Trojan help
- Thread starter mla34
- Start date
ComboFix 10-01-24.05 - Maureen 01/25/2010 11:39:09.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.618 [GMT -5:00]
Running from: c:\documents and settings\Maureen\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.
2010-01-25 00:56 . 2010-01-25 00:56 -------- d-----w- c:\program files\Common Files\Java
2010-01-25 00:55 . 2010-01-25 00:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-23 22:05 . 2010-01-23 22:05 -------- d-----w- c:\program files\Trend Micro
2010-01-20 17:08 . 2010-01-20 17:08 -------- d-sh--w- c:\documents and settings\Carolyn\PrivacIE
2010-01-20 17:04 . 2010-01-20 17:04 -------- d-sh--w- c:\documents and settings\Carolyn\IETldCache
2010-01-17 21:22 . 2010-01-17 21:29 -------- d-----w- c:\program files\Garmin
2010-01-17 21:22 . 2010-01-17 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\GARMIN
2010-01-17 21:22 . 2010-01-17 21:22 -------- d-----w- C:\Garmin
2010-01-17 19:49 . 2010-01-17 20:25 -------- d-----w- c:\documents and settings\Maureen\Application Data\Download Manager
2010-01-17 19:39 . 2010-01-17 20:53 -------- d-----w- c:\documents and settings\Maureen\Application Data\GARMIN
2010-01-17 01:54 . 2010-01-17 01:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-17 01:47 . 2010-01-17 01:47 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-16 19:55 . 2010-01-16 19:55 -------- d-----w- c:\documents and settings\Maureen\Application Data\Malwarebytes
2010-01-16 19:55 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-16 19:55 . 2010-01-16 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-16 19:55 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-16 19:55 . 2010-01-17 01:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 03:16 . 2009-12-30 03:16 -------- d-sh--w- c:\documents and settings\Bob\PrivacIE
2009-12-30 03:14 . 2009-12-30 03:14 -------- d-sh--w- c:\documents and settings\Bob\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 16:54 . 2009-08-23 20:04 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-01-25 16:54 . 2009-08-23 20:02 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-01-25 15:36 . 2007-07-04 12:37 -------- d-----w- c:\program files\iTunes
2010-01-25 15:36 . 2007-07-04 12:34 -------- d-----w- c:\program files\QuickTime
2010-01-25 15:36 . 2007-04-08 18:25 -------- d-----w- c:\program files\DellSupport
2010-01-25 00:55 . 2004-04-13 06:25 -------- d-----w- c:\program files\Java
2010-01-24 03:49 . 2005-04-03 16:04 -------- d-----w- c:\documents and settings\Carolyn\Application Data\Viewpoint
2010-01-24 03:49 . 2005-04-03 01:34 -------- d-----w- c:\documents and settings\Gregory Arnold\Application Data\Viewpoint
2010-01-24 03:49 . 2004-04-13 06:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-01-23 02:54 . 2008-10-24 23:22 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-10 15:49 . 2004-04-20 23:23 41224 ----a-w- c:\documents and settings\Maureen\Application Data\wklnhst.dat
2010-01-10 12:39 . 2004-11-08 01:35 12086 -c--a-w- c:\documents and settings\Gregory Arnold\Application Data\wklnhst.dat
2009-12-21 19:14 . 2004-02-06 22:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-21 09:31 . 2005-09-10 18:28 -------- d-----w- c:\program files\Google
2009-12-05 18:50 . 2009-08-23 20:10 -------- d-----w- c:\documents and settings\Maureen\Application Data\Skype
2009-12-05 13:05 . 2009-08-23 20:14 -------- d-----w- c:\documents and settings\Maureen\Application Data\skypePM
2009-12-02 03:14 . 2009-12-02 02:51 -------- d-----w- c:\documents and settings\Gregory Arnold\Application Data\Skype
2009-11-21 15:51 . 2002-08-29 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2008-07-31 11:32 . 2008-07-31 11:32 27024112 -c--a-w- c:\program files\PowerPointViewer.exe
2008-03-10 18:35 . 2008-03-10 18:35 0 -c--a-w- c:\program files\temp01
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-13 8466432]
"nwiz"="nwiz.exe" [2007-08-13 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-13 81920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
c:\documents and settings\Bob\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-7-8 225280]
