijackThis
* Click on Open Misc Tools Section
* Click on Open Uninstall Manager
* Click on Save list
* Save it to your Desktop
* Post it & fresh hjt log on your next reply.
Deerslayer
2009-11-12, 00:16
No Recovery Console possible. ComboFix could not get on Internet to get it.
Was able to run requested logs.
ComboFix 09-11-11.02 - Gary 11/11/2009 15:34.1.1 - NTFSx86
Running from: D:\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\stc
c:\program files\stc\csv5p070.exe
c:\program files\Sysmnt
c:\program files\Sysmnt\Ssmgr.exe
c:\windows\123messenger.per
c:\windows\180ax.exe
c:\windows\apphelp32.dll
c:\windows\asferror32.dll
c:\windows\asycfilt32.dll
c:\windows\athprxy32.dll
c:\windows\ati2dvaa32.dll
c:\windows\ati2dvag32.dll
c:\windows\audiosrv32.dll
c:\windows\autodisc32.dll
c:\windows\avifile32.dll
c:\windows\avisynthex32.dll
c:\windows\aviwrap32.dll
c:\windows\bjam.dll
c:\windows\bokja.exe
c:\windows\browserad.dll
c:\windows\cdsm32.dll
c:\windows\changeurl_30.dll
c:\windows\Downloaded Program Files\setup.dll
c:\windows\licencia.txt
c:\windows\msa64chk.dll
c:\windows\msapasrc.dll
c:\windows\mspphe.dll
c:\windows\mssvr.exe
c:\windows\ntnut.exe
c:\windows\saiemod.dll
c:\windows\salm.exe
c:\windows\shdocpe.dll
c:\windows\shdocpl.dll
c:\windows\swin32.dll
c:\windows\system32\MSNSA32.dll
c:\windows\system32\ntnut32.exe
c:\windows\system32\shdocpe.dll
c:\windows\system32\SIPSPI32.dll
c:\windows\system32\wer8274.dll
c:\windows\system32\winfrun32.bin
c:\windows\telefonos.txt
c:\windows\textos.txt
c:\windows\voiceip.dll
c:\windows\winsb.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-11 to 2009-11-11 )))))))))))))))))))))))))))))))
.
2009-11-07 14:21 . 2009-11-07 14:23 -------- d-----w- c:\program files\ERUNT
2009-11-07 14:15 . 2009-11-07 14:15 -------- d-----w- c:\program files\Trend Micro
2009-11-06 00:53 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-06 00:53 . 2009-11-07 14:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 00:53 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-06 00:51 . 2009-11-06 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-25 19:01 . 2009-10-25 19:02 -------- d-----w- c:\program files\Motorola
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 13:57 . 2005-03-16 23:30 5743788 -c--a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-11-04 03:19 . 2008-06-17 02:09 -------- d-----w- c:\program files\Snoop 4.0
2009-11-04 00:49 . 2003-10-09 16:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-03 13:04 . 2008-04-18 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-25 19:01 . 2003-10-09 15:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-25 18:37 . 2009-10-25 18:37 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-10-22 08:03 . 2007-03-03 18:46 40 ----a-w- c:\windows\system32\profile.dat
2009-10-18 16:16 . 2007-02-19 23:03 -------- d-----w- c:\program files\Punch! Master Landscape
2009-10-06 01:52 . 2009-10-06 01:52 -------- d-----w- c:\documents and settings\Julie\Application Data\Apple Computer
2009-10-04 03:23 . 2005-06-17 01:20 -------- d-----w- c:\documents and settings\Gary\Application Data\Canon
2009-09-30 01:25 . 2009-09-30 02:43 428032 ----a-w- c:\windows\Internet Logs\xDB43.tmp
2009-09-30 00:37 . 2003-12-28 17:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-29 23:18 . 2009-09-29 23:18 -------- d-----w- c:\program files\Common Files\TSUninstall
2009-09-19 13:37 . 2008-03-18 03:49 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-19 13:35 . 2009-09-19 13:41 1693696 ----a-w- c:\windows\Internet Logs\xDB42.tmp
2009-09-11 14:18 . 2002-08-29 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 23:50 . 2007-03-04 20:18 92576 ----a-w- c:\documents and settings\Bryan.DB5JPM31\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 07:36 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2002-08-29 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2002-08-29 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 01:53 . 2007-03-04 20:09 92576 ----a-w- c:\documents and settings\Julie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 21:05 . 2003-12-25 19:05 92576 ----a-w- c:\documents and settings\Gary\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2002-08-29 10:00 . 2002-08-29 10:00 94784 -csh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12 . 2002-08-29 10:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2002-08-29 10:00 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2002-08-29 10:00 57344 --sh--w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2002-08-29 10:00 413696 --sha-w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2002-08-29 10:00 343040 --sha-w- c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 00:12 . 2002-08-29 10:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.
