
Unsolved


T


December 3rd, 2008 18:00

I Need Help - My computer has slow internet, little warning triangles are popping up in the lower right corner of the screen occasionally, Safe Mode doesn't work, and I often get redirected to random advertising sites

I've tried running Kaspersky's online scanner as well as Trend Micro's online scanner; I also have used Spybot to try and figure out what's wrong. The only major problem these seem to find appears to be the dmconfigk.dll file that is mentioned in part of the HijackThis log, but nothing seems capable of getting rid of the dmconfigk.dll file. When I try and start my computer in safe mode now I just get a blue screen full of text once I select Safe Mode, and then the whole thing just shuts down. I have no idea whether dmconfigk is part of the problem, the entire problem or nothing to do with the problem, but it's the only lead I have. I'd be eternally grateful to anyone who can help me try and fix my computer and get rid of all the bad things. Thanks!

Oh yeah, I also have that free McAfee virus scanner that you can download via AOL, but it doesn't ever seem to find anything when I try and scan my computer with it.

The HijackThis log is below.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:21 PM, on 12/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys Wireless Guard\WscGuard.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9BBCDEA8-6E27-4842-862E-CC739792746D} - C:\WINDOWS\system32\dmconfigk.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Linksys Wireless Guard.lnk = C:\Program Files\Linksys Wireless Guard\WscGuard.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Linksys Wireless Guard Network Manager Service (WSCNetManager) - Wireless Security Corporation - C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe

--
End of file - 3264 bytes

10.4K Posts

December 15th, 2008 06:00


TSignus


Please download ComboFix and save it to your desktop:
  • Note: It is important that it is saved directly to your desktop.
  • Close any open browsers.
  • Double-click on combofix.exe and follow the prompts.
  • When it's finished it will produce a log.
  • Post the contents of C:\ComboFix.txt in your next reply.
  • Note: Do not mouse-click ComboFix's window whilst it's running. That may cause the program to freeze/hang.

16 Posts

December 15th, 2008 07:00

Here it is:


ComboFix 08-12-14.05 - Tim 2008-12-15  7:21:49.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.502.226 [GMT -8:00]
Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2008-11-15 to 2008-12-15  )))))))))))))))))))))))))))))))
.

2008-12-14 17:56 . 2008-12-15 04:13 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-14 17:56 . 2008-12-14 17:56 1,409 --a------ c:\windows\QTFont.for
2008-12-14 15:34 . 2008-12-14 15:34   d-------- c:\documents and settings\Tim\Application Data\acccore
2008-12-14 15:33 . 2008-12-14 15:35   d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2008-12-14 15:33 . 2008-12-14 15:33   d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-14 15:31 . 2008-12-14 15:34   d-------- c:\program files\AIM6
2008-12-03 18:39 . 2008-12-03 18:39   d-------- c:\program files\Trend Micro
2008-12-01 19:59 . 2008-12-15 05:02   d-------- c:\documents and settings\Tim\.housecall6.6
2008-11-25 17:12 . 2002-08-29 04:00 99,840 --a------ c:\windows\system32\dmconfigk.dll
2008-11-20 20:04 . 2008-11-20 20:04   d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-20 20:04 . 2008-11-20 20:04   d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-20 20:04 . 2008-11-20 20:04   d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-20 20:04 . 2008-11-20 20:04   d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 08:34 --------- d-----w c:\documents and settings\All Users\Application Data\WSC Guard
2008-12-14 23:33 --------- d-----w c:\program files\Viewpoint
2008-12-14 23:33 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-14 23:32 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-14 23:23 --------- d-----w c:\program files\AIM95
2008-12-10 07:08 --------- d-----w c:\documents and settings\Tim\Application Data\BitTorrent
2008-12-03 10:29 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 06:35 --------- d-----w c:\program files\DivX
2008-12-03 05:07 --------- d-----w c:\program files\Common Files\AOL
2008-12-03 05:01 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-12-01 22:03 --------- d-----w c:\program files\BYOND
2008-11-22 04:21 --------- d-----w c:\program files\Incomplete
2008-11-22 04:20 --------- d-----w c:\program files\LimeWire
2008-11-22 00:19 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-21 03:13 --------- d-----w c:\program files\DNA
2008-11-21 03:13 --------- d-----w c:\documents and settings\Tim\Application Data\DNA
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 07:20 --------- d-----w c:\documents and settings\Other\Application Data\Aim
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-22 02:43 --------- d-----w c:\program files\BitTorrent
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-08-07 23:40 21,656 -c--a-w c:\documents and settings\Tim\Application Data\GDIPFONTCACHEV1.DAT
2008-09-04 00:29 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
.