c:\documents and settings\Carolyn\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2003-12-5 24651]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
SMCWUSB-G 802.11g Wireless USB Utility.lnk - c:\program files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe [2006-6-26 610304]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2004-08-25 15:27 65536 -c--a-w- c:\windows\SYSTEM32\Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
2002-09-30 06:00 45056 -c--a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2002-10-29 14:18 49152 -c--a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
2003-06-02 18:25 270336 ----a-w- c:\program files\Dell AIO Printer A920\dlbkbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2003-08-06 06:04 114741 -c--a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 -c--a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 02:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2003-10-06 15:05 53248 -c--a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
2004-08-13 21:41 86016 -c--a-w- c:\program files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-27 00:47 204800 -c----w- c:\program files\Dell\Media Experience\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 05:01 110592 -c--a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 -c----w- c:\windows\Updreg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R3 ZD1211BU(Atheros);Atheros ZD1211B IEEE 802.11 Wireless LAN Driver (USB)(Atheros);c:\windows\SYSTEM32\DRIVERS\ZD1211BU.sys [4/11/2008 8:52 PM 722432]
S2 gupdate1c9aff7d14c6f00;Google Update Service (gupdate1c9aff7d14c6f00);c:\program files\Google\Update\GoogleUpdate.exe [3/28/2009 5:52 PM 133104]
S2 MtxVideo;Matrox WDM capture/crossbar driver;c:\windows\SYSTEM32\DRIVERS\mtxvideo.sys [5/4/2008 11:22 AM 103296]
S3 SysInfo;SysInfo;c:\program files\PlayOnline\SquareEnix\PlayOnlineViewer\polcfg\sysinfo.sys [8/29/2003 2:40 PM 6912]
.
Contents of the 'Scheduled Tasks' folder
2010-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]
2010-01-25 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\SYSTEM32\cleanmgr.exe [2002-08-29 00:12]
2010-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-28 22:51]
2010-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-28 22:51]
2010-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-16 17:22]
2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-16 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/home.html
uInternet Settings,ProxyOverride = *.local
Trusted Zone: dslreports.com\www
Trusted Zone: mcafee.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://www.gamehouse.com/games/gamehouse/ghplayer.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://webgames.d.tmsrv.com/c=fdb86f236d4106103ae39aef993e7860/aff=t_03cm_wg/p/release/playfirst/wg_dreamchronicles/dreamchronicles/dreamweb.1.0.0.9.cab
DPF: {E41BA393-9078-424E-9554-9DB5126F5F4C} - hxxp://www.shockwave.com/content/dreamchronicles2/sis/dream2web.1.0.0.13.cab
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Sonic RecordNow! - (no file)
HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
MSConfigStartUp-AsioReg - CTASIO.DLL
MSConfigStartUp-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
MSConfigStartUp-CTHelper - CTHELPER.EXE
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\j2re1.4.2_05\bin\jusched.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 11:56
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(5732)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\wanmpsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2010-01-25 12:11:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-25 17:11
ComboFix2.txt 2010-01-23 21:48
Pre-Run: 30,423,629,824 bytes free
Post-Run: 30,417,563,648 bytes free
- - End Of File - - 3712C78E3B94289795482FE583CADB47
ok...just fyi - I will be away from my computer for a few hours but will be back to do the next task...thank you!
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.618 [GMT -5:00]
Running from: c:\documents and settings\Maureen\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.