------- Sigcheck -------
Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2004-08-06 2502656]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-10-09 151597]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2003-11-10 406016]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\\vptray.exe" [2006-09-28 125168]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2006-10-22 1622016]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
2;2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [x]
R2 PGPsdkServ;PGPsdkService;c:\windows\System32\PGPsdkServ.exe [2003-10-27 65536]
R3 SavRoam;SavRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [2006-09-28 116464]
R3 WipeFile;WipeFile;c:\windows\system32\DRIVERS\WipeFile.sys [2006-08-31 58880]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-27 102448]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder
2009-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://hsremove.com/done.htm
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = hxxp://localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
LSP: lspcsnp4.dll
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: turbotax.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-TS - c:\program files\TS\tsc.exe
AddRemove-NoAdware 5.0_is1 - c:\program files\NoAdware5.0\unins000.exe
AddRemove-TS - c:\program files\TS\tsc.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-11 15:45
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3790382252-2412222753-2890496779-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-11-11 15:51
ComboFix-quarantined-files.txt 2009-11-11 21:49
Pre-Run: 11,435,855,872 bytes free
Post-Run: 12,338,659,328 bytes free
- - End Of File - - 21BAF83C87042CE6C519EE62628305D1
Uninstall
Active Images Express
Adobe Acrobat 8.1.2 Standard
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.9
Adobe® Photoshop® Album Starter Edition 3.2
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Apple Software Update
BCM V.92 56K Modem
Britannica Ready Reference
Canon MP Drivers 6.0
Canon MP Navigator 1.0
Canon ScanGear Starter
Canon Utilities Easy-PhotoPrint
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
CutePDF Writer 2.3
DAO
Deer Hunter
Deer Hunter - Extended Season
Deer Hunter Companion
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support Center (Support Software)
DellSupport
DiscAPI (Studio 10)
DivX
DS21Patch
DVDSentry
Easy-WebPrint
ERUNT 1.1j
ESET Online Scanner
Garmin Trip and Waypoint Manager v3
Garmin USB Drivers
Garmin WebUpdater
Garmin WebUpdater
Google Earth
Google Updater
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Photo Printing Software
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
Ipswitch WS_FTP LE
ItsDeductible Express
Java 2 Runtime Environment, SE v1.4.2
Java(TM) 6 Update 13
Kaspersky Online Scanner
LG USB Drivers
LiveUpdate 3.1 (Symantec Corporation)
Lizardtech Express View
Logitech MouseWare 9.79.1
LogViewer
Macromedia Contribute 3.11
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8 Plugin
Malwarebytes' Anti-Malware
Media Downloader
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft WinUsb 1.0
Modem Helper
MSN Gaming Zone
MSN Messenger 6.2
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MUSICMATCH Jukebox
NVIDIA Drivers
OmniPage SE 2.0
Paint Shop Pro 7
PGP 8.0.3
Pinnacle Instant DVD Recorder
PowerDVD
Presto! PageManager 6.03
Punch! Master Landscape
Quicken 2007
QuickTime
RAPID (Studio 10)
RealOne Player
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SmartSound Quicktracks Plugin
Sonic DLA
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Studio 10
Symantec Client Security
Time Zone Data Update Tool for Microsoft Office Outlook
TurboTax 2008
TurboTax 2008 wiliper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax Deluxe 2003
TurboTax Deluxe 2004
TurboTax Deluxe 2005
TurboTax Deluxe 2007
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
V CAST Music
VC 9.0 Runtime
VC 9.0 Runtime
WexTech AnswerWorks
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Genuine Advantage v1.3.0254.0
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WordPerfect Office 11
Yahoo! Customizations
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
ZoneAlarm
ZoneAlarm Spy Blocker
Zune
Zune
Zune Language Pack (ES)
Zune Language Pack (FR)
HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:44 PM, on 11/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\vptray.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DLA\TFSWCMD.EXE
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DoScan.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\\vptray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-21-3790382252-2412222753-2890496779-1007\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User '?')
