BDigital

Infected:PopUps & Homepage Change


Hello,

 

My computer has become infected resulting in:

 

1) Constant pop ups (like every minute) saying my computer has been infected with spyware and trying to get me to download spyware software

2) My homepage changes to C:\windows\system32\spywarewarning.mht

3) A red tray icon next to the clock saying that I have been infected

 

I've scanned my computer with AVG, Spybot, Spyware Doctor, and SmitfraudFix and can't get rid of it.

This problem seems to be similar to the one from this thread a few months back: http://www.bleepingcomputer.com/forums/ind...amp;hl=chenzln1

 

I have pasted my HijackThis log below. Any help that can be provided would be greatly appreciated!!

 

-----

 

Logfile of HijackThis v1.99.1

Scan saved at 6:19:51 AM, on 6/1/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe

C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\000080a.exe

C:\Program Files\Dell Photo Printer 720\dlbcserv.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Bobby Orr\My Documents\Documents\Programs\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html?p=DS

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [iEUpdate] C:\WINDOWS\system32\000080a.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\RunServices: [iEUpdate] C:\WINDOWS\system32\000080a.exe

O4 - HKCU\..\Run: [iEUpdate] C:\WINDOWS\system32\000080a.exe

O4 - HKCU\..\RunServices: [iEUpdate] C:\WINDOWS\system32\000080a.exe

O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax3518.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe (file missing)


Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a HJT log and start a new topic.

 

 

Hi and welcome

 

C:\Documents and Settings\Bobby Orr\My Documents\Documents\Programs\HijackThis.exe

HJT needs its own folder and needs to be located on the desktop.

 

 

Spyware Doctor's OnGuard protective functionality may interfere with certain HijackThis fixes we need to make. Please follow these instructions to disable it:

 

To deactivate Spyware Doctor's OnGuard Tools

1. From within Spyware Doctor, click the "OnGuard" button on the left side.

2. Uncheck "Activate OnGuard".

You can reenable it once your system is clean.

 

 

 

 

 

 

On this machine you are using AVG8 and Norton AntiVirus\Internet Security

This causes system clashes and instability, and the possibility of false reports with a huge waste of system resources. While this may seem like greater protection, it can cause problems including slowdowns and system hangs.

You can keep both programs, but you must disable the real-time component of one AntiVirus, keeping it as an on-demand scanner, while the other AV will provide a real-time protection.

The alternative is to uninstall one AV and keep the other.

 

You make the call and if you need help uninstalling one please let me know.

 

 

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

 

 

Please follow the below instructions and in the order given.

 

 

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)

O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)

O4 - HKLM\..\Run: [iEUpdate] C:\WINDOWS\system32\000080a.exe

O4 - HKLM\..\RunServices: [iEUpdate] C:\WINDOWS\system32\000080a.exe

O4 - HKCU\..\Run: [iEUpdate] C:\WINDOWS\system32\000080a.exe

O4 - HKCU\..\RunServices: [iEUpdate] C:\WINDOWS\system32\000080a.exe

 

 

 

 

NEXT**

Download SDFix or from Here and save it to your Desktop

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.cmd to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

  • Finally paste the contents of the SDFix Report.txt back on the forum with a new HijackThis log

 

 

 

 

NEXT**

Please download Malwarebytes' Anti-Malware to your desktop

 

Additional Link

 

* Double-click mbam-setup.exe and follow the prompts to install the program.

* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform quick scan, then click Scan.

* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.

* You can also access the log by doing the following:

 

o Click on the Malwarebytes' Anti-Malware icon to launch the program.

o Click on the Logs tab.

o Click on the log at the bottom of those listed to highlight it.

o Click Open.

 

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Next** we need to use ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

 

Please ensure you read this guide carefully and install the Recovery Console first.

 

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

 

Once installed, you should see a blue screen prompt that says:

 

The Recovery Console was successfully installed.

 


 

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

 

 

You DO NOT need to have the Windows CD to install Recovery Console!

Windows 2000 users will need to install the Recovery Console from their installation CD

 

The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware.

 

 

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.

Don't select to run the Recovery Console as we don't need it.

By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

 

 

 

In your next reply please post:

SDFix report.txt

Malwarebytes_Anti-Malware log

ComboFix.txt log

New HJT log taken after the above scans have run

 

You may need several replies to post the requested logs, otherwise they might get cut off.

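The seven entries the helper asked to have fixed share a few recognisable traits in the HijackThis log above: an R0 start page that points at a local file rather than a URL, an R3 URLSearchHook and an O2 BHO registered to a DLL marked "(file missing)", and one executable (000080a.exe) registered under four different O4 autorun keys, including the legacy RunServices key. The script below is an added example written for this page, not HijackThis's own code and not anything posted by the thread's participants. It embeds a constructed subset of the log posted above as sample input and flags entries by those traits; the function names, regular expressions and reason strings are my own. It is a triage aid for reading HJT logs, not a substitute for the judgement of whoever reviews the log.

```python
"""Triage a HijackThis v1.99-style log for the entry types flagged in this thread.

Added example; not HijackThis code. Rules are heuristics derived from the
thread: local-file start pages, dangling browser hooks/BHOs, and one target
registered under several O4 autorun keys or under RunServices.
"""
import re
from collections import defaultdict

# Constructed sample input: a subset of the HijackThis log posted in the thread,
# with a few benign lines kept so the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iEUpdate] C:\WINDOWS\system32\000080a.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunServices: [iEUpdate] C:\WINDOWS\system32\000080a.exe
O4 - HKCU\..\Run: [iEUpdate] C:\WINDOWS\system32\000080a.exe
O4 - HKCU\..\RunServices: [iEUpdate] C:\WINDOWS\system32\000080a.exe
O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe (file missing)
"""

# O4 line: "O4 - HKLM\..\Run: [name] command"  (hive, key, name, command)
O4_RE = re.compile(r'^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$')
# R0/R1 whose value is a local drive path rather than a URL
R_LOCAL_RE = re.compile(r'^R[01] - .*= [A-Za-z]:\\')


def o4_target(cmd):
    """Normalise an O4 command to its executable path (quotes and arguments removed)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd.lower()
    m = re.match(r'(.*?\.exe)', cmd, re.I)
    return (m.group(1) if m else cmd).lower()


def triage(log_text):
    """Return a list of (line, reason) for entries that match one of the rules."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]

    # Pass 1: which autorun keys does each executable appear under?
    o4_keys = defaultdict(set)
    for ln in lines:
        m = O4_RE.match(ln)
        if m:
            hive, key, _name, cmd = m.groups()
            o4_keys[o4_target(cmd)].add(f"{hive}\\{key}")

    # Pass 2: apply the rules line by line, preserving log order
    findings = []
    for ln in lines:
        if R_LOCAL_RE.match(ln):
            findings.append((ln, "browser start/search page points at a local file"))
        elif ln.startswith(("R3 -", "O2 -")) and ln.endswith("(file missing)"):
            findings.append((ln, "browser hook/BHO registered to a DLL that no longer exists"))
        else:
            m = O4_RE.match(ln)
            if not m:
                continue
            hive, key, _name, cmd = m.groups()
            keys = o4_keys[o4_target(cmd)]
            if key.startswith("RunServices"):
                findings.append((ln, "uses the legacy Windows 9x RunServices key"))
            elif len(keys) > 1:
                findings.append((ln, f"same executable registered under {len(keys)} autorun keys"))
    return findings


def fix_list(log_text):
    """Just the log lines, in the form a helper would paste back for 'fix checked'."""
    return [ln for ln, _ in triage(log_text)]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Running it against the sample prints the same seven lines the helper listed, and nothing else: the Acrobat BHO, the Intel and iTunes Run entries and the O23 service line are left alone. The "(file missing)" rule is deliberately limited to R3/O2 entries; the O23 line carries the same marker only because of the way its quoted command line was recorded, which is why a per-section rule is safer than a global string match.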

Thanks for the quick reply. Here's an update on my end.

 

After posting my original post, I ran ComboFix (had to run it in safe mode) and that seemed to solve the problem of the "You may be infected" pop-ups and the changing homepage. What it didn't fix (which I didn't mention in my original post) was the frequent IE crashing that occurred (specifically when I searched on Yahoo or tried to post messages on certain message boards). That still happens, so I basically just switched to Firefox and have been fine. Nonetheless, I want to make sure all the nasty stuff was properly removed. So with that said, here are the requested logs that I could generate. Two notes:

 

1) SDFix seemed to run properly but when it restarted and the prompt said "Finishing Malware check...Please wait", it just stayed at that point for over an hour so I closed out of it. Here is all that was generated in the Report.txt:

 

SDFix: Version 1.187

Run by Bobby Orr on Sun 06/01/2008 at 08:25 PM

 

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

 

Checking Services :

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

 

2) Here is the MBAM log:

 

Malwarebytes' Anti-Malware 1.14

Database version: 814

 

9:41:00 PM 6/1/2008

mbam-log-6-1-2008 (21-41-00).txt

 

Scan type: Quick Scan

Objects scanned: 34655

Time elapsed: 7 minute(s), 36 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\1EC.tmp (Adware.PurityScan) -> Quarantined and deleted successfully.

C:\B5.tmp (Adware.PurityScan) -> Quarantined and deleted successfully.

C:\C95.tmp (Adware.PurityScan) -> Quarantined and deleted successfully.

C:\msisetup.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

 

3) When I first ran ComboFix (before your response), it only seemed to run when I was in safe mode...the start-up loading bar would appear but once it filled up, nothing would happen. It worked in safe mode but upon running and auto-rebooting, similar to SDFix, it seemed to time out/stall upon startup and did not generate a ComboFix.txt log. I tried again just now to run it in non-safe mode with all of my spyware protection programs shut down but, again, no such luck in getting it to do anything. I did not try running it in safe mode again.

 

4) Here is the latest HJT log (I moved it to my desktop):

 

Logfile of HijackThis v1.99.1

Scan saved at 9:57 PM, on 6/1/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Norton Internet Security\ISSVC.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe

C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\Dell Photo Printer 720\dlbcserv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe

C:\WINDOWS\system32\attrib.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Documents and Settings\Bobby Orr\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax3518.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe (file missing)

 

I know ideally I would have been able to produce all 4 of the requested logs but SDFix and ComboFix stalled on me. Let me know if you have any further suggestions.

 

THANKS!!

Edited by BDigital


Welcome back

SDFix seemed to run properly but when it restarted and the prompt said "Finishing Malware check...Please wait", it just stayed at that point for over an hour so I closed out of it.

Sometimes Antivirus and Firewalls can cause this hangup.

 

That was the full report.txt from SDFix?

 

Go to Start > Run and copy/paste the following, then press the Enter key:

C:\ComboFix.txt

A text file will open. That's what I need to see.

 

Using AVG8 and Norton AntiVirus\Internet Security on the machine is going to cause some problems.

 

 

I've got to see some kind of logs to see what might be on the machine.

 

 

 

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).

Use Save As to save both Notepad files to your Desktop and post them in your next reply.

Note:A copy of these files can be found in you root drive, usually C:\Deckard\System Scanner\

 

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

 

 

 

 

NEXT**

Go to Start > Control Panel > Internet Options

In the General tab, Temporary Internet Files, click: Delete Files

When prompted, check: Delete all offline content

You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)

Click OK

 

 

 

 

NEXT**

*Note

It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

 

Click Yes, when prompted to install its ActiveX component.

(Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)

Or use Firefox with IE-Tab plugin

https://addons.mozilla.org/en-US/firefox/addon/1419

The program launches and downloads the latest definition files.

  • Once the files are downloaded, click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database: Extended
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer

When the scan is done, in the Scan is completed window (below), any infection is displayed.

There is no option to clean/disinfect; however, we need to analyze the information.

[Screenshot: Kaspersky Online Scanner "Scan is completed" window, with the Save Report As button marked]

 

To obtain the report:

Click on: Save Report As (above - red blinking arrow)

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar

In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

 

 

 

In your next reply post:

ComboFix.txt

DSS log

Kaspersky log

New HJT log


Hello,

 

I'll post each log as a separate reply to keep things cleaner.

 

1) ComboFix.txt

 

I tried running ComboFix in safe mode again and this time it worked fine.

 

ComboFix 08-05-29.1 - Bobby Orr 2008-06-02 21:06:56.2 - NTFSx86 MINIMAL

Running from: C:\Documents and Settings\Bobby Orr\Desktop\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

C:\WINDOWS\megavid.cdt

C:\WINDOWS\muotr.so

C:\WINDOWS\system32\000080.exe

C:\WINDOWS\system32\000090.exe

C:\WINDOWS\system32\clbdll.dll

C:\WINDOWS\system32\clbinit.dll

C:\WINDOWS\system32\drivers\clbdriver.sys

C:\WINDOWS\system32\drivers\npf.sys

C:\WINDOWS\system32\MSINET.oca

C:\WINDOWS\system32\pac.txt

C:\WINDOWS\system32\packet.dll

C:\WINDOWS\system32\pthreadVC.dll

C:\WINDOWS\system32\spywarewarning.mht

C:\WINDOWS\system32\wpcap.dll

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_CLBDRIVER

 

 

((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))

.

 

2008-06-02 20:41 . 2008-06-02 20:41 <DIR> d-------- C:\Deckard

2008-06-01 21:32 . 2008-06-01 21:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-06-01 21:32 . 2008-06-01 21:32 <DIR> d-------- C:\Documents and Settings\Bobby Orr\Application Data\Malwarebytes

2008-06-01 21:32 . 2008-06-01 21:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-06-01 21:32 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys

2008-06-01 21:32 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-06-01 20:21 . 2008-06-01 20:21 <DIR> d-------- C:\WINDOWS\ERUNT

2008-06-01 20:17 . 2008-06-01 20:30 <DIR> d-------- C:\SDFix

2008-06-01 16:49 . 2008-06-01 16:49 1,160 --a------ C:\WINDOWS\mozver.dat

2008-06-01 16:21 . 2008-06-01 16:21 <DIR> d-------- C:\Documents and Settings\Bobby Orr\Application Data\Talkback

2008-06-01 16:21 . 2008-06-01 16:21 0 --a------ C:\WINDOWS\nsreg.dat

2008-06-01 14:47 . 2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat

2008-06-01 14:47 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui

2008-06-01 14:47 . 2008-03-01 09:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll

2008-06-01 14:47 . 2008-03-01 09:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll

2008-06-01 14:47 . 2008-03-01 09:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll

2008-06-01 14:47 . 2008-03-01 09:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll

2008-06-01 14:47 . 2008-03-01 09:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll

2008-06-01 14:47 . 2008-02-22 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-06-01 14:46 . 2008-03-01 09:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll

2008-06-01 12:12 . 2008-06-01 12:12 3,726 --a------ C:\WINDOWS\system32\tmp.reg

2008-06-01 04:57 . 2008-06-02 12:49 <DIR> d--h----- C:\$AVG8.VAULT$

2008-06-01 04:48 . 2008-06-01 04:48 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg

2008-06-01 04:48 . 2008-06-01 04:48 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys

2008-06-01 04:48 . 2008-06-01 04:48 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll

2008-06-01 04:47 . 2008-06-01 04:47 <DIR> d-------- C:\Program Files\AVG

2008-06-01 04:47 . 2008-06-01 04:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8

2008-06-01 02:56 . 2008-06-01 02:56 96,768 -r-hs---- C:\WINDOWS\system32\000080a.exe

2008-06-01 02:56 . 2004-08-04 06:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

2008-06-01 02:55 . 2008-06-01 20:28 <DIR> d-------- C:\WINDOWS\system32\vntiho06

2008-06-01 02:55 . 2008-06-01 02:55 <DIR> d-------- C:\Temp\vtmp2

2008-06-01 02:55 . 2008-06-01 02:55 <DIR> d-------- C:\Temp

2008-06-01 02:53 . 2008-06-01 02:53 30,728 --a------ C:\WINDOWS\444.471

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-03 00:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-06-01 10:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-06-01 10:33 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2008-06-01 07:47 --------- d-----w C:\Program Files\Spyware Doctor

2008-05-17 19:56 69,632 ----a-w C:\WINDOWS\system32\userinit.exe

2008-04-27 19:09 --------- d-----w C:\Documents and Settings\Bobby Orr\Application Data\Move Networks

2008-04-13 05:02 --------- d-----w C:\Program Files\iTunes

2008-04-13 05:01 --------- d-----w C:\Program Files\iPod

2008-04-13 04:59 --------- d-----w C:\Program Files\QuickTime

2008-04-13 04:55 --------- d-----w C:\Program Files\Apple Software Update

2008-04-13 04:54 --------- d-----w C:\Program Files\Common Files\Apple

2008-04-13 04:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple

2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll

2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys

2008-02-05 18:45 39,504 ----a-w C:\Documents and Settings\Bobby Orr\Application Data\GDIPFONTCACHEV1.DAT

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42 1404928]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]

"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-03-15 16:33 48752]

"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-07-14 19:37 100056]

"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-03-12 07:25 11776]

"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-01 04:48 1177368]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-07-16 13:53:08 315392]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=avgrsstx.dll

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

 

S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-01 04:48]

S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-01 04:48]

S2 WUSB54GSCSVC;WUSB54GSCSVC;"C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe" []

S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-09-22 16:33]

 

*Newly Created Service* - AEC

*Newly Created Service* - DMUSIC

*Newly Created Service* - KMIXER

*Newly Created Service* - SPLITTER

*Newly Created Service* - SWMIDI

*Newly Created Service* - SYSAUDIO

*Newly Created Service* - WDMAUD

.

Contents of the 'Scheduled Tasks' folder

"2008-06-03 00:42:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2008-05-31 01:50:27 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Bobby Orr.job"

- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task:

"2008-06-03 00:58:52 C:\WINDOWS\Tasks\Symantec NetDetect.job"

- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-02 21:10:14

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-06-02 21:12:16

ComboFix-quarantined-files.txt 2008-06-03 01:11:58

 

Pre-Run: 3,876,589,568 bytes free

Post-Run: 3,883,716,608 bytes free

 

164 --- E O F --- 2008-06-02 07:01:37


2) DSS log

 

I tried running this in non-safe mode and it stalled at "Reviewing Registry" (or something along those lines), so I tried it in safe mode and it seemed to work fine:

 

Deckard's System Scanner v20071014.68

Run by Bobby Orr on 2008-06-02 21:13:15

Computer is in Safe Mode.

--------------------------------------------------------------------------------

 

-- System Restore --------------------------------------------------------------

 

 

 

-- Last 5 Restore Point(s) --

40: 2008-06-03 00:42:54 UTC - RP1008 - Deckard's System Scanner Restore Point

39: 2008-06-02 07:00:31 UTC - RP1007 - Software Distribution Service 3.0

38: 2008-06-01 18:56:48 UTC - RP1006 - Software Distribution Service 3.0

37: 2008-06-01 18:55:36 UTC - RP1005 - Installed Windows Internet Explorer 7.

36: 2008-06-01 18:53:30 UTC - RP1004 - Installed Windows IDNMitigationAPIs.

 

 

-- First Restore Point --

1: 2008-04-30 19:19:09 UTC - RP969 - System Checkpoint

 

 

Backed up registry hives.

Performed disk cleanup.

 

Total Physical Memory: 510 MiB (512 MiB recommended).

System Drive C: has 3.63 GiB (less than 15%) free.

 

 

-- HijackThis (run as Bobby Orr.exe) -------------------------------------------

 

Unable to find log (file not found); running clone.

-- HijackThis Clone ------------------------------------------------------------

 

 

Emulating logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2008-06-02 21:14:17

Platform: Windows XP Service Pack 2 (5.01.2600)

MSIE: Internet Explorer (7.00.6000.16640)

Boot mode: Safe mode

 

Running processes:

C:\WINDOWS\system32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Bobby Orr\Desktop\dss.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program Files\Spyware Doctor\tools\iesdsg.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program Files\Spyware Doctor\tools\iesdpb.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVShExt.dll

O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVShExt.dll

O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\Program Files\TextAloud\TAForIE.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\NPJPI150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\NPJPI150_04.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program Files\Spyware Doctor\tools\iesdpb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax3518.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: ISSVC - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\symwsc.exe

O23 - Service: WUSB54GSCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe

 

 

--

End of file - 8395 bytes

 

-- HijackThis Fixed Entries (C:\DOCUME~1\BOBBYO~1\Desktop\backups\) ------------

 

backup-20080601-201143-307 O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)

 

-- File Associations -----------------------------------------------------------

 

.js - JSFile - shell\open\command - %SystemRoot%\System32\CScript.exe "%1" %*

.vbs - VBSFile - shell\open\command - %SystemRoot%\System32\CScript.exe "%1" %*

 

 

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

 

R4 catchme - c:\combofix\catchme.sys (file missing)

 

S2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>

S3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S3 SndTDriverV32 - c:\windows\system32\drivers\sndtdriverv32.sys <Not Verified; Windows ® 2000/XP; Windows ® 2000/XP Driver>

 

 

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

 

S2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

 

 

-- Device Manager: Disabled ----------------------------------------------------

 

No disabled devices found.

 

 

-- Scheduled Tasks -------------------------------------------------------------

 

2008-06-02 20:58:52 372 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job

2008-06-02 20:42:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

2008-05-30 21:50:27 556 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Bobby Orr.job

 

 

-- Files created between 2008-05-02 and 2008-06-02 -----------------------------

 

2008-06-01 22:20:07 0 d-------- C:\Documents and Settings\LocalService\Application Data\Symantec

2008-06-01 21:32:09 0 d-------- C:\Documents and Settings\Bobby Orr\Application Data\Malwarebytes

2008-06-01 21:32:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-06-01 21:32:02 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-06-01 20:21:02 0 d-------- C:\WINDOWS\ERUNT

2008-06-01 16:49:47 1160 --a------ C:\WINDOWS\mozver.dat

2008-06-01 16:21:30 0 d-------- C:\Documents and Settings\Bobby Orr\Application Data\Talkback

2008-06-01 16:21:11 0 --a------ C:\WINDOWS\nsreg.dat

2008-06-01 16:21:04 0 d-------- C:\Documents and Settings\Bobby Orr\Application Data\Mozilla

2008-06-01 14:49:10 0 d-------- C:\WINDOWS\network diagnostic

2008-06-01 13:33:49 68096 --a------ C:\WINDOWS\zip.exe

2008-06-01 13:33:49 49152 --a------ C:\WINDOWS\VFind.exe

2008-06-01 13:33:49 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>

2008-06-01 13:33:49 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>

2008-06-01 13:33:49 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>

2008-06-01 13:33:49 98816 --a------ C:\WINDOWS\sed.exe

2008-06-01 13:33:49 80412 --a------ C:\WINDOWS\grep.exe

2008-06-01 13:33:49 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >

2008-06-01 12:12:47 3726 --a------ C:\WINDOWS\system32\tmp.reg

2008-06-01 04:57:49 0 d--h----- C:\$AVG8.VAULT$

2008-06-01 04:48:16 0 d-------- C:\WINDOWS\system32\drivers\Avg

2008-06-01 04:47:59 0 d-------- C:\Program Files\AVG

2008-06-01 04:47:58 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8

2008-06-01 02:56:13 96768 -r-hs---- C:\WINDOWS\system32\000080a.exe

2008-06-01 02:55:53 0 d-------- C:\WINDOWS\system32\vntiho06

2008-06-01 02:55:52 0 d-------- C:\Temp

 

 

-- Find3M Report ---------------------------------------------------------------

 

2008-06-02 20:43:57 0 d-------- C:\Program Files\Common Files\Symantec Shared

2008-06-02 03:10:28 0 d-------- C:\Program Files\Common Files

2008-06-01 16:50:04 0 d-------- C:\Documents and Settings\Bobby Orr\Application Data\Adobe

2008-06-01 03:47:14 0 d-------- C:\Program Files\Spyware Doctor

2008-05-17 15:56:16 69632 --a------ C:\WINDOWS\system32\userinit.exe

2008-04-27 15:09:10 0 d-------- C:\Documents and Settings\Bobby Orr\Application Data\Move Networks

2008-04-13 01:02:02 0 d-------- C:\Program Files\iTunes

2008-04-13 01:01:47 0 d-------- C:\Program Files\iPod

2008-04-13 00:59:23 0 d-------- C:\Program Files\QuickTime

2008-04-13 00:55:41 0 d-------- C:\Program Files\Apple Software Update

2008-04-13 00:54:44 0 d-------- C:\Program Files\Common Files\Apple

 

 

-- Registry Dump ---------------------------------------------------------------

 

*Note* empty entries & legit default entries are not shown

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 20:42]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [06/03/2005 03:52]

"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 17:19]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [12/06/2004 02:05]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 17:50]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 17:50]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [03/15/2005 16:33]

"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [07/14/2005 19:37]

"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [03/12/2005 07:25]

"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 10:35]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 10:32]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 10:36]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 23:37]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36]

"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/01/2008 04:48]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [7/16/2005 1:53:08 PM]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"HideLegacyLogonScripts"=0 (0x0)

"HideLogoffScripts"=0 (0x0)

"RunLogonScriptSync"=1 (0x1)

"RunStartupScriptSync"=0 (0x0)

"HideStartupScripts"=0 (0x0)

"DisableRegistryTools"=0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"HideLegacyLogonScripts"=0 (0x0)

"HideLogoffScripts"=0 (0x0)

"RunLogonScriptSync"=1 (0x1)

"RunStartupScriptSync"=0 (0x0)

"HideStartupScripts"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=avgrsstx.dll

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

 

*Newly Created Service* - AEC

*Newly Created Service* - DMUSIC

*Newly Created Service* - KMIXER

*Newly Created Service* - SPLITTER

*Newly Created Service* - SWMIDI

*Newly Created Service* - SYSAUDIO

*Newly Created Service* - WDMAUD

 

 

 

-- End of Deckard's System Scanner: finished at 2008-06-02 21:15:03 ------------

 

Deckard's System Scanner v20071014.68

Extra logfile - please post this as an attachment with your post.

--------------------------------------------------------------------------------

 

-- System Information ----------------------------------------------------------

 

Microsoft Windows XP Home Edition (build 2600) SP 2.0

Architecture: X86; Language: English

 

CPU 0: Intel® Pentium® 4 CPU 3.00GHz

CPU 1: Intel® Pentium® 4 CPU 3.00GHz

Percentage of Memory in Use: 31%

Physical Memory (total/avail): 509.98 MiB / 349.43 MiB

Pagefile Memory (total/avail): 1248.75 MiB / 1177.28 MiB

Virtual Memory (total/avail): 2047.88 MiB / 1938.05 MiB

 

C: is Fixed (NTFS) - 33.97 GiB total, 3.63 GiB free.

D: is CDROM (No Media)

 

\\.\PHYSICALDRIVE0 - WDC WD400BB-75JHC0 - 37.25 GiB - 3 partitions

\PARTITION0 - Unknown - 39.19 MiB

\PARTITION1 (bootable) - Installable File System - 33.97 GiB - C:

\PARTITION2 - Unknown - 3.23 GiB

 

 

 

-- Security Center -------------------------------------------------------------

 

AUOptions is scheduled to auto-install.

Windows Internal Firewall is disabled.

 

FirstRunDisabled is set.

AntiVirusDisableNotify is set.

 

FW: Norton Internet Security v2005 (Symantec Corporation)

AV: AVG Anti-Virus Free v8.0 (AVG Technologies) Outdated

AV: Norton Internet Security v2005 (Symantec Corporation) Outdated

 

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

 

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

 

 

-- Environment Variables -------------------------------------------------------

 

ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Bobby Orr\Application Data

CLASSPATH=.;C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip

CLIENTNAME=Console

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=BOBBY

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Bobby Orr

LOGONSERVER=\\BOBBY

NUMBER_OF_PROCESSORS=2

OS=Windows_NT

Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel

PROCESSOR_LEVEL=15

PROCESSOR_REVISION=0401

ProgramFiles=C:\Program Files

PROMPT=$P$G

QTJAVA=C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip

SAFEBOOT_OPTION=MINIMAL

SESSIONNAME=Console

SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\BOBBYO~1\LOCALS~1\Temp

TMP=C:\DOCUME~1\BOBBYO~1\LOCALS~1\Temp

USERDOMAIN=BOBBY

USERNAME=Bobby Orr

USERPROFILE=C:\Documents and Settings\Bobby Orr

windir=C:\WINDOWS

 

 

-- User Profiles ---------------------------------------------------------------

 

Bobby Orr (admin)

 

 

-- Add/Remove Programs ---------------------------------------------------------

 

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}

--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}

Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe

Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}

AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=

Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}

Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}

AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL

CC_ccProxyExt --> MsiExec.exe /I{DA42FDCA-7C5A-43EF-9A05-CCE148ADF919}

ccCommon --> MsiExec.exe /I{D8F6834B-D5E7-4451-8681-B051ABD8561D}

ccPxyCore --> MsiExec.exe /I{FC08587A-4F01-4188-819F-F55880022917}

Compact Wireless-G USB Network Adapter with SpeedBooster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{65563451-00B6-458C-9F9A-03A7757355A6}\setup.exe" -l0x9

Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s

Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}

Dell Photo Printer 720 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBCUN5C.EXE -dDell Photo Printer 720

Dell Photo Printer 720 Logger --> C:\Program Files\Dell Photo Printer 720\dlbcunst.exe

Dell Picture Studio v3.0 --> MsiExec.exe /I{AF06CAE4-C134-44B1-B699-14FBDB63BD37}

Dell Support 5.0.0 (630) --> rundll32 C:\PROGRA~1\DELLSU~1\AUInst.dll,ExUninstall

DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC

DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER

HijackThis 1.99.1 --> C:\Documents and Settings\Bobby Orr\Desktop\HijackThis.exe /uninstall

Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572

Intel® PRO Network Adapters and Drivers --> Prounstl.exe

Intel® PROSet for Wired Connections --> MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}

Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}

iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}

J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}

Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}

Jasc Paint Shop Photo Album 5 --> MsiExec.exe /I{4192EAC0-6B36-4723-B216-D0E86E7757AC}

Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}

Jasc Paint Shop Pro Studio, Dell Editon --> MsiExec.exe /I{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}

Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}

LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VCSetup.exe /REMOVE

LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U

Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}

Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}

Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}

Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}

Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTSf22.inf, Uninstall

Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}

Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Bobby Orr\Application Data\Move Networks\ie_bin\Uninst.exe

Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe

MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall

MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}

Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst

My Way Search Assistant --> rundll32 C:\PROGRA~1\MyWaySA\SrchAsDe\1.bin\desrcas.dll,O

Norton AntiSpam --> MsiExec.exe /I{3B29A786-5803-4e9e-9B58-3014A5B4E519}

Norton AntiSpam --> MsiExec.exe /I{5677563D-0CB1-485f-9E18-C5025306BB3F}

Norton AntiVirus 2005 --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}

Norton Internet Security --> MsiExec.exe /I{12E2B9E9-05B1-407d-B0FD-B5F350535125}

Norton Internet Security --> MsiExec.exe /I{449F3A9E-9903-4a0d-A209-08030D45A935}

Norton Internet Security --> MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B}

Norton Internet Security --> MsiExec.exe /I{526AD5DC-CFC4-4f2a-8442-C84CC91D6C7F}

Norton Internet Security --> MsiExec.exe /I{A93C9E60-29B6-49da-BA21-F70AC6AADE20}

Norton Internet Security --> MsiExec.exe /I{C9D599E1-6B68-4a1f-8A4F-A1DB433DB1BF}

Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}

Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}

Norton Internet Security --> MsiExec.exe /I{FC2C0536-583C-46c0-844A-62CECAE01F22}

Norton Internet Security 2005 (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\SymSetup\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}.exe /X

Norton Security Center --> MsiExec.exe /X{503AA035-41E2-4858-B31F-1E49AC66C309}

Norton WMI Update --> MsiExec.exe /X{E85FA9A1-C241-4698-893B-DD99509B8DB0}

Norton WMI Update --> MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4}

PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall

QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}

RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"

Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"

Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}

Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}

Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}

Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}

Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}

SPBBC --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}

Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"

Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"

Spyware Doctor 3.2 --> "C:\Program Files\Spyware Doctor\unins000.exe"

Symantec Script Blocking Installer --> MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}

SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}

TextAloud --> "C:\Program Files\TextAloud\unins000.exe"

WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe

WordPerfect Office 12 --> MsiExec.exe /I{AF19F291-F22F-4798-9662-525305AE9E48}

 

 

-- Application Event Log -------------------------------------------------------

 

Event Record #/Type2308 / Error

Event Submitted/Written: 06/02/2008 09:14:34 PM

Event ID/Source: 8 / crypt32

Event Description:

Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

 

Event Record #/Type2307 / Error

Event Submitted/Written: 06/02/2008 09:14:30 PM

Event ID/Source: 8 / crypt32

Event Description:

Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

 

Event Record #/Type2306 / Error

Event Submitted/Written: 06/02/2008 09:14:30 PM

Event ID/Source: 8 / crypt32

Event Description:

Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

 

Event Record #/Type2303 / Error

Event Submitted/Written: 06/02/2008 08:44:08 PM

Event ID/Source: 8 / crypt32

Event Description:

Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

 

Event Record #/Type2302 / Error

Event Submitted/Written: 06/02/2008 08:43:59 PM

Event ID/Source: 8 / crypt32

Event Description:

Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

 

 

 

-- Security Event Log ----------------------------------------------------------

 

No Errors/Warnings found.

 

 

-- System Event Log ------------------------------------------------------------

 

Event Record #/Type6990 / Error

Event Submitted/Written: 06/02/2008 09:12:21 PM

Event ID/Source: 10005 / DCOM

Event Description:

DCOM got error "%%1084" attempting to start the service netman with arguments ""

in order to run the server:

{BA126AE5-2166-11D1-B1D0-00805FC1270E}

 

Event Record #/Type6981 / Error

Event Submitted/Written: 06/02/2008 09:07:18 PM

Event ID/Source: 10005 / DCOM

Event Description:

DCOM got error "%%1084" attempting to start the service netman with arguments ""

in order to run the server:

{BA126AE5-2166-11D1-B1D0-00805FC1270E}

 

Event Record #/Type6980 / Error

Event Submitted/Written: 06/02/2008 09:06:49 PM

Event ID/Source: 7026 / Service Control Manager

Event Description:

The following boot-start or system-start driver(s) failed to load:

AFD

AvgLdx86

AvgMfx86

Fips

intelppm

IPSec

MRxSmb

NetBIOS

NetBT

RasAcd

Rdbss

SAVRTPEL

SPBBCDrv

SYMTDI

Tcpip

WS2IFSL

 

Event Record #/Type6979 / Error

Event Submitted/Written: 06/02/2008 09:06:49 PM

Event ID/Source: 7001 / Service Control Manager

Event Description:

The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:

%%31

 

Event Record #/Type6978 / Error

Event Submitted/Written: 06/02/2008 09:06:49 PM

Event ID/Source: 7001 / Service Control Manager

Event Description:

The Fax service depends on the Print Spooler service which failed to start because of the following error:

%%1068

 

 

 

-- End of Deckard's System Scanner: finished at 2008-06-02 21:15:03 ------------

 


3) Kaspersky log

 

I first ran it in IE but that caused IE to crash after dl'ing the ActiveX. After that, my IE would crash every time it was opened so I dl'd the IE Tab addon for Firefox. That was going fine until the actual scan itself when it got stuck 169 files in on c:\dell\MEDIAEXE\ONDRVMED.BIN

 

I then restarted in safe mode and tried again (in both Firefox and IE) and it stalled at the same exact point. So here is what Kaspersky was able to capture in its log after 169 files:

 

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Monday, June 02, 2008 21:59:40

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.98.0

Kaspersky Anti-Virus database last update: 2/06/2008

Kaspersky Anti-Virus database records: 824085

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

C:\

D:\

 

Scan Statistics:

Total number of scanned objects: 169

Number of viruses found: 1

Number of infected objects: 4

Number of suspicious objects: 0

Duration of the scan process: 00:01:51

 

Infected Object Name / Virus Name / Last Action

C:\165.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\165.tmp NSIS: infected - 1 skipped

C:\DBE.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\DBE.tmp NSIS: infected - 1 skipped

 

Scan was interrupted by user!


4) HJT log

 

Here's the latest HJT log after all other steps were taken:

 

Logfile of HijackThis v1.99.1

Scan saved at 22:23:13, on 6/2/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Norton Internet Security\ISSVC.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe

C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\Dell Photo Printer 720\dlbcserv.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Bobby Orr\Desktop\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax3518.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe (file missing)

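Added example (not a tool from this thread or from the HijackThis project): a small offline parser for HJT 1.99.1 log lines like the ones posted above, with a few conservative review rules of the kind a helper applies by hand (orphaned "(file missing)" entries, O20 AppInit/Winlogon DLLs, services with no recorded owner, start pages pointing at a local file, binaries run from temp folders or the drive root). The sample lines are copied from the HJT log above, plus one constructed R0 line whose .mht path is a placeholder.

```python
"""Offline triage of HijackThis 1.99.1 log lines (added example for this thread)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample. The first six lines are copied from the HJT log posted in
# this thread; the final R0 line is constructed (placeholder .mht path) to show
# the start-page-redirected-to-a-local-file pattern this thread is about.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe (file missing)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\EXAMPLE_warning.mht
"""

LINE_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive-letter or %VAR%-rooted path up to a short extension that is followed by
# a quote, whitespace or end of line (HJT appends " (file missing)" after paths).
PATH_RE = re.compile(r'(?:[A-Za-z]:\\|%\w+%\\)[^"\r\n]+?\.[A-Za-z0-9]{2,4}(?=["\s]|$)')
URL_RE = re.compile(r"https?://\S+")
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")   # e.g. a file sitting directly in C:\


@dataclass
class Entry:
    section: str              # "R0", "O2", "O23", ...
    raw: str                  # the full log line
    clsids: List[str]
    paths: List[str]
    url: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Turn the Rn/On lines of an HJT log into Entry records; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # process list, headers, blank lines
        section, body = m.group(1), m.group(2)
        url = URL_RE.search(body)
        entries.append(Entry(section=section, raw=line.strip(),
                             clsids=CLSID_RE.findall(body),
                             paths=PATH_RE.findall(body),
                             url=url.group(0) if url else None))
    return entries


def triage(entry: Entry) -> List[str]:
    """Conservative review rules: each flag says why a human should look, not that it is malware."""
    flags = []
    if "(file missing)" in entry.raw:
        flags.append("orphaned entry: referenced file is missing")
    if entry.section == "O20":
        flags.append("O20 loads a DLL into winlogon/every process: confirm the publisher")
    if entry.section in ("R0", "R1") and entry.url is None and entry.paths:
        flags.append("start/search page points at a local file instead of a URL")
    if entry.section == "O23" and "Unknown owner" in entry.raw:
        flags.append("service has no recorded publisher: verify the binary")
    for p in entry.paths:
        if TEMP_RE.search(p) or DRIVE_ROOT_RE.match(p):
            flags.append(f"runs from a temp folder or the drive root: {p}")
    return flags


def flagged(text: str) -> List[Entry]:
    """Parse a log and return only the entries that earned at least one flag."""
    hits = []
    for e in parse_hjt(text):
        e.flags = triage(e)
        if e.flags:
            hits.append(e)
    return hits


def section_counts(entries: List[Entry]) -> Dict[str, int]:
    """How many entries of each HJT section type the log contains."""
    return dict(Counter(e.section for e in entries))


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(e.section, "|", e.raw[:70])
        for f in e.flags:
            print("    ->", f)
```

Run against the full log the flagged list is the short list worth checking by hand; everything else in the R/O sections parsed cleanly and matched no rule.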

Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

 

 

 

My Way Search Assistant needs to be uninstalled via Add/Remove control panel.

 

 

Two Antivirus programs are probably contributing to problems on the machine running the tools we need.

AVG8 and Norton.

 

If Norton is your choice of Antivirus keep it, if it has expired or is outdated please uninstall.

 

 

 

Run DSS again, using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK

"%userprofile%\desktop\dss.exe" /daft

Click on Scan.

* This will start DSS in a different way. A small window will appear.

* Click on the Scan button.

 

If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a tick in the boxes in question.

Click the Fix button.

Click Scan again, you should get a message "All Associations OK!"

 

 

 

 

 

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

 

Posted Image

 

Windows XP SP2

 

Download the file & save it as it's originally named, next to ComboFix.exe.

 

 

 

Posted Image

 

 

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'NO' to run the full ComboFix scan.

     

     

     

    You DO NOT need to have the Windows CD to install Recovery Console!

     

    The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware.

     

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.

    Don't select to run the Recovery Console as we don't need it.

    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

     

     

     

     

     

    After you finish the above I want you to run the next part of the fix in Normal mode.

     

    Please be sure to disable all Antivirus/Firewalls, they will hinder running ComboFix.

     

     

     

    Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.

    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

     

    Click on this link Here to see a list of programs that should be disabled.

    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

     

    Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). *Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail. Copy and paste the text present inside the quote box below:

    Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

    KillAll::

     

    File::

    C:\WINDOWS\system32\000080a.exe

    C:\165.tmp

    C:\DBE.tmp

     

    Folder::

    C:\SDFix\backups

    C:\WINDOWS\system32\vntiho06

    C:\Temp\vtmp2

    C:\Temp

    C:\WINDOWS\444.471

    Posted Image

     

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

    ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

     

     

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

     

     

     

    NEXT**

    Let's update Java and see if that helps Kaspersky to run.

    Also note, having two antivirus on the machine checking for updates at different times can cause a stall or disrupt the scan.

     

     

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

    Please follow these steps to remove older version Java components and update.

    • Download the latest version of Java Runtime Environment (JRE) 6 Update 6
    • Scroll to Java Runtime Environment (JRE) 6 Update 6 and click on the download button
    • Click on the Accept License Agreement button
    • Next select Download Now! Windows Offline Installation, Multi-language
    • Now close all windows, including your browser.
    • Double click on the Java installation that you downloaded and follow the prompts.

    NEXT - remove all older versions of Java

    • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
    • Search in the list for all previously installed versions of Java (J2SE Runtime Environment...).
    • Select it and click Remove.
    • Close any programs you may have running - especially your web browser.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.


    After following the above, please try to run Kaspersky once again.

     

    Go to Start > Control Panel > Internet Options

    In the General tab, Temporary Internet Files, click: Delete Files

    When prompted, check: Delete all offline content

    You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)

    Click OK


    NEXT**

    *Note

    It is recommended to disable your onboard antivirus program and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.

    Please don't go surfing while your resident protection is disabled!

    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

    Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

    Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

     

    Click Yes, when prompted to install its ActiveX component.

    (Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

    Or use Firefox with IE-Tab plugin

    https://addons.mozilla.org/en-US/firefox/addon/1419

    The program launches and downloads the latest definition files.

    • Once the files are downloaded click on Next
    • Click on Scan Settings and configure as follows:
      • Scan using the following Anti-Virus database: Extended
      • Scan Options: Scan Archives and Scan Mail Bases
    • Click OK and, under select a target to scan, select My Computer

When the scan is done, in the Scan is completed window (below), any infection is displayed.

There is no option to clean/disinfect, however, we need to analyze the information


 

To obtain the report:

Click on: Save Report As (above - red blinking arrow)

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar

In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.


If it is still a No Go with Kaspersky, we'll try this one.

 

PANDA SCAN

Next go Here to run Panda's ActiveScan.

Once you are on the Panda site click the Scan your PC button

A new window will open...click the Check Now button.

Enter your State/Province

Enter your E-mail address and click send.

Select either Home user or Company.

Click the big Scan Now button

  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a few minutes)
When the download is complete, click on My Computer to start the scan.

When the scan completes, if anything malicious is detected, click the See Report button, then Save report and save it to a convenient location (activescan.txt to desktop).

Post the contents of the ActiveScan report


In your next reply post:

ComboFix.txt

Kaspersky-Panda log

New HJT log

 

Can you give me comments on how the computer is at the moment?


You may need several replies to post the requested logs, otherwise they might get cut off.


Hello,

 

Some updates:

 

- It wouldn't let me remove MyWaySearch because some .dll file was missing

- I uninstalled AVG altogether

- I re-ran DSS as you specified. Two items originally came up that I had fixed after which I got the "All Associations OK" message

- I dragged & dropped the XP Recovery file into ComboFix.exe in Safe Mode since nothing happened when I did it in Normal Mode

- After restarting my computer, disconnecting from the internet, and shutting down all firewall/spyware programs, I tried dropping the CFScript file into ComboFix but, as always, nothing happens in Normal Mode when it comes to ComboFix

 

That is where I left off. I was going to try the CFScript in Safe Mode but I wanted to consult with you first. Let me know how you think best to proceed.

 

Thanks!


I think Norton Internet Security is interfering here.

I was going to try the CFScript in Safe Mode but I wanted to consult with you first. Let me know how you think best to proceed.

OK, try the script I created in safe mode, then continue with the rest of the fix.


It's late here so I may not be back tonight.


Hello,

 

I'll break the logs out by post

 

1) ComboFix.txt

 

So I ran the CFScript in Safe Mode and it seemed to work as it should. The only thing that caught my eye was that at one point it said "Cannot print route table: The request is not supported" in the ComboFix window but it kept on running fine. Here is the text file:

 

ComboFix 08-05-29.1 - Bobby Orr 2008-06-04 20:13:17.3 - NTFSx86 MINIMAL

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383 [GMT -4:00]

Running from: C:\Documents and Settings\Bobby Orr\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Bobby Orr\Desktop\CFScript.txt

 

FILE ::

C:\165.tmp

C:\DBE.tmp

C:\WINDOWS\system32\000080a.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\165.tmp

C:\DBE.tmp

C:\SDFix\backups

C:\Temp

C:\WINDOWS\444.471\

C:\WINDOWS\system32\vntiho06

 

.

((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))

.

 

2008-06-03 22:06 . 2008-06-03 22:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8

2008-06-02 21:36 . 2008-06-02 21:36 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-06-02 21:36 . 2008-06-02 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-06-02 20:41 . 2008-06-02 20:41 <DIR> d-------- C:\Deckard

2008-06-01 21:32 . 2008-06-01 21:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-06-01 21:32 . 2008-06-01 21:32 <DIR> d-------- C:\Documents and Settings\Bobby Orr\Application Data\Malwarebytes

2008-06-01 21:32 . 2008-06-01 21:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-06-01 21:32 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys

2008-06-01 21:32 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-06-01 20:21 . 2008-06-01 20:21 <DIR> d-------- C:\WINDOWS\ERUNT

2008-06-01 20:17 . 2008-06-04 20:13 <DIR> d-------- C:\SDFix

2008-06-01 16:49 . 2008-06-01 16:49 1,160 --a------ C:\WINDOWS\mozver.dat

2008-06-01 16:21 . 2008-06-01 16:21 <DIR> d-------- C:\Documents and Settings\Bobby Orr\Application Data\Talkback

2008-06-01 16:21 . 2008-06-01 16:21 0 --a------ C:\WINDOWS\nsreg.dat

2008-06-01 14:47 . 2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat

2008-06-01 14:47 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui

2008-06-01 14:47 . 2008-03-01 09:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll

2008-06-01 14:47 . 2008-03-01 09:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll

2008-06-01 14:47 . 2008-03-01 09:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll

2008-06-01 14:47 . 2008-03-01 09:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll

2008-06-01 14:47 . 2008-03-01 09:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll

2008-06-01 14:47 . 2008-02-22 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-06-01 14:46 . 2008-03-01 09:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll

2008-06-01 12:12 . 2008-06-01 12:12 3,726 --a------ C:\WINDOWS\system32\tmp.reg

2008-06-01 04:57 . 2008-06-03 12:49 <DIR> d--h----- C:\$AVG8.VAULT$

2008-06-01 04:47 . 2008-06-01 04:47 <DIR> d-------- C:\Program Files\AVG

2008-06-01 02:56 . 2004-08-04 06:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

2008-06-01 02:53 . 2008-06-01 02:53 30,728 --a------ C:\WINDOWS\444.471

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-04 12:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-06-01 10:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-06-01 10:33 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2008-06-01 07:47 --------- d-----w C:\Program Files\Spyware Doctor

2008-04-27 19:09 --------- d-----w C:\Documents and Settings\Bobby Orr\Application Data\Move Networks

2008-04-13 05:02 --------- d-----w C:\Program Files\iTunes

2008-04-13 05:01 --------- d-----w C:\Program Files\iPod

2008-04-13 04:59 --------- d-----w C:\Program Files\QuickTime

2008-04-13 04:55 --------- d-----w C:\Program Files\Apple Software Update

2008-04-13 04:54 --------- d-----w C:\Program Files\Common Files\Apple

2008-04-13 04:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple

2008-02-05 18:45 39,504 ----a-w C:\Documents and Settings\Bobby Orr\Application Data\GDIPFONTCACHEV1.DAT

.

 

((((((((((((((((((((((((((((( snapshot@2008-06-02_21.11.32.85 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-06-03 01:05:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-06-05 00:17:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll

+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe

+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42 1404928]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]

"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-03-15 16:33 48752]

"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-07-14 19:37 100056]

"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-03-12 07:25 11776]

"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-07-16 13:53:08 315392]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

 

S2 WUSB54GSCSVC;WUSB54GSCSVC;"C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe" []

S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-09-22 16:33]

 

.

Contents of the 'Scheduled Tasks' folder

"2008-06-03 00:42:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2008-05-31 01:50:27 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Bobby Orr.job"

- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task:

"2008-06-04 21:07:07 C:\WINDOWS\Tasks\Symantec NetDetect.job"

- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-04 20:18:05

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-06-04 20:25:39 - machine was rebooted [bobby Orr]

ComboFix-quarantined-files.txt 2008-06-05 00:25:35

ComboFix2.txt 2008-06-03 01:12:17

 

Pre-Run: 4,479,954,944 bytes free

Post-Run: 4,468,387,840 bytes free

 

139 --- E O F --- 2008-06-02 07:01:37
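Triage helper for a posted ComboFix log, added here as an example and not part of the thread or of ComboFix itself: it parses the REGEDIT4-style "Reg Loading Points" block shown in the log above, lists the Run-key autostarts, and flags entries ComboFix could not match to a file (the `[ ]` tail) plus Security Center and firewall values that are switched off. The embedded excerpt is constructed from the log above; the regexes, key constants and function names are my own.

```python
r"""Triage of the 'Reg Loading Points' block of a ComboFix log.

Added example, not the thread's or ComboFix's own code. ComboFix lists
autostarts as   "name"="C:\path\prog.exe" [date time size]   and prints
"[ ]" when it could not match the value to a file (e.g. a value that carries
arguments). Security Center and firewall values appear as dword:0000000n or
"n (0xn)". The excerpt below is constructed from the log in the thread.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-09-22 16:33]
.
Contents of the 'Scheduled Tasks' folder
"""

SECTION_HEADER = re.compile(r"^\(+ Reg Loading Points \)+$")
SECTION_END = "Contents of the 'Scheduled Tasks' folder"
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="command" [2008-03-28 23:37 413696]   or   "name"="command" [ ]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<command>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# "name"=dword:00000001   or   "name"= 0 (0x0)
NUM_VALUE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9A-Fa-f]{8})|(?P<dec>\d+)\s*\(0x[0-9A-Fa-f]+\))$'
)
# Registry keys (lower-cased, abbreviated the way ComboFix prints them) whose values we check.
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
FIREWALL_STD = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"


@dataclass(frozen=True)
class RunEntry:
    key: str
    name: str
    command: str
    meta: str  # raw text between the brackets

    @property
    def file_found(self) -> bool:
        return self.meta.strip() != ""  # "[ ]" means ComboFix found no file for the value


def parse_reg_loading_points(text):
    """Return (run_entries, numeric_values) from the Reg Loading Points block."""
    entries, numbers = [], {}
    in_section, key = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = bool(SECTION_HEADER.match(line))
            continue
        if line.startswith(SECTION_END):
            break
        if m := KEY_LINE.match(line):
            key = m.group("key")
        elif key and (m := RUN_VALUE.match(line)):
            entries.append(RunEntry(key, m.group("name"), m.group("command"), m.group("meta")))
        elif key and (m := NUM_VALUE.match(line)):
            value = int(m.group("hex"), 16) if m.group("hex") else int(m.group("dec"))
            numbers[(key.lower(), m.group("name"))] = value
    return entries, numbers


def triage(text):
    """Parse the log and return (run_entries, findings); findings are prompts, not verdicts."""
    entries, numbers = parse_reg_loading_points(text)
    findings = []
    for e in entries:
        if not e.file_found:
            findings.append(f"unverified autostart {e.name} in {e.key}: {e.command!r} "
                            "has no file metadata; confirm the target by hand")
    if numbers.get((SECURITY_CENTER, "AntiVirusDisableNotify")) == 1:
        findings.append("Security Center: AntiVirusDisableNotify=1, antivirus status alerts are silenced")
    if numbers.get((FIREWALL_STD, "EnableFirewall")) == 0:
        # Expected when a third-party suite (Norton, in this thread) replaces the Windows
        # Firewall; still worth confirming that the replacement is running and up to date.
        findings.append("Windows Firewall standard profile: EnableFirewall=0")
    return entries, findings
```

Run `triage(open("ComboFix.txt", encoding="latin-1").read())` on a real log to get the same two lists; the "unverified" flag on `UserFaultCheck` is a prompt to check the path, not a detection.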


2) PandaScan

 

I downloaded the latest Java (JRE6) but when I click on the .exe file that I dl'd, it immediately just crashes. I tried it a number of times and each time it crashes. I can get more detail from the crash notice but it is mostly just numbers and code...I can paste it here if you think it would be helpful. I also tried to install it in Safe Mode but I get a notice saying that "System administrator has set policies to prevent this installation". Since I wasn't able to install the new version of Java, I've left the old version (J2SE) installed. Since my Java didn't change, I didn't even try Kaspersky. PandaScan seemed to work fine though (note: they've changed it around a little so your PandaScan steps are a little off). Here is the ActiveScan.txt:

 

;***********************************************************************************************************************************************************************************

ANALYSIS: 2008-06-04 21:38:47

PROTECTIONS: 1

MALWARE: 26

SUSPECTS: 0

;***********************************************************************************************************************************************************************************

PROTECTIONS

Description Version Active Updated

;===================================================================================================================================================================================

Norton Internet Security 2005 Yes No

;===================================================================================================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===================================================================================================================================================================================

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.trafficmp.com/]

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.trafficmp.com/]

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.trafficmp.com/]

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.trafficmp.com/]

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.trafficmp.com/]

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.doubleclick.net/]

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.atdmt.com/]

00139535 Application/Processor HackTools No 0 Yes No C:\SDFix\apps\Process.exe

00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Bobby Orr\Desktop\SmitfraudFix\Process.exe

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.fastclick.net/]

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.fastclick.net/]

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.fastclick.net/]

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.fastclick.net/]

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Cookies\bobby_orr@tribalfusion[2].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.tribalfusion.com/]

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.mediaplex.com/]

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.com.com/]

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[ad.yieldmanager.com/]

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Cookies\bobby_orr@ad.yieldmanager[2].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[ad.yieldmanager.com/]

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[ad.yieldmanager.com/]

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[ad.yieldmanager.com/]

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[ad.yieldmanager.com/]

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[ad.yieldmanager.com/]

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[ad.yieldmanager.com/]

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.apmebf.com/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.advertising.com/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.advertising.com/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.advertising.com/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.advertising.com/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.advertising.com/]

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[statse.webtrendslive.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.ads.pointroll.com/]

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.overture.com/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.realmedia.com/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.realmedia.com/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.realmedia.com/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.realmedia.com/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.realmedia.com/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.realmedia.com/]

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.questionmarket.com/]

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.questionmarket.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.zedo.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.zedo.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.zedo.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.zedo.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.zedo.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.zedo.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.zedo.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.zedo.com/]

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.adrevolver.com/]

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.adrevolver.com/]

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.adrevolver.com/]

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.adrevolver.com/]

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.adrevolver.com/]

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.adultfriendfinder.com/]

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.adultfriendfinder.com/]

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.adultfriendfinder.com/]

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.adultfriendfinder.com/]

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.adultfriendfinder.com/]

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.go.com/]

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.go.com/]

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.go.com/]

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.go.com/]

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.go.com/]

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.go.com/]

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.go.com/]

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.go.com/]

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.go.com/]

00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\cookies.txt[.ads.addynamix.com/]

00523137 Adware/PurityScan Adware No 0 No No C:\QooBox\Quarantine\C\165.tmp.vir[■++\Yazzle1552OinAdmin.exe]

00523137 Adware/PurityScan Adware No 0 No No C:\QooBox\Quarantine\C\DBE.tmp.vir[■++\Yazzle1552OinAdmin.exe]

01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Bobby Orr\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]

02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Bobby Orr\Desktop\SmitfraudFix\Reboot.exe

02994728 Generic Trojan Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\000080.exe.vir

02994728 Generic Trojan Virus/Trojan No 0 Yes No C:\WINDOWS\SYSTEM32\USERINIT.EXE

03021302 Adware/GoodSearchNow Adware No 1 Yes No C:\QooBox\Quarantine\catchme2008-06-01_133849.34.zip[clbdriver.sys]

;===================================================================================================================================================================================

SUSPECTS

Sent Location

;===================================================================================================================================================================================

;===================================================================================================================================================================================

VULNERABILITIES

Id Severity Description

;===================================================================================================================================================================================

;===================================================================================================================================================================================


3) HJT log

 

Here's the latest that was taken after all the above steps:

 

Logfile of HijackThis v1.99.1

Scan saved at 9:40 PM, on 6/4/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Norton Internet Security\ISSVC.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe

C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\Dell Photo Printer 720\dlbcserv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Bobby Orr\Desktop\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax3518.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe (file missing)


Welcome back

 

Can you tell me how the computer is acting?

 

 

Go to My Computer->Tools->Folder Options->View tab:

  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck - Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to hide files and folders again once done.)

 

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold

 

C:\SDFix <--delete

C:\WINDOWS\444.471 <--delete this folder

C:\WINDOWS\444.471.exe <--delete this file if found

C:\Documents and Settings\Bobby Orr\Desktop\SmitfraudFix <--delete

 

 

Then reboot the machine.

 

 

Seems like I'm always saying it's late....lol

I want to ask a few colleagues for suggestions here, two minds are better than one.

It may be tomorrow before I can return.


The computer is running fairly well...definitely better since I have uninstalled AVG (or so it seems).

 

I have deleted the files you specified above (444.471.exe was not present).

 

I'll check back tomorrow for any further directions.

 

Thanks again!


The computer is running fairly well...definitely better since I have uninstalled AVG

 

It should.

People don't realize that running two antivirus programs can bog down their machines, and actually do more harm than good.

 

 

 

 

Go to My Computer->Tools->Folder Options->View tab:

  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck - Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to hide files and folders again once done.)

==============

 

 

Please go to: VirusTotal


  • Click the Browse button and search for the following file: C:\WINDOWS\SYSTEM32\USERINIT.EXE
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.


Here is the scan I received:

 

Antivirus Version Last Update Result

AhnLab-V3 2008.5.30.1 2008.06.05 -

AntiVir 7.8.0.26 2008.06.05 TR/Hijacker.Gen

Authentium 5.1.0.4 2008.06.04 -

Avast 4.8.1195.0 2008.06.05 Win32:Rootkit-gen

AVG 7.5.0.516 2008.06.04 -

BitDefender 7.2 2008.06.05 Trojan.Generic.273524

CAT-QuickHeal 9.50 2008.06.04 -

ClamAV 0.92.1 2008.06.04 -

DrWeb 4.44.0.09170 2008.06.05 BACKDOOR.Trojan

eSafe 7.0.15.0 2008.06.04 -

eTrust-Vet 31.6.5850 2008.06.05 -

Ewido 4.0 2008.06.04 -

F-Prot 4.4.4.56 2008.06.04 -

F-Secure 6.70.13260.0 2008.06.05 -

Fortinet 3.14.0.0 2008.06.05 -

GData 2.0.7306.1023 2008.06.05 Win32:Rootkit-gen

Ikarus T3.1.1.26.0 2008.06.05 Trojan.Hijacker

Kaspersky 7.0.0.125 2008.06.05 Heur.Trojan.Generic

McAfee 5310 2008.06.04 Generic Dropper.p

Microsoft 1.3604 2008.06.05 -

NOD32v2 3160 2008.06.05 Win32/Rootkit.Agent.AIV

Norman 5.80.02 2008.06.04 -

Panda 9.0.0.4 2008.06.05 Generic Trojan

Prevx1 V2 2008.06.05 -

Rising 20.47.30.00 2008.06.05 -

Sophos 4.30.0 2008.06.05 Sus/Dropper-A

Sunbelt 3.0.1145.1 2008.06.05 Trojan.Hijacker.Gen

Symantec 10 2008.06.05 -

TheHacker 6.2.92.335 2008.06.05 -

VBA32 3.12.6.7 2008.06.05 Trojan.NtRootKit.1075

VirusBuster 4.3.26:9 2008.06.04 -

Webwasher-Gateway 6.6.2 2008.06.05 Trojan.Hijacker.Gen

Additional information

File size: 69632 bytes

MD5...: 90305b3c8b6c8ac6c457ff6387de0c72

SHA1..: 75129718f100219d71123e8ed71f2caea24238a2

SHA256: 33090bde6d15c9b359c70a4da90379f3d3f5d49765c272fdeb272edc8bb12195

SHA512: c353853306ec6737c5159a242325e7434bb4da283b01c87db48a63424dd45ead

d0311c4530c19e6e1eef77d9ba01fadff9ff901fb68b7b81986ea69635db55e6

PEiD..: -

PEInfo: PE Structure information

 

( base data )

entrypointaddress.: 0x41099a

timedatestamp.....: 0x482eabbf (Sat May 17 09:56:15 2008)

machinetype.......: 0x14c (I386)

 

( 2 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x102f0 0x10400 6.43 b3d93322b9b7bcbe70e079f463707bba

.reloc 0x12000 0x6e6 0x800 5.66 2f1021c3de7035fbd24cecbce511a40b

 

( 4 imports )

> ntdll.dll: NtFindAtom, NtAddAtom, _strcmpi, _strlwr, strncmp, _snwprintf, strstr, sprintf, NtQueryInformationThread, memset, memcmp, RtlAdjustPrivilege, NtProtectVirtualMemory, RtlInitUnicodeString, LdrLoadDll, NtQuerySystemInformation, _vsnprintf, memcpy

> KERNEL32.dll: WaitForSingleObject, CreateProcessA, InterlockedExchange, ExitProcess, GetVersion, lstrlenW, GetModuleFileNameA, MoveFileA, VirtualQuery, VirtualFree, VirtualAlloc, FreeLibrary, GetProcAddress, LoadLibraryExA, lstrcmpiW, CloseHandle, CreateRemoteThread, WriteProcessMemory, VirtualAllocEx, OpenProcess, GetModuleHandleA, ReadFile, GetFileSize, CreateFileA, lstrcatA, GetSystemDirectoryA, VirtualProtect, ReadProcessMemory, ExitThread, GetCurrentProcessId, lstrcmpA, lstrlenA, IsBadReadPtr, GetLastError, SetLastError, WideCharToMultiByte, DeviceIoControl, LoadLibraryA, lstrcpyA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, GetFileAttributesA, GetEnvironmentVariableA, CopyFileA

> ADVAPI32.dll: RegQueryValueExA, CloseServiceHandle, ControlService, StartServiceA, RegOpenKeyExA, RegEnumKeyA, RegCloseKey, OpenSCManagerA, OpenServiceA

> WININET.dll: InternetSetOptionA, HttpQueryInfoA, InternetQueryOptionA

 

( 0 exports )


Welcome back

 

Next, launch Notepad, (Start > Run, type in: notepad)

copy and paste the text present in the quote box below into it:

@echo off

vfind -ltf %systemdrive%\userinit.exe > check.txt

notepad check.txt

del check.txt

del %0

Save this as look.bat and change the "Save as type" to "All Files" and place it on your desktop

Double click look.bat. A CMD window will open, please be patient while it scans for files.

Notepad will then open, copy and paste the contents in your reply.


Here is what was in the check.txt file that opened:

 

----a-w 24,576 2004-08-04 10:00:00 C:\i386\userinit.exe

----a-w 69,632 2008-05-17 19:56:16 C:\WINDOWS\system32\userinit.exe

 

Entries: 2 (2)

Directories: 0 Files: 2

Bytes: 94,208 Blocks: 184

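The two posts above collect three pieces of evidence about C:\WINDOWS\system32\userinit.exe: the multi-engine scan table with its PE import list, and the vfind listing showing the live copy next to the install cache copy under C:\i386. The script below is an added example written for this page, not code from the thread or from any of the tools named in it. It parses constructed excerpts of those three outputs and turns them into a triage verdict: detection ratio across engines, size and date comparison of the two copies (assuming, as labelled in the code, that the i386 copy is the untouched install source), and a check for the remote-thread injection API set in the import table.

```python
"""Added triage example: weigh the scan table, the vfind listing and the PE
import list for a suspected replaced userinit.exe. All inputs are constructed."""
import re

# Constructed excerpt (10 of the engines posted above): "Engine Version LastUpdate Result".
VT_EXCERPT = """\
AhnLab-V3 2008.5.30.1 2008.06.05 -
AntiVir 7.8.0.26 2008.06.05 TR/Hijacker.Gen
Authentium 5.1.0.4 2008.06.04 -
Avast 4.8.1195.0 2008.06.05 Win32:Rootkit-gen
AVG 7.5.0.516 2008.06.04 -
BitDefender 7.2 2008.06.05 Trojan.Generic.273524
Kaspersky 7.0.0.125 2008.06.05 Heur.Trojan.Generic
McAfee 5310 2008.06.04 Generic Dropper.p
Microsoft 1.3604 2008.06.05 -
NOD32v2 3160 2008.06.05 Win32/Rootkit.Agent.AIV
"""

# Constructed copy of the two vfind -ltf lines posted above: attrs, size, date, time, path.
VFIND_OUTPUT = r"""
----a-w 24,576 2004-08-04 10:00:00 C:\i386\userinit.exe
----a-w 69,632 2008-05-17 19:56:16 C:\WINDOWS\system32\userinit.exe
"""

# Constructed excerpt of the PEInfo import section posted above.
IMPORTS = """\
> ntdll.dll: NtFindAtom, RtlAdjustPrivilege, NtProtectVirtualMemory, LdrLoadDll, NtQuerySystemInformation
> KERNEL32.dll: WaitForSingleObject, CreateProcessA, CreateRemoteThread, WriteProcessMemory, VirtualAllocEx, OpenProcess, ReadProcessMemory
> ADVAPI32.dll: RegQueryValueExA, OpenSCManagerA, OpenServiceA
> WININET.dll: InternetSetOptionA, HttpQueryInfoA
"""

# The four kernel32 calls that together form the classic remote-thread injection
# sequence; all four in a logon helper binary is a strong indicator for a defender.
INJECTION_APIS = frozenset({"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"})

VT_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
VFIND_LINE = re.compile(r"^(\S+)\s+([\d,]+)\s+(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+(.+)$")


def parse_vt(report):
    """Return {engine: result}; a '-' result (no detection) becomes None."""
    results = {}
    for line in report.splitlines():
        m = VT_LINE.match(line.strip())
        if m:
            engine, _version, _updated, result = m.groups()
            results[engine] = None if result.strip() == "-" else result.strip()
    return results


def detection_ratio(report):
    """(engines flagging the file, engines scanned)."""
    results = parse_vt(report)
    return sum(1 for r in results.values() if r is not None), len(results)


def parse_vfind(output):
    """Parse vfind -ltf lines into dicts with an integer size."""
    entries = []
    for line in output.splitlines():
        m = VFIND_LINE.match(line.strip())
        if m:
            attrs, size, date, time, path = m.groups()
            entries.append({"attrs": attrs, "size": int(size.replace(",", "")),
                            "date": date, "time": time, "path": path})
    return entries


def compare_copies(entries):
    """Compare the live system32 copy with the install cache copy under i386.
    Assumption: the i386 copy is the untouched install source, so any size or
    date difference in the live copy is a finding worth investigating."""
    ref = next((e for e in entries if "\\i386\\" in e["path"].lower()), None)
    live = next((e for e in entries if "\\system32\\" in e["path"].lower()), None)
    if ref is None or live is None:
        return ["could not pair an i386 copy with a system32 copy"]
    findings = []
    if live["size"] != ref["size"]:
        findings.append(f"size mismatch: live {live['size']} vs install copy {ref['size']}")
    if live["date"] > ref["date"]:  # ISO dates compare correctly as strings
        findings.append(f"live copy dated {live['date']} is newer than install copy {ref['date']}")
    return findings


def parse_imports(text):
    """Turn '> DLL: f1, f2' lines into {dll: [functions]}."""
    imports = {}
    for line in text.splitlines():
        if line.startswith(">") and ":" in line:
            dll, funcs = line[1:].split(":", 1)
            imports[dll.strip()] = [f.strip() for f in funcs.split(",") if f.strip()]
    return imports


def injection_indicators(text):
    """Sorted list of injection-sequence APIs present in the import table."""
    present = {f for funcs in parse_imports(text).values() for f in funcs}
    return sorted(present & INJECTION_APIS)


def triage(vt_report, vfind_output, imports_text):
    """Combine the three checks into one verdict dict."""
    hits, total = detection_ratio(vt_report)
    findings = compare_copies(parse_vfind(vfind_output))
    apis = injection_indicators(imports_text)
    suspicious = (total and hits / total >= 0.25) or bool(findings) or set(apis) == INJECTION_APIS
    return {"detections": (hits, total), "findings": findings,
            "injection_apis": apis, "verdict": "suspicious" if suspicious else "no finding"}


if __name__ == "__main__":
    for key, value in triage(VT_EXCERPT, VFIND_OUTPUT, IMPORTS).items():
        print(f"{key}: {value}")
```

Each check is deliberately independent: a low detection ratio alone is common for fresh samples, but a system binary that is nearly three times the size of its install-cache twin, carries a date matching the infection, and imports the full injection sequence is a clear picture even before any engine names it.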

Welcome back

Sorry for my delay.......we've been painting here, I think I'd rather stick needles in my eye!

 

 

Thank you for the info....

What I would like for you to do first:

 

Delete ComboFix, we need to download the latest updated version.

 

Please disable Norton for this program to run. Important!

 

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

Link 1

Link 2

Link 3

 

**Note: It is important that it is saved directly to your desktop**

 

 

Click on this link to see a list of programs that should be disabled

http://www.bleepingcomputer.com/forums/topic114351.html

 

 

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

Double click on combofix.exe & follow the prompts.

* When finished, it will produce a report for you.

* Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

 

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Hi there,

 

I did everything that you listed above but ComboFix still won't run in Normal Mode. Let me know if you want me to run it in Safe Mode since that seems to work.


Welcome back

Sorry for my delay

 

 

Are you able to disable Norton? My thought is that Norton is causing the problem with ComboFix not being able to run in normal mode.

 

Did you delete the ComboFix you had earlier and download the newer version?

 

If you cannot run it in normal mode then please try it in safe mode.


It looks like things have taken a turn for the worse.

 

So I ran ComboFix in Safe Mode and everything seemed to be running as usual...it said it deleted some file (didn't catch what it said), the log opened up, the ComboFix window closed, so I restarted the computer back in Normal Mode. Everything was going as planned until it got to my desktop. The background image (generic Dell background) is there but nothing else loads...no desktop icons, no Windows taskbar at the bottom, nada. Just the mouse cursor (which can be moved) and the desktop background. If I hit Ctrl+Alt+Del, the Task Manager pops up as usual with processes listed but that's about it. I tried restarting several times but the same thing happens. I then tried Safe Mode and it gets stuck at the same point as well.

 

So at this point I am not sure what to do. I went into the System Recovery menu (that appeared after dragging the XP file into ComboFix.exe last week) upon start-up but it was just a command prompt and I don't know what to type in to do whatever it needs to do to right itself.

 

I am currently on my work laptop so luckily I still have access to the internet so any direction you can provide at this point would be GREATLY appreciated.


Open Task Manager by pressing the Ctrl, Alt and Del keys at the same time, or whatever method you use.

Do you see Explorer.exe running?

 

If it's running, End process on it.

 

In the menu at the top of the Task Manager dialog box, click File>New Task (Run...)

 

Then type explorer.exe to start it.

If this loads I want to see the .txt combofix created....

Go to Start > Run and copy/paste the following, then press the Enter key:

C:\ComboFix.txt

A text file will open. That's what I need to see.