2010-01-25 00:56 . 2010-01-25 00:56 -------- d-----w- c:\program files\Common Files\Java
2010-01-25 00:55 . 2010-01-25 00:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-23 22:05 . 2010-01-23 22:05 -------- d-----w- c:\program files\Trend Micro
2010-01-20 17:08 . 2010-01-20 17:08 -------- d-sh--w- c:\documents and settings\Carolyn\PrivacIE
2010-01-20 17:04 . 2010-01-20 17:04 -------- d-sh--w- c:\documents and settings\Carolyn\IETldCache
2010-01-17 21:22 . 2010-01-17 21:29 -------- d-----w- c:\program files\Garmin
2010-01-17 21:22 . 2010-01-17 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\GARMIN
2010-01-17 21:22 . 2010-01-17 21:22 -------- d-----w- C:\Garmin
2010-01-17 19:49 . 2010-01-17 20:25 -------- d-----w- c:\documents and settings\Maureen\Application Data\Download Manager
2010-01-17 19:39 . 2010-01-17 20:53 -------- d-----w- c:\documents and settings\Maureen\Application Data\GARMIN
2010-01-17 01:54 . 2010-01-17 01:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-17 01:47 . 2010-01-17 01:47 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-16 19:55 . 2010-01-16 19:55 -------- d-----w- c:\documents and settings\Maureen\Application Data\Malwarebytes
2010-01-16 19:55 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-16 19:55 . 2010-01-16 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-16 19:55 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-16 19:55 . 2010-01-17 01:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 03:16 . 2009-12-30 03:16 -------- d-sh--w- c:\documents and settings\Bob\PrivacIE
2009-12-30 03:14 . 2009-12-30 03:14 -------- d-sh--w- c:\documents and settings\Bob\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 16:54 . 2009-08-23 20:04 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-01-25 16:54 . 2009-08-23 20:02 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-01-25 15:36 . 2007-07-04 12:37 -------- d-----w- c:\program files\iTunes
2010-01-25 15:36 . 2007-07-04 12:34 -------- d-----w- c:\program files\QuickTime
2010-01-25 15:36 . 2007-04-08 18:25 -------- d-----w- c:\program files\DellSupport
2010-01-25 00:55 . 2004-04-13 06:25 -------- d-----w- c:\program files\Java
2010-01-24 03:49 . 2005-04-03 16:04 -------- d-----w- c:\documents and settings\Carolyn\Application Data\Viewpoint
2010-01-24 03:49 . 2005-04-03 01:34 -------- d-----w- c:\documents and settings\Gregory Arnold\Application Data\Viewpoint
2010-01-24 03:49 . 2004-04-13 06:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-01-23 02:54 . 2008-10-24 23:22 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-10 15:49 . 2004-04-20 23:23 41224 ----a-w- c:\documents and settings\Maureen\Application Data\wklnhst.dat
2010-01-10 12:39 . 2004-11-08 01:35 12086 -c--a-w- c:\documents and settings\Gregory Arnold\Application Data\wklnhst.dat
2009-12-21 19:14 . 2004-02-06 22:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-21 09:31 . 2005-09-10 18:28 -------- d-----w- c:\program files\Google
2009-12-05 18:50 . 2009-08-23 20:10 -------- d-----w- c:\documents and settings\Maureen\Application Data\Skype
2009-12-05 13:05 . 2009-08-23 20:14 -------- d-----w- c:\documents and settings\Maureen\Application Data\skypePM
2009-12-02 03:14 . 2009-12-02 02:51 -------- d-----w- c:\documents and settings\Gregory Arnold\Application Data\Skype
2009-11-21 15:51 . 2002-08-29 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2008-07-31 11:32 . 2008-07-31 11:32 27024112 -c--a-w- c:\program files\PowerPointViewer.exe
2008-03-10 18:35 . 2008-03-10 18:35 0 -c--a-w- c:\program files\temp01
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-13 8466432]
"nwiz"="nwiz.exe" [2007-08-13 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-13 81920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
c:\documents and settings\Bob\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-7-8 225280]
c:\documents and settings\Carolyn\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2003-12-5 24651]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
SMCWUSB-G 802.11g Wireless USB Utility.lnk - c:\program files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe [2006-6-26 610304]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2004-08-25 15:27 65536 -c--a-w- c:\windows\SYSTEM32\Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
2002-09-30 06:00 45056 -c--a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2002-10-29 14:18 49152 -c--a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
2003-06-02 18:25 270336 ----a-w- c:\program files\Dell AIO Printer A920\dlbkbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2003-08-06 06:04 114741 -c--a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 -c--a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 02:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2003-10-06 15:05 53248 -c--a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
2004-08-13 21:41 86016 -c--a-w- c:\program files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-27 00:47 204800 -c----w- c:\program files\Dell\Media Experience\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 05:01 110592 -c--a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 -c----w- c:\windows\Updreg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R3 ZD1211BU(Atheros);Atheros ZD1211B IEEE 802.11 Wireless LAN Driver (USB)(Atheros);c:\windows\SYSTEM32\DRIVERS\ZD1211BU.sys [4/11/2008 8:52 PM 722432]
S2 gupdate1c9aff7d14c6f00;Google Update Service (gupdate1c9aff7d14c6f00);c:\program files\Google\Update\GoogleUpdate.exe [3/28/2009 5:52 PM 133104]
S2 MtxVideo;Matrox WDM capture/crossbar driver;c:\windows\SYSTEM32\DRIVERS\mtxvideo.sys [5/4/2008 11:22 AM 103296]
S3 SysInfo;SysInfo;c:\program files\PlayOnline\SquareEnix\PlayOnlineViewer\polcfg\sysinfo.sys [8/29/2003 2:40 PM 6912]
.