O4 - HKUS\S-1-5-21-3790382252-2412222753-2890496779-1007\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-3790382252-2412222753-2890496779-1007\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (User '?')
O4 - S-1-5-21-3790382252-2412222753-2890496779-1007 Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe (User '?')
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O10 - Unknown file in Winsock LSP: lspcsnp4.dll
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qpdom.cbservices.org/qp2.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123125006512
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5253/mcfscan.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\System32\PGPsdkServ.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
--
End of file - 16103 bytes
Hi,
Move ComboFix.exe to your desktop, please.
Is the connection still down? If it is then follow manual way to install recovery console. Instructions for that in ComboFix tutorial (remember to choose recovery console that is suitable for your Windows version!).
Deerslayer
2009-11-16, 06:17
Hi Blade,
Personal note. I just noticed you are in Finland. My grandparents migrated to America from Finland in the 1800’s and settled in Upper Michigan. My Uncle Bruno was active in bringing Jazz to Finland back in the 1930’s and 40’s.
Still no Internet access on virus infected desktop computer. I can down load the Windows set up on my laptop to CD. I can then insert the CD into the infected desktop computer and make the six-disk setup diskettes. I can’t complete the setup (and I assume the Recovery Console) as it asks for the Windows XP Service Pack 2 CD. All I have is the Dell OEM CD. Can’t figure out how to install the Recovery Console from there. Can’t get the ComboFix file on the infected computers desktop. Wouldn’t be able to drag and drop the Recovery Console over the ComboFix file anyway since drag and drop is not operational. There is a Recovery Option available from the six disks, but choosing that to run just brought up the impaired Windows operating system.
Virus has stopped all Drag and Drop. I can’t move ComboFix from the CD (remember, I can’t access Internet from the desktop computer) to the desktop. Using DOS commands, I was able to copy it to the C:\ drive and ran it from there, but not from desk top. Can’t use DOS to copy it to the desktop directory.
I ran it again from the C:\location and the log is attached.
ComboFix 09-11-11.02 - Gary 11/15/2009 21:51.2.1 - NTFSx86
Running from: C:\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-10-16 to 2009-11-16 )))))))))))))))))))))))))))))))
.
2009-11-16 02:45 . 2009-11-11 20:41 3563264 ----a-r- C:\ComboFix.exe
2009-11-07 14:21 . 2009-11-07 14:23 -------- d-----w- c:\program files\ERUNT
2009-11-07 14:15 . 2009-11-07 14:15 -------- d-----w- c:\program files\Trend Micro
2009-11-06 00:53 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-06 00:53 . 2009-11-07 14:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 00:53 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-06 00:51 . 2009-11-06 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-25 19:01 . 2009-10-25 19:02 -------- d-----w- c:\program files\Motorola
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 13:57 . 2005-03-16 23:30 5743788 -c--a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-11-04 03:19 . 2008-06-17 02:09 -------- d-----w- c:\program files\Snoop 4.0
2009-11-04 00:49 . 2003-10-09 16:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-03 13:04 . 2008-04-18 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-25 19:01 . 2003-10-09 15:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-25 18:37 . 2009-10-25 18:37 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-10-22 08:03 . 2007-03-03 18:46 40 ----a-w- c:\windows\system32\profile.dat
2009-10-18 16:16 . 2007-02-19 23:03 -------- d-----w- c:\program files\Punch! Master Landscape
2009-10-06 01:52 . 2009-10-06 01:52 -------- d-----w- c:\documents and settings\Julie\Application Data\Apple Computer
2009-10-04 03:23 . 2005-06-17 01:20 -------- d-----w- c:\documents and settings\Gary\Application Data\Canon
2009-09-30 01:25 . 2009-09-30 02:43 428032 ----a-w- c:\windows\Internet Logs\xDB43.tmp
2009-09-30 00:37 . 2003-12-28 17:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-29 23:18 . 2009-09-29 23:18 -------- d-----w- c:\program files\Common Files\TSUninstall
2009-09-19 13:37 . 2008-03-18 03:49 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-19 13:35 . 2009-09-19 13:41 1693696 ----a-w- c:\windows\Internet Logs\xDB42.tmp
2009-09-11 14:18 . 2002-08-29 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 23:50 . 2007-03-04 20:18 92576 ----a-w- c:\documents and settings\Bryan.DB5JPM31\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 07:36 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2002-08-29 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2002-08-29 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 01:53 . 2007-03-04 20:09 92576 ----a-w- c:\documents and settings\Julie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2002-08-29 10:00 . 2002-08-29 10:00 94784 -csh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12 . 2002-08-29 10:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2002-08-29 10:00 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2002-08-29 10:00 57344 --sh--w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2002-08-29 10:00 413696 --sha-w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2002-08-29 10:00 343040 --sha-w- c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 00:12 . 2002-08-29 10:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.
