unable to update spybot or access safer-networking
argus1946
2010-02-24, 22:58
I think my desktop is infected; it runs Windows 2000 Pro with McAfee anti-virus.
When I open Internet Explorer I get the message "The procedure entry point Dnsfree could not be located in the dynamic link library DNSAPI.dll". When I cancel this, Internet Explorer opens and works as normal. However, if I try to visit the Safer-Networking site I get the page not found message, but I can access the forum.
Spybot runs and tells me everything is OK, but when I try to update, the message "error retrieving update info file" appears.
I have a laptop which, running at the same time through the same router, has no problem reaching the Safer-Networking site or updating Spybot.
I have followed the recommended procedure:
TeaTimer is off.
ERUNT has created a system registry backup.
Below is an HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:51:06, on 24/02/2010
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: http://memberservices.tesco.net
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6A4F3A11-99B7-4BD1-AF88-B7354D1DAECD} (SoleroMusicControl Class) - http://www.freehandmusic.com/Update/SoleroMusicControl.cab
O16 - DPF: {96816368-C1E3-414D-A193-63C3CC921990} (MJPEGRender Control) - http://stroodcam-colchester.remotemanager.co.uk/common/activex/MJPEGRender.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{814F9DC6-B136-4C46-80D7-EF9191EE6032}: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CS1\Services\Tcpip\..\{814F9DC6-B136-4C46-80D7-EF9191EE6032}: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CS2\Services\Tcpip\..\{814F9DC6-B136-4C46-80D7-EF9191EE6032}: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.222,93.188.166.43
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBHookSvc - Unknown owner - C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\SBHookSvc.exe (file missing)
--
End of file - 11347 bytes
I apologise for posting a similar thread in the development forum a day ago; it is obvious to me now that this was the wrong place. I hope you can help.
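An added example, not part of argus1946's post or of the forum's advice: the six O17 lines in the log above hard-code the same two public resolvers, 93.188.164.222 and 93.188.166.43, in the current control set and in both backup control sets, both on the adapter's GUID key and on the global Tcpip\Parameters key. A NameServer value in the registry overrides whatever the router hands out over DHCP, which fits the symptom that the laptop on the same router reaches safer-networking.org while this desktop gets "page not found" for exactly the sites a removal tool needs. The Python script below, written for this page, parses O17 entries out of a HijackThis log, flags any hard-coded resolver that is not a LAN address, and can resolve a hostname through the suspect and a reference resolver side by side to see whether they disagree. The O17 sample lines are copied from the log above (the R1 line is included only as non-matching context); the reference resolver 192.0.2.1 in the comment is a placeholder, and `SAMPLE_HJT`, the `trusted` parameter and every function name are this example's own.

```python
"""Spot hard-coded DNS resolvers in a HijackThis log and check them against a reference server."""
import random
import re
import socket
import struct
from ipaddress import ip_address

# O17 lines copied from the HijackThis log posted above, plus one unrelated line (constructed
# context) to show that the parser ignores everything that is not an O17 NameServer entry.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{814F9DC6-B136-4C46-80D7-EF9191EE6032}: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CS1\Services\Tcpip\..\{814F9DC6-B136-4C46-80D7-EF9191EE6032}: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CS2\Services\Tcpip\..\{814F9DC6-B136-4C46-80D7-EF9191EE6032}: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.222,93.188.166.43
"""

# One O17 line per control set (CCS = CurrentControlSet, CS1/CS2 = the backup ControlSet00N
# hives) and per scope (the global Parameters key or a per-adapter GUID key).
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?P<scope>Parameters|\.\.\\\{[0-9A-Fa-f-]+\})\s*:\s*NameServer\s*=\s*(?P<servers>[0-9.,\s]+)$"
)

def parse_o17(log_text):
    """Map each NameServer IP to the set of registry locations (controlset\\scope) hard-coding it."""
    found = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            where = f"{m['cs']}\\{m['scope']}"
            for server in filter(None, re.split(r"[,\s]+", m["servers"].strip())):
                found.setdefault(server, set()).add(where)
    return found

def suspicious_servers(found, trusted=()):
    """Keep resolvers that are neither on the LAN (RFC 1918, i.e. the router) nor explicitly trusted.
    A DHCP-configured home PC normally has no NameServer value at all; a hard-coded public
    address silently overrides whatever the router hands out."""
    return {s: sorted(p) for s, p in found.items()
            if not ip_address(s).is_private and s not in trusted}

def build_a_query(name, txid):
    """Minimal DNS query: 12-byte header with RD=1 and one question for the A record of `name`."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(buf, off):
    """Step past a wire-format name: labels end with a zero byte or a 2-byte compression pointer."""
    while buf[off] != 0:
        if (buf[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + buf[off]
    return off + 1

def parse_a_answers(resp, txid):
    """Return (rcode, [IPv4 strings]) from a DNS response whose id matches our query."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: not an answer to our query")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4                  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:    # A record, class IN
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return flags & 0xF, ips

def resolve_via(server, name, timeout=3.0):
    """Ask one specific resolver over UDP/53 for the A records of `name` (needs network access)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_answers(data, txid)

def compare_resolvers(name, suspect, reference):
    """Resolve `name` via the suspect and a reference resolver; 'differs' True means a hijack or block."""
    rc_s, ips_s = resolve_via(suspect, name)
    rc_r, ips_r = resolve_via(reference, name)
    return {"suspect": (rc_s, sorted(ips_s)), "reference": (rc_r, sorted(ips_r)),
            "differs": (rc_s, set(ips_s)) != (rc_r, set(ips_r))}

if __name__ == "__main__":
    for server, places in suspicious_servers(parse_o17(SAMPLE_HJT)).items():
        print(f"hard-coded public resolver {server} in {len(places)} registry locations: {', '.join(places)}")
    # Live check, only meaningful with network access. 192.0.2.1 is a placeholder: put the
    # router's or ISP's resolver here (ipconfig /all on the working laptop shows which it uses).
    # print(compare_resolvers("safer-networking.org", "93.188.164.222", "192.0.2.1"))
```

Run offline, the script reports the two flagged resolvers and the six registry locations each one occupies. With network access, `compare_resolvers("safer-networking.org", "93.188.164.222", "<router or ISP resolver>")` comes back with `differs: True` whenever the suspect server returns a different address or an error code for the name; either outcome is enough to account for the update failure and the "page not found" on the vendor sites. Two things a practitioner should keep in mind for the clean-up: the same value sits in CS1 and CS2 as well as the current control set, so booting with Last Known Good Configuration would simply restore it, and the O17 entries need to be removed (in HijackThis, "Fix checked" on those lines) or the adapter set back to obtaining DNS automatically, after which `ipconfig /all` should show the router's address rather than these two. The "DnsFree could not be located in DNSAPI.dll" message in the same post is a separate check: it says the dnsapi.dll that Internet Explorer actually loaded lacks an export something expected, so it is worth confirming which copy of dnsapi.dll IE loads (a copy sitting in C:\Program Files\Internet Explorer\ would shadow the one in C:\WINNT\system32) and comparing its version with the system copy.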
Hi,
Windows 2000 support is reaching its end soon. It's recommended to prepare to upgrade to a newer release.
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
Please post contents of that file in your next reply.
Generate an Uninstall List
* Open HijackThis
* Click on Open Misc Tools Section
* Click on Open Uninstall Manager
* Click on Save list
* Save it to your Desktop
* Post it and a fresh HJT log in your next reply.
argus1946
2010-03-02, 17:15
Hi Blade81
I was unable to go to the Malwarebytes website (page unavailable), so I used another computer and transferred the software using a memory stick. I was unable to update (error code 732 (12007, 0)).
I followed your instructions and performed a quick scan; the log is included here:
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.0.2195 Service Pack 4
Internet Explorer 6.0.2800.1106
02/03/2010 14:31:43
mbam-log-2010-03-02 (14-31-43).txt
Scan type: Quick Scan
Objects scanned: 104910
Time elapsed: 21 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 5
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijacker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\(default) (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\(default) (Trojan.Zlob) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\(default) (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\(default) (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINNT\system32\824223 (Trojan.BHO) -> Quarantined and deleted successfully.
Files Infected:
C:\WINNT\system32\spool\prtprocs\w32x86\00007323.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
I then opened HJT; here is the uninstall list:
7-Zip 4.57
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.8
ArcSoft PhotoImpression
Audacity 1.2.6
BT Home Hub
BT Yahoo! Applications
CDex extraction audio
Clip Art 25,000 Vol 2
Compatibility Pack for the 2007 Office system
DVD Decrypter (Remove Only)
DVD Suite
EPSON Copy Utility
EPSON Photo Print
EPSON PhotoQuicker3.2
EPSON Printer Software
EPSON Smart Panel
EPSON TWAIN 5
ERUNT 1.1j
Family History Resource File Viewer 2.0
HijackThis 2.0.2
Hotfix for MDAC 2.53 (KB911562)
Hotfix for MDAC 2.53 (KB927779)
Java(TM) 6 Update 17
Java(TM) 6 Update 5
Java(TM) 6 Update 7
jTides 5.2
L&H TTS3000 British English
LG ODD Auto Firmware Update
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Publisher 2002
MSN Messenger 7.0
MSN Toolbar
MSVC80_x86
MSXML 4.0 SP2 (KB954430)
Musicnotes Software Suite 1.2
Nero 7 Essentials
neroxml
PCI Audio Driver
Photo Loader 2.3E
Photohands 1.0E
PL-2303 USB-to-Serial
PowerDVD
PowerProducer
Prism Video Converter
Registry Mechanic 8.0
ScanToWeb
SecurDisc Viewer
Security Update for DirectX 9 (KB941568)
Security Update for DirectX 9 (KB951698)
Security Update for DirectX 9.0 (KB971633)
Security Update for DirectX 9.0 (KB975560)
Security Update for DirectX 9.0 (KB976138)
Security Update for DirectX 9.0b (KB961373)
Security Update for Windows 2000 (KB904706)
Security Update for Windows 2000 (KB923689)
Security Update for Windows 2000 (KB941569)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB975025)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 6.4 (KB954600)
Security Update for Windows Media Player 6.4 (KB974112)
Security Update for Windows Media Player 7.1 (KB911565)
Security Update for Windows Media Player 7.1 (KB917734)
Security Update for Windows Media Player 7.1 (KB936782)
Serif PhotoPlus 9.0
Shockwave
Solero Music Control 1.0.1.7
Spybot - Search & Destroy
SSC Service Utility v4.30
Switch Sound File Converter
The Master Genealogist Silver UK Edition
Trust 56K V92 PCI Modem
Update Rollup 1 for Windows 2000 SP4
USB CASIO Digital Camera Device Driver
VLC media player 0.9.8a
What's Running 2.2
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB867282
Windows 2000 Hotfix - KB889293
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB890923
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896688
Windows 2000 Hotfix - KB896727
Windows 2000 Hotfix - KB897715
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908523
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB912812
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB916281
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917159
Windows 2000 Hotfix - KB917422
Windows 2000 Hotfix - KB917537
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB918118
Windows 2000 Hotfix - KB918899
Windows 2000 Hotfix - KB920213
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB920958
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB921503
Windows 2000 Hotfix - KB921883
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB922616
Windows 2000 Hotfix - KB922760
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB923561
Windows 2000 Hotfix - KB923694
Windows 2000 Hotfix - KB923810
Windows 2000 Hotfix - KB923980
Windows 2000 Hotfix - KB924191
Windows 2000 Hotfix - KB924270
Windows 2000 Hotfix - KB924667
Windows 2000 Hotfix - KB925454
Windows 2000 Hotfix - KB925486
Windows 2000 Hotfix - KB925902
Windows 2000 Hotfix - KB926122
Windows 2000 Hotfix - KB926436
Windows 2000 Hotfix - KB927891
Windows 2000 Hotfix - KB928090
Windows 2000 Hotfix - KB928843
Windows 2000 Hotfix - KB929969
Windows 2000 Hotfix - KB930178
Windows 2000 Hotfix - KB931768
Windows 2000 Hotfix - KB931784
Windows 2000 Hotfix - KB932168
Windows 2000 Hotfix - KB933566
Windows 2000 Hotfix - KB933729
Windows 2000 Hotfix - KB935839
Windows 2000 Hotfix - KB935840
Windows 2000 Hotfix - KB936021
Windows 2000 Hotfix - KB937143
Windows 2000 Hotfix - KB937894
Windows 2000 Hotfix - KB938127
Windows 2000 Hotfix - KB938464
Windows 2000 Hotfix - KB938827
Windows 2000 Hotfix - KB938829
Windows 2000 Hotfix - KB939653
Windows 2000 Hotfix - KB941202
Windows 2000 Hotfix - KB941644
Windows 2000 Hotfix - KB941693
Windows 2000 Hotfix - KB942615
Windows 2000 Hotfix - KB943055
Windows 2000 Hotfix - KB943485
Windows 2000 Hotfix - KB944338
Windows 2000 Hotfix - KB944533
Windows 2000 Hotfix - KB945553
Windows 2000 Hotfix - KB947864
Windows 2000 Hotfix - KB948590
Windows 2000 Hotfix - KB948881
Windows 2000 Hotfix - KB950749
Windows 2000 Hotfix - KB950974
Windows 2000 Hotfix - KB951066
Windows 2000 Hotfix - KB951748
Windows 2000 Hotfix - KB951748-V2
Windows 2000 Hotfix - KB952004
Windows 2000 Hotfix - KB952954
Windows 2000 Hotfix - KB953838
Windows 2000 Hotfix - KB953839
Windows 2000 Hotfix - KB954211
Windows 2000 Hotfix - KB955069
Windows 2000 Hotfix - KB955759
Windows 2000 Hotfix - KB956390
Windows 2000 Hotfix - KB956391
Windows 2000 Hotfix - KB956802
Windows 2000 Hotfix - KB956844
Windows 2000 Hotfix - KB957095
Windows 2000 Hotfix - KB957097
Windows 2000 Hotfix - KB958215
Windows 2000 Hotfix - KB958470
Windows 2000 Hotfix - KB958644
Windows 2000 Hotfix - KB958687
Windows 2000 Hotfix - KB958690
Windows 2000 Hotfix - KB958869
Windows 2000 Hotfix - KB959426
Windows 2000 Hotfix - KB960225
Windows 2000 Hotfix - KB960714
Windows 2000 Hotfix - KB960715
Windows 2000 Hotfix - KB960803
Windows 2000 Hotfix - KB960859
Windows 2000 Hotfix - KB961371
Windows 2000 Hotfix - KB961371-V2
Windows 2000 Hotfix - KB961501
Windows 2000 Hotfix - KB963027
Windows 2000 Hotfix - KB967715
Windows 2000 Hotfix - KB968537
Windows 2000 Hotfix - KB969059
Windows 2000 Hotfix - KB969897
Windows 2000 Hotfix - KB969898
Windows 2000 Hotfix - KB969947
Windows 2000 Hotfix - KB970238
Windows 2000 Hotfix - KB971468
Windows 2000 Hotfix - KB971486
Windows 2000 Hotfix - KB971557
Windows 2000 Hotfix - KB971961
Windows 2000 Hotfix - KB972260
Windows 2000 Hotfix - KB972270
Windows 2000 Hotfix - KB973346
Windows 2000 Hotfix - KB973354
Windows 2000 Hotfix - KB973507
Windows 2000 Hotfix - KB973525
Windows 2000 Hotfix - KB973869
Windows 2000 Hotfix - KB973904
Windows 2000 Hotfix - KB974318
Windows 2000 Hotfix - KB974392
Windows 2000 Hotfix - KB974455
Windows 2000 Hotfix - KB974571
Windows 2000 Hotfix - KB976325
Windows 2000 Hotfix - KB976749
Windows 2000 Hotfix - KB977165
Windows 2000 Hotfix - KB977914
Windows 2000 Hotfix - KB978037
Windows 2000 Hotfix - KB978207
Windows 2000 Hotfix - KB978251
Windows 2000 Hotfix - KB978262
Windows 2000 Hotfix - KB978706
Windows Defender Signatures
Windows Driver Package - Nokia Modem (10/12/2007 3.6)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Player 7.1
Windows Media Player Hotfix [See Q828026 for more information]
WinZip
I then ran HJT; here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:54:33, on 02/03/2010
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\System32\cidaemon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: http://memberservices.tesco.net
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6A4F3A11-99B7-4BD1-AF88-B7354D1DAECD} (SoleroMusicControl Class) - http://www.freehandmusic.com/Update/SoleroMusicControl.cab
O16 - DPF: {96816368-C1E3-414D-A193-63C3CC921990} (MJPEGRender Control) - http://stroodcam-colchester.remotemanager.co.uk/common/activex/MJPEGRender.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{814F9DC6-B136-4C46-80D7-EF9191EE6032}: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CS1\Services\Tcpip\..\{814F9DC6-B136-4C46-80D7-EF9191EE6032}: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CS2\Services\Tcpip\..\{814F9DC6-B136-4C46-80D7-EF9191EE6032}: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.222,93.188.166.43
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBHookSvc - Unknown owner - C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\SBHookSvc.exe (file missing)
--
End of file - 11432 bytes
I have not tried to access spybot yet but still get the error message as internet explorer opens.
Argus1946
Hi,
Start hjt, do a system scan, checkmark (if found):
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{814F9DC6-B136-4C46-80D7-EF9191EE6032}: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CS1\Services\Tcpip\..\{814F9DC6-B136-4C46-80D7-EF9191EE6032}: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CS2\Services\Tcpip\..\{814F9DC6-B136-4C46-80D7-EF9191EE6032}: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.222,93.188.166.43
Close browsers and fix checked entries
Reboot and see if you're able to update MBAM now.
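As an added example (not code from this thread, from HijackThis or from Spybot), the script below triages HJT log lines of the kinds fixed above: it compares every O17 NameServer entry against the resolvers the network is supposed to hand out (in this thread, what the working laptop on the same router uses), and flags about:blank R0/R1 pages and O2/O3 entries with no file on disk. The sample log lines, the router address 192.168.1.1 and the EXPECTED_RESOLVERS set are constructed assumptions.

```python
"""Triage a HijackThis (HJT) log for hijack indicators.

Added example; not code from the thread, from HijackThis or from Spybot.
It reads the line types the helper asked to be fixed (O17 NameServer entries,
R0/R1 IE start and search pages, O2/O3 BHOs and toolbars) and reports the
ones that look hijacked. EXPECTED_RESOLVERS is an assumption: a defender
fills it with the DNS servers the router actually hands out.
"""
import ipaddress
import re

# Constructed sample in the shape of the log posted in the thread (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CS1\Services\Tcpip\..\{814F9DC6-B136-4C46-80D7-EF9191EE6032}: NameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

# Assumption: the resolvers this network should be using (constructed router address).
EXPECTED_RESOLVERS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
BHO_RE = re.compile(
    r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)


def check_nameservers(line, expected):
    """Return one finding per resolver in an O17 line that is not an expected one."""
    m = O17_RE.match(line)
    if not m:
        return []
    findings = []
    for server in m.group("servers").split(","):
        server = server.strip()
        if server in expected:
            continue
        try:
            scope = "private" if ipaddress.ip_address(server).is_private else "public"
        except ValueError:
            scope = "unparseable"
        # A static resolver that is not the router's, above all a public one on a
        # machine that should get DNS from DHCP, explains why one host on a router
        # cannot reach a site that another host on the same router reaches fine.
        findings.append({"type": "dns", "key": m.group("key"), "server": server, "scope": scope})
    return findings


def check_ie_pages(line):
    """Flag R0/R1 start and search pages reset to about:blank (hijack residue)."""
    m = R_RE.match(line)
    if m and m.group("value").strip().lower() == "about:blank":
        return [{"type": "ie_page", "key": m.group("key"), "value": "about:blank"}]
    return []


def check_orphan_bhos(line):
    """Flag O2/O3 BHOs and toolbars still registered although their file is gone."""
    m = BHO_RE.match(line)
    if m and m.group("path").strip() == "(no file)":
        return [{"type": "orphan", "clsid": m.group("clsid"), "name": m.group("name")}]
    return []


def triage(log_text, expected_resolvers=EXPECTED_RESOLVERS):
    """Run every check over each log line and return the combined findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        findings += check_nameservers(line, expected_resolvers)
        findings += check_ie_pages(line)
        findings += check_orphan_bhos(line)
    return findings


def summarize(findings):
    """Condense findings; the rogue resolver set is what to compare with a clean host."""
    dns = [f for f in findings if f["type"] == "dns"]
    return {
        "rogue_dns_servers": sorted({f["server"] for f in dns}),
        "control_sets_affected": sorted({f["key"] for f in dns}),
        "about_blank_pages": sum(1 for f in findings if f["type"] == "ie_page"),
        "orphan_bhos": sum(1 for f in findings if f["type"] == "orphan"),
    }


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print(summarize(results))
```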
argus1946
2010-03-03, 00:08
Hi Blade81
I am still getting DNSFree could not be found in DNSAPI.dll before IE will open, but everything else was a success -
Spybot updates
Mbam updates
McAfee updates
and IE will go to Safer-Networking.org
Thank you very much
Argus1946
Hi,
Do you use/have used OpenDNS? It seems users with Windows 2000 are seeing that error. As I said in my opening post, Windows 2000 support is near its end and an OS upgrade should be done.
Uninstall old Adobe Reader versions and get the latest one (9.3 + update 9.3.1) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).
Uninstall your current Shockwave player and get the fresh one here (http://get.adobe.com/shockwave/) if needed.
Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). A fresh version can be obtained here (http://get.adobe.com/flashplayer/).
Uninstall these old Javas:
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report & a fresh hjt log.
argus1946
2010-03-04, 19:09
Hi Blade 81
I have not used OpenDNS
I have followed your instructions re updates,
the Kaspersky scan results are HTML; I opened them with Notepad and copied them, hope this is OK -
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, March 4, 2010
Operating system: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, March 04, 2010 05:44:51
Records in database: 3699193
Scan settings
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area: My Computer
A:\
C:\
D:\
Scan statistics
Objects scanned: 54982
Threats found: 8
Infected objects found: 19
Suspicious objects found: 0
Scan duration: 02:42:34
File name | Threat | Threats count
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\30\1471045e-720c4260 | Infected: Exploit.OSX.Smid.b | 1
C:\Documents and Settings\Administrator\My Documents\Computer stuff\packard bell downloads\setup.exe | Infected: not-a-virus:AdWare.Win32.NavExcel.d | 2
C:\Documents and Settings\Administrator\My Documents\Computer stuff\packard bell downloads\setup.exe | Infected: not-a-virus:AdWare.Win32.NavExcel | 1
C:\Documents and Settings\Administrator\My Documents\Computer stuff\packard bell downloads\setup.exe | Infected: not-a-virus:AdWare.Win32.NavExcel.b | 1
C:\Documents and Settings\Administrator\My Documents\Computer stuff\packard bell downloads\setup.exe | Infected: not-a-virus:AdWare.Win32.180Solutions | 1
C:\Documents and Settings\Administrator\My Documents\Computer stuff\packard bell downloads\setup.exe | Infected: not-a-virus:AdWare.Win32.BargainBuddy.h | 2
C:\Documents and Settings\Administrator\My Documents\Computer stuff\packard bell downloads\setup.exe | Infected: not-a-virus:AdWare.Win32.BargainBuddy.e | 1
C:\Documents and Settings\Administrator\My Documents\Computer stuff\packard bell downloads\setup.exe | Infected: not-a-virus:Server-Proxy.Win32.MarketScore.j | 1
C:\Documents and Settings\Administrator\My Documents\Computer stuff\Peter's Laptop\packard bell downloads\setup.exe | Infected: not-a-virus:AdWare.Win32.NavExcel.d | 2
C:\Documents and Settings\Administrator\My Documents\Computer stuff\Peter's Laptop\packard bell downloads\setup.exe | Infected: not-a-virus:AdWare.Win32.NavExcel | 1
C:\Documents and Settings\Administrator\My Documents\Computer stuff\Peter's Laptop\packard bell downloads\setup.exe | Infected: not-a-virus:AdWare.Win32.NavExcel.b | 1
C:\Documents and Settings\Administrator\My Documents\Computer stuff\Peter's Laptop\packard bell downloads\setup.exe | Infected: not-a-virus:AdWare.Win32.180Solutions | 1
C:\Documents and Settings\Administrator\My Documents\Computer stuff\Peter's Laptop\packard bell downloads\setup.exe | Infected: not-a-virus:AdWare.Win32.BargainBuddy.h | 2
C:\Documents and Settings\Administrator\My Documents\Computer stuff\Peter's Laptop\packard bell downloads\setup.exe | Infected: not-a-virus:AdWare.Win32.BargainBuddy.e | 1
C:\Documents and Settings\Administrator\My Documents\Computer stuff\Peter's Laptop\packard bell downloads\setup.exe | Infected: not-a-virus:Server-Proxy.Win32.MarketScore.j | 1
Selected area has been scanned.
Here is the HJT log -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:07:12, on 04/03/2010
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: http://memberservices.tesco.net
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6A4F3A11-99B7-4BD1-AF88-B7354D1DAECD} (SoleroMusicControl Class) - http://www.freehandmusic.com/Update/SoleroMusicControl.cab
O16 - DPF: {96816368-C1E3-414D-A193-63C3CC921990} (MJPEGRender Control) - http://stroodcam-colchester.remotemanager.co.uk/common/activex/MJPEGRender.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBHookSvc - Unknown owner - C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\SBHookSvc.exe (file missing)
--
End of file - 9837 bytes
Once again, thank you for your help
Argus1946
Hi,
Could you uninstall Spybot temporarily, reboot and see if error still shows up?
argus1946
2010-03-05, 02:01
Hi Blade81
Still get - "The procedure entry point Dnsfree could not be located in the dynamic link library DNSAPI.dll" after uninstalling spybot and rebooting.
I forgot to mention last time that this fault no longer occurs in the BT Yahoo internet browser.
Argus1946
Hi,
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
argus1946
2010-03-06, 16:13
Hi Blade81
Here is the ComboFix log
ComboFix 10-03-05.03 - Administrator 06/03/2010 13:08:56.1.1 - x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.511.283 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\winnt\system32\VB6KO.DLL
c:\winnt\Web\default.htt
c:\winnt\system32\comres.dll . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.
2010-03-06 11:49 . 2010-03-06 11:49 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_56c.dat
2010-03-06 11:47 . 2010-03-06 11:47 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_274.dat
2010-03-04 23:54 . 2010-03-04 23:54 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_5cc.dat
2010-03-03 21:49 . 2010-03-03 21:49 -------- d-----w- c:\program files\Common Files\Java
2010-03-03 21:49 . 2010-03-03 21:49 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7be84596-n\msvcr71.dll
2010-03-03 21:49 . 2010-03-03 21:49 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7be84596-n\msvcp71.dll
2010-03-03 21:49 . 2010-03-03 21:49 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7be84596-n\jmc.dll
2010-03-03 21:49 . 2010-03-03 21:49 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7a547911-n\decora-sse.dll
2010-03-03 21:49 . 2010-03-03 21:49 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7a547911-n\decora-d3d.dll
2010-03-03 21:48 . 2009-12-17 17:14 411368 ----a-w- c:\winnt\system32\deploytk.dll
2010-03-03 20:47 . 2010-03-03 20:47 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_560.dat
2010-03-03 20:40 . 2010-03-03 20:40 2560 ----a-w- c:\winnt\_MSRSTRT.EXE
2010-03-03 20:25 . 2010-03-03 20:23 38784 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-03 20:24 . 2010-03-03 20:23 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-03 20:24 . 2010-03-03 20:24 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-03 20:20 . 2010-03-03 20:20 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-03 20:19 . 2010-03-04 09:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-02 14:06 . 2010-03-02 14:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-02 14:06 . 2010-01-07 16:07 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-03-02 14:06 . 2010-03-02 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-02 14:06 . 2010-03-02 14:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 14:06 . 2010-01-07 16:07 18520 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-02-24 20:38 . 2010-02-24 20:39 -------- d-----w- c:\program files\ERUNT
2010-02-24 16:45 . 2010-03-04 07:18 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-02-24 08:35 . 2010-02-24 08:35 -------- d-----w- c:\program files\Trend Micro
2010-02-18 07:38 . 2010-02-18 07:38 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_54c.dat
2010-02-14 14:47 . 2010-02-14 14:47 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4d4.dat
2010-02-14 07:37 . 2010-02-14 07:37 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_518.dat
2010-02-12 08:50 . 2010-02-12 08:50 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_520.dat
2010-02-10 15:07 . 2010-02-10 15:07 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_52c.dat
2010-02-09 11:48 . 2010-02-09 11:48 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_298.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-06 12:59 . 2008-10-26 11:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-06 12:58 . 2009-02-15 11:51 -------- d-----w- c:\program files\lg_fwupdate
2010-03-05 00:20 . 2008-09-27 15:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-05 00:10 . 2008-09-27 15:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-03 21:48 . 2008-03-10 07:25 -------- d-----w- c:\program files\Java
2010-03-03 20:29 . 2004-04-06 16:24 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-23 12:37 . 2004-11-25 08:44 -------- d-----w- c:\program files\Google
2010-02-17 18:53 . 2008-02-22 22:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-02-09 14:56 . 2008-02-22 22:55 -------- d-----w- c:\program files\uTorrent
2010-01-24 16:33 . 2010-01-24 16:33 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_160.dat
2010-01-16 09:05 . 2010-01-16 09:05 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_528.dat
2010-01-07 23:48 . 2010-01-07 23:48 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-07 23:09 . 2010-01-07 23:09 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-28 13:03 . 2004-04-06 16:30 319760 ----a-w- c:\winnt\system32\MSPAINT.EXE
2009-12-16 16:25 . 2009-12-16 16:25 576512 ----a-w- c:\winnt\system32\WININET.DLL
2009-12-14 07:10 . 1999-12-07 12:00 35088 ----a-w- c:\winnt\system32\CSRSRV.DLL
2009-12-11 09:19 . 2009-12-11 09:19 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_158.dat
2009-12-10 13:39 . 1999-12-07 12:00 252592 ----a-w- c:\winnt\system32\drivers\SRV.SYS
2009-12-08 19:27 . 2009-12-08 19:27 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_32c.dat
2009-12-08 18:53 . 1999-12-07 11:05 1713600 ----a-w- c:\winnt\system32\NTKRNLPA.EXE
2009-12-08 18:52 . 1999-12-07 12:00 1690944 ----a-w- c:\winnt\system32\NTOSKRNL.EXE
2009-12-07 07:05 . 1999-12-07 12:00 416080 ----a-w- c:\winnt\system32\drivers\mrxsmb.sys
2009-12-06 16:45 . 2006-09-13 16:47 98864 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2004-04-06 14:30 . 2004-04-06 14:30 21952 ---h--w- c:\program files\folder.htt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-11-18 2836376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"NvCplDaemon"="c:\winnt\System32\NvCpl.dll" [2003-09-24 5033984]
"nwiz"="nwiz.exe" [2003-09-24 741376]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-07 1176808]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-24 77824]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2009-10-27 557056]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2005-5-3 229376]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
2003-03-20 06:21 1855488 ----a-r- c:\winnt\mixer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-01-24 21:13 77824 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [01/03/2010 14:58 93320]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [06/04/2004 16:20 61712]
R3 Ma730Pt;MA730 Bluetooth VCOM Driver;c:\winnt\system32\drivers\ma730Pt.sys [22/12/2007 16:55 103680]
R3 Ma730VaA;MA730 Bluetooth Advanced Audio;c:\winnt\system32\drivers\Ma730VaA.sys [22/12/2007 16:55 21851]
R3 Ma730Vad;MA730 Bluetooth Audio;c:\winnt\system32\drivers\Ma730Vad.sys [22/12/2007 16:55 50522]
S3 NuVision;Hauppauge WinTV USB (PAL I FM);c:\winnt\system32\drivers\Nuvision.sys [21/01/2005 11:03 259528]
S3 vmfilter323;323 filter service, Normal;c:\winnt\system32\drivers\vmfilter323.sys --> c:\winnt\system32\drivers\vmfilter323.sys [?]
S3 ZSMC326;Vimicro USB2.0 PC Camera(VC0323);c:\winnt\system32\Drivers\usbvm323.sys --> c:\winnt\system32\Drivers\usbvm323.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-01-01 c:\winnt\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: autoregister.net\tesco-online
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: ntl.com\register-tesco.qa.business
Trusted Zone: tesco.net\memberservices
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {6A4F3A11-99B7-4BD1-AF88-B7354D1DAECD} - hxxp://www.freehandmusic.com/Update/SoleroMusicControl.cab
DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://stroodcam-colchester.remotemanager.co.uk/common/activex/MJPEGRender.ocx
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-eyeBeam SIP Client - (no file)
HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
MSConfigStartUp-MSConfig - c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AXX632XW\msconfig[1].exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 13:29
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8207B8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xeb422ac3
\Driver\ACPI -> ACPI.sys @ 0xbffde554
\Driver\atapi -> atapi.sys @ 0xbff8c396
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x804c079e
ParseProcedure -> ntoskrnl.exe @ 0x804bf0b0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x804c079e
ParseProcedure -> ntoskrnl.exe @ 0x804bf0b0
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(228)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2010-03-06 13:40:34
ComboFix-quarantined-files.txt 2010-03-06 13:40
Pre-Run: 6,129,348,608 bytes free
Post-Run: 6,256,128,000 bytes free
- - End Of File - - 016118F2873ABB9B51EF4030FE9CD1C2
Argus1946
Hi,
Upload following file to http://www.virustotal.com and post back the results:
c:\winnt\system32\comres.dll
argus1946
2010-03-06, 18:51
Hi Blade81
Sorry, I repeated the post; I thought the first had not gone.
Unable to find file c:\winnt\system32\comres.dll; search says it does not exist.
ComboFix announced after stage 50 was complete that it was deleting files -
c:\winnt\system32\ub6ko.dll and
c:\winnt\web\default.htt
and attempting to restore
c:\winnt\system32\comres.dll
Next time I looked at the screen the log was completed.
Argus1946
Hi,
Sorry for the confusion. It seems that file isn't part of Windows 2000. So, false alarm there.
Do you recall when that error about the procedure entry point Dnsfree began to occur? As I said earlier, it seems to be related to OpenDNS and its incompatibility with Windows 2000.
argus1946
2010-03-06, 22:02
Hi Blade81
I can't remember exactly when the "The procedure entry point Dnsfree could not be located in the dynamic link library DNSAPI.dll" warning started, but it was very recently.
It was this warning that led me to believe the computer may be infected; when I tried to update Spybot and McAfee before scanning, I found that neither could, and I then found access to the safer-networking site blocked.
I am fairly sure it happened around 20th February this year.
Argus1946
Hi,
I still believe that error wouldn't be present in newer operating systems. However, I can't figure out what program would install OpenDNS-related stuff there.
Open notepad and copy/paste the text in the quotebox below into it:
Folder::
c:\documents and settings\Administrator\Application Data\uTorrent
c:\program files\uTorrent
DDS::
uStart Page = about:blank
uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
Trusted Zone: internet
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.
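Added example, not part of the thread and not a ComboFix or Safer-Networking tool: a small triage pass over the ComboFix log format used above, so that the things a helper looks for by eye (recently modified files under system32, drivers whose file ComboFix could not find, and the hex-encoded search URLs that the DDS:: lines in the script above reset) come out as lists. It assumes, from reading the log, that each file line is `<modified> . <created> <size or dashes> <attributes> <path>` and that in the attribute field `d` marks a directory and `t` a temporary file. The sample lines are copied from the ComboFix log earlier in this thread.

```python
"""Triage pass over ComboFix-style log lines (added example; not a ComboFix tool)."""
import re
from datetime import datetime, timedelta

# Assumed layout of a file line, as read from the log in this thread:
#   <modified> . <created> <size or --------> <attributes> <path>
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\d+|-{8})\s+(\S{8})\s+(.+?)\s*$")
# Service/driver line: <R|S><start type> <name>;<description>;<path ...>
SVC_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+)$")
# ComboFix prints the migrated IE default-search URL as a hex string
HEXURL_RE = re.compile(r"^([um])SearchMigratedDefaultURL\s*=\s*([0-9A-Fa-f]+)$")

SYSTEM_DIR = "c:\\winnt\\system32\\"   # Windows 2000 default; adjust for another %SystemRoot%


def parse_file_line(line):
    """Dict for a file/directory entry, or None for any other kind of line."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    modified, created, size, attrs, path = m.groups()
    return {
        "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
        "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
        "size": None if size.startswith("-") else int(size),
        "attrs": attrs,   # assumed: 'd' directory, 't' temporary, 'h' hidden, 'a' archive
        "path": path.lower(),
    }


def recently_modified_system_files(lines, as_of, window_days=90):
    """(path, days between creation and last modification) for every non-temporary file
    under SYSTEM_DIR modified inside the window. A large gap (an OS binary keeping its
    1999 creation date under a fresh mtime) is what a patch and a tampered file both look
    like, so these are the entries to hash and verify, not to delete on sight."""
    since = as_of - timedelta(days=window_days)
    hits = []
    for line in lines:
        e = parse_file_line(line)
        if e is None or not e["path"].startswith(SYSTEM_DIR):
            continue
        if "d" in e["attrs"] or "t" in e["attrs"]:   # skip directories and temp files
            continue
        if e["modified"] >= since:
            hits.append((e["path"], (e["modified"] - e["created"]).days))
    return hits


def dangling_services(lines):
    """Names of services/drivers whose binary ComboFix could not find ('[?]' suffix)."""
    found = []
    for line in lines:
        m = SVC_RE.match(line.strip())
        if m and m.group(5).rstrip().endswith("[?]"):
            found.append(m.group(3))
    return found


def decode_search_urls(lines):
    """Text of the hex-encoded default-search URLs ('u' = user hive, 'm' = machine hive)."""
    out = {}
    for line in lines:
        m = HEXURL_RE.match(line.strip())
        if m:
            out[m.group(1)] = bytes.fromhex(m.group(2)).decode("latin-1")
    return out


def triage(lines, as_of="2010-03-06"):
    """All three views in one dict; as_of is the scan date from the log header."""
    when = datetime.strptime(as_of, "%Y-%m-%d")
    return {
        "recent_system_files": recently_modified_system_files(lines, when),
        "dangling_services": dangling_services(lines),
        "search_urls": decode_search_urls(lines),
    }


# Sample input: lines copied from the ComboFix log earlier in this thread.
SAMPLE_LOG = r"""
2010-03-03 21:48 . 2009-12-17 17:14 411368 ----a-w- c:\winnt\system32\deploytk.dll
2010-03-02 14:06 . 2010-01-07 16:07 18520 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-02-18 07:38 . 2010-02-18 07:38 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_54c.dat
2010-03-05 00:20 . 2008-09-27 15:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-28 13:03 . 2004-04-06 16:30 319760 ----a-w- c:\winnt\system32\MSPAINT.EXE
2009-12-16 16:25 . 2009-12-16 16:25 576512 ----a-w- c:\winnt\system32\WININET.DLL
2009-12-14 07:10 . 1999-12-07 12:00 35088 ----a-w- c:\winnt\system32\CSRSRV.DLL
2009-12-08 18:52 . 1999-12-07 12:00 1690944 ----a-w- c:\winnt\system32\NTOSKRNL.EXE
2009-12-07 07:05 . 1999-12-07 12:00 416080 ----a-w- c:\winnt\system32\drivers\mrxsmb.sys
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [06/04/2004 16:20 61712]
S3 vmfilter323;323 filter service, Normal;c:\winnt\system32\drivers\vmfilter323.sys --> c:\winnt\system32\drivers\vmfilter323.sys [?]
S3 ZSMC326;Vimicro USB2.0 PC Camera(VC0323);c:\winnt\system32\Drivers\usbvm323.sys --> c:\winnt\system32\Drivers\usbvm323.sys [?]
uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
""".strip().splitlines()

if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_LOG))
```

Both SearchMigratedDefaultURL values decode to http://www.Google.com/, which is why the DDS:: entries above are housekeeping rather than the removal of a hijack. The recently-modified list is a starting point, not a verdict: CSRSRV.DLL, NTOSKRNL.EXE and mrxsmb.sys carrying a December 2009 modification time over a 1999 creation time is what a Windows Update looks like as much as what tampering looks like, so the next step for those entries is a hash compared against the vendor's patch or VirusTotal, not deletion.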
argus1946
2010-03-07, 18:11
Hi Blade81
here is latest combofix log -
ComboFix 10-03-06.07 - Administrator 07/03/2010 14:21:10.2.1 - x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.511.393 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Application Data\uTorrent
c:\documents and settings\Administrator\Application Data\uTorrent\[1985] Island Life - Grace Jones - 120mb @ 320kbs.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\[2003] American Tune - Eva Cassidy - 104mb @ 320kbs ##~.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\10cc - The Very Best Of(split tracks + covers).torrent
c:\documents and settings\Administrator\Application Data\uTorrent\1964 - The Rolling Stones.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\20 albums from 1976-mp3-Yoda68.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\216. Soul II Soul - Back To Life ( However Do You Want Me ).mp3.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\808_State.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\812 Kate Bush - The Whole Story.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Christy Moore - Listen (2009) - Folk.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Christy Moore - Spirit Of Freedom.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Christy Moore - The Best Of (Great Irish Traditional Musician).torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Christy Moore and Conal Gallen.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Cream - Disraeli Gears (1967) {Original} [EAC - Lame V0].torrent
c:\documents and settings\Administrator\Application Data\uTorrent\David Bowie - The last hero - 1996.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\dBpowerAMP Music Converter R13.2 Reference Edition.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Derek And The Dominoes-Layla And Other Assorted Love Songs(MfSL)(Darkside_RG).1.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Derek And The Dominoes-Layla And Other Assorted Love Songs(MfSL)(Darkside_RG).torrent
c:\documents and settings\Administrator\Application Data\uTorrent\dht.dat
c:\documents and settings\Administrator\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Administrator\Application Data\uTorrent\Donna Summer - Cats Without Claws.1.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Donna Summer - Cats Without Claws.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Dub Anthology.1.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Dub Anthology.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Elton John - Goodbye Yellow Brick Road (EAC.FLAC).torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Elton John - The very Best Of DHZ Inc Release.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Gotan Project - La Revancha Del Tango copy 2.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Grace Jones - Island Life [1985].torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Hazel O'Connor (1980) - Breaking Glass [tRg music release].torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Kate Bush - Hounds Of Love [remastered + 12 bonus tracks, 320 kbps].torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Kate Bush - Live at Hammersmith Odeon.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\KT Tunstall - Drastic Fantastic (2007) - Pop.rar.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Les Miserables - Original London Cast.1.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Les Miserables - Original London Cast.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\MaxSea.rar.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Mussorgsky - Pictures At An Exhibition - Night on Bald Mountain - 4 Choral Works - BP·Abbado.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Mussorgsky - Pictures.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Mussorgsky Pictures at an Exhibition - Abbado BPO.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Osibisa-7albums-From Lp and Cd.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Osibisa - Woyaya (1971).torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Paul Young - Hit Collection [Pop][2007].wwww.lokotorreents.com.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\resume.dat
c:\documents and settings\Administrator\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Administrator\Application Data\uTorrent\rss.dat
c:\documents and settings\Administrator\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Administrator\Application Data\uTorrent\rth.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Sade - The Best of Sade.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\settings.dat
c:\documents and settings\Administrator\Application Data\uTorrent\settings.dat.old
c:\documents and settings\Administrator\Application Data\uTorrent\Siouxsie And The Banshees - Gold Remastered [2CDs][Rock][2005][www.pctrecords.com].torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Sir Georg Solti conducts Mussorgsky and Bartok (DECCA).torrent
c:\documents and settings\Administrator\Application Data\uTorrent\slackware-10.2-iso.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Squeeze - Essential Squeeze.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Steve Winwood - 11 albums.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Strike Boys - Play time.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Tears For Fears - Discography 1983-2004 (9 Albums).torrent
c:\documents and settings\Administrator\Application Data\uTorrent\The Beatles - Discography (Remastered)Mp3 [320Kbps].torrent
c:\documents and settings\Administrator\Application Data\uTorrent\The Navy Lark - Series 01 - 10 Episodes - Radio Comedy - 192Kbps Mp3 - Slimoo.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\The Police - Greatest Hits.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\The Police - Synchronicity (1983).torrent
c:\documents and settings\Administrator\Application Data\uTorrent\The Seeds of Love.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\The Very Best Of Enya.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\The.Dark.Knight[2008]DvDrip-aXXo.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Tina Turner - Greatest Hits[cdrip]vbr[mp3]-darkjedi.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Tina Turner - Private dancer.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Traffic - John Barleycorn Must Die (1970) @ 320K.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\Traffic Discography.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\utorrent-help.zip
c:\documents and settings\Administrator\Application Data\uTorrent\utorrent.chm
c:\documents and settings\Administrator\Application Data\uTorrent\utorrent.lng
c:\program files\uTorrent
c:\program files\uTorrent\uTorrent.exe
c:\winnt\system32\comres.dll . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2010-02-07 to 2010-03-07 )))))))))))))))))))))))))))))))
.
2010-03-07 14:38 . 2010-03-07 14:38 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_550.dat
2010-03-07 14:36 . 2010-03-07 14:36 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_26c.dat
2010-03-03 21:49 . 2010-03-03 21:49 -------- d-----w- c:\program files\Common Files\Java
2010-03-03 21:49 . 2010-03-03 21:49 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7be84596-n\msvcr71.dll
2010-03-03 21:49 . 2010-03-03 21:49 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7be84596-n\msvcp71.dll
2010-03-03 21:49 . 2010-03-03 21:49 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7be84596-n\jmc.dll
2010-03-03 21:49 . 2010-03-03 21:49 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7a547911-n\decora-sse.dll
2010-03-03 21:49 . 2010-03-03 21:49 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7a547911-n\decora-d3d.dll
2010-03-03 21:48 . 2009-12-17 17:14 411368 ----a-w- c:\winnt\system32\deploytk.dll
2010-03-03 20:40 . 2010-03-03 20:40 2560 ----a-w- c:\winnt\_MSRSTRT.EXE
2010-03-03 20:25 . 2010-03-03 20:23 38784 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-03 20:24 . 2010-03-03 20:23 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-03 20:24 . 2010-03-03 20:24 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-03 20:20 . 2010-03-03 20:20 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-03 20:19 . 2010-03-04 09:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-02 14:06 . 2010-03-02 14:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-02 14:06 . 2010-01-07 16:07 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-03-02 14:06 . 2010-03-02 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-02 14:06 . 2010-03-02 14:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 14:06 . 2010-01-07 16:07 18520 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-02-24 20:38 . 2010-02-24 20:39 -------- d-----w- c:\program files\ERUNT
2010-02-24 16:45 . 2010-03-04 07:18 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-02-24 08:35 . 2010-02-24 08:35 -------- d-----w- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 15:09 . 2008-10-26 11:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-07 15:08 . 2009-02-15 11:51 -------- d-----w- c:\program files\lg_fwupdate
2010-03-05 00:20 . 2008-09-27 15:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-05 00:10 . 2008-09-27 15:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-03 21:48 . 2008-03-10 07:25 -------- d-----w- c:\program files\Java
2010-03-03 20:29 . 2004-04-06 16:24 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-23 12:37 . 2004-11-25 08:44 -------- d-----w- c:\program files\Google
2010-01-07 23:48 . 2010-01-07 23:48 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-07 23:09 . 2010-01-07 23:09 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-28 13:03 . 2004-04-06 16:30 319760 ----a-w- c:\winnt\system32\MSPAINT.EXE
2009-12-16 16:25 . 2009-12-16 16:25 576512 ------w- c:\winnt\system32\WININET.DLL
2009-12-14 07:10 . 1999-12-07 12:00 35088 ----a-w- c:\winnt\system32\CSRSRV.DLL
2009-12-10 13:39 . 1999-12-07 12:00 252592 ----a-w- c:\winnt\system32\drivers\SRV.SYS
2009-12-08 18:53 . 1999-12-07 11:05 1713600 ------w- c:\winnt\system32\NTKRNLPA.EXE
2009-12-08 18:52 . 1999-12-07 12:00 1690944 ------w- c:\winnt\system32\NTOSKRNL.EXE
2004-04-06 14:30 . 2004-04-06 14:30 21952 ---h--w- c:\program files\folder.htt
.
((((((((((((((((((((((((((((( SnapShot@2010-03-06_13.30.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-07 07:22 . 2010-03-07 07:22 217088 c:\winnt\ERDNT\AutoBackup\07-03-2010\Users\00000002\UsrClass.dat
+ 2010-03-07 07:23 . 2005-10-20 12:02 163328 c:\winnt\ERDNT\AutoBackup\07-03-2010\ERDNT.EXE
+ 2010-03-07 07:22 . 2010-03-07 07:22 6094848 c:\winnt\ERDNT\AutoBackup\07-03-2010\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-11-18 2836376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"NvCplDaemon"="c:\winnt\System32\NvCpl.dll" [2003-09-24 5033984]
"nwiz"="nwiz.exe" [2003-09-24 741376]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-07 1176808]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-24 77824]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2009-10-27 557056]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2005-5-3 229376]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
2003-03-20 06:21 1855488 ----a-r- c:\winnt\mixer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-01-24 21:13 77824 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [01/03/2010 14:58 93320]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [06/04/2004 16:20 61712]
R3 Ma730Pt;MA730 Bluetooth VCOM Driver;c:\winnt\system32\drivers\ma730Pt.sys [22/12/2007 16:55 103680]
R3 Ma730VaA;MA730 Bluetooth Advanced Audio;c:\winnt\system32\drivers\Ma730VaA.sys [22/12/2007 16:55 21851]
R3 Ma730Vad;MA730 Bluetooth Audio;c:\winnt\system32\drivers\Ma730Vad.sys [22/12/2007 16:55 50522]
S3 NuVision;Hauppauge WinTV USB (PAL I FM);c:\winnt\system32\drivers\Nuvision.sys [21/01/2005 11:03 259528]
S3 vmfilter323;323 filter service, Normal;c:\winnt\system32\drivers\vmfilter323.sys --> c:\winnt\system32\drivers\vmfilter323.sys [?]
S3 ZSMC326;Vimicro USB2.0 PC Camera(VC0323);c:\winnt\system32\Drivers\usbvm323.sys --> c:\winnt\system32\Drivers\usbvm323.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-01-01 c:\winnt\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: autoregister.net\tesco-online
Trusted Zone: mcafee.com
Trusted Zone: ntl.com\register-tesco.qa.business
Trusted Zone: tesco.net\memberservices
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {6A4F3A11-99B7-4BD1-AF88-B7354D1DAECD} - hxxp://www.freehandmusic.com/Update/SoleroMusicControl.cab
DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://stroodcam-colchester.remotemanager.co.uk/common/activex/MJPEGRender.ocx
.
- - - - ORPHANS REMOVED - - - -
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-07 15:08
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(220)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
- - - - - - - > 'explorer.exe'(1560)
c:\winnt\system32\SHDOCVW.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\System32\cisvc.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~2\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\winnt\System32\nvsvc32.exe
c:\winnt\system32\regsvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\winnt\system32\MSTask.exe
c:\winnt\system32\stisvc.exe
c:\winnt\System32\WBEM\WinMgmt.exe
c:\winnt\System32\mspmspsv.exe
c:\progra~1\McAfee\VIRUSS~2\mcsysmon.exe
c:\winnt\System32\cidaemon.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-03-07 15:17:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-07 15:17
ComboFix2.txt 2010-03-06 13:40
Pre-Run: 6,225,444,864 bytes free
Post-Run: 6,217,277,440 bytes free
- - End Of File - - E6C5EE47A36AFC8E19109916D5B34AFA
The "The procedure entry point Dnsfree could not be located in the dynamic link library DNSAPI.dll" warning has gone. IE start-up is very quick!
Registry Mechanic has disappeared from my desktop but What's Running says it's running.
Argus1946
Good. Post a fresh dds log too, please :)
Registry Mechanic has disappeared from my desktop but What's Running says it's running
It's possibly a shortcut that has disappeared. That can be re-created if needed.
argus1946
2010-03-07, 22:55
Hi Blade81
I restarted the computer and Registry Mechanic is back where it should be and working OK.
In fact everything appears to be OK.
Apologies, but what is a DDS log?
Was it a virus, spyware or malware that caused the problems?
argus1946
Sorry, I meant HJT log there. Anyway, since the problem seems to be resolved I see no point posting the log now :)
You had a DNS hijacker present, and that prevented you from accessing some sites.
Please find some final steps next.
Now let's uninstall ComboFix:
Click START then RUN
Now copy-paste Combofix /uninstall in the run box and click OK
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen)
Click Run
In the dialog box, type services.msc and hit Enter, then locate DNS Client
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK
Run Secunia vulnerability check here (http://secunia.com/vulnerability_scanning/online/) and fix its findings.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
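The hosts file recommended above is consulted before DNS, which is exactly why it is also a favourite place for a hijacker to plant entries that keep a victim away from vendor and update sites. The checker below is an added example written for this thread, not a tool from Safer Networking, MVPS or any of the helper's posts: it parses a Windows hosts file, separates deliberate block entries (names sinkholed to 0.0.0.0 or a loopback address, as the MVPS file does) from redirects to other addresses, and singles out redirects that touch update or security-vendor domains. The watch list of domain suffixes, the `WIN2K_HOSTS_PATH` default, and the sample hosts text are constructed assumptions; the 198.51.100.0/24 and 192.0.2.0/24 addresses are documentation ranges.

```python
"""Audit a Windows hosts file and separate harmless block entries from suspicious redirects.

Added example, not from the thread. Windows resolves names through the hosts file
before asking DNS, so anyone who can write to it can silently send vendor and update
traffic somewhere else.
"""
import ipaddress
import os

# Hostnames the machine should legitimately map to itself.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed watch list (an assumption, not a list from the thread): domains whose
# redirection is a strong sign of tampering, because they belong to update and
# security-vendor sites that malware tries to keep the victim away from.
WATCHED_SUFFIXES = (
    "safer-networking.org",
    "windowsupdate.com",
    "microsoft.com",
    "mcafee.com",
    "mvps.org",
)

# Default hosts file location on a Windows 2000 machine like the one in the thread (assumed).
WIN2K_HOSTS_PATH = r"C:\WINNT\system32\drivers\etc\hosts"


def parse_hosts(text):
    """Yield (line_no, ip_address, hostnames) for every usable entry.

    Tolerates comments, blank lines, tabs and inline comments, and skips lines
    whose first token is not an IP address (malformed or deliberately obfuscated).
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        tokens = body.split()
        if len(tokens) < 2:
            continue
        try:
            addr = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue
        yield line_no, addr, [t.lower().rstrip(".") for t in tokens[1:]]


def _is_watched(name):
    """True when the hostname is one of the watched domains or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Classify every hostname in the hosts text.

    Returns a dict with three lists of (line_no, hostname, address):
      blocked   - sinkholed to 0.0.0.0 or a loopback address (what a blocking
                  hosts file does on purpose);
      redirects - sent to some other address, which a workstation rarely needs;
      watched   - the subset of redirects that hit update or vendor domains.
    """
    result = {"blocked": [], "redirects": [], "watched": []}
    for line_no, addr, names in parse_hosts(text):
        sinkhole = addr.is_unspecified or addr.is_loopback
        for name in names:
            if name in LOCAL_NAMES:
                continue  # "127.0.0.1 localhost" is expected, not a block entry
            entry = (line_no, name, str(addr))
            if sinkhole:
                result["blocked"].append(entry)
            else:
                result["redirects"].append(entry)
                if _is_watched(name):
                    result["watched"].append(entry)
    return result


def audit_hosts_file(path=WIN2K_HOSTS_PATH):
    """Read a hosts file from disk (Windows writes it as ANSI text) and audit it."""
    with open(path, encoding="cp1252", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed sample: a mostly legitimate blocking hosts file with three
# redirect lines planted in it. The IPs are documentation-range addresses.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1\tlocalhost
0.0.0.0\tads.example-adserver.test        # typical MVPS-style block entry
127.0.0.1\ttracker.example-metrics.test
198.51.100.7\twww.safer-networking.org safer-networking.org
198.51.100.7\tupdate.microsoft.com
192.0.2.10\twww.example.com
this line is not a valid entry
"""

if __name__ == "__main__":
    report = audit_hosts_file() if os.path.exists(WIN2K_HOSTS_PATH) else audit_hosts(SAMPLE_HOSTS)
    for kind in ("blocked", "redirects", "watched"):
        print(f"{kind}: {len(report[kind])}")
    for line_no, name, addr in report["watched"]:
        print(f"  line {line_no}: {name} -> {addr}  (vendor/update domain redirected)")
```

Run on the constructed sample, the two sinkholed names are reported as ordinary block entries, the four other names as redirects, and the three vendor/update names as the ones worth looking at first. On a real machine the same check belongs next to the DNS Client service change described above: when the service is set to Manual, the hosts file is read directly on each lookup, so a planted entry takes effect immediately and is worth re-checking after any cleanup.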
argus1946
2010-03-08, 19:21
Hi Blade
Thanks for all your help
I have followed your instructions and everything is OK.
Your recommendations re updates will be adhered to.
thanks once again
Argus1946
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.