Contents of the 'Scheduled Tasks' folder
2010-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]
2010-01-25 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\SYSTEM32\cleanmgr.exe [2002-08-29 00:12]
2010-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-28 22:51]
2010-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-28 22:51]
2010-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-16 17:22]
2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-16 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/home.html
uInternet Settings,ProxyOverride = *.local
Trusted Zone: dslreports.com\www
Trusted Zone: mcafee.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://www.gamehouse.com/games/gamehouse/ghplayer.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://webgames.d.tmsrv.com/c=fdb86f236d4106103ae39aef993e7860/aff=t_03cm_wg/p/release/playfirst/wg_dreamchronicles/dreamchronicles/dreamweb.1.0.0.9.cab
DPF: {E41BA393-9078-424E-9554-9DB5126F5F4C} - hxxp://www.shockwave.com/content/dreamchronicles2/sis/dream2web.1.0.0.13.cab
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Sonic RecordNow! - (no file)
HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
MSConfigStartUp-AsioReg - CTASIO.DLL
MSConfigStartUp-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
MSConfigStartUp-CTHelper - CTHELPER.EXE
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\j2re1.4.2_05\bin\jusched.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 11:56
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(5732)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\wanmpsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2010-01-25 12:11:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-25 17:11
ComboFix2.txt 2010-01-23 21:48
Pre-Run: 30,423,629,824 bytes free
Post-Run: 30,417,563,648 bytes free
- - End Of File - - 3712C78E3B94289795482FE583CADB47
ok...just fyi - I will be away from my computer for a few hours but will be back to do the next task...thank you!
ken545
Emeritus-Security Expert
Hi
c:\program files\temp01<--This is back, did you delete it ?
c:\\Program Files\\LimeWire <--If you use file sharing programs like this one I guarantee that you will become infected again in the future. Your downloading files and whatnot from an unknown source and some include malicious code bundled with them. Its kind of like playing Russian Roulette malwarewise.
The rest of your log looks fine, how are things running now ?
c:\program files\temp01<--This is back, did you delete it ?
c:\\Program Files\\LimeWire <--If you use file sharing programs like this one I guarantee that you will become infected again in the future. Your downloading files and whatnot from an unknown source and some include malicious code bundled with them. Its kind of like playing Russian Roulette malwarewise.
The rest of your log looks fine, how are things running now ?
Hi, Ken.
I deleted LimeWire (kid's program) and the temp01 file is still there becuase I never deleted it. You asked me in post#10 if I knew what it was and although I responded about it in post#11 I didn't realize that you wanted me to delete it. I don't want to do a thing unless you have specifically asked me to do it...lol..I am a bit timid about screwing something up, I guess...
Should I go ahead and delete that temp01 file?
As I posted in my initial post, the symptoms have been on my husband's user account and it got to the point where we couldn't even establish an internet connection. So I have been doing all of this work while on my user account. My account seems to be free of issues thus far.
I just tried to connect on his account and was not able to. I switched his account to have admin rights so I could do a connection diagnostics and after running the short wizard it tells me to contact my network administrator. The connection icon in his task bar is fine and shows the connection but when I try to go to a website I get the "Internet Explorer cannot display this webpage" msg along with the "Diagnose connection problem" box. The other issue with the connection is that on his user account, the wireless sometimes connects to a neighbor's FIOS account. If I try to switch it to our account, sometimes it will work, sometimes not. I also got a msg that there was no wireless card found. After deciding to come back to my user account to post to you I tried to log off his user account and the computer froze. The desktop icons disappeared but I was still looking at his desktop screen. I ended up having to hit the button and turn the computer off. How do I check to see if his account is working normally if I can't connect to the internet?
I am seeing now that all the accounts at any given time will connect to the neighbor's FIOS account, even though it sometimes starts with our account. I'm not sure why that is happening. Even my connection right now has switched to the FIOS. His user account is the only one that I can't get connected. Should I put things on hold and call Comcast to check on things?
The task manager is also still grayed out on that one account.