------- Sigcheck -------
Cryptography Services Error !!
.
((((((((((((((((((((((((((((( SnapShot@2009-11-11_21.45.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-16 02:38 . 2009-11-16 02:38 16384 c:\windows\Temp\Perflib_Perfdata_780.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2004-08-06 2502656]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-10-09 151597]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2003-11-10 406016]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\\vptray.exe" [2006-09-28 125168]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2006-10-22 1622016]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
2;2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [x]
R2 PGPsdkServ;PGPsdkService;c:\windows\System32\PGPsdkServ.exe [2003-10-27 65536]
R3 SavRoam;SavRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [2006-09-28 116464]
R3 WipeFile;WipeFile;c:\windows\system32\DRIVERS\WipeFile.sys [2006-08-31 58880]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-27 102448]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder
2009-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://hsremove.com/done.htm
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = hxxp://localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
LSP: lspcsnp4.dll
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: turbotax.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-15 22:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3790382252-2412222753-2890496779-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(356)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-16 22:06
ComboFix-quarantined-files.txt 2009-11-16 04:05
ComboFix2.txt 2009-11-11 21:52
Pre-Run: 12,329,009,152 bytes free
Post-Run: 12,290,453,504 bytes free
- - End Of File - - 2A78B42D99F7D87F1C8DBB29344CF089
näkemiin
Deerslayer
Hi,
Personal note. I just noticed you are in Finland. My grandparents migrated to America from Finland in the 1800’s and settled in Upper Michigan. My Uncle Bruno was active in bringing Jazz to Finland back in the 1930’s and 40’s.
That was interesting :). I had to go and check out the history. I assume you mean Bruno Laakko?
Back to instructions.. Please upload following files to http://www.virustotal.com and post back the results:
c:\windows\system32\svchost.exe
c:\windows\system32\lsass.exe
Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@echo off
cacls c:\windows\system32\svchost.exe >c:\logit.txt
cacls c:\windows\system32\lsass.exe >>c:\logit.txt
del %0
Double-click on fixes.bat file to execute it. After that you should have logit.txt file in c: root. Attach the file/its contents to your reply.
Deerslayer
2009-11-17, 05:02
Yep, Bruno Laakko was my Dad's brother. He had the band Lepakot. I see you list music as an interset. Jazz maybe?
