
Thread: Spybot doesn't remove win32.fraudload.edt. Please help!

  1. #11
    Emeritus (Join Date Aug 2007, Posts 1,875)

    I chose not to install the Windows Recovery Console.
    Is this needed?
    Yes, it is needed. In case something happens to your computer and we can't get into it normally, we may have to use the Recovery Console to help fix the problem(s). I'll be having you run ComboFix again in this post. Please have ComboFix download and install the Recovery Console when it prompts you to. Thanks.


    Step # 1: Run CFScript

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      KILLALL::
      
      MIA::
      
      c:\windows\system32\proquota.exe
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [Screenshot: CFScript.txt being dragged onto ComboFix.exe]

      Note: This CFScript is for use on proctor67's computer only! Do not use it on your computer.

    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    In your next post/reply, I need to see the following:

    1. The ComboFix Log that appears after Step 1 has been completed.
    2. A fresh DDS Log taken after Step 1 has been completed.
    Malware Removal University Master
    Member of ASAP & UNITE

  2. #12
    Junior Member (Join Date Nov 2009, Posts 9)

    ComboFix 09-12-04.05 - JProcter 12/05/2009 13:17.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.551 [GMT -6:00]
    Running from: c:\documents and settings\JProcter\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\JProcter\Desktop\CFScript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\proquota.exe . . . is missing!!

    c:\windows\system32\proquota.exe . . . is missing!!

    .
    ((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
    .

    2009-12-02 05:43 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2009-12-02 05:43 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2009-12-02 05:43 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2009-12-02 05:43 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2009-12-02 05:43 . 2009-12-02 05:43 -------- d-----w- c:\program files\Avira
    2009-12-02 05:43 . 2009-12-02 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2009-11-30 02:57 . 2009-11-30 02:58 -------- d-----w- c:\program files\ERUNT
    2009-11-27 19:00 . 2009-11-27 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
    2009-11-23 02:57 . 2009-11-23 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-11-23 02:57 . 2009-11-23 03:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-11-23 00:06 . 2009-11-23 00:06 -------- d-----w- c:\documents and settings\JProcter\Local Settings\Application Data\Threat Expert
    2009-11-22 23:59 . 2009-11-23 02:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-11-11 02:20 . 2009-11-11 02:21 1408800 ----a-w- c:\documents and settings\JProcter\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-29 05:18 . 2006-03-31 08:04 70256 ----a-w- c:\documents and settings\JProcter\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-11-27 19:12 . 2006-01-20 13:31 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-11-27 19:06 . 2006-01-20 13:28 -------- d-----w- c:\program files\Google
    2009-11-27 19:04 . 2006-01-20 13:40 -------- d-----w- c:\program files\Microsoft Experience Pack
    2009-11-27 19:04 . 2009-01-01 02:13 -------- d-----w- c:\program files\Cakewalk
    2009-11-27 19:03 . 2006-07-19 19:57 -------- d-----w- c:\program files\Citrix
    2009-11-27 19:00 . 2008-05-22 15:08 -------- d-----w- c:\program files\AVG
    2009-11-27 18:58 . 2006-01-20 13:38 -------- d-----w- c:\program files\Common Files\Real
    2009-11-27 18:50 . 2008-04-09 18:05 -------- d-----w- c:\program files\Common Files\Apple
    2009-11-27 18:47 . 2007-09-10 20:18 -------- d-----w- c:\program files\Alibre Design
    2009-11-26 17:06 . 2008-12-06 02:36 -------- d-----w- c:\program files\Bonjour
    2009-11-24 02:17 . 2008-01-08 00:24 -------- d-----w- c:\program files\M1
    2009-11-11 02:21 . 2009-11-05 04:53 127325 ----a-w- c:\documents and settings\JProcter\Application Data\Move Networks\uninstall.exe
    2009-11-11 02:21 . 2007-11-09 02:27 -------- d-----w- c:\documents and settings\JProcter\Application Data\Move Networks
    2009-11-11 02:21 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\JProcter\Application Data\Move Networks\plugins\npqmp071505000011.dll
    2009-11-05 04:53 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\JProcter\Application Data\Move Networks\plugins\npqmp071505000010.dll
    2009-11-05 04:53 . 2009-11-05 04:52 1407680 ----a-w- c:\documents and settings\JProcter\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
    2009-10-07 03:27 . 2009-06-01 02:17 -------- d-----w- c:\program files\Microsoft Silverlight
    2007-07-18 02:10 . 2007-09-05 01:23 5154304 ----a-w- c:\program files\WindowsDefender.msi
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1" [X]
    "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 1207080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TabletWizard"="c:\windows\help\SplshWrp.exe" [2004-08-04 16384]
    "TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2005-04-26 271872]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-05-13 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-05-13 126976]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-25 68296]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]
    "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
    "EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-04-03 753664]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

    c:\documents and settings\JProcter\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
    "NoAutoUpdate"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-10-15 19:27 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
    2004-08-04 12:00 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\LoginKey.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
    2002-08-29 10:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
    2004-08-04 12:00 30208 ----a-w- c:\windows\system32\tpgwlnot.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "1711:UDP"= 1711:UDP:Windows Media Format SDK (IEXPLORE.EXE)
    "1710:UDP"= 1710:UDP:Windows Media Format SDK (IEXPLORE.EXE)

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/1/2009 11:43 PM 108289]
    R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [3/22/2007 6:04 PM 9728]
    R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [1/20/2006 7:23 AM 17280]
    R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [1/20/2006 7:23 AM 9600]
    S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [6/21/2005 9:25 PM 69692]
    S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [3/10/2006 3:55 PM 39424]
    S3 RDID1070;Roland SonicCell;c:\windows\system32\drivers\RDWM1070.sys [1/2/2009 12:02 AM 135424]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2009-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    mStart Page = hxxp://www.google.com
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-05 14:24
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1424)
    c:\program files\Intel\Wireless\Bin\LgNotify.dll

    - - - - - - - > 'explorer.exe'(2664)
    c:\progra~1\WINDOW~3\wmpband.dll
    c:\program files\windows journal\nbmaptip.dll
    c:\windows\IME\SPGRMR.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\RealVNC\VNC4\WinVNC4.exe
    c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
    c:\windows\SYSTEM32\WISPTIS.EXE
    c:\windows\System32\tabbtnu.exe
    c:\windows\system32\wscntfy.exe
    c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
    c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe
    c:\progra~1\MI3AA1~1\rapimgr.exe
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    .
    **************************************************************************
    .
    Completion time: 2009-12-05 14:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-12-05 20:29
    ComboFix2.txt 2009-12-05 03:10

    Pre-Run: 54,722,932,736 bytes free
    Post-Run: 54,620,426,240 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 620782001C85B777F7054CFB4EF2A8D0


    *************************************************
    Second DDS.txt:


    DDS (Ver_09-12-01.01) - NTFSx86
    Run by JProcter at 14:40:28.82 on Sat 12/05/2009
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.551 [GMT -6:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Kodak\printer\center\KodakSvc.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\SYSTEM32\WISPTIS.EXE
    C:\WINDOWS\System32\tabbtnu.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\JProcter\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com
    mStart Page = hxxp://www.google.com
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
    uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
    mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    mRun: [Snippet] "c:\program files\microsoft experience pack\snipping tool\SnippingTool.exe" /i
    mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
    mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
    mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
    mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
    mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
    mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\docume~1\jprocter\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189394558921
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189394541046
    DPF: {8E66A776-A350-4D69-8783-906DB0E6DF14} - hxxp://download.jaunt.com/public/jaunt.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
    DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://ak.imgag.com/imgag/cp/install/Crusher.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: igfxcui - igfxsrvc.dll
    Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
    Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
    Notify: TabBtnWL - TabBtnWL.dll
    Notify: tpgwlnotify - tpgwlnot.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-1 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-1 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-1 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-1 55656]
    R2 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\printer\center\KodakSvc.exe [2007-3-22 9728]
    R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [2006-1-20 17280]
    R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [2006-1-20 9600]
    S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2005-6-21 69692]
    S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2006-3-10 39424]
    S3 RDID1070;Roland SonicCell;c:\windows\system32\drivers\RDWM1070.sys [2009-1-2 135424]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-10-27 278384]

    =============== Created Last 30 ================

    2009-12-05 19:16:11 0 d-sha-r- C:\cmdcons
    2009-12-05 02:54:03 98816 ----a-w- c:\windows\sed.exe
    2009-12-05 02:54:03 77312 ----a-w- c:\windows\MBR.exe
    2009-12-05 02:54:03 260608 ----a-w- c:\windows\PEV.exe
    2009-12-05 02:54:03 161792 ----a-w- c:\windows\SWREG.exe
    2009-12-02 05:43:52 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2009-12-02 05:43:49 0 d-----w- c:\program files\Avira
    2009-12-02 05:43:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2009-11-27 19:00:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Avg8
    2009-11-23 02:57:43 0 d-----w- c:\program files\Spybot - Search & Destroy
    2009-11-23 02:57:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

    ==================== Find3M ====================

    2007-07-18 02:10:36 5154304 ----a-w- c:\program files\WindowsDefender.msi

    ============= FINISH: 14:40:43.00 ===============


    Interesting - ComboFix opened and seemed to run Avira AntiVir after reboot and logon to Windows. Normal?
    What about the files ComboFix says it stored?
    ComboFix-quarantined-files.txt 2009-12-05 20:29
    ComboFix2.txt 2009-12-05 03:10

    Also - a window popped up before ComboFix completed saying Combofixlog.txt would be found on C:\
    I do not see it there. ??
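As an added example (not part of this thread, and not ComboFix's or DDS's own code), here is a small Python triage script that flags the security-relevant lines a helper looks for in a ComboFix or DDS log like the one above: the AV/FW status lines, the MIA:: "is missing" result, the NoAutoUpdate, DisableMonitoring and EnableFirewall registry values, dangling [X] autorun entries and the catchme hidden-file count. The sample lines are constructed to mirror the posted log; the rule set and severities are my own assumptions, not ComboFix's.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines in the shape of the ComboFix and DDS output quoted
# in this thread (the values mirror what the posted logs show).
SAMPLE_LOG = r"""
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
c:\windows\system32\proquota.exe . . . is missing!!
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1" [X]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 1207080]
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
hidden files: 0
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info" (my own scale, an assumption)
    item: str      # the value name, path or section that matched
    detail: str    # why a helper would care


KEY_RE = re.compile(r'^\[(.+)\]$')                 # registry key header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "Name"= value
MISSING_RE = re.compile(r'^(.+?) \. \. \. is missing!!$')  # MIA:: result
HIDDEN_RE = re.compile(r'^hidden files: (\d+)$')   # catchme summary line


def parse_int(raw):
    """Accept the two numeric spellings ComboFix uses: '1 (0x1)' and 'dword:00000001'."""
    m = re.match(r'^(?:dword:([0-9a-fA-F]+)|(\d+))', raw.strip())
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


def triage(text):
    """Walk the log line by line, remembering the current registry key so that
    value lines can be judged in context. Returns a list of Finding."""
    findings, current_key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("AV:"):
            if "*On-access scanning disabled*" in line:
                findings.append(Finding("high", "AV", "real-time antivirus protection is switched off"))
            if "(Outdated)" in line:
                findings.append(Finding("medium", "AV", "antivirus definitions are out of date"))
            continue
        if line.startswith("FW:") and "*disabled*" in line:
            findings.append(Finding("high", "FW", "the firewall product is disabled"))
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.append(Finding("high", m.group(1), "file the CFScript asked ComboFix to check (MIA::) is absent from disk"))
            continue
        m = HIDDEN_RE.match(line)
        if m:
            if int(m.group(1)) > 0:
                findings.append(Finding("high", "catchme", f"{m.group(1)} hidden file(s): possible rootkit"))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        lname, key_l = name.lower(), current_key.lower()
        if rest.endswith("[X]"):
            findings.append(Finding("info", name, "autorun entry points at a file ComboFix could not find (dangling)"))
        elif lname == "noautoupdate" and r"windowsupdate\au" in key_l and parse_int(rest) == 1:
            findings.append(Finding("medium", name, "Automatic Updates is turned off by policy"))
        elif lname == "disablemonitoring" and r"security center\monitoring" in key_l and parse_int(rest) == 1:
            product = current_key.rsplit("\\", 1)[-1]
            findings.append(Finding("medium", name, f"Security Center is told not to monitor '{product}'"))
        elif lname == "enablefirewall" and "firewallpolicy" in key_l and parse_int(rest) == 0:
            findings.append(Finding("high", name, "Windows Firewall is disabled for this profile"))
    return findings


def summarize(findings):
    """Count findings per severity, so a helper sees the shape of the log at a glance."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.item}: {f.detail}")
    print(summarize(results))
```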

  3. #13
    Emeritus (Join Date Aug 2007, Posts 1,875)

    Interesting - ComboFix opened and seemed to run Avira AntiVir after reboot and logon to Windows. Normal?
    As far as I'm aware ComboFix can open and cause other programs (like Avira) to run. I think that was Avira's own doing. It must have somehow reenabled itself when Windows loaded back up.

    What about the files combofix says it stored?
    ComboFix-quarantined-files.txt 2009-12-05 20:29
    ComboFix2.txt 2009-12-05 03:10
    Those logs are from previous runs that we did with ComboFix. They are there in case we need to look at them at a later time.


    Also - a window popped up before ComboFix completed saying Combofixlog.txt would be found on C:\
    I do not see it there. ??
    If it's not there, it'd probably be in the C:\ComboFix folder. No need to worry since you posted the correct ComboFix Log anyway.


    Step # 1: Download and Run FileFind

    Download FileFind by Atribune.
    • Double click on FileFind.exe to open the program.
    • Enter proquota.exe into the File: box.
    • Click on the Search button.
    • After a while a list of file locations will appear in the List of Files: box.
    • Click on the Export button.


    This will create a Notepad file named Export.txt in the C:\ folder; please copy and paste its contents into your next post.

  4. #14
    Junior Member (Join Date Nov 2009, Posts 9)

    0 Files found in 6519 Directories

    FileFind List of Files: is blank / empty
    No text appears in the export.txt file.

    What now?

  5. #15
    Emeritus (Join Date Aug 2007, Posts 1,875)

    Do you have access to a Flash/USB drive and to a clean computer that is running Windows XP SP2?

  6. #16
    Junior Member (Join Date Nov 2009, Posts 9)

    Have a USB 1GB flash drive (memory stick)
    My clean XP computer belongs to my employer - I cannot load or install software to it.

    My other home computer with XP needs cleaning.

  7. #17
    Emeritus (Join Date Aug 2007, Posts 1,875)

    Ok, since you don't have access to a clean computer running Windows XP SP2 (or at least can't use it), we'll go ahead and continue.



    Step # 1: Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.



    Step # 2 Download and Run Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware from Here.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the entire report in your next reply.


    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



    Step # 3: Run Kaspersky Online Scan

    Please make sure that all programs are closed when installing Java.

    1. Click here to visit Java's website.
    2. Scroll down to Java Runtime Environment (JRE) 6 Update 17. Click on Download.
    3. Select Windows from the drop-down list for Platform.
    4. Select Multi-language from the drop-down list for Language.
    5. Check (tick) I agree to the Java SE Runtime Environment 17 License Agreement box and click on Continue.
    6. Click on jre-6u17-windows-i586-p.exe link to download it and save this to a convenient location.
    7. Double click on jre-6u17-windows-i586-p.exe to install Java.
    8. After the Java installation has finished, please go to Kaspersky website and perform an online antivirus scan.
    9. Read through the requirements and privacy statement and click on Accept button.
    10. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    11. When the downloads have finished, click on Settings.
    12. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    13. Click on My Computer under Scan.
    14. Once the scan is complete, it will display the results. Click on View Scan Report.
    15. You will see a list of infected items there. Click on Save Report As....
    16. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    17. Please post this log in your next reply.



    In your next post/reply, I need to see the following:

    1. MalwareBytes' Log
    2. Kaspersky Log
    3. A fresh DDS Log
    4. How is your computer doing, any problems?

  8. #18
    Emeritus (Join Date Aug 2007, Posts 1,875)

    procter67? How are things coming along?

  9. #19
    Emeritus (Join Date Aug 2007, Posts 1,875)

    This topic has been archived due to inactivity.

    If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

    Applies only to the original poster, anyone else with similar problems please start a new topic.