It also appears that our other computer is infected but since we have been working on this one I shut it down and disconnected the internet connection. I would like to get this one cleaned up before tackling that one. I will eventually have to deal with that one but realize that I will probably have to start from the beginning by posting a new thread. I am not sure you will want to work with me on that and I completely understand if you need to move on.
Please advise me on what you think my next step should be. Thanks so much.
I deleted LimeWire (kid's program) and the temp01 file is still there becuase I never deleted it. You asked me in post#10 if I knew what it was and although I responded about it in post#11 I didn't realize that you wanted me to delete it. I don't want to do a thing unless you have specifically asked me to do it...lol..I am a bit timid about screwing something up, I guess...
Should I go ahead and delete that temp01 file?
As I posted in my initial post, the symptoms have been on my husband's user account and it got to the point where we couldn't even establish an internet connection. So I have been doing all of this work while on my user account. My account seems to be free of issues thus far.
I just tried to connect on his account and was not able to. I switched his account to have admin rights so I could do a connection diagnostics and after running the short wizard it tells me to contact my network administrator. The connection icon in his task bar is fine and shows the connection but when I try to go to a website I get the "Internet Explorer cannot display this webpage" msg along with the "Diagnose connection problem" box. The other issue with the connection is that on his user account, the wireless sometimes connects to a neighbor's FIOS account. If I try to switch it to our account, sometimes it will work, sometimes not. I also got a msg that there was no wireless card found. After deciding to come back to my user account to post to you I tried to log off his user account and the computer froze. The desktop icons disappeared but I was still looking at his desktop screen. I ended up having to hit the button and turn the computer off. How do I check to see if his account is working normally if I can't connect to the internet?
I am seeing now that all the accounts at any given time will connect to the neighbor's FIOS account, even though it sometimes starts with our account. I'm not sure why that is happening. Even my connection right now has switched to the FIOS. His user account is the only one that I can't get connected. Should I put things on hold and call Comcast to check on things?
The task manager is also still grayed out on that one account.
It also appears that our other computer is infected but since we have been working on this one I shut it down and disconnected the internet connection. I would like to get this one cleaned up before tackling that one. I will eventually have to deal with that one but realize that I will probably have to start from the beginning by posting a new thread. I am not sure you will want to work with me on that and I completely understand if you need to move on.
Please advise me on what you think my next step should be. Thanks so much.
ken545
Emeritus-Security Expert
Good Morning,
Sorry for the late reply , big storm came through our area and was without power the past 12 hours or so.
temp01 Look for this in the Add Remove programs in the Control Panel and if its there and you dont know what it is than uninstall it, then delete the folder if its still there.
As far as the problems with the other user accounts, why don't you post here as we just do malware removal on this forum.
http://forums.whatthetech.com/Microsoft_Windows_f119.html
As far as the other computer, just start a new topic for it, if I miss it one of our fine staff of helpers will pick it up.
AWF <--Drag it to the trash
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system
The above procedure will:
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Safe Surfn
Ken
Sorry for the late reply , big storm came through our area and was without power the past 12 hours or so.
temp01 Look for this in the Add Remove programs in the Control Panel and if its there and you dont know what it is than uninstall it, then delete the folder if its still there.
As far as the problems with the other user accounts, why don't you post here as we just do malware removal on this forum.
http://forums.whatthetech.com/Microsoft_Windows_f119.html
As far as the other computer, just start a new topic for it, if I miss it one of our fine staff of helpers will pick it up.
AWF <--Drag it to the trash
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system
- Click START then RUN
- Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
-
- When shown the disclaimer, Select "2"
The above procedure will:
- Delete the following:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\Deckard folder, if present
- The C:_OtMoveIt folder, if present
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Reset System Restore.
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.- Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
- WhattheTech
- Grinler BleepingComputer
- GeeksTo Go
- Dslreports
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
- Spybot Search and Destroy 1.6
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
- Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
- Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
- IE-Spyad
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
- Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Safe Surfn
Ken
Good Morning, Ken.
So sorry to hear about the power outage. Hope you had some candles and a good book!
I deleted the temp01 file again. Not sure why it is there again. It seems the PrcViewer is somehow attached to the AWF program so I guess when I drag that, it will go as well.