On to the problem at hand. Requested files below:
File svchost.exe received on 2009.11.17 02:21:43 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/41 (0%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 50 and 71 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.17 -
AhnLab-V3 5.0.0.2 2009.11.16 -
AntiVir 7.9.1.65 2009.11.16 -
Antiy-AVL 2.0.3.7 2009.11.16 -
Authentium 5.2.0.5 2009.11.17 -
Avast 4.8.1351.0 2009.11.16 -
AVG 8.5.0.425 2009.11.16 -
BitDefender 7.2 2009.11.17 -
CAT-QuickHeal 10.00 2009.11.16 -
ClamAV 0.94.1 2009.11.16 -
Comodo 2960 2009.11.16 -
DrWeb 5.0.0.12182 2009.11.17 -
eSafe 7.0.17.0 2009.11.16 -
eTrust-Vet 35.1.7123 2009.11.16 -
F-Prot 4.5.1.85 2009.11.16 -
F-Secure 9.0.15370.0 2009.11.11 -
Fortinet 3.120.0.0 2009.11.16 -
GData 19 2009.11.17 -
Ikarus T3.1.1.74.0 2009.11.17 -
Jiangmin 11.0.800 2009.11.16 -
K7AntiVirus 7.10.897 2009.11.16 -
Kaspersky 7.0.0.125 2009.11.17 -
McAfee 5804 2009.11.16 -
McAfee+Artemis 5804 2009.11.16 -
McAfee-GW-Edition 6.8.5 2009.11.17 -
Microsoft 1.5202 2009.11.16 -
NOD32 4613 2009.11.16 -
Norman 6.03.02 2009.11.16 -
nProtect 2009.1.8.0 2009.11.16 -
Panda 10.0.2.2 2009.11.16 -
PCTools 7.0.3.5 2009.11.16 -
Prevx 3.0 2009.11.17 -
Rising 22.22.01.01 2009.11.17 -
Sophos 4.47.0 2009.11.17 -
Sunbelt 3.2.1858.2 2009.11.12 -
Symantec 1.4.4.12 2009.11.17 -
TheHacker 6.5.0.2.071 2009.11.16 -
TrendMicro 9.0.0.1003 2009.11.16 -
VBA32 3.12.10.11 2009.11.15 -
ViRobot 2009.11.16.2039 2009.11.16 -
VirusBuster 4.6.5.0 2009.11.16 -
Additional information
File size: 14336 bytes
MD5...: 27c6d03bcdb8cfeb96b716f3d8be3e18
SHA1..: 49083ae3725a0488e0a8fbbe1335c745f70c4667
SHA256: 2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5
ssdeep: 384:IDvi+JmG6yqlCRaJt4RHS5LutGJae7g9VJnpWCNJbW:INcG6xlCRaJKGOA7S
HJ
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x2509
timedatestamp.....: 0x48025bc0 (Sun Apr 13 19:15:12 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2c00 0x2c00 6.29 f6589e1ed3da6afefb0b4294d9ff7f2e
.data 0x4000 0x210 0x200 1.62 cbd504e46c836e09e8faabdcfbabaec2
.rsrc 0x5000 0x408 0x600 2.51 dcede0c303bbb48c6875eb64477e5882
( 4 imports )
> ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
> KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
> ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
> RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Generic Host Process for Win32 Services
original name: svchost.exe
internal name: svchost.exe
file version.: 5.1.2600.5512 (xpsp.080413-2111)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.17 -
AhnLab-V3 5.0.0.2 2009.11.16 -
AntiVir 7.9.1.65 2009.11.16 -
Antiy-AVL 2.0.3.7 2009.11.16 -
Authentium 5.2.0.5 2009.11.17 -
Avast 4.8.1351.0 2009.11.16 -
AVG 8.5.0.425 2009.11.16 -
BitDefender 7.2 2009.11.17 -
CAT-QuickHeal 10.00 2009.11.16 -
ClamAV 0.94.1 2009.11.16 -
Comodo 2960 2009.11.16 -
DrWeb 5.0.0.12182 2009.11.17 -
eSafe 7.0.17.0 2009.11.16 Win32.Banker
eTrust-Vet 35.1.7123 2009.11.16 -
F-Prot 4.5.1.85 2009.11.16 -
F-Secure 9.0.15370.0 2009.11.11 -
Fortinet 3.120.0.0 2009.11.16 -
GData 19 2009.11.17 -
Ikarus T3.1.1.74.0 2009.11.17 -
Jiangmin 11.0.800 2009.11.16 -
K7AntiVirus 7.10.897 2009.11.16 -
Kaspersky 7.0.0.125 2009.11.17 -
McAfee 5804 2009.11.16 -
McAfee+Artemis 5804 2009.11.16 -
McAfee-GW-Edition 6.8.5 2009.11.17 -
Microsoft 1.5202 2009.11.16 -
NOD32 4613 2009.11.16 -
Norman 6.03.02 2009.11.16 -
nProtect 2009.1.8.0 2009.11.16 -
Panda 10.0.2.2 2009.11.16 -
PCTools 7.0.3.5 2009.11.16 -
