virtumonde
Red_Earth
2010-02-27, 07:11
I have recently been given a Compaq Presario, which is running XP media center.
It was given to me because of problems which the previous owner gave up on before buying a MacBook.
After adding and running Spybot S&D, it found some 135 problems, all of which I asked it to fix.
It could not fix some problems and asked me to restart.
Upon each restart it would find 6 or so problems and only be able to fix 4 'without a restart'.
I watched Spybot run because I found it odd that there were so many files (917655).
Toward the end of the scans, large numbers of files are called virtumonde.sdn.
I looked it up on the wiki and it comes up as a virus.
I'm not sure how to proceed.
IndiGenus
2010-02-28, 02:05
Hello and welcome to the forums here at Spybot S&D.
Please read through the instructions at this link (http://forums.spybot.info/showthread.php?t=288).
Then post your HijackThis log back here for me to review.
Please do not start a new topic but reply back here.
Regards,
Dave
Red_Earth
2010-02-28, 18:26
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:07 AM, on 2/28/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\IA\command.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\SeekeenSrch\seekeen155.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\SeekeenSrch\seekeen.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Common Files\{7C622FEF-089C-1033-0413-060405060001}\Update.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\lphctvoj0e57v.exe
C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\ikzo\ikzom.exe
C:\Program Files\Csvnro\Csvnro.exe
C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\pphctvoj0e57v.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\COMMON~1\ikzo\ikzol.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCCBHO.CPCCBHO - {22FC6CE8-7D47-479F-B74A-BFBB04ADB9AF} - C:\Program Files\Winferno\PC Confidential\PCCBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [{7C622FEF-089C-1033-0413-060405060001}] "C:\Program Files\Common Files\{7C622FEF-089C-1033-0413-060405060001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [{7C622FEF-089B-1033-0413-060405060001}] "C:\Program Files\Common Files\{7C622FEF-089B-1033-0413-060405060001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{7C622FEF-089D-1033-0413-060405060001}] "C:\Program Files\Common Files\{7C622FEF-089D-1033-0413-060405060001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [lphctvoj0e57v] C:\WINDOWS\system32\lphctvoj0e57v.exe
O4 - HKLM\..\Run: [SMrhcpvoj0e57v] C:\Program Files\rhcpvoj0e57v\rhcpvoj0e57v.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sxpv] C:\WINDOWS\S?mantec\w?auboot.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ikzo] C:\PROGRA~1\COMMON~1\ikzo\ikzom.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Uhqif] C:\WINDOWS\?racle\r?ndll32.exe
O4 - HKCU\..\Run: [Atdntep] "C:\Documents and Settings\Compaq_Administrator\My Documents\?dobe\j?vaw.exe"
O4 - HKCU\..\Run: [Dbbxpi] C:\WINDOWS\system32\s?stem32\?ti2evxx.exe
O4 - HKCU\..\Run: [Wvrmaf] C:\WINDOWS\?racle\m?iexec.exe
O4 - HKCU\..\Run: [Mdlhgl] C:\WINDOWS\system32\?ymantec\??rvices.exe
O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
O4 - HKCU\..\Run: [Csvnro] C:\Program Files\Csvnro\Csvnro.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SeekeenSrch Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\SeekeenSrch\seekeen155.exe
--
End of file - 8932 bytes
IndiGenus
2010-02-28, 18:30
Okay, that gives us a start. Quite a collection of malware you have there. Before beginning to fix anything I'd like to get a better look at things so we know where we stand.
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
++++++++++++++++++++++++++
Download This file (http://www.gmer.net/download.php). Note its name and save it to your root folder, such as C:\.
Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled.
Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
Allow the driver to load if asked.
You may be prompted to scan immediately if it detects rootkit activity.
If you are prompted to scan your system click "Yes" to begin the scan.
If not prompted, click the "Rootkit/Malware" tab.
On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
Select all drives that are connected to your system to be scanned.
Click the Scan button to begin. (Please be patient as it can take some time to complete)
When the scan is finished, click Save to save the scan results to your Desktop.
Save the file as Results.log and copy/paste the contents in your next reply.
Exit the program and re-enable all active protection when done.
Red_Earth
2010-02-28, 21:35
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-12-01.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/31/2006 11:26:45 AM
System Uptime: 2/28/2010 2:04:26 PM (0 hours ago)
Motherboard: ASUSTek Computer INC. | | NAGAMI2L
Processor: AMD Athlon(tm) 64 Processor 3500+ | Socket 939 | 2204/199mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 104 GiB total, 86.841 GiB free.
D: is FIXED (FAT32) - 8 GiB total, 0.504 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
==== Disabled Device Manager Items =============
==== System Restore Points ===================
No restore point in system.
==== Hosts File Hijack ======================
Hosts: 192.168.200.3 ad.doubleclick.net
Hosts: 192.168.200.3 ad.fastclick.net
Hosts: 192.168.200.3 ads.fastclick.net
Hosts: 192.168.200.3 atdmt.com
Hosts: 192.168.200.3 avp.ch
Hosts: 192.168.200.3 avp.com
Hosts: 192.168.200.3 avp.ru
Hosts: 192.168.200.3 awaps.net
Hosts: 192.168.200.3 banner.fastclick.net
Hosts: 192.168.200.3 banners.fastclick.net
Hosts: 192.168.200.3 ca.com
Hosts: 192.168.200.3 click.atdmt.com
Hosts: 192.168.200.3 clicks.atdmt.com
Hosts: 192.168.200.3 customer.symantec.com
Hosts: 192.168.200.3 dispatch.mcafee.com
Hosts: 192.168.200.3 download.mcafee.com
Hosts: 192.168.200.3 download.microsoft.com
Hosts: 192.168.200.3 downloads-us1.kaspersky-labs.com
Hosts: 192.168.200.3 downloads.microsoft.com
Hosts: 192.168.200.3 downloads1.kaspersky-labs.com
Hosts: 192.168.200.3 downloads2.kaspersky-labs.com
Hosts: 192.168.200.3 downloads3.kaspersky-labs.com
Hosts: 192.168.200.3 downloads4.kaspersky-labs.com
Hosts: 192.168.200.3 engine.awaps.net
Hosts: 192.168.200.3 f-secure.com
Hosts: 192.168.200.3 fastclick.net
Hosts: 192.168.200.3 ftp.avp.ch
Hosts: 192.168.200.3 ftp.f-secure.com
Hosts: 192.168.200.3 ftp.kasperskylab.ru
Hosts: 192.168.200.3 ftp.sophos.com
Hosts: 192.168.200.3 go.microsoft.com
Hosts: 192.168.200.3 ids.kaspersky-labs.com
Hosts: 192.168.200.3 kaspersky-labs.com
Hosts: 192.168.200.3 kaspersky.com
Hosts: 192.168.200.3 liveupdate.symantec.com
Hosts: 192.168.200.3 liveupdate.symantecliveupdate.com
Hosts: 192.168.200.3 mast.mcafee.com
Hosts: 192.168.200.3 mcafee.com
Hosts: 192.168.200.3 microsoft.com
Hosts: 192.168.200.3 msdn.microsoft.com
Hosts: 192.168.200.3 my-etrust.com
Hosts: 192.168.200.3 nai.com
Hosts: 192.168.200.3 networkassociates.com
Hosts: 192.168.200.3 office.microsoft.com
Hosts: 192.168.200.3 pandasoftware.com
Hosts: 192.168.200.3 phx.corporate-ir.net
Hosts: 192.168.200.3 rads.mcafee.com
Hosts: 192.168.200.3 secure.nai.com
Hosts: 192.168.200.3 securityresponse.symantec.com
Hosts: 192.168.200.3 service1.symantec.com
Hosts: 192.168.200.3 sophos.com
Hosts: 192.168.200.3 support.microsoft.com
Hosts: 192.168.200.3 symantec.com
Hosts: 192.168.200.3 trendmicro.com
Hosts: 192.168.200.3 update.symantec.com
Hosts: 192.168.200.3 updates.symantec.com
Hosts: 192.168.200.3 updates5.kaspersky-labs.com
Hosts: 192.168.200.3 us.mcafee.com
Hosts: 192.168.200.3 vil.nai.com
Hosts: 192.168.200.3 viruslist.com
Hosts: 192.168.200.3 viruslist.ru
Hosts: 192.168.200.3 virusscan.jotti.org
Hosts: 192.168.200.3 virustotal.com
Hosts: 192.168.200.3 windowsupdate.microsoft.com
Hosts: 192.168.200.3 www.avp.ch
Hosts: 192.168.200.3 www.avp.com
Hosts: 192.168.200.3 www.avp.ru
Hosts: 192.168.200.3 www.awaps.net
Hosts: 192.168.200.3 www.ca.com
Hosts: 192.168.200.3 www.f-secure.com
Hosts: 192.168.200.3 www.kaspersky.com
Hosts: 192.168.200.3 www.kaspersky.ru
Hosts: 192.168.200.3 www.mcafee.com
Hosts: 192.168.200.3 www.microsoft.com
Hosts: 192.168.200.3 www.my-etrust.com
Hosts: 192.168.200.3 www.nai.com
Hosts: 192.168.200.3 www.networkassociates.com
Hosts: 192.168.200.3 www.pandasoftware.com
Hosts: 192.168.200.3 www.sophos.com
Hosts: 192.168.200.3 www.symantec.com
Hosts: 192.168.200.3 www.symantec.com
Hosts: 192.168.200.3 www.trendmicro.com
Hosts: 192.168.200.3 www.viruslist.com
Hosts: 192.168.200.3 www.viruslist.ru
Hosts: 192.168.200.3 www.virustotal.com
Hosts: 192.168.200.3 www3.ca.com
==== Installed Programs ======================
Adobe Flash Player ActiveX
Adobe Reader 7.0.5
AIM 6
Ancient Sudoku
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 4
Belkin N Wireless USB Adapter Setup
Blackhawk Striker 2
Bookworm Deluxe
Bounce Symphony
BufferChm
Chuzzle Deluxe
Compaq Connections (remove only)
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
Csvnro
CueTour
Dasher
Data Fax SoftModem with SmartCP
Destinations
DeviceManagementQFolder
Diner Dash
Easy Internet Sign-up
ERUNT 1.1j
Fairies
FATE
Flip Words
FullDPAppQFolder
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB979306)
HP DVD Play 2.1
HP Game Console
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Rhapsody
HP Software Update
HP Support Overview
HPPhotoSmartExpress
HpSdpAppCoreApp
Insaniquarium Deluxe
InstantShareDevices
iTunes
Jewel Quest
LightScribe 1.4.84.1
Mah Jong Quest
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Away Mode
Microsoft Money 2006
Microsoft Office 2000 Disc 2
Microsoft Office 2003 Edition 60 Days Trial Welcome Tour
Microsoft Office Standard Edition 2003
Microsoft Works
MSN
MSXML 4.0 SP2 (KB973688)
Netscape Browser (remove only)
OptionalContentQFolder
PC-Doctor 5 for Windows
PC Confidential 2008
PhoTags Express
PhotoGallery
Poker Superstars
Polar Bowler
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
QuickTime
RandMap
RCT3 Soaked
RealPlayer
Realtek High Definition Audio Driver
Remove WeatherBug Installer
Rhapsody
Rhapsody Player Engine
Ricochet Lost Worlds
RollerCoaster Tycoon® 3
Safari
SCRABBLE
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Seekeen 1.0 build 155
SkinsHP1
SlideShow
SlideShowMusic
Slingo Deluxe
Snowy The Bears Adventure
Sonic Express Labeler
Sonic MyDVD Plus
Sonic_PrimoSDK
Spybot - Search & Destroy
Tennis Titans
Tornado Jockey
Tradewinds
Unload
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB912067
Windows XP Media Center Edition 2005 KB973768
==== Event Viewer Messages From Past Week ========
2/28/2010 11:07:46 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft .NET Framework 1.1 Service Pack 1 Security Update for Windows 2000, Windows XP, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 (KB953297).
2/28/2010 11:02:44 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
==== End Of File ===========================
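The "Hosts File Hijack" section of the Attach.txt log above maps security-vendor and Microsoft update hosts to 192.168.200.3, which quietly breaks Windows Update and AV signature downloads. As an added example, not part of this thread or of the DDS tool, here is a Python check that parses hosts-file lines and flags any such domain mapped to an address other than loopback; the vendor suffix list and the sample hosts text are constructed for illustration.

```python
"""Flag hosts-file entries that redirect security-vendor or update domains.

Added example: not part of the forum thread or the DDS tool. The suffix list
and the sample hosts text below are constructed for illustration.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Constructed list of domain suffixes that malware commonly blocks so the
# victim cannot reach updates or scanners (modelled on the names in the log
# above; extend it for your own environment).
PROTECTED_SUFFIXES = (
    "microsoft.com", "symantec.com", "symantecliveupdate.com", "mcafee.com",
    "kaspersky.com", "kaspersky-labs.com", "f-secure.com", "sophos.com",
    "trendmicro.com", "avp.com", "nai.com", "virustotal.com", "jotti.org",
)

# Addresses that merely blackhole a name rather than redirecting it.
LOOPBACK_OK = ("127.0.0.1", "::1", "0.0.0.0")

# Default hosts-file location on Windows XP (the system in this thread).
WINDOWS_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"


class Finding(NamedTuple):
    line_no: int
    address: str
    hostname: str
    reason: str


def _is_protected(hostname: str) -> bool:
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in PROTECTED_SUFFIXES)


def parse_hosts_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for a hosts entry, or None for blanks/comments."""
    body = line.split("#", 1)[0].strip()   # drop trailing comments
    if not body:
        return None
    fields = body.split()
    if len(fields) < 2:
        return None
    try:
        ipaddress.ip_address(fields[0])    # first field must be an IP literal
    except ValueError:
        return None
    return fields[0], fields[1:]


def find_hijacked_entries(hosts_text: str) -> List[Finding]:
    """Flag protected domains mapped anywhere except loopback/null addresses.

    A mapping such as windowsupdate.microsoft.com -> 192.168.200.3 sends update
    traffic to a LAN address instead of the vendor, so patches and signature
    updates silently fail; a loopback mapping blackholes the name instead.
    """
    findings: List[Finding] = []
    for n, raw in enumerate(hosts_text.splitlines(), start=1):
        parsed = parse_hosts_line(raw)
        if parsed is None:
            continue
        address, names = parsed
        for name in names:
            if not _is_protected(name):
                continue
            reason = ("protected domain blackholed" if address in LOOPBACK_OK
                      else "protected domain redirected")
            findings.append(Finding(n, address, name, reason))
    return findings


def summarize(hosts_text: str) -> dict:
    """Count findings by reason; a compact triage signal for a log reviewer."""
    counts: dict = {}
    for f in find_hijacked_entries(hosts_text):
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


def check_system_hosts(path: str = WINDOWS_HOSTS_PATH) -> List[Finding]:
    """Run the check against the live hosts file (read-only)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_hijacked_entries(fh.read())


# Constructed sample modelled on the DDS "Hosts File Hijack" section above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.200.3 windowsupdate.microsoft.com
192.168.200.3 liveupdate.symantec.com
192.168.200.3 downloads1.kaspersky-labs.com
192.168.200.3 ad.doubleclick.net
127.0.0.1 www.avp.com
10.0.0.5 intranet.example.test
"""

if __name__ == "__main__":
    for f in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.hostname} -> {f.address} ({f.reason})")
    print(summarize(SAMPLE_HOSTS))
```

Ad-network entries such as ad.doubleclick.net are deliberately not flagged, since blackholing advertising hosts is a common legitimate use of the hosts file.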
Red_Earth
2010-02-28, 21:36
DDS (Ver_09-12-01.01) - NTFSx86
Run by Compaq_Administrator at 14:10:55.42 on Sun 02/28/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.702.353 [GMT -5:00]
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\{7C622FEF-089C-1033-0413-060405060001}\Update.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\lphctvoj0e57v.exe
C:\WINDOWS\IA\command.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\ikzo\ikzom.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Csvnro\Csvnro.exe
C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\All Users\Application Data\SeekeenSrch\seekeen155.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\pphctvoj0e57v.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\SeekeenSrch\seekeen.exe
C:\Program Files\Safari\Safari.exe
C:\PROGRA~1\COMMON~1\ikzo\ikzol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.hotmail.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PCCBHO.CPCCBHO: {22fc6ce8-7d47-479f-b74a-bfbb04adb9af} - c:\program files\winferno\pc confidential\PCCBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {C1B4DEC2-2623-438E-9CA2-C9043AB28508} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {12DA1BC4-5384-42fd-A119-3C99D2D146A2} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Sxpv] c:\windows\s?mantec\w?auboot.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ikzo] c:\progra~1\common~1\ikzo\ikzom.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Uhqif] c:\windows\?racle\r?ndll32.exe
uRun: [Atdntep] "c:\documents and settings\compaq_administrator\my documents\?dobe\j?vaw.exe"
uRun: [Dbbxpi] c:\windows\system32\s?stem32\?ti2evxx.exe
uRun: [Wvrmaf] c:\windows\?racle\m?iexec.exe
uRun: [Mdlhgl] c:\windows\system32\?ymantec\??rvices.exe
uRun: [QdrModule12] "c:\program files\qdrmodule\QdrModule12.exe"
uRun: [Csvnro] c:\program files\csvnro\Csvnro.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [{7C622FEF-089C-1033-0413-060405060001}] "c:\program files\common files\{7c622fef-089c-1033-0413-060405060001}\Update.exe" te-110-12-0000213
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [{7C622FEF-089B-1033-0413-060405060001}] "c:\program files\common files\{7c622fef-089b-1033-0413-060405060001}\Update.exe" te-110-12-0000213
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [{7C622FEF-089D-1033-0413-060405060001}] "c:\program files\common files\{7c622fef-089d-1033-0413-060405060001}\Update.exe" te-110-12-0000213
mRun: [ALCMTR] ALCMTR.EXE
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [lphctvoj0e57v] c:\windows\system32\lphctvoj0e57v.exe
mRun: [SMrhcpvoj0e57v] c:\program files\rhcpvoj0e57v\rhcpvoj0e57v.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9e.exe
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d8053v4\BelkinWCUI.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - c:\program files\winferno\pc confidential\PCConfidential.exe
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA} - c:\program files\winferno\pc confidential\PCConfidential.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Hosts: 192.168.200.3 ad.doubleclick.net
Hosts: 192.168.200.3 ad.fastclick.net
Hosts: 192.168.200.3 ads.fastclick.net
Hosts: 192.168.200.3 atdmt.com
Hosts: 192.168.200.3 avp.ch
Note: multiple HOSTS entries found. Please refer to Attach.txt
============= SERVICES / DRIVERS ===============
R2 cmdService;Command Service;c:\windows\ia\command.exe [2007-6-3 293888]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SeekeenSrch Service;SeekeenSrch Service;c:\documents and settings\all users\application data\seekeensrch\seekeen155.exe [2010-2-26 4608]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-1-10 517632]
=============== Created Last 30 ================
2010-02-28 16:24:56 60512 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-28 16:21:33 94208 ----a-w- c:\windows\system32\pphctvoj0e57v.exe
2010-02-28 16:06:22 0 d-----w- c:\windows\ServicePackFiles
2010-02-28 16:05:42 0 d-----w- c:\program files\MSXML 4.0
2010-02-27 04:06:13 0 ----a-w- c:\windows\system32\atmtd.dll.tmp
2010-02-26 23:11:47 0 d-----w- c:\program files\Spybot - Search & Destroy
==================== Find3M ====================
2010-02-26 23:45:19 94208 ----a-w- c:\windows\system32\C7.tmp
2010-02-26 23:45:08 94208 ----a-w- c:\windows\system32\C6.tmp
2010-02-26 23:43:42 94208 ----a-w- c:\windows\system32\C5.tmp
2010-02-26 23:42:48 94208 ----a-w- c:\windows\system32\C4.tmp
2010-02-26 23:42:01 94208 ----a-w- c:\windows\system32\C3.tmp
2010-02-26 23:41:09 94208 ----a-w- c:\windows\system32\C2.tmp
2010-02-26 23:40:44 94208 ----a-w- c:\windows\system32\C1.tmp
2010-02-26 23:39:00 94208 ----a-w- c:\windows\system32\C0.tmp
2010-02-26 23:37:16 94208 ----a-w- c:\windows\system32\BF.tmp
2010-02-26 23:36:03 94208 ----a-w- c:\windows\system32\BE.tmp
2010-02-26 23:35:50 94208 ----a-w- c:\windows\system32\BD.tmp
2010-02-26 23:35:21 94208 ----a-w- c:\windows\system32\BC.tmp
2010-02-26 23:34:55 94208 ----a-w- c:\windows\system32\BB.tmp
2010-02-26 23:33:48 94208 ----a-w- c:\windows\system32\B9.tmp
2010-02-26 23:32:34 94208 ----a-w- c:\windows\system32\B8.tmp
2010-02-26 23:28:18 94208 ----a-w- c:\windows\system32\B7.tmp
2010-02-26 23:27:25 94208 ----a-w- c:\windows\system32\B6.tmp
2010-02-26 23:25:53 94208 ----a-w- c:\windows\system32\B5.tmp
2010-02-26 23:25:37 94208 ----a-w- c:\windows\system32\B2.tmp
2010-02-26 23:25:05 94208 ----a-w- c:\windows\system32\B1.tmp
2010-02-26 23:24:43 94208 ----a-w- c:\windows\system32\B0.tmp
2010-02-26 23:24:32 94208 ----a-w- c:\windows\system32\AF.tmp
2010-02-26 23:23:53 94208 ----a-w- c:\windows\system32\AE.tmp
2010-02-26 23:23:45 94208 ----a-w- c:\windows\system32\AD.tmp
2010-02-26 23:23:31 94208 ----a-w- c:\windows\system32\AC.tmp
2010-02-26 23:23:07 94208 ----a-w- c:\windows\system32\AB.tmp
2010-02-26 23:22:07 94208 ----a-w- c:\windows\system32\AA.tmp
2010-02-26 23:21:54 94208 ----a-w- c:\windows\system32\A9.tmp
2010-02-26 23:21:41 94208 ----a-w- c:\windows\system32\A8.tmp
2010-02-26 23:21:33 94208 ----a-w- c:\windows\system32\A7.tmp
2010-02-26 23:21:09 94208 ----a-w- c:\windows\system32\A6.tmp
2010-02-26 23:20:49 94208 ----a-w- c:\windows\system32\A5.tmp
2010-02-26 23:20:30 94208 ----a-w- c:\windows\system32\A4.tmp
2010-02-26 23:18:06 94208 ----a-w- c:\windows\system32\A3.tmp
2009-12-31 16:14:12 352640 ------w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:14:12 352640 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-16 13:35:58 18432 ------w- c:\windows\system32\dllcache\iedw.exe
2009-12-16 12:58:04 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-16 12:58:04 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:35:35 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-14 07:35:35 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-08 08:59:48 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 14:41:55 453760 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2005-08-02 20:46:54 187904 --sha-r- c:\windows\ia\asappsrv.dll
2005-08-02 20:58:38 293888 --sha-r- c:\windows\ia\command.exe
2005-07-29 20:24:26 472 --sha-r- c:\windows\ia\KE.vbs
============= FINISH: 14:11:42.53 ===============
Red_Earth
2010-02-28, 21:54
I have clicked on "this link" to see a list of programs to be disabled, but I have not found the list.
IndiGenus
2010-03-01, 00:34
I have clicked on "this link" to see a list of programs to be disabled, but I have not found the list.
Don't worry about it. In your case it doesn't appear you have ANY security software at all here, so nothing to disable. I will advise some free programs after we do some cleanup.
Red_Earth
2010-03-01, 02:07
When you say download this file, I did it and ran it, but I interrupted it because it had not had all of my drives checkmarked. I stopped the scan.
I reopened and scanned again. This time it froze or something; I left it alone because it was taking a long time, and it sent my monitor into a sleep mode from which I could not revive it.
I had to hard reboot. I have deleted the file and will attempt to download it again, run it again, and post my results. Thank you for being patient. I am not very savvy.
IndiGenus
2010-03-01, 02:42
Okay no problem. If you cannot get it to run then just let me know and we'll proceed with the fix. Most of this Malware has been around a long time (in the wild). We don't see much of it these days but it tends to make comebacks at times. My inclination though is that this PC has been infected for some time now.
Red_Earth
2010-03-01, 08:13
I downloaded a new file, and it scanned for hours and hours.
When I wasn't paying attention, again, it went into a frozen mode where my monitor wouldn't come on. I even unplugged the blue cable in back and in plugging it back in it still wouldn't let me see the screen. I plugged in a usb mouse and not only would it not wake up my monitor, it wouldn't light up to show power to it.
The computer, however, was running. The orange light was flickering, and the fan was running.
The previous owner has not run this computer in over a year and a half or so.
IndiGenus
2010-03-01, 15:51
Okay so this is "old" Malware.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated HijackThis log and let me know how it's running.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Red_Earth
2010-03-01, 20:22
ComboFix 10-03-01.01 - Compaq_Administrator 03/01/2010 13:00:06.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.702.356 [GMT -5:00]
Running from: c:\docume~1\COMPAQ~1\LOCALS~1\Temp\Saf52.tmp\ComboFix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
The following files were disabled during the run:
c:\windows\IA\asappsrv.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\35573251.exe
c:\documents and settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
c:\documents and settings\Compaq_Administrator\Application Data\rhcpvoj0e57v
c:\documents and settings\Compaq_Administrator\Cookies\_install.exe
c:\documents and settings\Compaq_Administrator\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Compaq_Administrator\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
C:\Microsoft
c:\microsoft\svchost.exe
c:\progra~1\COMMON~1\{3C622~1
c:\progra~1\COMMON~1\{7C622~1
c:\progra~1\COMMON~1\{7C622~1\system.dll
c:\progra~1\COMMON~1\{7C622~1\Update.exe
c:\progra~1\COMMON~1\{7C622~2
c:\progra~1\COMMON~1\{7C622~2\system.dll
c:\progra~1\COMMON~1\{7C622~2\Update.exe
c:\progra~1\COMMON~1\{7C622~3
c:\progra~1\COMMON~1\{7C622~3\system.dll
c:\progra~1\COMMON~1\{7C622~3\Update.exe
c:\program files\asks~1
c:\program files\Common Files\curity~1
c:\program files\Common Files\dobe~1
c:\program files\Common Files\racle~1
c:\program files\Common Files\smante~1
c:\program files\Common Files\smbols~1
c:\program files\Common Files\sstem~1
c:\program files\Common Files\ymante~1
c:\program files\crosof~1.net
c:\program files\curity~1
c:\program files\JavaCore
c:\program files\mantec~1
c:\program files\racle~1
c:\program files\rhcpvoj0e57v
c:\program files\shcrvoj0e57v
c:\program files\Spcron
c:\program files\sstem3~1
c:\program files\Svconr
c:\program files\Svconr\Svconr.exe.lzma
c:\program files\Temporary
c:\program files\Temporary\InsiDERInst.exe
c:\program files\wnsxs~1
c:\program files\ystem~1
c:\recycler\S-1-5-21-527237240-179605362-725345543-500
c:\windows\IA
c:\windows\IA\asappsrv.dll.vir
c:\windows\IA\command.exe
c:\windows\IA\KE.vbs
c:\windows\icroso~1
c:\windows\icroso~1.net
c:\windows\mcroso~1
c:\windows\racle~1
c:\windows\smante~1
c:\windows\sstem~1
c:\windows\system32\asks~1
c:\windows\system32\atmtd.dll.tmp
c:\windows\system32\COMCTL32.OCA
c:\windows\system32\curity~1
c:\windows\system32\E.tmp
c:\windows\system32\fnts~1
c:\windows\system32\lphctvoj0e57v.exe
c:\windows\system32\mantec~1
c:\windows\system32\pphctvoj0e57v.exe
c:\windows\system32\racle~1
c:\windows\system32\s.ico
c:\windows\system32\sks~1
c:\windows\system32\sstem3~1
c:\windows\system32\stem~1
c:\windows\system32\unsvchosts.lzma
c:\windows\system32\wapisu.exe
c:\windows\system32\wnsxs~1
c:\windows\system32\ymante~1
c:\windows\tsks~1
c:\windows\ymbols~1
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
-------\Legacy_COM+_MESSAGES
-------\Service_cmdService
((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.
2010-03-01 00:08 . 2010-03-01 00:08 293376 ----a-w- C:\2outg8ml.exe
2010-02-28 16:40 . 2010-02-28 16:41 -------- d-----w- c:\program files\ERUNT
2010-02-28 16:25 . 2010-02-28 16:25 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\PCHealth
2010-02-28 16:24 . 2010-02-28 16:24 60512 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-28 16:06 . 2010-02-28 16:06 -------- d-----w- c:\windows\ServicePackFiles
2010-02-28 16:05 . 2010-02-28 16:05 -------- d-----w- c:\program files\MSXML 4.0
2010-02-26 23:11 . 2010-02-26 23:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-26 23:49 . 2008-07-23 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-26 23:45 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C7.tmp
2010-02-26 23:45 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C6.tmp
2010-02-26 23:43 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C5.tmp
2010-02-26 23:42 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C4.tmp
2010-02-26 23:42 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C3.tmp
2010-02-26 23:41 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C2.tmp
2010-02-26 23:40 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C1.tmp
2010-02-26 23:39 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C0.tmp
2010-02-26 23:37 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BF.tmp
2010-02-26 23:36 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BE.tmp
2010-02-26 23:35 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BD.tmp
2010-02-26 23:35 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BC.tmp
2010-02-26 23:34 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BB.tmp
2010-02-26 23:33 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B9.tmp
2010-02-26 23:32 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B8.tmp
2010-02-26 23:28 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B7.tmp
2010-02-26 23:27 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B6.tmp
2010-02-26 23:25 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B5.tmp
2010-02-26 23:25 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B2.tmp
2010-02-26 23:25 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B1.tmp
2010-02-26 23:24 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B0.tmp
2010-02-26 23:24 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AF.tmp
2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AE.tmp
2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AD.tmp
2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AC.tmp
2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AB.tmp
2010-02-26 23:22 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AA.tmp
2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A9.tmp
2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A8.tmp
2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A7.tmp
2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A6.tmp
2010-02-26 23:20 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A5.tmp
2010-02-26 23:20 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A4.tmp
2010-02-26 23:18 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A3.tmp
2010-02-26 23:06 . 2007-08-16 18:02 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Apple Computer
2010-02-26 10:00 . 2009-03-14 15:40 -------- d-----w- c:\program files\SeekeenSrch
2010-02-26 09:26 . 2009-03-14 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SeekeenSrch
2009-12-31 16:14 . 2004-08-09 21:00 352640 ------w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:35 . 2004-08-09 21:00 668672 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:35 . 2004-08-09 21:00 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-16 12:58 . 2004-08-09 21:00 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-09 21:00 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-04 14:41 . 2004-08-09 21:00 453760 ------w- c:\windows\system32\drivers\mrxsmb.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sxpv"="c:\windows\S?mantec\w?auboot.exe" [?]
"Uhqif"="c:\windows\?racle\r?ndll32.exe" [?]
"Atdntep"="c:\documents and settings\Compaq_Administrator\My Documents\?dobe\j?vaw.exe" [?]
"Dbbxpi"="c:\windows\system32\s?stem32\?ti2evxx.exe" [?]
"Wvrmaf"="c:\windows\?racle\m?iexec.exe" [?]
"Mdlhgl"="c:\windows\system32\?ymantec\??rvices.exe" [?]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ikzo"="c:\progra~1\COMMON~1\ikzo\ikzom.exe" [2006-07-19 9216]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-04-27 50736]
"Csvnro"="c:\program files\Csvnro\Csvnro.exe" [2008-04-29 57344]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-09 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
"nwiz"="nwiz.exe" [2006-01-24 1519616]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-22 180269]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-21 218496]
c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-1-10 1474560]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R2 SeekeenSrch Service;SeekeenSrch Service;c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe [2/26/2010 4:26 AM 4608]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [1/10/2009 8:16 PM 517632]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hotmail.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{C1B4DEC2-2623-438E-9CA2-C9043AB28508} - (no file)
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-{7C622FEF-089C-1033-0413-060405060001} - c:\program files\Common Files\{7C622FEF-089C-1033-0413-060405060001}\Update.exe
HKLM-Run-{7C622FEF-089B-1033-0413-060405060001} - c:\program files\Common Files\{7C622FEF-089B-1033-0413-060405060001}\Update.exe
HKLM-Run-{7C622FEF-089D-1033-0413-060405060001} - c:\program files\Common Files\{7C622FEF-089D-1033-0413-060405060001}\Update.exe
HKLM-Run-lphctvoj0e57v - c:\windows\system32\lphctvoj0e57v.exe
HKLM-Run-SMrhcpvoj0e57v - c:\program files\rhcpvoj0e57v\rhcpvoj0e57v.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 13:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3312)
c:\program files\SeekeenSrch\seekeen.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\ARPWRMSG.EXE
c:\program files\SeekeenSrch\seekeen.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2010-03-01 13:18:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-01 18:18
Pre-Run: 93,198,229,504 bytes free
Post-Run: 93,758,308,352 bytes free
- - End Of File - - D98D1C79BD649ECF2050BDCED9B9203F
Red_Earth
2010-03-01, 20:25
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:04 PM, on 3/1/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\All Users\Application Data\SeekeenSrch\seekeen155.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\ikzo\ikzom.exe
C:\Program Files\SeekeenSrch\seekeen.exe
C:\Program Files\Csvnro\Csvnro.exe
C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCCBHO.CPCCBHO - {22FC6CE8-7D47-479F-B74A-BFBB04ADB9AF} - C:\Program Files\Winferno\PC Confidential\PCCBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sxpv] C:\WINDOWS\S?mantec\w?auboot.exe
O4 - HKCU\..\Run: [ikzo] C:\PROGRA~1\COMMON~1\ikzo\ikzom.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Uhqif] C:\WINDOWS\?racle\r?ndll32.exe
O4 - HKCU\..\Run: [Atdntep] "C:\Documents and Settings\Compaq_Administrator\My Documents\?dobe\j?vaw.exe"
O4 - HKCU\..\Run: [Dbbxpi] C:\WINDOWS\system32\s?stem32\?ti2evxx.exe
O4 - HKCU\..\Run: [Wvrmaf] C:\WINDOWS\?racle\m?iexec.exe
O4 - HKCU\..\Run: [Mdlhgl] C:\WINDOWS\system32\?ymantec\??rvices.exe
O4 - HKCU\..\Run: [Csvnro] C:\Program Files\Csvnro\Csvnro.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SeekeenSrch Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\SeekeenSrch\seekeen155.exe
--
End of file - 7304 bytes
Red_Earth
2010-03-01, 20:40
Okay so
During the ComboFix run a dialog box popped up and asked me to write down a file name that was trying to access ComboFix.
The file name is
C:\WINDOWS\IA\asapposrv.dll
The program did its scan and I posted the results.
After that I scanned with Hijackthis.
I posted those results as well.
I then restarted my computer and the popups that had been popping up did not pop up.
However a red shield with a white X appears in the lower right tray with a balloon that reads: Your computer might be at risk. Antivirus software might not be installed.
Other than that I would not question the integrity of the system had I not been told there was a problem. So far.
IndiGenus
2010-03-01, 21:15
Hi,
Wow, some of this Malware has been on this system for YEARS!
Before you do anything else combofix needs to be run from the desktop as advised earlier. You downloaded it to a temp folder (c:\docume~1\COMPAQ~1\LOCALS~1\Temp\Saf52.tmp\ComboFix.exe). Please move it from there to the desktop, or download a fresh copy to your desktop (whichever is easier for you).
After doing that...
1. Open Notepad
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Collect::
c:\windows\IA\asappsrv.dll
File::
C:\windows\system32\C7.tmp
c:\windows\system32\C6.tmp
c:\windows\system32\C5.tmp
c:\windows\system32\C4.tmp
c:\windows\system32\C3.tmp
c:\windows\system32\C2.tmp
c:\windows\system32\C1.tmp
c:\windows\system32\C0.tmp
c:\windows\system32\BF.tmp
c:\windows\system32\BE.tmp
c:\windows\system32\BD.tmp
c:\windows\system32\BC.tmp
c:\windows\system32\BB.tmp
c:\windows\system32\B9.tmp
c:\windows\system32\B8.tmp
c:\windows\system32\B7.tmp
c:\windows\system32\B6.tmp
c:\windows\system32\B5.tmp
c:\windows\system32\B2.tmp
c:\windows\system32\B1.tmp
c:\windows\system32\B0.tmp
c:\windows\system32\AF.tmp
c:\windows\system32\AE.tmp
c:\windows\system32\AD.tmp
c:\windows\system32\AC.tmp
c:\windows\system32\AB.tmp
c:\windows\system32\AA.tmp
c:\windows\system32\A9.tmp
c:\windows\system32\A8.tmp
c:\windows\system32\A7.tmp
c:\windows\system32\A6.tmp
c:\windows\system32\A5.tmp
c:\windows\system32\A4.tmp
c:\windows\system32\A3.tmp
Folder::
c:\program files\SeekeenSrch
c:\documents and settings\All Users\Application Data\SeekeenSrch
c:\progra~1\COMMON~1\ikzo
c:\program files\Csvnro
Driver::
SeekeenSrch Service
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sxpv"=-
"Uhqif"=-
"Atdntep"=-
"Dbbxpi"=-
"Wvrmaf"=-
"Mdlhgl"=-
"ikzo"=-
"Csvnro"=-
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
Combofix.txt
A new HijackThis log
Red_Earth
2010-03-02, 00:51
ComboFix 10-03-01.01 - Compaq_Administrator 03/01/2010 17:41:53.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.702.446 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Compaq_Administrator\Local Settings\Temporary Internet Files\bestwiner.stt
c:\windows\Downloaded Program Files\_install.exe
c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\_install.exe
c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\_install.exe
c:\windows\SoftwareDistribution\Download\00f4dcdbcc87699e75212b885cb6bebf\_install.exe
c:\windows\SoftwareDistribution\Download\00f4dcdbcc87699e75212b885cb6bebf\sp2qfe\_install.exe
c:\windows\SoftwareDistribution\Download\00f4dcdbcc87699e75212b885cb6bebf\update\_install.exe
.
((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.
2010-03-01 00:08 . 2010-03-01 00:08 293376 ----a-w- C:\2outg8ml.exe
2010-02-28 16:40 . 2010-02-28 16:41 -------- d-----w- c:\program files\ERUNT
2010-02-28 16:25 . 2010-02-28 16:25 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\PCHealth
2010-02-28 16:24 . 2010-02-28 16:24 60512 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-28 16:06 . 2010-02-28 16:06 -------- d-----w- c:\windows\ServicePackFiles
2010-02-28 16:05 . 2010-02-28 16:05 -------- d-----w- c:\program files\MSXML 4.0
2010-02-26 23:11 . 2010-02-26 23:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-26 09:26 . 2009-09-02 20:10 4608 ----a-w- c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-01 19:49 . 2007-06-10 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-03-01 19:43 . 2007-08-16 18:01 -------- d-----w- c:\program files\iTunes
2010-03-01 19:43 . 2007-08-16 17:59 -------- d-----w- c:\program files\Common Files\Apple
2010-03-01 19:42 . 2007-08-16 18:01 -------- d-----w- c:\program files\iPod
2010-03-01 19:26 . 2008-06-25 12:54 -------- d-----w- c:\program files\Internet Chess Club
2010-03-01 19:22 . 2007-01-31 21:20 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Netscape
2010-03-01 19:19 . 2007-01-13 17:57 -------- d-----w- c:\program files\Rhapsody
2010-03-01 19:18 . 2007-05-12 01:09 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Atari
2010-02-26 23:49 . 2008-07-23 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-26 23:45 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C7.tmp
2010-02-26 23:45 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C6.tmp
2010-02-26 23:43 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C5.tmp
2010-02-26 23:42 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C4.tmp
2010-02-26 23:42 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C3.tmp
2010-02-26 23:41 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C2.tmp
2010-02-26 23:40 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C1.tmp
2010-02-26 23:39 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C0.tmp
2010-02-26 23:37 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BF.tmp
2010-02-26 23:36 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BE.tmp
2010-02-26 23:35 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BD.tmp
2010-02-26 23:35 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BC.tmp
2010-02-26 23:34 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BB.tmp
2010-02-26 23:33 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B9.tmp
2010-02-26 23:32 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B8.tmp
2010-02-26 23:28 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B7.tmp
2010-02-26 23:27 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B6.tmp
2010-02-26 23:25 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B5.tmp
2010-02-26 23:25 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B2.tmp
2010-02-26 23:25 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B1.tmp
2010-02-26 23:24 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B0.tmp
2010-02-26 23:24 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AF.tmp
2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AE.tmp
2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AD.tmp
2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AC.tmp
2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AB.tmp
2010-02-26 23:22 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AA.tmp
2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A9.tmp
2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A8.tmp
2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A7.tmp
2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A6.tmp
2010-02-26 23:20 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A5.tmp
2010-02-26 23:20 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A4.tmp
2010-02-26 23:18 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A3.tmp
2010-02-26 23:06 . 2007-08-16 18:02 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Apple Computer
2010-02-26 10:00 . 2009-03-14 15:40 -------- d-----w- c:\program files\SeekeenSrch
2010-02-26 09:26 . 2009-03-14 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SeekeenSrch
2009-12-31 16:14 . 2004-08-09 21:00 352640 ------w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:35 . 2004-08-09 21:00 668672 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:35 . 2004-08-09 21:00 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-16 12:58 . 2004-08-09 21:00 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-09 21:00 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-08 18:55 . 2004-08-10 04:00 2180352 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:19 . 2004-08-10 04:00 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 14:41 . 2004-08-09 21:00 453760 ------w- c:\windows\system32\drivers\mrxsmb.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sxpv"="c:\windows\S?mantec\w?auboot.exe" [?]
"Uhqif"="c:\windows\?racle\r?ndll32.exe" [?]
"Atdntep"="c:\documents and settings\Compaq_Administrator\My Documents\?dobe\j?vaw.exe" [?]
"Dbbxpi"="c:\windows\system32\s?stem32\?ti2evxx.exe" [?]
"Wvrmaf"="c:\windows\?racle\m?iexec.exe" [?]
"Mdlhgl"="c:\windows\system32\?ymantec\??rvices.exe" [?]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ikzo"="c:\progra~1\COMMON~1\ikzo\ikzom.exe" [2006-07-19 9216]
"Csvnro"="c:\program files\Csvnro\Csvnro.exe" [2008-04-29 57344]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
"nwiz"="nwiz.exe" [2006-01-24 1519616]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-22 180269]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-21 218496]
c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-1-10 1474560]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [1/10/2009 8:16 PM 517632]
S2 SeekeenSrch Service;SeekeenSrch Service;c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe [2/26/2010 4:26 AM 4608]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hotmail.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 17:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-03-01 17:48:29
ComboFix-quarantined-files.txt 2010-03-01 22:48
ComboFix2.txt 2010-03-01 18:18
Pre-Run: 94,759,530,496 bytes free
Post-Run: 94,705,057,792 bytes free
- - End Of File - - AB2BB21D40DD7344D6F13CFF67449AE8
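The six HKCU Run values that the CFScript removes (Sxpv, Uhqif, Atdntep, Dbbxpi, Wvrmaf, Mdlhgl) share a pattern in the Reg Loading Points section of the log above: the paths contain a `?` (which cannot appear in a Windows file name, so it stands for a non-ASCII character the log could not render), the surrounding folder and file names imitate vendor or OS names (`S?mantec`, `?racle`, `?dobe`, `s?stem32`, `r?ndll32.exe`, `??rvices.exe`), and the trailing `[?]` means ComboFix could not read the file's date and size. The Python script below is an added example, not part of this thread, of ComboFix or of HijackThis; it parses that section and flags entries with those traits. The sample lines are copied from the log above, and the lists of imitated directory and file names are the example's own assumption. It does not catch randomly named entries such as ikzo or Csvnro, which show none of these traits and need a different check (for instance, whether the vendor folder corresponds to any installed product).

```python
import re

# Excerpt of the "Reg Loading Points" section of the ComboFix log posted above
# (copied from the thread, not constructed for this example).
SAMPLE_LOG = r'''
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sxpv"="c:\windows\S?mantec\w?auboot.exe" [?]
"Uhqif"="c:\windows\?racle\r?ndll32.exe" [?]
"Atdntep"="c:\documents and settings\Compaq_Administrator\My Documents\?dobe\j?vaw.exe" [?]
"Dbbxpi"="c:\windows\system32\s?stem32\?ti2evxx.exe" [?]
"Wvrmaf"="c:\windows\?racle\m?iexec.exe" [?]
"Mdlhgl"="c:\windows\system32\?ymantec\??rvices.exe" [?]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ikzo"="c:\progra~1\COMMON~1\ikzo\ikzom.exe" [2006-07-19 9216]
"Csvnro"="c:\program files\Csvnro\Csvnro.exe" [2008-04-29 57344]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
'''

KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')

# Names the lookalike components are compared against. These sets are an
# assumption of this example, chosen from what the log above shows; extend as needed.
IMITATED_DIRS = {'symantec', 'oracle', 'adobe', 'system32', 'microsoft', 'windows'}
IMITATED_FILES = {'rundll32.exe', 'javaw.exe', 'ati2evxx.exe', 'msiexec.exe',
                  'services.exe', 'svchost.exe', 'wuauclt.exe'}


def parse_entries(text):
    """Return a list of {'key', 'name', 'path', 'meta'} dicts, one per Run value."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({'key': key, 'name': m.group('name'),
                            'path': m.group('path'), 'meta': m.group('meta')})
    return entries


def _wildcard_match(component, candidates):
    """True if `component` equals a candidate once each '?' may stand for any one character."""
    pattern = re.compile('^' + re.escape(component).replace(r'\?', '.') + '$')
    return any(pattern.match(c) for c in candidates)


def triage(entries):
    """Flag autostart entries whose path shows the lookalike-folder pattern."""
    findings = []
    for e in entries:
        reasons = []
        components = e['path'].lower().split('\\')
        dirs, filename = components[:-1], components[-1]
        # '?' is reserved in Windows file names, so a '?' in a logged path is a
        # character the log could not render, i.e. a non-ASCII lookalike glyph.
        if '?' in e['path']:
            reasons.append('unrenderable (non-ASCII) character in path')
        for d in dirs:
            if '?' in d and _wildcard_match(d, IMITATED_DIRS):
                reasons.append(f'folder "{d}" imitates a vendor/OS directory')
        if '?' in filename and _wildcard_match(filename, IMITATED_FILES):
            reasons.append(f'file "{filename}" imitates a system binary')
        if e['meta'].strip() == '?':
            reasons.append('ComboFix could not read the file ([?])')
        if reasons:
            findings.append({'name': e['name'], 'key': e['key'],
                             'path': e['path'], 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(parse_entries(SAMPLE_LOG)):
        print(f"{f['name']:10} {f['path']}")
        for r in f['reasons']:
            print(f"{'':10} - {r}")
```

Run against the excerpt, the script flags exactly the six values the CFScript lists and leaves MSMSGS, ehTray and NvCplDaemon alone. The same parser works on the HKLM section and on a full ComboFix log pasted into `SAMPLE_LOG`; treat the output as a shortlist for a human to confirm, not as a removal list.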
Red_Earth
2010-03-02, 00:51
I will now continue with the rest of the instructions
Red_Earth
2010-03-02, 01:07
ComboFix 10-03-01.01 - Compaq_Administrator 03/01/2010 17:55:44.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.702.364 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Administrator\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FILE ::
"c:\windows\system32\A3.tmp"
"c:\windows\system32\A4.tmp"
"c:\windows\system32\A5.tmp"
"c:\windows\system32\A6.tmp"
"c:\windows\system32\A7.tmp"
"c:\windows\system32\A8.tmp"
"c:\windows\system32\A9.tmp"
"c:\windows\system32\AA.tmp"
"c:\windows\system32\AB.tmp"
"c:\windows\system32\AC.tmp"
"c:\windows\system32\AD.tmp"
"c:\windows\system32\AE.tmp"
"c:\windows\system32\AF.tmp"
"c:\windows\system32\B0.tmp"
"c:\windows\system32\B1.tmp"
"c:\windows\system32\B2.tmp"
"c:\windows\system32\B5.tmp"
"c:\windows\system32\B6.tmp"
"c:\windows\system32\B7.tmp"
"c:\windows\system32\B8.tmp"
"c:\windows\system32\B9.tmp"
"c:\windows\system32\BB.tmp"
"c:\windows\system32\BC.tmp"
"c:\windows\system32\BD.tmp"
"c:\windows\system32\BE.tmp"
"c:\windows\system32\BF.tmp"
"c:\windows\system32\C0.tmp"
"c:\windows\system32\C1.tmp"
"c:\windows\system32\C2.tmp"
"c:\windows\system32\C3.tmp"
"c:\windows\system32\C4.tmp"
"c:\windows\system32\C5.tmp"
"c:\windows\system32\C6.tmp"
"c:\windows\system32\C7.tmp"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\SeekeenSrch
c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen147.exe
c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe
c:\progra~1\COMMON~1\ikzo
c:\progra~1\COMMON~1\ikzo\ikzoa.exe
c:\progra~1\COMMON~1\ikzo\ikzoa.lck
c:\progra~1\COMMON~1\ikzo\ikzod\class-barrel
c:\progra~1\COMMON~1\ikzo\ikzod\ikzoc.dll
c:\progra~1\COMMON~1\ikzo\ikzol.exe
c:\progra~1\COMMON~1\ikzo\ikzol.lck
c:\progra~1\COMMON~1\ikzo\ikzom.exe
c:\progra~1\COMMON~1\ikzo\ikzom.lck
c:\progra~1\COMMON~1\ikzo\ikzop.exe
c:\progra~1\COMMON~1\ikzo\ikzop.lck
c:\program files\Csvnro
c:\program files\Csvnro\Csvnro.exe
c:\program files\SeekeenSrch
c:\program files\SeekeenSrch\home.js
c:\program files\SeekeenSrch\readme.html
c:\program files\SeekeenSrch\seekeen.dll
c:\program files\SeekeenSrch\seekeen.exe
c:\program files\SeekeenSrch\skopt.exe
c:\program files\SeekeenSrch\uninstall.exe
c:\windows\system32\A3.tmp
c:\windows\system32\A4.tmp
c:\windows\system32\A5.tmp
c:\windows\system32\A6.tmp
c:\windows\system32\A7.tmp
c:\windows\system32\A8.tmp
c:\windows\system32\A9.tmp
c:\windows\system32\AA.tmp
c:\windows\system32\AB.tmp
c:\windows\system32\AC.tmp
c:\windows\system32\AD.tmp
c:\windows\system32\AE.tmp
c:\windows\system32\AF.tmp
c:\windows\system32\B0.tmp
c:\windows\system32\B1.tmp
c:\windows\system32\B2.tmp
c:\windows\system32\B5.tmp
c:\windows\system32\B6.tmp
c:\windows\system32\B7.tmp
c:\windows\system32\B8.tmp
c:\windows\system32\B9.tmp
c:\windows\system32\BB.tmp
c:\windows\system32\BC.tmp
c:\windows\system32\BD.tmp
c:\windows\system32\BE.tmp
c:\windows\system32\BF.tmp
c:\windows\system32\C0.tmp
c:\windows\system32\C1.tmp
c:\windows\system32\C2.tmp
c:\windows\system32\C3.tmp
c:\windows\system32\C4.tmp
c:\windows\system32\C5.tmp
c:\windows\system32\C6.tmp
c:\windows\system32\C7.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SEEKEENSRCH_SERVICE
-------\Service_SeekeenSrch Service
((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.
2010-03-01 00:08 . 2010-03-01 00:08 293376 ----a-w- C:\2outg8ml.exe
2010-02-28 16:40 . 2010-02-28 16:41 -------- d-----w- c:\program files\ERUNT
2010-02-28 16:25 . 2010-02-28 16:25 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\PCHealth
2010-02-28 16:24 . 2010-02-28 16:24 60512 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-28 16:06 . 2010-02-28 16:06 -------- d-----w- c:\windows\ServicePackFiles
2010-02-28 16:05 . 2010-02-28 16:05 -------- d-----w- c:\program files\MSXML 4.0
2010-02-26 23:11 . 2010-02-26 23:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-01 19:49 . 2007-06-10 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-03-01 19:43 . 2007-08-16 18:01 -------- d-----w- c:\program files\iTunes
2010-03-01 19:43 . 2007-08-16 17:59 -------- d-----w- c:\program files\Common Files\Apple
2010-03-01 19:42 . 2007-08-16 18:01 -------- d-----w- c:\program files\iPod
2010-03-01 19:26 . 2008-06-25 12:54 -------- d-----w- c:\program files\Internet Chess Club
2010-03-01 19:22 . 2007-01-31 21:20 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Netscape
2010-03-01 19:19 . 2007-01-13 17:57 -------- d-----w- c:\program files\Rhapsody
2010-03-01 19:18 . 2007-05-12 01:09 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Atari
2010-02-26 23:49 . 2008-07-23 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-26 23:06 . 2007-08-16 18:02 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Apple Computer
2009-12-31 16:14 . 2004-08-09 21:00 352640 ------w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:35 . 2004-08-09 21:00 668672 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:35 . 2004-08-09 21:00 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-16 12:58 . 2004-08-09 21:00 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-09 21:00 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-08 18:55 . 2004-08-10 04:00 2180352 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:19 . 2004-08-10 04:00 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 14:41 . 2004-08-09 21:00 453760 ------w- c:\windows\system32\drivers\mrxsmb.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
"nwiz"="nwiz.exe" [2006-01-24 1519616]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-22 180269]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-21 218496]
c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-1-10 1474560]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [1/10/2009 8:16 PM 517632]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hotmail.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
AddRemove-SeekeenSrch - c:\program files\SeekeenSrch\uninstall.exe
AddRemove-Csvnro - c:\program files\Csvnro\Csvnro.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 18:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\ARPWRMSG.EXE
.
**************************************************************************
.
Completion time: 2010-03-01 18:05:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-01 23:05
ComboFix2.txt 2010-03-01 22:48
ComboFix3.txt 2010-03-01 18:18
Pre-Run: 94,738,001,920 bytes free
Post-Run: 94,696,960,000 bytes free
- - End Of File - - EDB6E351B8194884D6EF4F82B8FAB408
Red_Earth
2010-03-02, 01:08
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:08:13 PM, on 3/1/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCCBHO.CPCCBHO - {22FC6CE8-7D47-479F-B74A-BFBB04ADB9AF} - C:\Program Files\Winferno\PC Confidential\PCCBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 6015 bytes
IndiGenus
2010-03-02, 05:26
Great, things are looking better and hopefully running better too. More work to do though I think....
You need to get some protection on here to prevent any re-infection now that things are better.
Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future. Here is a list of some free versions to try:
AVG AntiVirus (http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-virus-free)
Avast Antivirus Home Version--Free (http://www.avast.com/eng/avast_4_home.html)
Antivir Personal - Free (http://www.free-av.com/)
Run only one.
I would suggest you update it and run a full system scan, letting it fix or quarantine whatever it finds.
++++++++++++++++++++++
Use ATF Cleaner to remove temp files, cookies, cache, etc.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a new DDS log.
Red_Earth
2010-03-02, 20:28
I have completed the instructions up to where I am to download and run Malwarebytes.
I went to the website via the link, and I was confused because there were so many places to download so many seemingly different things.
I don't know which "download here" is for Malwarebytes.
The other thing is I don't have any money.
It looks like it may cost $25.
Confused
IndiGenus
2010-03-02, 20:57
There is a paid and free version, but I am just advising to use the free one.
Click on the big Download Now button. I attached a picture of it if you're not sure.
Red_Earth
2010-03-02, 22:37
I saw the icon you posted.
It does not show up anywhere I can find from the link you gave me.
Safari cannot find internet plugin.
A balloon pops up and says:
The page MG Malbytes download has MIME type application/x-shockwave-flash. Some of the content can't be shown.
Maybe this is to blame?
IndiGenus
2010-03-03, 04:49
That's interesting....:confused:
Let's try another download site.
http://majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
Red_Earth
2010-03-03, 07:06
Malwarebytes' Anti-Malware 1.44
Database version: 3817
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
3/3/2010 12:04:37 AM
mbam-log-2010-03-03 (00-04-37).txt
Scan type: Quick Scan
Objects scanned: 125728
Time elapsed: 8 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{dbe49762-874f-41ac-9409-ecdd4b3db4a2} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8b27cc68-110c-46a9-80d3-f3107de6eb98} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\xInsiDERexe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcpvoj0e57v (Rogue.AntiVirusXP) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Compaq_Administrator\Desktop\Click to Find and Fix Errors.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
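The Malwarebytes log above is the kind of artefact a helper reads by hand: the summary counts at the top, then one line per item with its family name and the action taken. As an added example (not part of the thread and not Malwarebytes' own tooling), here is a Python script that parses that log format and performs the checks a helper does mentally: it confirms that each section's declared count matches the items actually listed, groups detections by family name, and flags anything MBAM did not finish removing, such as an item left at "Delete on reboot", which means the cleanup is not complete until the machine restarts. The embedded `SAMPLE_LOG` is a trimmed copy of the log posted above; `PENDING_LOG` and the file name in it are constructed for the example.

```python
from collections import Counter

# Trimmed copy of the MBAM log posted above (header lines and the empty
# memory/registry-data sections dropped). Raw string: backslashes stay intact.
SAMPLE_LOG = r"""
Registry Keys Infected: 5
Registry Values Infected: 1
Folders Infected: 0
Files Infected: 3

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{dbe49762-874f-41ac-9409-ecdd4b3db4a2} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8b27cc68-110c-46a9-80d3-f3107de6eb98} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\xInsiDERexe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcpvoj0e57v (Rogue.AntiVirusXP) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Compaq_Administrator\Desktop\Click to Find and Fix Errors.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
"""

# CONSTRUCTED log, not from the thread: one item MBAM could only schedule for
# removal at the next boot. The file name is hypothetical.
PENDING_LOG = r"""
Files Infected: 1

Files Infected:
C:\WINDOWS\system32\example_hypothetical.dll (Trojan.Agent) -> Delete on reboot.
"""

COMPLETE_ACTION = "Quarantined and deleted successfully"


def parse_item(line):
    """Split 'object (Family) -> Action.'; rpartition tolerates '(' in paths."""
    obj_family, arrow, action = line.rpartition(" -> ")
    if not arrow or not obj_family.endswith(")"):
        return None
    obj, paren, family = obj_family[:-1].rpartition(" (")
    if not paren:
        return None
    return {"object": obj, "family": family, "action": action.rstrip(".")}


def parse_log(text):
    """Return (declared_counts, items_by_section) from an MBAM log body."""
    declared, items, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(" Infected:"):            # header of an itemised section
            section = line[:-1]
            items.setdefault(section, [])
        elif " Infected: " in line and line.rpartition(": ")[2].isdigit():
            name, _, count = line.rpartition(": ")  # summary line with a count
            declared[name] = int(count)
        elif section is not None and not line.startswith("(No malicious"):
            item = parse_item(line)
            if item is not None:
                items[section].append(item)
    return declared, items


def count_mismatches(declared, items):
    """Sections whose listed items disagree with the declared count."""
    return sorted(n for n, c in declared.items() if len(items.get(n, [])) != c)


def pending_items(items):
    """Items MBAM did not finish removing (anything but a completed quarantine)."""
    return [i for sec in items.values() for i in sec
            if not i["action"].startswith(COMPLETE_ACTION)]


def family_summary(items):
    """Detections per MBAM family name, e.g. 'Rogue.AntiVirusXP'."""
    return Counter(i["family"] for sec in items.values() for i in sec)


def triage(text):
    """One-call summary of a log body."""
    declared, items = parse_log(text)
    return {"total": sum(len(v) for v in items.values()),
            "mismatches": count_mismatches(declared, items),
            "pending": pending_items(items),
            "families": family_summary(items)}


if __name__ == "__main__":
    for label, log in (("thread log", SAMPLE_LOG), ("constructed log", PENDING_LOG)):
        r = triage(log)
        print(label, r["total"], "items", dict(r["families"]), "mismatches:", r["mismatches"])
        for i in r["pending"]:
            print("  NOT FINISHED:", i["object"], "->", i["action"])
```

On the thread's log every section count matches and every item reads "Quarantined and deleted successfully", so nothing is pending; the three Rogue.* families and the Trojan.BHO entry are the interesting part of the summary, since they point at a fake-antivirus installation and an Internet Explorer add-on rather than at Virtumonde itself. On the constructed log the script reports the one "Delete on reboot" item, which is the cue to restart and rescan before calling the machine clean.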
Red_Earth
2010-03-03, 07:13
DDS (Ver_09-12-01.01) - NTFSx86
Run by Compaq_Administrator at 0:10:19.03 on Wed 03/03/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.702.469 [GMT -5:00]
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dds.scr
C:\WINDOWS\arservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\imapi.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.hotmail.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PCCBHO.CPCCBHO: {22fc6ce8-7d47-479f-b74a-bfbb04adb9af} - c:\program files\winferno\pc confidential\PCCBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9e.exe
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d8053v4\BelkinWCUI.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - c:\program files\winferno\pc confidential\PCConfidential.exe
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA} - c:\program files\winferno\pc confidential\PCConfidential.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
============= SERVICES / DRIVERS ===============
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-2 162512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-2 19024]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-1-10 517632]
=============== Created Last 30 ================
2010-03-03 04:54:15 0 d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes
2010-03-03 04:54:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-03 04:54:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-03 04:54:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-03 04:54:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 16:48:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-03-02 15:58:11 0 d-----w- c:\docume~1\compaq~1\applic~1\AVG8
2010-03-01 17:59:16 98816 ----a-w- c:\windows\sed.exe
2010-03-01 17:59:16 77312 ----a-w- c:\windows\MBR.exe
2010-03-01 17:59:16 261632 ----a-w- c:\windows\PEV.exe
2010-03-01 17:59:16 161792 ----a-w- c:\windows\SWREG.exe
2010-03-01 00:08:50 293376 ----a-w- C:\2outg8ml.exe
2010-02-28 16:24:56 60512 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-28 16:06:22 0 d-----w- c:\windows\ServicePackFiles
2010-02-28 16:05:42 0 d-----w- c:\program files\MSXML 4.0
2010-02-26 23:11:47 0 d-----w- c:\program files\Spybot - Search & Destroy
==================== Find3M ====================
2009-12-31 16:14:12 352640 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-16 13:35:58 18432 ------w- c:\windows\system32\dllcache\iedw.exe
2009-12-16 12:58:04 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-16 12:58:04 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:35:35 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-14 07:35:35 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-08 18:55:25 2180352 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:55:25 2180352 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 18:53:08 2136064 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:19:32 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:19:32 2057728 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 18:19:32 2015744 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 08:59:48 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 14:41:55 453760 ------w- c:\windows\system32\dllcache\mrxsmb.sys
============= FINISH: 0:11:41.95 ===============
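The "Pseudo HJT Report" section of the DDS log above (BHO, TB, IE, uRun/mRun, dRunOnce and StartupFolder lines) is what a helper scans for suspicious autostarts and browser add-ons. As an added example (not code from the thread, from DDS or from HijackThis), here is a Python script that parses those lines and applies the usual first-pass heuristics: an entry ending in "No File" is an orphaned registry reference that is safe to fix; a bare file name with no path is resolved through the search path, so the actual file should be located and checked; anything launched from a user profile directory deserves a close look, since that is where droppers commonly live; and rundll32 entries are unwrapped to the DLL they load. The `SAMPLE_REPORT` is a trimmed copy of the report above plus one constructed mRun line (the "example" entry; its name and path are hypothetical) that exercises the profile-directory check. An "ok" verdict only means a normal location, not that the file is clean.

```python
import re
from collections import Counter

# Trimmed copy of the DDS "Pseudo HJT Report" posted above. The last mRun line
# is CONSTRUCTED for this example (not in the thread's log) to exercise the
# profile-directory check; its name and path are hypothetical.
SAMPLE_REPORT = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9e.exe
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
mRun: [example] c:\docume~1\alluse~1\applic~1\example_hypothetical\dropper.exe
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<kind>[umd]Run(?:Once)?|StartupFolder): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
# First program on a command line; tolerates unquoted paths containing spaces
# and stops at the comma of rundll32's "dll,Entry" argument.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|scr|cpl|com|bat|cmd|pif))"?(?=[\s,]|$)', re.I)
TRUSTED_DIRS = ("\\program files", "\\progra~1", "\\windows\\")
PROFILE_DIRS = ("\\documents and settings\\", "\\docume~1\\")

def extract_target(cmd):
    """Return the file a Run/StartupFolder command really launches."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if not m:
        return cmd.split()[0] if cmd else ""
    exe = m.group("exe")
    if exe.rsplit("\\", 1)[-1].lower() == "rundll32.exe":
        inner = EXE_RE.match(cmd[m.end():].strip())   # rundll32 is only a host
        if inner:
            exe = inner.group("exe")
    return exe

def classify(target):
    """Coarse verdict: 'ok' means a normal location, not a clean bill of health."""
    p = target.lower()
    if p == "no file":
        return "orphan"    # registry entry whose file is gone: leftover, safe to fix
    if "\\" not in p:
        return "bare"      # bare name resolved via the search path: identify the file
    if any(d in p for d in PROFILE_DIRS):
        return "profile"   # autostart from a user-writable profile dir: inspect closely
    if any(d in p for d in TRUSTED_DIRS):
        return "ok"
    return "unusual"

def parse_report(text):
    """Turn report lines into findings: kind, name, launched target, verdict."""
    findings = []
    for line in text.splitlines():
        kind, _, body = line.strip().partition(": ")
        if kind in ("BHO", "TB", "IE"):
            ids = list(CLSID_RE.finditer(body))
            if ids:                 # last CLSID on the line, then " - path"
                name, target = ids[-1].group(0), body[ids[-1].end():]
            else:                   # menu items carry a title instead of a CLSID
                name, _, target = body.partition(" - ")
            target = target.strip().lstrip("- ").strip()
        else:
            m = RUN_RE.match(line.strip())
            if not m:
                continue
            kind, name, cmd = m.group("kind"), m.group("name"), m.group("cmd")
            if kind == "StartupFolder":     # "shortcut.lnk - resolved target"
                lnk, _, cmd = cmd.rpartition(" - ")
                name = lnk.rsplit("\\", 1)[-1]
            target = extract_target(cmd)
        findings.append({"kind": kind, "name": name, "target": target,
                         "verdict": classify(target)})
    return findings

def verdict_counts(findings):
    return Counter(f["verdict"] for f in findings)

if __name__ == "__main__":
    results = parse_report(SAMPLE_REPORT)
    print(dict(verdict_counts(results)))
    for f in results:
        if f["verdict"] != "ok":
            print(f"{f['verdict']:8} {f['kind']}: {f['name']} -> {f['target']}")
```

Run against the sample, the script lists the three "No File" entries (one BHO, two toolbars) as orphans to clean up, the three bare-name autostarts (RTHDCPL.EXE, ARPWRMSG.EXE, nwiz.exe) as entries whose real file should be identified, and only the constructed "example" line as a profile-directory launch; everything else on the page's report resolves into Program Files or the Windows directory. Unquoted paths with spaces such as the HP Software Update entry are parsed the way Windows resolves them, up to the first executable extension.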
Red_Earth
2010-03-03, 07:13
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-12-01.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/31/2006 11:26:45 AM
System Uptime: 3/3/2010 12:08:50 AM (0 hours ago)
Motherboard: ASUSTek Computer INC. | | NAGAMI2L
Processor: AMD Athlon(tm) 64 Processor 3500+ | Socket 939 | 1785/199mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 104 GiB total, 87.83 GiB free.
D: is FIXED (FAT32) - 8 GiB total, 0.504 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP4: 3/1/2010 12:54:06 PM - System Checkpoint
RP5: 3/1/2010 12:54:14 PM - Last good restore point
RP6: 3/1/2010 12:55:18 PM - Software Distribution Service 3.0
RP7: 3/1/2010 2:18:25 PM - Removed RollerCoaster Tycoon® 3
RP8: 3/1/2010 2:19:36 PM - Removed Rhapsody Player Engine
RP9: 3/1/2010 2:40:33 PM - Removed Apple Mobile Device Support
RP10: 3/1/2010 2:41:25 PM - Removed Apple Software Update
RP11: 3/1/2010 2:42:41 PM - Removed iTunes
RP12: 3/1/2010 3:26:23 PM - Software Distribution Service 3.0
RP13: 3/2/2010 5:46:31 AM - Software Distribution Service 3.0
RP14: 3/2/2010 11:48:29 AM - avast! Free Antivirus Setup
==== Installed Programs ======================
Adobe Flash Player ActiveX
Adobe Reader 7.0.5
ArcSoft PhotoImpression 4
avast! Free Antivirus
Belkin N Wireless USB Adapter Setup
BufferChm
Compaq Connections (remove only)
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
CueTour
Data Fax SoftModem with SmartCP
Destinations
DeviceManagementQFolder
Easy Internet Sign-up
ERUNT 1.1j
FullDPAppQFolder
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB979306)
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Software Update
HP Support Overview
HPPhotoSmartExpress
HpSdpAppCoreApp
InstantShareDevices
LightScribe 1.4.84.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Away Mode
Microsoft Money 2006
Microsoft Office 2000 Disc 2
Microsoft Office 2003 Edition 60 Days Trial Welcome Tour
Microsoft Office Standard Edition 2003
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
MSXML 4.0 SP2 (KB973688)
OptionalContentQFolder
PC-Doctor 5 for Windows
PC Confidential 2008
PhoTags Express
PhotoGallery
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
QuickTime
RandMap
RealPlayer
Realtek High Definition Audio Driver
Safari
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SkinsHP1
SlideShow
SlideShowMusic
Sonic Express Labeler
Sonic MyDVD Plus
Sonic_PrimoSDK
Spybot - Search & Destroy
Unload
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB912067
Windows XP Media Center Edition 2005 KB973768
==== Event Viewer Messages From Past Week ========
3/3/2010 12:10:30 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iaStor IntelIde ViaIde
3/2/2010 11:13:32 AM, error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.8. The machine with the IP address 192.168.1.3 did not allow the name to be claimed by this machine.
3/1/2010 12:59:49 PM, error: Service Control Manager [7034] - The SeekeenSrch Service service terminated unexpectedly. It has done this 1 time(s).
3/1/2010 12:59:49 PM, error: Service Control Manager [7034] - The Command Service service terminated unexpectedly. It has done this 1 time(s).
3/1/2010 1:31:15 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001CDF694161. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
2/28/2010 11:53:27 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft .NET Framework 1.1 Service Pack 1 Security Update for Windows 2000, Windows XP, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 (KB953297).
2/28/2010 11:15:44 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
==== End Of File ===========================
IndiGenus
2010-03-03, 16:54
Looking pretty good. How's it running?
Did you have a chance to run a full system scan with Avast?
I would also suggest you update to Service Pack 3 and update IE.
Seeing traces of an old Norton install too that should be removed. I would suggest you run the removal tool.
http://majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html
Download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe).
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Post a new HijackThis log and let me know how it's running.
Red_Earth
2010-03-03, 17:20
It is running fairly smoothly.
It still seems to have something lingering.
I did run a full avast scan which found some 100 problems.
All of which it fixed.
I then immediately following ran a quick scan which found 1 more problem.
I asked the previous owner who said there has not been Norton on this machine.
I will continue with the instructions.
IndiGenus
2010-03-03, 17:24
I asked the previous owner who said there has not been Norton on this machine.
Could be that it was part of the garbage that many PC makers install as "trialware". I wouldn't worry too much about it as I don't think it's causing problems. Just like to clean out leftovers if any.
Another scan I usually like to see run for any traces is Kaspersky, but it requires Java runtime which I don't see installed on the machine. You could run the AVP tool from Kaspersky.
Please click here (http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/) to download AVP Tool by Kaspersky.
Save it to your desktop.
Reboot your computer into Safe Mode.
You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight Safe Mode, then hit Enter.
Double click the setup file to run it.
Click Next to continue.
It will by default install it to your desktop folder. Click Next.
Hit ok at the prompt for scanning in Safe Mode.
It will then open a box. There will be a tab that says Automatic scan.
Under Automatic scan make sure these are checked.
System Memory
Startup Objects
Disk Boot Sectors.
My Computer.
Also any other drives (Removable that you may have)
After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.
Then click on Scan at the top right-hand corner.
It will automatically Neutralize any objects found.
If some objects are left un-neutralized, then click the button that says Neutralize all.
If it says it cannot be Neutralized, then choose the delete option when prompted.
After that is done, click on the reports button at the bottom and save it to a file; name it Kas.
Save it somewhere convenient, like your desktop, and post only the detected virus/malware part of the report (it will be at the very top, under Detected) in your next reply.
Note: This tool will self uninstall when you close it so please save the log before closing it.
Red_Earth
2010-03-03, 17:25
Again, at the link you left me for MajorGeeks I encounter the MIME message when I click on the Norton Removal icon. It shows me a black screen with nothing but a Lego with 2 question marks and the MIME error message.
IndiGenus
2010-03-03, 17:27
Okay... and it looks like the link to the Kaspersky tool is dead. I'll look into these. Wondering if you're getting the issues because of no Java?
IndiGenus
2010-03-03, 17:29
Would you have an issue installing Java runtime? It's free and many sites do require it. But some folks don't like to use it.
Red_Earth
2010-03-03, 17:29
I don't know Java.
So I guess it is possible.
I really appreciate you helping me.
Red_Earth
2010-03-03, 17:30
I will load Java. How?
IndiGenus
2010-03-03, 17:32
You can get it here.
http://java.sun.com/javase/downloads/widget/jdk6.jsp
Just skip the step to provide user name, and don't check the box for Sun Download Manager.
Red_Earth
2010-03-03, 18:11
I believe java is installed now.
I was carefully watching for a checkbox for Sun Download but didn't see one.
I didn't check or uncheck a box for it.
Red_Earth
2010-03-03, 18:15
Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
avast! Free Antivirus
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
Spybot - Search & Destroy
HijackThis 2.0.2
Java DB 10.5.3.0
Java(TM) 6 Update 18
Java(TM) SE Development Kit 6 Update 18
Java Auto Updater
Out of date Java installed!
Adobe Reader 7.0.5
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
Alwil Software Avast5 AvastSvc.exe
ALWILS~1 Avast5 avastUI.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````
Red_Earth
2010-03-03, 18:16
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:18 AM, on 3/3/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCCBHO.CPCCBHO - {22FC6CE8-7D47-479F-B74A-BFBB04ADB9AF} - C:\Program Files\Winferno\PC Confidential\PCCBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7098 bytes
Red_Earth
2010-03-03, 18:18
The majorgeeks site still leads me to a black screen when I try to get the Norton remover; only now there is not even a box with question marks like there was before.
IndiGenus
2010-03-03, 18:59
Have you tried going back to download the Norton Removal Tool?
Also, with Java installed we can run the Kaspersky online scan.
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.
*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.
Please do a scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) or from here
http://www.kaspersky.com/virusscanner
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run. (At times it may appear to stall)
* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
* Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Once the scan is complete, click on View scan report. To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
Animated tutorial
http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif
(Note.. for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419
In your next reply post:
Kaspersky log
New HJT log taken after the above scan has run
Red_Earth
2010-03-03, 19:01
I did manage to get KAS through the site that seemed down.
Would you rather I do the safe mode run of the setup I have already dropped onto my desktop?
IndiGenus
2010-03-03, 19:07
The majorgeeks site still leads me to a black screen when I try to get the Norton remover; only now there is not even a box with question marks like there was before.
Strange, what browser are you using?
Can try another site...
http://www.softpedia.com/progDownload/Norton-Removal-Tool-Download-26173.html
IndiGenus
2010-03-03, 19:08
I did manage to get KAS through the site that seemed down.
Would you rather I do the safe mode run of the setup I have already dropped onto my desktop?
Jeez, we're just batting a thousand, huh?
What setup are you referring to?
Red_Earth
2010-03-03, 19:54
You originally gave me instructions to download Kaspersky.
You then went back and said the Kaspersky site was down.
I got Java and tried to go back to the Majorgeeks site to do the Norton uninstall that I was unable to do without Java.
However, I was still unable to do the Norton uninstall because the screen was just black when it would attempt to send me to the page when I click on the Norton uninstall button.
I then tried to download Kaspersky and did successfully.
I then was going to run Kaspersky in safe mode like we discussed earlier, but I tried and the icon for the Kaspersky setup would not show up in safe mode.
I got a message that says I have too many icons on my desktop for it to display in safe mode without changing the size of the icons.
I came back to this site to ask how to proceed and you were suggesting I use Kaspersky online instead of the setup I downloaded.
I am just asking which instruction set is the preferable one.
Red_Earth
2010-03-03, 19:55
I use the Safari browser.
IndiGenus
2010-03-03, 19:57
Let's try doing the online Kaspersky scan. The last one I posted.
Please use Internet Explorer to do so. Honestly I've never used Safari so I'm not sure if the issues are related to that or not.
Hopefully the Kas online scan will run and we can then just finish up the cleaning. :rockon:
Red_Earth
2010-03-03, 20:16
The current Kaspersky Online Scanner is unavailable - we apologize for the inconvenience. While you are waiting for the improved Online Scanner, why not try a free trial of Kaspersky Internet Security 2010, which has everything you need to keep your computer safe.
Should I go for this?
IndiGenus
2010-03-03, 20:18
The current Kaspersky Online Scanner is unavailable - we apologize for the inconvenience. While you are waiting for the improved Online Scanner, why not try a free trial of Kaspersky Internet Security 2010, which has everything you need to keep your computer safe.
Should I go for this?
I wouldn't suggest it unless you intend to buy it.
We can try another online scanner as there are several to choose from. Kaspersky is just my favorite.
Eset Online Scanner (http://www.eset.com/onlinescan/)
Run with Internet Explorer
Place a check mark in the box YES, I accept the Terms Of Use
Click the Start button.
Now click the Install button, or click the notification bar at the top of the window and choose to install.
Click Start. The scanner engine will initialize and update.
Do Not place a check mark in the box beside Remove found threats.
Click the Scan button. The scan will now run, please be patient.
When the scan finishes click the Details tab.
Copy and paste the contents of C:\Program Files\EsetOnlineScanner\log.txt into your next reply.
Red_Earth
2010-03-03, 20:33
Well, it is not letting me.
It says I am missing an ActiveX.
IndiGenus
2010-03-03, 20:36
You are using IE, right? It should give you the option to install the ActiveX. There's some info at the following MS site:
http://www.microsoft.com/protect/terms/activex.aspx
Red_Earth
2010-03-03, 21:09
Yes, I was using IE.
It did give me the option.
I took the option and it was acting stalled.
It did end up taking though and gave me what I needed.
However, in running the scan online, it keeps kicking me out, giving me an "error 2002".
I am using my neighbor's internet; it may just be that.
I will keep trying.
I also will remind you that I did get the Kaspersky setup exe onto my desktop. The one you had suggested when we first spoke of Kaspersky.
I just couldn't get the icon to show up while my computer was in safe mode.
IndiGenus
2010-03-03, 21:13
Hmm...
To use the Kaspersky AV in Safe Mode, try this.
Once the screen loads, use the tab key to move from icon to icon and see if it will navigate to it that way.
Red_Earth
2010-03-03, 21:51
I got ESET to complete a scan.
It did not produce a log.
It merely said no threats found.
I will now continue with the new Kaspersky instructions.
IndiGenus
2010-03-03, 22:13
I got ESET to complete a scan.
It did not produce a log.
It merely said no threats found.
I will now continue with the new Kaspersky instructions.
Sounds good. Think we're almost done.
Red_Earth
2010-03-04, 18:35
I got Kaspersky to run by locating it in C: and dragging it onto my desktop.
I ran it once and it took 3 hours; I thought I did it incorrectly because I hadn't set it to "deep" scan. I ran it again and it took much longer.
IndiGenus
2010-03-04, 18:36
I got Kaspersky to run by locating it in C: and dragging it onto my desktop.
I ran it once and it took 3 hours; I thought I did it incorrectly because I hadn't set it to "deep" scan. I ran it again and it took much longer.
Did it find anything?
Red_Earth
2010-03-04, 18:38
My Kaspersky logs in Notepad seem to have disappeared upon restart.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:49 AM, on 3/4/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCCBHO.CPCCBHO - {22FC6CE8-7D47-479F-B74A-BFBB04ADB9AF} - C:\Program Files\Winferno\PC Confidential\PCCBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7262 bytes
IndiGenus
2010-03-04, 18:40
Did you save the logs before you restarted? If so do you remember where. The instructions show to save to the desktop, but maybe you put them elsewhere?
Red_Earth
2010-03-04, 20:36
I saved them while I was still in Safe Mode.
When I turn on my computer in safe mode I can see them on the desktop.
Not on normal boot though.
I search for them in Search function; they show up as being in C administrator desktop, but when I go there they are not there, and they are not showing up on my actual desktop.
Red_Earth
2010-03-04, 20:40
when I shut my computer down to check to see if they were on my desktop in safe mode, Windows automatically updated itself. Is that normal?
IndiGenus
2010-03-04, 22:29
I saved them while I was still in Safe Mode.
When I turn on my computer in safe mode I can see them on the desktop.
Not on normal boot though.
I search for them in Search function; they show up as being in C administrator desktop, but when I go there they are not there, and they are not showing up on my actual desktop.
Can you open them and see what's there, if anything, then jot it down and post back here.
IndiGenus
2010-03-04, 22:30
when I shut my computer down to check to see if they were on my desktop in safe mode, Windows automatically updated itself. Is that normal?
In Safe Mode? No, unless you ran Safe Mode with Networking there would be no way to download the updates.
Red_Earth
2010-03-04, 23:33
Autoscan: completed 11 minutes ago (events: 18, objects: 506489, time: 03:15:07)
3/3/2010 3:03:15 PM Task started
3/3/2010 3:10:19 PM Detected: not-a-virus:AdWare.Win32.PurityScan.ak C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60C92449.dll/CryptFF/PE_Patch.PECompact/PecBundle/PECompact
3/3/2010 3:10:19 PM Untreated: not-a-virus:AdWare.Win32.PurityScan.ak C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60C92449.dll/CryptFF/PE_Patch.PECompact/PecBundle/PECompact Postponed
3/3/2010 3:46:38 PM Detected: Trojan.VBS.Small.bj C:\Qoobox\Quarantine\C\WINDOWS\IA\KE.vbs.vir
3/3/2010 3:46:38 PM Untreated: Trojan.VBS.Small.bj C:\Qoobox\Quarantine\C\WINDOWS\IA\KE.vbs.vir Postponed
3/3/2010 3:50:31 PM Detected: not-a-virus:AdWare.Win32.PurityScan.ak C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005156.dll/CryptFF/PE_Patch.PECompact/PecBundle/PECompact
3/3/2010 3:50:31 PM Untreated: not-a-virus:AdWare.Win32.PurityScan.ak C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005156.dll/CryptFF/PE_Patch.PECompact/PecBundle/PECompact Postponed
3/3/2010 3:51:16 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP8\A0003422.exe/WiseSFXDropper/WISE0015.BIN
3/3/2010 3:51:16 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP8\A0003422.exe/WiseSFXDropper/WISE0015.BIN Postponed
3/3/2010 4:37:17 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP10003\src\CompaqPresario_Spring06.exe/WiseSFXDropper/WISE0015.BIN
3/3/2010 4:37:17 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP10003\src\CompaqPresario_Spring06.exe/WiseSFXDropper/WISE0015.BIN Postponed
3/3/2010 4:37:17 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP10003\src\HPPavillion_Spring06.exe/WiseSFXDropper/WISE0015.BIN
3/3/2010 4:37:17 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP10003\src\HPPavillion_Spring06.exe/WiseSFXDropper/WISE0015.BIN Postponed
3/3/2010 6:16:58 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005158.exe/WiseSFXDropper/WISE0015.BIN
3/3/2010 6:16:58 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005158.exe/WiseSFXDropper/WISE0015.BIN Postponed
3/3/2010 6:16:58 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005157.exe/WiseSFXDropper/WISE0015.BIN
3/3/2010 6:16:59 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005157.exe/WiseSFXDropper/WISE0015.BIN Postponed
3/3/2010 6:18:22 PM Task completed
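The log above reads as a clean result once you look at where each hit sits: the Norton AntiVirus quarantine folder, ComboFix's C:\Qoobox\Quarantine, System Restore snapshots under System Volume Information, and the bundled-app installers under D:\I386\APPS on the recovery partition. None of those are files that execute on a normal boot, which is why the remaining work is cleanup (including resetting System Restore) rather than more removal. The following Python script is an added example, not code from Kaspersky, Spybot or anyone in this thread; it parses Kaspersky's "Detected:" event lines and sorts each hit by location so the inert copies are separated from anything under a live system path. The sample lines are constructed from the format of the log above, and the final example.dll detection is hypothetical, included only so the "live" branch has something to flag. The path markers used to recognise quarantine folders, restore points and the recovery partition are assumptions about naming conventions, not something the log itself states.

```python
"""Triage a Kaspersky Anti-Virus scan log by where each detection lives.

Added example for this thread (not Kaspersky's, Spybot's or the poster's
code).  It reads the event-log lines Kaspersky prints ("Detected: <verdict>
<object>") and classifies each hit by its on-disk location: a detection in
another tool's quarantine folder, a System Restore snapshot or a recovery
partition installer is an inert copy, while one under a live path still
needs attention.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the format of the log pasted in the thread.  The last
# "Detected" line (example.dll) is hypothetical, added only so the "live"
# branch of the classifier is exercised.
SAMPLE_LOG = r"""3/3/2010 3:03:15 PM Task started
3/3/2010 3:10:19 PM Detected: not-a-virus:AdWare.Win32.PurityScan.ak C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60C92449.dll/CryptFF/PE_Patch.PECompact
3/3/2010 3:10:19 PM Untreated: not-a-virus:AdWare.Win32.PurityScan.ak C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60C92449.dll/CryptFF/PE_Patch.PECompact Postponed
3/3/2010 3:46:38 PM Detected: Trojan.VBS.Small.bj C:\Qoobox\Quarantine\C\WINDOWS\IA\KE.vbs.vir
3/3/2010 3:51:16 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP8\A0003422.exe/WiseSFXDropper/WISE0015.BIN
3/3/2010 4:37:17 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP10003\src\CompaqPresario_Spring06.exe/WiseSFXDropper/WISE0015.BIN
3/3/2010 5:00:00 PM Detected: Trojan.Win32.Hypothetical.a C:\WINDOWS\system32\example.dll
3/3/2010 6:18:22 PM Task completed
"""

DETECTED_RE = re.compile(
    r"^(?P<time>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) Detected: (?P<verdict>\S+) (?P<obj>.+)$"
)

# Lower-cased path fragments that mark an inert copy rather than a live file.
# These are assumed naming conventions (Norton and ComboFix/Qoobox quarantine,
# System Restore snapshots, HP/Compaq recovery-partition installers).
INERT_MARKERS = (
    ("quarantine", "\\quarantine\\"),
    ("restore_point", "\\system volume information\\_restore"),
    ("oem_recovery", "\\i386\\apps\\"),
)


@dataclass
class Detection:
    time: str
    verdict: str
    file_path: str   # object on disk
    member: str      # nested object inside a packer/archive, "" if none
    location: str    # quarantine | restore_point | oem_recovery | live

    @property
    def is_pup(self) -> bool:
        """Kaspersky prefixes adware/riskware verdicts with 'not-a-virus:'."""
        return self.verdict.startswith("not-a-virus:")


def classify_path(file_path: str) -> str:
    p = file_path.lower()
    for label, marker in INERT_MARKERS:
        if marker in p:
            return label
    return "live"


def parse_detections(log_text: str) -> list:
    """One Detection per 'Detected:' line; 'Untreated:' lines repeat the same object and are skipped."""
    found = []
    for line in log_text.splitlines():
        m = DETECTED_RE.match(line.strip())
        if not m:
            continue
        # Kaspersky separates packer layers and archive members from the
        # on-disk file with '/', which never appears in a Windows path.
        file_path, _, member = m.group("obj").partition("/")
        found.append(Detection(m.group("time"), m.group("verdict"),
                               file_path, member, classify_path(file_path)))
    return found


def live_detections(detections) -> list:
    """The subset that still needs action: hits outside quarantine/backup locations."""
    return [d for d in detections if d.location == "live"]


def summarize(detections) -> Counter:
    return Counter(d.location for d in detections)


if __name__ == "__main__":
    dets = parse_detections(SAMPLE_LOG)
    for d in dets:
        kind = "PUP" if d.is_pup else "malware"
        print(f"{d.location:14} {kind:8} {d.verdict:45} {d.file_path}")
    print("summary:", dict(summarize(dets)))
    print("needs action:", [d.file_path for d in live_detections(dets)])
```

Run it as-is to print the triage; `live_detections()` is the list worth acting on and `summarize()` gives the per-location counts. Splitting on the first "/" matters: Kaspersky appends the nested object (packer layer or archive member) after the real path, so without the split the quarantine and restore-point markers would still match but the reported file name would be the inner object rather than the file on disk.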
Red_Earth
2010-03-04, 23:35
Autoscan: completed 17 hours ago (events: 18, objects: 506489, time: 03:15:07)
Autoscan: completed 13 hours ago (events: 2, objects: 504374, time: 03:25:06)
3/3/2010 6:33:08 PM Task started
3/3/2010 9:58:14 PM Task completed
The first scan I paid close attention and clicked delete and quarantine as needed.
The second scan I left alone, and returned to a completed scan.
Red_Earth
2010-03-04, 23:36
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:15 PM, on 3/4/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCCBHO.CPCCBHO - {22FC6CE8-7D47-479F-B74A-BFBB04ADB9AF} - C:\Program Files\Winferno\PC Confidential\PCCBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7319 bytes
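The O4 (autostart) and O23 (service) lines in a HijackThis log like the one above are where a helper looks first, because they say what runs at boot and from where. Below is an added example, not part of this thread or of HijackThis, that parses those two line types into records and flags the ones a reviewer would want to look at: an autostart whose target could not be resolved (HijackThis prints "?") or one launched from a user-writable location such as Application Data or Temp. The sample log is constructed for the example; the last O4 line in it is made up and does not appear in the thread.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the HijackThis log posted above. The final
# O4 line is made up for illustration; it does not appear in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\All Users\Application Data\EXAMPLE\example.exe
"""

# Registry autostart: "O4 - <hive>\..\<key>: [<name>] <command>"
O4_REG = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder shortcut: "O4 - <folder>: <name>.lnk = <target>"
O4_LNK = re.compile(r"^O4 - (?P<loc>.+?): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
# Service: "O23 - Service: <display name> - <vendor> - <image path>"
O23_SVC = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.*)$")
# The launched file: an optionally quoted drive path ending in an executable extension.
EXE_PATH = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|scr|com|bat|cmd))"?', re.IGNORECASE)

# Heuristic (an assumption of this example): autostarts that run from
# user-writable folders deserve a second look, since installed software
# normally lives under Program Files or WINDOWS.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\")


def executable_path(cmd: str) -> Optional[str]:
    """Pull the launched file out of a command string, dropping arguments and trailers."""
    m = EXE_PATH.match(cmd.strip())
    return m.group("path") if m else None


def parse_entry(line: str) -> Optional[Dict[str, object]]:
    """Turn one O4/O23 log line into a record, or None for any other line type."""
    line = line.rstrip()
    if m := O4_REG.match(line):
        kind, loc, name, cmd = "autostart", m["loc"], m["name"], m["cmd"]
    elif m := O4_LNK.match(line):
        kind, loc, name, cmd = "startup-folder", m["loc"], m["name"], m["cmd"]
    elif m := O23_SVC.match(line):
        kind, loc, name, cmd = "service", m["vendor"], m["name"], m["cmd"]
    else:
        return None
    path = executable_path(cmd)
    flags: List[str] = []
    if path is None:
        # HijackThis prints "?" when a shortcut's target cannot be resolved.
        flags.append("unresolved-target")
    elif any(marker in path.lower() for marker in USER_WRITABLE):
        flags.append("user-writable-location")
    return {"kind": kind, "location": loc, "name": name, "path": path, "flags": flags}


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse every O4/O23 line and return only the records that raised a flag."""
    records = [r for r in (parse_entry(l) for l in log_text.splitlines()) if r]
    return [r for r in records if r["flags"]]


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["kind"], rec["name"], rec["path"], rec["flags"])
```

The flags are only a starting point for a human review; a flagged entry is not automatically malicious (the unresolved Belkin shortcut above is a leftover, not an infection), and a clean-looking path under Program Files is no guarantee either.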
IndiGenus
2010-03-05, 00:42
Okay looks pretty good. We should do some cleanup.
Uninstall Combofix
Click START then RUN
Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
The above procedure will:
Delete the following: ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
You can also delete DDS and GMER.
Download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe).
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Let me know how it's running too please.
Red_Earth
2010-03-05, 00:45
will do
Red_Earth
2010-03-05, 00:51
When I try to launch Combofix it asks me to disable Avast and I don't know how.
Red_Earth
2010-03-05, 01:13
I uninstalled avast.
I will reinstall after we are through or if we need it again.
I do not know what I am supposed to do.
I can only access ComboFix by clicking the icon on my desktop.
There is no start button.
Or run, for that matter.
Not that I see.
I double-click the Combofix icon on my desktop and it starts running.
It launches quickly into a scan.
I don't see any run box.
No place to type. No time to type. No uninstall.
Confused.
IndiGenus
2010-03-05, 05:42
The Start button is your Windows Start button, in the lower left-hand corner of your monitor (normally, but that can be different). Then you select Run and it brings up the Run dialogue box. Then you can type in or copy/paste the command Combofix /Uninstall.
Red_Earth
2010-03-05, 07:42
My computer seems to be running just fine.
Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
ESET Online Scanner v3
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:
Spybot - Search & Destroy
HijackThis 2.0.2
Java DB 10.5.3.0
Java(TM) 6 Update 18
Java(TM) SE Development Kit 6 Update 18
Java Auto Updater
Out of date Java installed!
Adobe Reader 7.0.5
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````
IndiGenus
2010-03-05, 17:10
I think that, other than doing all the updating and making sure you have protection in place, you are pretty much set.
As you can see from the report, you need to update your Windows Service Pack. I would suggest you set Windows to use Automatic Updates (http://support.microsoft.com/kb/306525).
You also need to turn your Firewall on, or install one of the ones I recommend below.
Adobe Reader needs to be updated (http://www.adobe.com/support/downloads/detail.jsp?ftpID=3853).
Also make sure to re-install either Avast or one of the other AVs I recommended.
Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future. Here is a list of some free and evaluation versions to try:
AVG AntiVirus (http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-virus-free)
Avast Antivirus Home Version--Free (http://www.avast.com/eng/avast_4_home.html)
Antivir Personal - Free (http://www.free-av.com/)
Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some free and evaluation versions that provide better security than the Windows Firewall.
Online-Armor (http://www.tallemu.com/free-firewall-protection-software.html)
Outpost Firewall (http://www.agnitum.com/products/outpostfree/)
For a tutorial on Firewalls and a listing of some other available ones see the link below:
Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/index.php?showtutorial=60)
Install SpywareBlaster - SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/index.php?showtutorial=49)
Install Winpatrol -
Use Winpatrol (http://www.winpatrol.com/) to take control of your PC and provide another layer of security.
Help file and tutorial can be found Here (http://www.winpatrol.com/features.html)
Block unwanted parasites with a custom hosts file -
http://www.mvps.org/winhelp2002/hosts.htm
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.
Keep your applications up to date -
Use Secunia Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/) to help stay on top of application updates that could leave your PC vulnerable to attack.
I'll leave the thread open a few days in case you have questions or issues.
Regards,
Dave
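The custom hosts file Dave recommends above works by mapping unwanted names to a sinkhole address (0.0.0.0 or 127.0.0.1) so the browser never reaches them. The same file is also a place malware likes to edit, mapping a real site to an address the attacker controls, so it is worth being able to check what a hosts file actually does. Below is an added example, not part of this thread or of the MVPS project, that parses a hosts file in that layout, answers whether a given name is blocked, reports duplicate names, and flags any entry that points at something other than a sinkhole address. The sample file is constructed; the "update.example.com" redirect in it is made up to show what a hijacked entry looks like.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample in the layout used by blocking hosts files such as the
# MVPS list linked above ("0.0.0.0 name" plus comments). The last entry is a
# made-up redirect to a non-sinkhole address, the kind of line a hijack adds.
SAMPLE_HOSTS = """\
# constructed sample, not the real MVPS file
127.0.0.1 localhost
0.0.0.0 ads.example.net      # blocked: sinkholed to 0.0.0.0
0.0.0.0 tracker.example.org
0.0.0.0 tracker.example.org  # duplicate entry, harmless but worth noting
203.0.113.7 update.example.com   # constructed hijack: not a sinkhole address
"""

Entry = Tuple[str, str, int]  # (address, hostname, line number)


def parse_hosts(text: str) -> List[Entry]:
    """Return (address, hostname, line_no) for every mapping, ignoring comments."""
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop inline and full-line comments
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:                 # one address may carry several names
            entries.append((parts[0], host.lower(), line_no))
    return entries


def is_sinkhole(addr: str) -> bool:
    """True for addresses that make a name unreachable (0.0.0.0, 127.x, ::1)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_unspecified or ip.is_loopback


def blocked_names(entries: List[Entry]) -> Set[str]:
    """Names the file sinkholes; 'localhost' is excluded as a legitimate loopback entry."""
    return {host for addr, host, _ in entries if is_sinkhole(addr) and host != "localhost"}


def is_blocked(entries: List[Entry], hostname: str) -> bool:
    return hostname.lower() in blocked_names(entries)


def duplicate_names(entries: List[Entry]) -> Set[str]:
    counts = Counter(host for _, host, _ in entries)
    return {host for host, n in counts.items() if n > 1}


def suspicious_redirects(entries: List[Entry]) -> List[Dict[str, object]]:
    """Entries that send a name somewhere other than a sinkhole address.

    A blocking hosts file should contain nothing but sinkhole mappings, so any
    other address is either a hand-added override or a sign of tampering."""
    findings: List[Dict[str, object]] = []
    for addr, host, line_no in entries:
        if host == "localhost" or is_sinkhole(addr):
            continue
        reason = "maps to non-sinkhole address"
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            reason = "unparseable address"
        findings.append({"line": line_no, "host": host, "addr": addr, "reason": reason})
    return findings


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", sorted(blocked_names(entries)))
    print("duplicates:", sorted(duplicate_names(entries)))
    for f in suspicious_redirects(entries):
        print("line", f["line"], f["host"], "->", f["addr"], f["reason"])
```

On a real machine you would read the file from C:\WINDOWS\system32\drivers\etc\hosts instead of the constructed sample; a large block list will legitimately produce thousands of sinkhole entries, and the only findings that need attention are the ones reported by suspicious_redirects.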
Red_Earth
2010-03-05, 18:19
Thank you so much, Dave.
You were amazing.
What a great service you have provided me.
IndiGenus
2010-03-05, 20:13
You're welcome and safe surfing in the future.
Regards,
Dave