
Thread: PWS.LDPinchIE

  1. #1
    Junior Member
    Join Date
    Jul 2009
    Posts
    8

    PWS.LDPinchIE

    I got this trojan identified by Spybot S&D, along with several others. It deleted all but this one. Now my desktop won't even load. Microsoft Windows Data Execution Prevention pops up to close Windows Explorer. No icons load; the only way I can access anything is through Task Manager (Ctrl+Alt+Del). I can't turn TeaTimer off this way, though. How can I get this thing off my computer? I see people getting it off with ComboFix. Is that the program I need?
    Thanks

  2. #2
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    You must have read and followed the "Before you Post" instructions.

    There is no way I can tell if I can help from the limited information. Make sure you read the directions so you know what is expected.
    "Microsoft Windows Data Execution Prevention pops up to close windows explorer."
    Does this come with an error message? Post all error messages word for word.

    Let's see if we can get a HijackThis log using this self-installer.

    Download Trend Micro Hijack This™ to your Desktop
    http://download.bleepingcomputer.com...HJTInstall.exe
    Double-click HJTInstall.exe to start it.
    By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
    HijackThis will open after install. Press the Scan button below.
    This will start the scan and open a log.
    Copy and paste the contents of the log in your next reply.

    If you get that, along with the HJT log, post also an uninstall list:

    Open Hijackthis.
    Click the "Open the Misc Tools" section Button.
    Click the "Open Uninstall Manager" Button.
    Click the "Save list..." Button.
    Save it to your desktop. Copy and paste the contents into your reply.
    Image: http://img.bleepingcomputer.com/tuto...nstall-man.jpg

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member
    Join Date
    Jul 2009
    Posts
    8

    I have Spybot S&D and had something trying to get on my machine while on Google. I ran Spybot, which got about 12 things off my machine; however, PWS.PinchIE would not be removed. Now I can't even start my machine. No icons load, and when starting up I get a Windows XP log on, which I never had before, and Data Execution Prevention pops up and won't let anything load. There are no error messages. Just the Windows Data Execution Prevention. It says "To help protect your computer, windows has closed the program." with a button to close the message. I can only access through Ctrl+Alt+Delete to get the Task Manager, then browse to attempt to run anything. I read the before you post rules; however, I am not able to do some things on the list, such as turning off TeaTimer, since I can't get access to it or it won't open through the pathway I have to take. I downloaded Erunt1.1 to a USB drive and ran it. I had to save in my C drive since I had no choice of my desktop, and I also downloaded HJT to this USB drive. I ran HJT and here is what I found.

  4. #4
    Junior Member
    Join Date
    Jul 2009
    Posts
    8

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:29:18 PM, on 7/24/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\acs.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee\msc\mcuimgr.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    F:\HiJackThis.exe
    C:\WINDOWS\system32\TASKMAN.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\TEMP\torC3.tmp
    C:\WINDOWS\system32\C2.tmp

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
    O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4dfb-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TranscodingService] "C:\Program Files\TiVo\Desktop\TranscodingService.exe" /auto
    O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
    O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKUS\S-1-5-18\..\Run: [pridl] "C:\Documents and Settings\Owner\Application Data\pridl\pridl.exe" 61A847B5BBF72811329B385672FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [pridl] "C:\Documents and Settings\Owner\Application Data\pridl\pridl.exe" 61A847B5BBF72811329B385672FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 (User 'Default user')
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - K:\WinHTTrack\WinHTTrackIEBar.dll (file missing)
    O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - K:\WinHTTrack\WinHTTrackIEBar.dll (file missing)
    O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdcc...d/tgctlins.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O23 - Service: McAfee Application Installer Cleanup (0050051248476686) (0050051248476686mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\005005~1.EXE
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

    --
    End of file - 11528 bytes
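
Added example, not part of the original thread and not any poster's code: a small Python triage pass over lines copied from the HijackThis log above, showing the kind of entries a reviewer would look at first. The rule names and heuristics are assumptions of this example; a hit is a lead for review, not a verdict.

```python
import re
from typing import NamedTuple

# Lines copied from the HijackThis log in this thread (a subset, not the full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\TEMP\torC3.tmp
C:\WINDOWS\system32\C2.tmp

F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [pridl] "C:\Documents and Settings\Owner\Application Data\pridl\pridl.exe" 61A847B5BBF72811329B385672FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [pridl] "C:\Documents and Settings\Owner\Application Data\pridl\pridl.exe" 61A847B5BBF72811329B385672FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 (User 'Default user')
O23 - Service: McAfee Application Installer Cleanup (0050051248476686) (0050051248476686mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\005005~1.EXE
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")  # e.g. "O4 - ..."
PATH_RE = re.compile(r"^[A-Za-z]:\\")                               # drive-letter path
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)                # a \Temp\ directory


class Finding(NamedTuple):
    rule: str   # hypothetical rule name used only in this example
    line: str   # the log text that triggered it


def parse_hjt(log_text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if line == "Running processes:":
            in_procs = True
        elif entry:
            in_procs = False            # the process list ends at the first entry
            entries.append((entry["code"], entry["body"]))
        elif in_procs and PATH_RE.match(line):
            processes.append(line)
    return processes, entries


def triage(log_text):
    """Return review leads based on where things run from, not on signatures."""
    processes, entries = parse_hjt(log_text)
    findings = []
    for path in processes:
        # A running image in a Temp directory or with a .tmp extension.
        if TEMP_DIR_RE.search(path) or path.lower().endswith(".tmp"):
            findings.append(Finding("process-image-temp", path))
    for code, body in entries:
        low = body.lower()
        if code == "F2" and "userinit=" in low:
            # On Windows XP the Userinit value normally launches userinit.exe.
            if "\\userinit.exe" not in low.split("userinit=", 1)[1]:
                findings.append(Finding("userinit-replaced", body))
        elif code == "O4" and low.startswith(("hkus\\s-1-5-18\\", "hkus\\.default\\")):
            # An autorun in the SYSTEM/.DEFAULT hive that points into a user profile.
            if "\\application data\\" in low:
                findings.append(Finding("system-hive-autorun-from-profile", body))
        elif code == "O23":
            # The service binary is the last " - " separated field.
            if TEMP_DIR_RE.search(body.rsplit(" - ", 1)[-1]):
                findings.append(Finding("service-binary-temp", body))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.rule}] {finding.line}")
```
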

  5. #5
    Junior Member
    Join Date
    Jul 2009
    Posts
    8

    Here is my uninstall list:
    Adobe AIR
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Media Player
    Adobe Media Player
    Adobe Reader 7.1.0
    Adobe Shockwave Player 11
    America Online (Choose which version to remove)
    AOL Spyware Protection
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Control Panel
    ATI Display Driver
    ATI HYDRAVISION
    ATI Parental Control & Encoder
    Belarc Advisor 7.1
    Big Fish Games Texas Hold `em (remove only)
    BigFix
    Blubster 3.0.7
    BroadJump Client Foundation
    Channel Master
    Colors, Shapes & More
    Compatibility Pack for the 2007 Office system
    Critical Update for Windows Media Player 11 (KB959772)
    Digital Media Reader
    eBay Toolbar
    ERUNT 1.1j
    getPlus(R)_ocx
    Google Earth
    Google Talk (remove only)
    Google Toolbar for Internet Explorer
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB888795)
    Hotfix for Windows XP (KB891593)
    Hotfix for Windows XP (KB895961)
    Hotfix for Windows XP (KB899337)
    Hotfix for Windows XP (KB899510)
    Hotfix for Windows XP (KB902841)
    Hotfix for Windows XP (KB909394)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    hp deskjet 5550 series (Remove only)
    HP Image Zone 3.5
    hp print screen utility
    HP PSC & OfficeJet 3.5
    HP PSC & Officejet 5.3.B Corporate Edition
    HP Software Update
    iQue - Detail Map Install
    iQue - MapInstall and ContactLocation
    J2SE Runtime Environment 5.0 Update 2
    Kazaa Lite Resurrection 0.0.7.6 F
    KeyScrambler
    Learn2 Player (Uninstall Only)
    Learn2.com Multimedia Training
    Live Express
    Macromedia Dreamweaver MX 2004
    Macromedia Extension Manager
    Macromedia Fireworks MX 2004
    Macromedia Flash MX 2004
    Macromedia FreeHand MXa
    MapSource - City Select North America v6
    McAfee SecurityCenter
    Memories Disc Creator 2.0
    Microsoft .NET Framework 1.0 Hotfix (KB887998)
    Microsoft .NET Framework 1.0 Hotfix (KB930494)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft ActiveSync 4.0
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Money 2005
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 Professional
    Microsoft Office Standard Edition 2003
    Microsoft Picture It! Premium 10
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Mozilla Firefox (3.0.11)
    MP3 Shield 2.4.2
    MSN Music Assistant
    MSN Toolbar
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 6 Service Pack 2 (KB954459)
    Multimedia Keyboard Driver
    MyDSC2
    Napster Burn Engine
    Nero BurnRights
    Nero OEM
    NETGEAR Wireless Adapter WPN311
    Oceanlog VersaPro
    overland
    Palm Desktop for Garmin iQue 3600
    Pdf995 (installed by TaxCut)
    PdfEdit995 (installed by TaxCut)
    Photo Viewer 2.3
    PowerDVD
    Pure Networks Port Magic
    QuickTime
    RealFlight G3 R/C Simulator
    RealPlayer
    Realtek AC'97 Audio
    Recovery Software Suite eMachines
    Satellite Finder 4.00
    Security Cleanup
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB973346)
    SoftV92 Data Fax Modem with SmartCP
    SpanishNow!
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.5.2.20
    Spyware Doctor 6.0
    TaxCut 2004
    TaxCut Premium + Efile 2008
    TaxCut Premium 2006
    TaxCut Premium 2007
    TaxCut Standard 2005
    TiVo Desktop 2.7
    TiVo Desktop 2.7
    upapp
    Update for Windows Internet Explorer 8 (KB968220)
    Update for Windows Media Player 10 (KB913800)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB953356)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    Viewpoint Media Player
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 10 Hotfix - KB894476
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888239
    Windows XP Media Center Edition 2005 KB925766
    WinHTTrack Website Copier 3.42-2
    WinRAR archiver
    WinZip
    WorldMate for PocketPC

  6. #6
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    You are infected, let's give combofix a run to see if that gives you some relief. Bring it to the infected computer the same way, and run it from the Desktop if at all possible. We will deal with the uninstall list later.


    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed

    Please continue as follows:

    Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    http://www.bleepingcomputer.com/forums/topic114351.html
    Remember to re-enable them afterwards.

    Click Yes to allow ComboFix to continue scanning for malware.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    When the tool is finished, it will produce a report for you. Post that report and a new HJT log

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use


    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  7. #7
    Junior Member
    Join Date
    Jul 2009
    Posts
    8

    OK, I ran ComboFix and the Windows Recovery Console. With that I was able to start in safe mode and disable my antivirus, and I had to uninstall Spybot since it would not open to disable TeaTimer. I got a copy of the ComboFix log. The computer said it needed to restart to complete the uninstall and to change settings for my McAfee. I restarted and now it keeps restarting. I choose Windows recovery and safe mode, safe mode with networking, or normal, and it begins start up, then fails and reboots. Here is my ComboFix log before all this. I couldn't get a new HJT log since I can't get it to stop rebooting.
    ComboFix 09-07-23.04 - Owner 07/24/2009 14:28.1.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.615 [GMT -4:00]
    Running from: F:\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\ALLUSE~1\APPLIC~1\11300464
    c:\docume~1\ALLUSE~1\APPLIC~1\11300464\11300464
    c:\docume~1\ALLUSE~1\APPLIC~1\11300464\11300464.exe
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
    c:\program files\ipwindows
    c:\program files\ipwindows\popF2.tmp
    c:\recycler\S-1-5-21-968814600-1246504547-813671351-500
    c:\windows\Installer\13f4c3.msp
    c:\windows\Installer\17aaf09.msp
    c:\windows\Installer\1982b8f.msp
    c:\windows\Installer\208dd.msp
    c:\windows\Installer\20969.msp
    c:\windows\Installer\20e88.msp
    c:\windows\Installer\21418.msp
    c:\windows\Installer\22f2f.msp
    c:\windows\Installer\25af2.msp
    c:\windows\Installer\263ed.msp
    c:\windows\Installer\36d71.msp
    c:\windows\Installer\5191e8.msi
    c:\windows\Installer\5b7d3f.msp
    c:\windows\Installer\a28b7b.msi
    c:\windows\Installer\ac260c.msp
    c:\windows\kb913800.exe
    c:\windows\system32\9.tmp
    c:\windows\system32\drivers\smss.exe
    c:\windows\system32\drivers\vsfoceuflxylkm.sys
    c:\windows\system32\ghaf8jkdfd.dll
    c:\windows\system32\uuddc32.dll
    c:\windows\system32\vsfoceltnbowpd.dat
    c:\windows\system32\vsfocexdnplvho.dll
    c:\windows\system32\vsfocexvpovpvc.dll
    c:\windows\system32\vsfoceymrdylkr.dat
    D:\Autorun.inf




    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_vsfocemowuyniq
    -------\Service_UACd.sys


    ((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))
    .

    2009-07-24 18:11 . 2009-07-24 18:12 -------- d-----w- C:\32788R22FWJFW
    2009-07-24 05:08 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2009-07-24 05:08 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2009-07-24 05:08 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2009-07-24 05:08 . 2009-07-24 18:27 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
    2009-07-24 05:08 . 2009-07-24 05:10 -------- d-----w- c:\program files\Common Files\PC Tools
    2009-07-24 05:08 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2009-07-24 05:08 . 2009-07-24 17:07 -------- d-----w- c:\program files\Spyware Doctor
    2009-07-24 05:08 . 2009-07-24 05:08 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
    2009-07-24 05:08 . 2009-07-24 05:08 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PC Tools
    2009-07-23 10:21 . 2009-07-23 10:21 -------- d-----w- c:\documents and settings\Owner\Application Data\pridl
    2009-07-23 10:21 . 2009-07-23 10:21 11264 ----a-w- c:\documents and settings\Owner\Application Data\pridl\pridl.exe
    2009-07-23 02:49 . 2009-07-23 03:10 -------- d-----w- c:\windows\system32\CatRoot_bak
    2009-07-08 02:56 . 2003-09-05 22:16 757760 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\NPSWF32.dll
    2009-07-08 02:56 . 2003-09-05 22:16 815104 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\FlashPlayerW.dll
    2009-07-08 02:54 . 2009-07-08 02:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Macrovision
    2009-07-08 02:48 . 2009-07-08 02:48 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Macromedia
    2009-07-08 02:33 . 2002-01-05 11:10 57344 ------w- c:\windows\system32\mfc70enu.dll
    2009-07-08 02:33 . 2009-07-08 02:33 -------- d-----w- c:\program files\Common Files\Macromedia Shared
    2009-07-08 02:33 . 2009-07-08 02:38 -------- d-----w- c:\program files\Common Files\Macromedia
    2009-07-08 02:32 . 2009-07-08 02:50 -------- d-----w- c:\program files\Macromedia
    2009-07-02 04:11 . 2009-07-02 04:11 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\RapidShare_
    2009-06-30 23:50 . 2009-07-08 01:20 -------- d-----w- c:\documents and settings\All Users\AdobeTemp
    2009-06-30 22:42 . 2009-06-30 22:42 -------- d-----w- c:\program files\uTorrent
    2009-06-30 22:42 . 2009-07-01 01:03 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
    2009-06-30 21:53 . 2009-06-30 21:53 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\FLEXnet
    2009-06-30 21:34 . 2009-06-30 21:34 -------- d-----w- c:\program files\Adobe Media Player
    2009-06-30 21:29 . 2009-06-30 21:29 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-06-27 15:55 . 2009-06-27 15:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Media Player Classic
    2009-06-27 15:47 . 2009-07-23 03:24 -------- d-----w- c:\program files\Blubster
    2009-06-27 01:04 . 2009-06-27 01:04 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2009-06-24 20:42 . 2004-08-10 19:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
    2009-06-24 20:25 . 2009-06-24 20:25 -------- d-----w- c:\program files\Windows Media Connect 2
    2009-06-24 20:22 . 2009-06-24 20:23 -------- d-----w- c:\windows\system32\drivers\UMDF
    2009-06-24 19:57 . 2001-08-17 17:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
    2009-06-24 19:57 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
    2009-06-24 19:40 . 2009-06-24 19:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2009-06-24 19:29 . 2009-06-24 19:29 -------- d-----w- c:\windows\system32\XPSViewer
    2009-06-24 19:29 . 2009-06-24 19:29 -------- d-----w- c:\program files\MSBuild
    2009-06-24 19:29 . 2009-06-24 19:29 -------- d-----w- c:\program files\Reference Assemblies
    2009-06-24 19:28 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-06-24 19:28 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2009-06-24 19:28 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-06-24 19:28 . 2009-06-24 19:29 -------- d-----w- C:\cef7ac87ad8b1fbcfba1a9f067fc74
    2009-06-24 19:28 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2009-06-24 19:28 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2009-06-24 19:28 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2009-06-24 19:28 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2009-06-24 19:24 . 2009-06-24 19:24 -------- d-----w- c:\program files\MSXML 6.0
    2009-06-24 19:12 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2009-06-24 19:12 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2009-06-24 19:11 . 2009-03-06 14:44 283648 -c----w- c:\windows\system32\dllcache\pdh.dll
    2009-06-24 19:11 . 2009-02-09 10:20 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll
    2009-06-24 19:11 . 2009-02-09 10:20 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
    2009-06-24 19:11 . 2009-02-06 17:14 110592 -c----w- c:\windows\system32\dllcache\services.exe
    2009-06-24 19:11 . 2009-02-06 16:54 35328 -c----w- c:\windows\system32\dllcache\sc.exe
    2009-06-24 19:11 . 2009-02-06 16:39 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
    2009-06-24 19:11 . 2005-07-26 04:39 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
    2009-06-24 19:11 . 2009-02-09 10:20 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll
    2009-06-24 19:11 . 2009-02-09 10:20 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
    2009-06-24 19:11 . 2009-02-09 10:20 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
    2009-06-24 19:11 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
    2009-06-24 19:09 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
    2009-06-24 19:09 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2009-06-24 19:09 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-24 18:27 . 2009-07-24 18:27 0 ----a-w- c:\windows\system32\B.tmp
    2009-07-24 18:26 . 2008-01-11 17:42 -------- d-----w- c:\program files\McAfee
    2009-07-24 18:21 . 2005-12-12 14:43 52224 ----a-w- c:\windows\system32\Crypserv.exe
    2009-07-23 10:21 . 2009-07-23 10:21 84480 ----a-w- c:\windows\system32\9A.tmp
    2009-07-23 10:21 . 2009-07-23 10:20 40 ----a-w- c:\windows\system32\8B.tmp
    2009-07-23 10:20 . 2009-07-23 10:20 360320 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
    2009-07-23 10:20 . 2005-04-13 16:56 360320 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
    2009-07-23 03:25 . 2005-11-26 20:22 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2009-07-23 03:17 . 2005-11-26 20:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-07-08 02:46 . 2005-05-19 22:06 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-07-08 01:35 . 2008-05-22 03:46 -------- d-----w- c:\program files\Common Files\Adobe
    2009-07-02 17:44 . 2005-12-29 02:04 88968 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-25 15:24 . 2005-12-11 21:56 -------- d-----w- c:\program files\My Shared Folder
    2009-06-24 20:07 . 2009-07-24 01:47 177842 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
    2009-06-24 20:06 . 2005-04-13 17:18 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-06-16 14:55 . 2005-04-13 16:56 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-16 14:55 . 2005-04-13 16:55 82432 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-04 16:06 . 2008-11-27 00:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
    2009-06-03 19:24 . 2005-04-13 16:55 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-05-13 05:15 . 2005-04-13 16:56 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-05-07 15:44 . 2005-04-13 16:55 344064 ----a-w- c:\windows\system32\localspl.dll
    2005-03-02 18:37 . 2006-10-04 17:56 22819 ----a-w- c:\program files\CDCOPS.DLL
    2005-02-24 19:57 . 2006-10-04 17:56 36093 ----a-w- c:\program files\SP.VOC
    2005-02-24 19:54 . 2006-10-04 17:56 50002 ----a-w- c:\program files\IT.VOC
    2005-02-24 19:49 . 2006-10-04 17:56 33776 ----a-w- c:\program files\FR.VOC
    2005-02-24 19:43 . 2006-10-04 17:56 35379 ----a-w- c:\program files\GE.voc
    2005-02-24 19:39 . 2006-10-04 17:56 32610 ----a-w- c:\program files\TU.voc
    2009-06-27 14:42 . 2008-09-08 17:30 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    .

    ------- Sigcheck -------

    [7] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
    [7] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    [7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    [7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    [7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    [7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [7] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
    [7] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
    [7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB951748$\tcpip.sys
    [-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\tcpip.sys
    [-] 2009-07-23 10:20 360320 073941D59AE065910064B728DEE981EE c:\windows\system32\dllcache\TCPIP.SYS
    [-] 2009-07-23 10:20 360320 073941D59AE065910064B728DEE981EE c:\windows\system32\drivers\TCPIP.SYS

    [-] 2007-06-13 10:23 1053696 0803AFF01DBF0C4CD0F2E5ED3AA94A72 c:\windows\explorer.exe
    [-] 2007-06-13 11:26 1033216 E644780B0A82D807610B1F2F739CCF76 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    [-] 2004-08-10 19:00 1032192 6746CF2FA16D3A5DF8AAF3B1A246D97B c:\windows\$NtUninstallKB938828$\explorer.exe
    [-] 2008-04-14 00:12 1033728 5453DC164BD317ED2AE80DC738F962E1 c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
    [-] 2007-06-13 10:23 1053696 A93113210A660F1540BA73E5CF094CB3 c:\windows\system32\dllcache\explorer.exe

    [-] 2008-04-14 00:12 15360 C57ABD3A5599C0519A119FEFCC7D1D0A c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ctfmon.exe
    [-] 2004-08-10 19:00 35840 D0F345DAC41FB51A9C64562AE6ABEA55 c:\windows\system32\ctfmon.exe

    [-] 2005-06-11 00:17 57856 32B1509B48612035B5656971BCA3EEEA c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
    [-] 2004-08-10 19:00 57856 059B2144B6D22170BADF7CC9A55D0ABB c:\windows\$NtUninstallKB896423$\spoolsv.exe
    [-] 2008-04-14 00:12 57856 BDF823FB267FD0459F15F644A8A5E108 c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\spoolsv.exe
    [-] 2005-06-10 23:53 78336 7E11C852534988C790F9946C6BE81253 c:\windows\system32\spoolsv.exe

    [-] 2008-04-14 00:12 26112 2C88AF3B982C8E48E6D3B777CDA055E3 c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\userinit.exe
    [-] 2004-08-10 19:00 45056 24BEFCE61490784AD7246F33955229C2 c:\windows\system32\userinit.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 35840]
    "TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 540672]
    "TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2164736]
    "TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 449024]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2280960]
    "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1220608]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
    "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-06 200749]
    "SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 155648]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 53248]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 434176]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 176128]
    "msnappau"="c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe" [2004-08-13 106496]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-21 299008]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 208896]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 69632]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3760128]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 84992]
    "eBayToolbar"="c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2009-01-18 632048]
    "Blubster"="c:\program files\Blubster\Blubster.exe" [2008-11-10 1368064]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-18 360448]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 65536]
    "AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 78960]
    "SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-12-01 98304]
    "ShowWnd"="ShowWnd.exe" - c:\windows\ShowWnd.exe [2003-09-19 57344]
    "CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-05-18 565760]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2002-8-9 319488]

    c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 50176]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 258048]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 86068]
    NETGEAR WPN311 Wireless Assistant.lnk - c:\program files\NETGEAR\WPN311\wlancfg5.exe [2005-2-21 4538368]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UserInit"="c:\windows\explorer.exe,"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\mshta.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\Blubster\\Blubster.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/24/2009 1:08 AM 130936]
    R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [9/2/2006 2:37 PM 3026]
    R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/24/2009 1:08 AM 348752]
    R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [1/29/2007 4:14 PM 113896]
    S2 0144421248459507mcinstcleanup;McAfee Application Installer Cleanup (0144421248459507);c:\windows\TEMP\014442~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\014442~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
    S3 KCFdcDevice0;KCFdcDevice0;\??\c:\futura\kcfdc.sys --> c:\futura\kcfdc.sys [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - 0144421248459507MCINSTCLEANUP
    *Deregistered* - mchInjDrv

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-DriverUpdaterPro - c:\program files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe
    HKLM-Run-IS CfgWiz - c:\program files\Norton Internet Security\cfgwiz.exe
    HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
    HKLM-Run-11300464 - c:\documents and settings\All Users\Application Data\11300464\11300464.exe
    HKLM-Run-DXDllRegExe - dxdllreg.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.adelphia.net/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\qdqhzd2c.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - hxxp://moneycentral.msn.com/home.asp
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\qdqhzd2c.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-24 14:34
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(764)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\WININET.DLL
    .
    Completion time: 2009-07-24 14:36
    ComboFix-quarantined-files.txt 2009-07-24 18:36

    Pre-Run: 69,079,355,392 bytes free
    Post-Run: 69,117,624,320 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    323 --- E O F --- 2009-07-23 10:17

  8. #8
    Junior Member
    Join Date
    Jul 2009
    Posts
    8

    Default

    It's still rebooting in whatever mode I choose including last known good configuration.

  9. #9
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    See if you can get the computer into safe mode:
    http://spyware-free.us/tutorials/safemode/

    While your computer is loading up, rapidly and repeatedly press the F8 button.

    If you can then access MSConfig like this:

    Start > Run > type "msconfig" without the quotes, then OK. If you get the System Configuration window open, click on the BOOT.INI tab.
    Make sure there are NO checks in any of the Boot Options > OK and restart the computer to see if that helps.

    You might also find something here that will help if those instructions do not work.
    http://www.google.com/search?hl=en&q...+reboot&aqi=g1
    Last edited by pskelley; 2009-07-27 at 20:30.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  10. #10
    Junior Member
    Join Date
    Jul 2009
    Posts
    8

    Default

    I have tried everything to get this machine to stop the reboot loop it is now in, including F8 to get it to attempt safe mode: it starts to go through that, then reboots. Normal mode, same thing; every option on that menu, same result. I've tried to boot from CD; same thing happens. Any more ideas?