Prevx 3.0 2009.11.17 -
Rising 22.22.01.01 2009.11.17 -
Sophos 4.47.0 2009.11.17 -
Sunbelt 3.2.1858.2 2009.11.12 -
Symantec 1.4.4.12 2009.11.17 -
TheHacker 6.5.0.2.071 2009.11.16 -
TrendMicro 9.0.0.1003 2009.11.16 -
VBA32 3.12.10.11 2009.11.15 -
ViRobot 2009.11.16.2039 2009.11.16 -
VirusBuster 4.6.5.0 2009.11.16 -
Additional information
File size: 13312 bytes
MD5...: bf2466b3e18e970d8a976fb95fc1ca85
SHA1..: de5a73cbb5f51f64c53fb4277ef2c23e70db123f
SHA256: f7794b5d12dc5d820a162850f4388e2aa80426ad07cb221799cf941c682ab501
ssdeep: 384:ggHUJZXmtGDWkzLWT4a8WfMptsN0BhgO49:338z4zRfMpy0BF4
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x14bd
timedatestamp.....: 0x48025186 (Sun Apr 13 18:31:34 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x10d0 0x1200 6.00 7d33d24893e1db0fa0ecbd7a8fa637bd
.data 0x3000 0x6c 0x200 0.20 86a789a893c60d5e207d053188cdc250
.rsrc 0x4000 0x1b30 0x1c00 7.15 54488850c25258396b2c9492c36b0bd5
( 5 imports )
> ADVAPI32.dll: FreeSid, CheckTokenMembership, AllocateAndInitializeSid, OpenThreadToken, ImpersonateSelf, RevertToSelf
> KERNEL32.dll: CloseHandle, GetCurrentThread, ExitThread, SetUnhandledExceptionFilter, SetErrorMode, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, RtlUnwind, InterlockedExchange, VirtualQuery
> ntdll.dll: NtSetInformationProcess, RtlInitUnicodeString, NtCreateEvent, NtOpenEvent, NtSetEvent, NtClose, NtRaiseHardError, RtlAdjustPrivilege, NtShutdownSystem, RtlUnhandledExceptionFilter
> LSASRV.dll: LsaISetupWasRun, LsapDsDebugInitialize, LsapAuOpenSam, LsapCheckBootMode, ServiceInit, LsapInitLsa, LsapDsInitializePromoteInterface, LsapDsInitializeDsStateInfo
> SAMSRV.dll: SamIInitialize, SampUsingDsData
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: LSA Shell (Export Version)
original name: lsass.exe
internal name: lsass.exe
file version.: 5.1.2600.5512 (xpsp.080413-2113)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
Bat File Log (was not able to get it on desk top. Was able to get it to C:\ root and ran it from there)
c:\windows\system32\svchost.exe BUILTIN\Users:R
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
c:\windows\system32\lsass.exe BUILTIN\Users:R
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
Hi,
Yep, Bruno Laakko was my Dad's brother. He had the band Lepakot. I see you list music as an interset. Jazz maybe?
I like music of many different genres, favourites are hard rock and metal :)
Click start->run->write services.msc and see what's the status of Remote Procedure Call (RPC) service. If it's not started, double click the service and set its startup type as automatic and start the service. If any issues arise post back (exact error message if any is shown).
Deerslayer
2009-11-18, 04:39
Hi Blade,
Here's what we have. Can't run from "START" as START is not on the Windows desktop anymore. Ran it from Task Manager. Status of RPC is "Starting". I let that go for about three hours and it still shows "starting". Doubling clicking it does nothing at all. I tried right click,and the following are all greyed out:
Start
Stop
Pause
Resume
Restart
No errors, just won't do anything.
By the way, the "Extended" tab has nothing but a blue square on it. The Standard tab has the services listed. Not sure if that means anything.
I checked other services and the following are all hung in the "starting" status as well:
Automatic updates
Intuit Update Service
SSDP Discovery Service
Symantec Network Proxy
Windows Time.