I'm sorry for putting up such a lengthy post last night. It seems that I have to do some reading and figuring out with the internet issues. I thought perhaps they were caused by a trojan. McAfee continues to find, repair, or quarantine trojans on my computer. Does that mean they are still there or are they okay as long as McAfee is dealing with them? McAfee is also popping up msgs that my computer is not protected. Sometimes when I hit the fix button, it will try but unsuccessfully and yet, when I close it, the McAfee home box will say I'm protected. The protection seems to go in and out. Not sure what that's about.
Anyway, thank you so much for your valuable time and most generous attention to me for the past several days. I do appreciate it tremendously! Also, thank you for all the links for recommended reading and programs. I have my work cut out for me! Thanks again and have a great day!
So sorry to hear about the power outage. Hope you had some candles and a good book!
I deleted the temp01 file again. Not sure why it is there again. It seems the PrcViewer is somehow attached to the AWF program so I guess when I drag that, it will go as well.
I'm sorry for putting up such a lengthy post last night. It seems that I have to do some reading and figuring out with the internet issues. I thought perhaps they were caused by a trojan. McAfee continues to find, repair, or quarantine trojans on my computer. Does that mean they are still there or are they okay as long as McAfee is dealing with them? McAfee is also popping up msgs that my computer is not protected. Sometimes when I hit the fix button, it will try but unsuccessfully and yet, when I close it, the McAfee home box will say I'm protected. The protection seems to go in and out. Not sure what that's about.
Anyway, thank you so much for your valuable time and most generous attention to me for the past several days. I do appreciate it tremendously! Also, thank you for all the links for recommended reading and programs. I have my work cut out for me! Thanks again and have a great day!
ken545
Emeritus-Security Expert
Lets run this scanner, not sure if McAfee is giving you false positives and why its causing issues.
Please run this free online virus scanner from ESET
Please run this free online virus scanner from ESET
- Note: You will need to use Internet explorer for this scan
- Tick the box next to YES, I accept the Terms of Use.
- Click Start
- When asked, allow the activex control to install
- Click Start
- Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
- Click Scan
- Wait for the scan to finish
- Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic
Hey, Ken...lol
Thought maybe you were happy to close this case...lol...but thank you for checking this out as well...
I am ready to run this scan but I need you to clarify your verbage.
"Ticked" means with a check or without a check in the box? I just want to be sure I am doing this scan correctly.
Just FYI - I have scheduled a service call tomorrow from my internet provider to see if we can figure out what's going on with that one user account and why the connections that work keep changing back and forth from our service to my neighbor's FIOS. Once that is figured out maybe I can confirm that our trojan issues are dealt with.
McAfee continues to go from protection mode to unprotected on its own. I'm hoping this scan will help to show what's going on with that.
I'll run the scan as soon as I hear back from you about the options. Thanks.
Thought maybe you were happy to close this case...lol...but thank you for checking this out as well...
I am ready to run this scan but I need you to clarify your verbage.
"Ticked" means with a check or without a check in the box? I just want to be sure I am doing this scan correctly.
Just FYI - I have scheduled a service call tomorrow from my internet provider to see if we can figure out what's going on with that one user account and why the connections that work keep changing back and forth from our service to my neighbor's FIOS. Once that is figured out maybe I can confirm that our trojan issues are dealt with.
McAfee continues to go from protection mode to unprotected on its own. I'm hoping this scan will help to show what's going on with that.
I'll run the scan as soon as I hear back from you about the options. Thanks.
ken545
Emeritus-Security Expert
Another words, just tick the box to remove anything it finds
It looks like someone in your household at one time connected to your neighbors network and it was saved on your computer. Go to your control panel >Network Connections and look for your neighbors connections and either delete or disable it
It looks like someone in your household at one time connected to your neighbors network and it was saved on your computer. Go to your control panel >Network Connections and look for your neighbors connections and either delete or disable it
Last edited:
Ken...
The scan is still running...has been for an hour and a half so far and only 64% done so I will post as soon as it finishes. So far it is showing one infected file.
On a side note - remember when I couldn't find the ComboFix icon on my desktop to run it again and I had to redownload and install it? I am sure the icon was on my desktop, certainly the second time. It is gone again...very strange...
I'll post when this is done...thanks.
The scan is still running...has been for an hour and a half so far and only 64% done so I will post as soon as it finishes. So far it is showing one infected file.
On a side note - remember when I couldn't find the ComboFix icon on my desktop to run it again and I had to redownload and install it? I am sure the icon was on my desktop, certainly the second time. It is gone again...very strange...