(((((((((((((((((((((((((((((   snapshot@2008-12-03_ 2.26.18.82   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-24 01:41:42 841,304 ----a-w c:\windows\Downloaded Program Files\ampAx3.0.84.2.dll
+ 2008-12-14 23:33:17 38,428 ----a-w c:\windows\Downloaded Program Files\unagiuninst.exe
+ 2008-08-26 07:24:28 124,928 -c----w c:\windows\ie7updates\KB958215-IE7\advpack.dll
+ 2008-08-26 07:24:28 347,136 -c----w c:\windows\ie7updates\KB958215-IE7\dxtmsft.dll
+ 2008-08-26 07:24:28 214,528 -c----w c:\windows\ie7updates\KB958215-IE7\dxtrans.dll
+ 2008-08-26 07:24:28 133,120 -c----w c:\windows\ie7updates\KB958215-IE7\extmgr.dll
+ 2008-08-26 07:24:28 63,488 -c----w c:\windows\ie7updates\KB958215-IE7\icardie.dll
+ 2008-08-25 08:37:59 70,656 -c----w c:\windows\ie7updates\KB958215-IE7\ie4uinit.exe
+ 2008-08-26 07:24:28 153,088 -c----w c:\windows\ie7updates\KB958215-IE7\ieakeng.dll
+ 2008-08-26 07:24:28 230,400 -c----w c:\windows\ie7updates\KB958215-IE7\ieaksie.dll
+ 2008-08-23 05:54:51 161,792 -c----w c:\windows\ie7updates\KB958215-IE7\ieakui.dll
+ 2008-08-26 07:24:28 383,488 -c----w c:\windows\ie7updates\KB958215-IE7\ieapfltr.dll
+ 2008-08-26 07:24:29 384,512 -c----w c:\windows\ie7updates\KB958215-IE7\iedkcs32.dll
+ 2008-10-03 17:41:15 6,066,176 -c----w c:\windows\ie7updates\KB958215-IE7\ieframe.dll
+ 2008-08-26 07:24:29 44,544 -c----w c:\windows\ie7updates\KB958215-IE7\iernonce.dll
+ 2008-08-26 07:24:29 267,776 -c----w c:\windows\ie7updates\KB958215-IE7\iertutil.dll
+ 2008-08-25 08:38:00 13,824 -c----w c:\windows\ie7updates\KB958215-IE7\ieudinit.exe
+ 2008-08-23 05:56:15 635,848 -c----w c:\windows\ie7updates\KB958215-IE7\iexplore.exe
+ 2008-08-26 07:24:30 27,648 -c----w c:\windows\ie7updates\KB958215-IE7\jsproxy.dll
+ 2008-08-26 07:24:30 459,264 -c----w c:\windows\ie7updates\KB958215-IE7\msfeeds.dll
+ 2008-08-26 07:24:30 52,224 -c----w c:\windows\ie7updates\KB958215-IE7\msfeedsbs.dll
+ 2008-08-27 08:24:32 3,593,216 -c----w c:\windows\ie7updates\KB958215-IE7\mshtml.dll
+ 2008-08-26 07:24:30 477,696 -c----w c:\windows\ie7updates\KB958215-IE7\mshtmled.dll
+ 2008-08-26 07:24:30 193,024 -c----w c:\windows\ie7updates\KB958215-IE7\msrating.dll
+ 2008-08-26 07:24:30 671,232 -c----w c:\windows\ie7updates\KB958215-IE7\mstime.dll
+ 2008-08-26 07:24:30 102,912 -c----w c:\windows\ie7updates\KB958215-IE7\occache.dll
+ 2008-08-26 07:24:30 44,544 -c----w c:\windows\ie7updates\KB958215-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB958215-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB958215-IE7\spuninst\updspapi.dll
+ 2008-08-26 07:24:30 105,984 -c----w c:\windows\ie7updates\KB958215-IE7\url.dll
+ 2008-08-26 07:24:31 1,159,680 -c----w c:\windows\ie7updates\KB958215-IE7\urlmon.dll
+ 2008-08-26 07:24:31 233,472 -c----w c:\windows\ie7updates\KB958215-IE7\webcheck.dll
+ 2008-08-26 07:24:31 826,368 -c----w c:\windows\ie7updates\KB958215-IE7\wininet.dll
- 2008-08-26 07:24:28 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
- 2008-08-26 07:24:28 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
+ 2008-10-16 20:38:34 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
- 2008-08-26 07:24:28 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-08-26 07:24:28 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
- 2008-08-26 07:24:28 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-16 20:38:35 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-23 12:36:14 286,720 -c----w c:\windows\system32\dllcache\gdi32.dll
- 2008-08-26 07:24:28 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
+ 2008-10-16 20:38:35 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
- 2008-08-25 08:37:59 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-10-16 13:11:09 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-08-26 07:24:28 153,088 -c----w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-10-16 20:38:35 153,088 -c----w c:\windows\system32\dllcache\ieakeng.dll
- 2008-08-26 07:24:28 230,400 -c----w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-10-16 20:38:35 230,400 -c----w c:\windows\system32\dllcache\ieaksie.dll
- 2008-08-23 05:54:51 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
+ 2008-10-15 07:04:53 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
- 2008-08-26 07:24:28 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-10-16 20:38:35 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-08-26 07:24:29 384,512 -c----w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-10-16 20:38:35 384,512 -c----w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-10-03 17:41:15 6,066,176 -c----w c:\windows\system32\dllcache\ieframe.dll
+ 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\system32\dllcache\ieframe.dll
- 2008-08-26 07:24:29 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll
+ 2008-10-16 20:38:37 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll
- 2008-08-26 07:24:29 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
+ 2008-10-16 20:38:37 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
- 2008-08-25 08:38:00 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-10-16 13:11:09 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
- 2008-08-23 05:56:15 635,848 -c----w c:\windows\system32\dllcache\iexplore.exe
+ 2008-10-15 07:06:26 633,632 -c----w c:\windows\system32\dllcache\iexplore.exe
- 2008-08-26 07:24:30 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 20:38:37 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
- 2006-10-19 03:03:58 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-18 09:09:22 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
- 2008-08-26 07:24:30 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-10-16 20:38:37 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
- 2008-08-26 07:24:30 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-10-16 20:38:37 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-08-27 08:24:32 3,593,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-10-17 10:08:40 3,593,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-08-26 07:24:30 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
- 2008-08-26 07:24:30 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 20:38:38 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
- 2008-08-26 07:24:30 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 20:38:39 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
- 2008-08-26 07:24:30 102,912 -c----w c:\windows\system32\dllcache\occache.dll
+ 2008-10-16 20:38:39 102,912 -c----w c:\windows\system32\dllcache\occache.dll
- 2008-08-26 07:24:30 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 20:38:39 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
- 2008-04-14 00:12:07 246,814 -c----w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:02:42 247,326 -c----w c:\windows\system32\dllcache\strmdll.dll
- 2008-08-26 07:24:30 105,984 -c----w c:\windows\system32\dllcache\url.dll
+ 2008-10-16 20:38:39 105,984 -c----w c:\windows\system32\dllcache\url.dll
- 2008-08-26 07:24:31 1,159,680 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 20:38:39 1,160,192 -c--a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-08-26 07:24:31 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll
+ 2008-10-16 20:38:39 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll
- 2008-08-26 07:24:31 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 20:38:40 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
- 2006-10-19 04:47:20 937,984 -c--a-w c:\windows\system32\dllcache\WMNetMgr.dll
+ 2008-06-18 13:03:08 938,496 -c--a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2006-10-19 04:47:22 2,450,944 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-18 13:03:14 2,458,112 -c--a-w c:\windows\system32\dllcache\WMVCore.dll
- 2008-08-26 07:24:28 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-08-26 07:24:28 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2008-08-26 07:24:28 133,120 ----a-w c:\windows\system32\extmgr.dll
+ 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\extmgr.dll
- 2008-08-26 07:24:28 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-08-25 08:37:59 70,656 ----a-w c:\windows\system32\ie4uinit.exe
+ 2008-10-16 13:11:09 70,656 ----a-w c:\windows\system32\ie4uinit.exe
- 2008-08-26 07:24:28 153,088 ----a-w c:\windows\system32\ieakeng.dll
+ 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\ieakeng.dll
- 2008-08-26 07:24:28 230,400 ----a-w c:\windows\system32\ieaksie.dll
+ 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\ieaksie.dll
- 2008-08-23 05:54:51 161,792 ----a-w c:\windows\system32\ieakui.dll
+ 2008-10-15 07:04:53 161,792 ----a-w c:\windows\system32\ieakui.dll
- 2008-08-26 07:24:28 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-08-26 07:24:29 384,512 ----a-w c:\windows\system32\iedkcs32.dll
+ 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\iedkcs32.dll
- 2008-10-03 17:41:15 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
- 2008-08-26 07:24:29 44,544 ----a-w c:\windows\system32\iernonce.dll
+ 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\iernonce.dll
- 2008-08-26 07:24:29 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-08-25 08:38:00 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2008-08-26 07:24:30 27,648 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\jsproxy.dll
- 2006-10-19 03:03:58 100,864 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-18 09:09:22 100,864 ----a-w c:\windows\system32\logagent.exe
- 2008-11-04 00:10:26 17,318,336 ----a-w c:\windows\system32\MRT.exe
+ 2008-12-09 23:24:38 17,593,280 ----a-w c:\windows\system32\MRT.exe