Rebooted into safe mode and it made no difference.
Deerslayer
Hi,
Do you recall when this drag and drop issue first started to show up? What was done before it?
Reboot the system. Then immediately after that start eventviewer thru task manager (eventvwr.exe) and see if there're errors that have same datetime stamp with the startup timestamp. Let me know what errors there are.
Deerslayer
2009-11-20, 05:48
I ran event viewer but didn't see any startup entries. I have uploaded all three logs in case you can use them to spot anything amiss.
I believe the drag and drop and loss of "start" all occurred at the same time. Thinking back, the last time I shut down before the malware I saw nothing wrong. It was when I started the computer about 1 Nov when I noticed the issue. Long time to boot, about 5 minutes to get the Windows log in screen and then another 2-3 minutes to get the desk top. It was after that I noticed all the other issues.
Not sure it matters, but I get two error messages when I boot. One is a PGP error "cannot establish connection with the PGP SDK service" and the other is "Unable to launch application, error code 2147023179 and C:\program files\Dell support center\gs_agent\dsc.exe"
Deerslayer
Hi,
You still can't access web with Internet Explorer? Let's see if following steps have any effect:
1. Exit all programs, including Internet Explorer (if it is running).
2. Click Start, and then click Run. Type the following command in the Open box, and then press ENTER:
inetcpl.cpl
The Internet Options dialog box appears.
3. Click the Advanced tab.
4. Under Reset Internet Explorer settings, click Reset. Then click Reset again.
5. Goto Security tab.
6. Click Internet, Custom level, reset and click yes to confirmation.
Launch IE and see if you're able to connect.
Deerslayer
2009-11-26, 02:55
Hey Blade,
Back from deer hunting :)
Still cannot connect. I did manage to get the task bar back though. Not sure how but I think it was hiding off screen and I managed to get it back.
As far as connecting, when I select IE, I get a momentary flash on the screen and then nothing. I tried several times. Once, I was actually able to get IE minimized into the task bar (several iterations). When I tried to access the minimized IE, the error was that "windows cannot find http://www.yahoo.com. Make sure you typed it correctly and try again"
I have not been able to get IE to appear on the task bar any more, except for one time. I currently have an IE ICON there that says "Customize Links". Selecting it says windows cannot find "http://go.microsoft.com//fwlink/?LinkID=53540. Make sure you typed it correctly.
Now if I select IE, I get the quick flash of what appears to be IE opening, but it goes away and no longer goes to the task bar. Not sure how/why I managed to get it to appear there once.
I've also tried other programs with an "update" feature and none of them can access Internet either.
Is it time to Format C:\?
Gary
Is it time to Format C:\?
Let's not give up just yet.
Delete old ComboFix.exe and copy a fresh one to desktop.
Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\lspcsnp4.dll
DDS::
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & fresh hjt log.
Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the quote box into a new file:
@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
ping -n 2 google.com
route print
)
start Log1.txt
del %0
Go to the File menu at the top of the Notepad and select Save as.
Select save in: desktop
Fill in File name: test.bat
Save as type: All file types (*.*)
Click save.
Close the Notepad.
Locate and double-click tast.bat on the desktop.
A notepad opens, copy and paste the content it (log1.txt) to your reply.
Deerslayer
2009-11-26, 16:53
Problem,
Cannot drag and drop so can't get the script on top of ComboFix. Is there another way for ComboFix to launch it? Also, I can;t get files from the CD over to the desk top. If I use DOS to copy and paste I can get onlt get them to the C:\ root drive. Any further copy aand paste attempts presents me with 'The syntax of the command is incorrect". Maybe my DOS is rusty but shouldn't but when at the CD, D:\ drive, shouldn't "copy test.bat C:\Documents and Settings\Gary\Desktop" copy it over?
As far as the test.bat, I ran it fron C:\. I did not get a log file. All I get is "*** Default servers are not available" as an error in the DOS box.
Hi,
These remaining issues left I think reformat may not be bad option after all. Before your case I've seen two similar cases with exactly same symptoms and both had to be reformatted since the culprit couldn't be found.
To save time here I recommend to backup important documents, pictures and that kind of stuff and then reformat.