I'll post when this is done...thanks.
Here you go, Ken...I will also check into the network connections...thanks.
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=13c153fe1fba7443b3d25793a54f4475
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-27 02:12:32
# local_time=2010-01-26 09:12:32 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 179808 179808 0 0
# compatibility_mode=5121 16776613 100 96 4899495 16555646 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=220366
# found=1
# cleaned=1
# scan_time=7832
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdwareWebext.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=13c153fe1fba7443b3d25793a54f4475
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-27 02:12:32
# local_time=2010-01-26 09:12:32 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 179808 179808 0 0
# compatibility_mode=5121 16776613 100 96 4899495 16555646 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=220366
# found=1
# cleaned=1
# scan_time=7832
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdwareWebext.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ken545
Emeritus-Security Expert
Good Morning,
Same thing happened to me awhile back, my wife used my laptop when visiting her sister in another town, she picked up a signal named Linksys ( lots of people don't know about renaming it ) and she saved it . Gets home and I want to use the laptop and would you believe someone up the street from me has the same signal Linksys and my laptop kept trying to connect to it. I just had to delete it and then it worked fine.
You can post here and they can help you sort it out, this is our sister site, like Safer its free but you will need to register
http://forums.whatthetech.com/Networking_f128.html
Let me know how you make out ??
Same thing happened to me awhile back, my wife used my laptop when visiting her sister in another town, she picked up a signal named Linksys ( lots of people don't know about renaming it ) and she saved it . Gets home and I want to use the laptop and would you believe someone up the street from me has the same signal Linksys and my laptop kept trying to connect to it. I just had to delete it and then it worked fine.
You can post here and they can help you sort it out, this is our sister site, like Safer its free but you will need to register
http://forums.whatthetech.com/Networking_f128.html
Let me know how you make out ??
Good Morning, Ken.
Thanks for the info. I am also using a Linksys so hopefully the techs coming today will get us squared away. I just can't seem to figure out how to delete the several signals that are "available" to us.
I am hoping since my antivirus is also through my provider that they will help me figure out why it keeps shutting itself down and starting itself back up again (or not). I did run another McAfee scan and it found an Artemis! in two files and quarantined them. Maybe that's the issue? I will shut down internet access when I'm done here just to be safe.
Is there a reason why the worm that was found in last night's scan was not found before by other scans? Malwarebytes scan didn't find it either. Just curious. These buggers are terrible!
Thanks again for all your help and I will continue to plug along! I will certainly let you know how I make out! Take care.
Thanks for the info. I am also using a Linksys so hopefully the techs coming today will get us squared away. I just can't seem to figure out how to delete the several signals that are "available" to us.
I am hoping since my antivirus is also through my provider that they will help me figure out why it keeps shutting itself down and starting itself back up again (or not). I did run another McAfee scan and it found an Artemis! in two files and quarantined them. Maybe that's the issue? I will shut down internet access when I'm done here just to be safe.
Is there a reason why the worm that was found in last night's scan was not found before by other scans? Malwarebytes scan didn't find it either. Just curious. These buggers are terrible!
Thanks again for all your help and I will continue to plug along! I will certainly let you know how I make out! Take care.
ken545
Emeritus-Security Expert
With Malware writers constantly changing there tactics and the files and what not they use, there really is no silver bullet to catch it all. Most of the tools we use get most of it but other scans need to be run also , what one misses the other finds...its never ending.
Ken
Ken
Hey, Ken.
I have been doing some tinkering and while I wait for the network guy to get here I thought I'd run a Malwarebyte scan on my husband's user account (the one that seems to be the one affected the most by the infection). Much to my dismay there were 6 infected items found. The task bar gray-out has been solved, although I'm not sure why that registry issue didn't show up sooner. I am including the txt file in hopes that maybe you can help me to understand more clearly.
I'm not clear on why, when I ran all the scans on my user account under your direction, these were not picked up. If I run a malware scan on one user account, shouldn't it pick up infections from all user accounts? I thought there was only one "common" hard drive in which all user accounts are serviced. Does this mean that every user account on my computer has to be scanned individually? McAfee along with whatever additional programs I end up installing?
Thank you, once again, for allowing me to take more of your time.
Malwarebytes' Anti-Malware 1.44
Database version: 3645
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
1/27/2010 1:31:36 PM
mbam-log-2010-01-27 (13-31-11).txt
Scan type: Full Scan (C:\|)
Objects scanned: 402966
Time elapsed: 1 hour(s), 42 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> No action taken.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouuxwnw (Trojan.FakeAlert.N) -> No action taken.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
I have been doing some tinkering and while I wait for the network guy to get here I thought I'd run a Malwarebyte scan on my husband's user account (the one that seems to be the one affected the most by the infection). Much to my dismay there were 6 infected items found. The task bar gray-out has been solved, although I'm not sure why that registry issue didn't show up sooner. I am including the txt file in hopes that maybe you can help me to understand more clearly.
I'm not clear on why, when I ran all the scans on my user account under your direction, these were not picked up. If I run a malware scan on one user account, shouldn't it pick up infections from all user accounts? I thought there was only one "common" hard drive in which all user accounts are serviced. Does this mean that every user account on my computer has to be scanned individually? McAfee along with whatever additional programs I end up installing?
Thank you, once again, for allowing me to take more of your time.
Malwarebytes' Anti-Malware 1.44
Database version: 3645
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
1/27/2010 1:31:36 PM
mbam-log-2010-01-27 (13-31-11).txt
Scan type: Full Scan (C:\|)
Objects scanned: 402966
Time elapsed: 1 hour(s), 42 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> No action taken.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouuxwnw (Trojan.FakeAlert.N) -> No action taken.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Oops...
Ken...so sorry, I copied the logfile created before removal...here is the one saved after removal of found items....
Malwarebytes' Anti-Malware 1.44
Database version: 3645
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
1/27/2010 1:31:36 PM
mbam-log-2010-01-27 (13-31-11).txt
Scan type: Full Scan (C:\|)
Objects scanned: 402966
Time elapsed: 1 hour(s), 42 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> No action taken.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouuxwnw (Trojan.FakeAlert.N) -> No action taken.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Ken...so sorry, I copied the logfile created before removal...here is the one saved after removal of found items....
Malwarebytes' Anti-Malware 1.44
Database version: 3645
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
1/27/2010 1:31:36 PM
mbam-log-2010-01-27 (13-31-11).txt
Scan type: Full Scan (C:\|)
Objects scanned: 402966
Time elapsed: 1 hour(s), 42 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> No action taken.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouuxwnw (Trojan.FakeAlert.N) -> No action taken.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Hi, Ken.
I'm not sure if you are even checking up on this thread but thought I would post and let you know what's up.
The internet tech came to help me with the internet access issues that we were having and it seems that the signal issues have been remedied. My antivirus is now working fine(I have uninstalled McAfee and installed MS Security Essentials)without the lapses of internet access that were part of the problem.
That said, his answer to IE8 not working on my husband's user account only was to install Firefox and just not use IE8. I am disappointed in his choosing the easy way out because my gut tells me there are still unresolved issues but for now that's fine. My husband's user account seems to be working fine...for now.
I'm not sure whether to wait for things to get screwy and then post anew here or, if you are up to dealing with me again, start from scratch, now that there is internet access from that user account. The Malwarebytes program, on his user account only, will not update. On all other user accounts it is fine. I just have a small red flag waving in the distance.
Now that I have internet access on that account, I can download and run the two programs that are asked of us in the "Before you post" section from the user account in question and then post the logfiles. What do you think?
Thank you again for your time, advice, help and patience.
Maureen
I'm not sure if you are even checking up on this thread but thought I would post and let you know what's up.
The internet tech came to help me with the internet access issues that we were having and it seems that the signal issues have been remedied. My antivirus is now working fine(I have uninstalled McAfee and installed MS Security Essentials)without the lapses of internet access that were part of the problem.
That said, his answer to IE8 not working on my husband's user account only was to install Firefox and just not use IE8. I am disappointed in his choosing the easy way out because my gut tells me there are still unresolved issues but for now that's fine. My husband's user account seems to be working fine...for now.
I'm not sure whether to wait for things to get screwy and then post anew here or, if you are up to dealing with me again, start from scratch, now that there is internet access from that user account. The Malwarebytes program, on his user account only, will not update. On all other user accounts it is fine. I just have a small red flag waving in the distance.
Now that I have internet access on that account, I can download and run the two programs that are asked of us in the "Before you post" section from the user account in question and then post the logfiles. What do you think?
Thank you again for your time, advice, help and patience.
Maureen