- 2008-08-26 07:24:30 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-08-26 07:24:30 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2008-08-27 08:24:32 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-10-17 10:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2008-08-26 07:24:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2008-08-26 07:24:30 193,024 ----a-w c:\windows\system32\msrating.dll
+ 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\msrating.dll
- 2008-08-26 07:24:30 671,232 ----a-w c:\windows\system32\mstime.dll
+ 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\mstime.dll
- 2008-08-26 07:24:30 102,912 ----a-w c:\windows\system32\occache.dll
+ 2008-10-16 20:38:39 102,912 ----a-w c:\windows\system32\occache.dll
- 2008-08-26 07:24:30 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2008-07-08 13:02:01 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
- 2008-04-14 00:12:38 60,416 ------w c:\windows\system32\tzchange.exe
+ 2008-10-23 10:06:59 62,976 ------w c:\windows\system32\tzchange.exe
- 2008-08-26 07:24:30 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
- 2008-08-26 07:24:31 1,159,680 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2008-08-26 07:24:31 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2006-10-19 04:47:20 937,984 ----a-w c:\windows\system32\WMNetMgr.dll
+ 2008-06-18 13:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll
- 2006-10-19 04:47:22 2,450,944 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-18 13:03:14 2,458,112 ----a-w c:\windows\system32\WMVCore.dll
+ 2008-12-15 09:05:36 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7b4.dat
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9BBCDEA8-6E27-4842-862E-CC739792746D}]
2002-08-29 04:00 99840 --a------ c:\windows\system32\dmconfigk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 4662776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-06 8720384]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"AOL Fast Start"="c:\program files\America Online 9.0\AOL.EXE" [2005-07-12 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2003-08-27 245760]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2003-08-21 180224]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-06 8720384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Linksys Wireless Guard.lnk - c:\program files\Linksys Wireless Guard\WscGuard.exe [2004-04-18 872526]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.D263"= xl_x263dec.dll
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
--a------ 2005-07-12 06:17 50776 c:\program files\America Online 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-r---c--- 2006-10-23 04:50 71216 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-05-14 17:01 644696 c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a--c--- 2007-04-12 13:23 42032 c:\program files\Common Files\AOL\1113882168\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2006-06-26 09:46 497200 c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2006-06-26 10:34 614960 c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2006-06-26 10:33 243248 c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2007-02-04 11:02 79400 c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 20:16 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-10-25 08:03 210472 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-09-26 21:49 185632 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
--a------ 2006-09-20 07:35 20480 c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"AOL ACS"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"mnmsrvc"=3 (0x3)
"McShield"=3 (0x3)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"InCDsrvR"=2 (0x2)
"InCDsrv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1113882168\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Sony\\Media Manager for PSP 2.5\\MediaManager.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Common Files\\AOL\\1113882168\\EE\\aolsoftware.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\DRIVERS\ppa.sys [2005-04-17 17792]
R0 rwdvcfvv;rwdvcfvv;c:\windows\system32\drivers\rwdvcfvv.sys [2002-08-29 23424]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-12-14 24652]
R2 WSCNetManager;Linksys Wireless Guard Network Manager Service;"c:\program files\Linksys Wireless Guard\WscNetMgrSvc.exe" [2004-04-18 663635]
R3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys [2004-02-17 292352]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2004-02-17 273536]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\DRIVERS\DP83815.SYS [2004-07-15 18432]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\DRIVERS\NaiFiltr.sys [2005-04-18 23296]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\DRIVERS\rt2500usb.sys [2005-06-07 239488]
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-12-12 c:\windows\Tasks\ecrunXP.job
- c:\enigmaclient\ecrunXP.bat []

2008-12-12 c:\windows\Tasks\McAfee.com Update Check (HD-1-crazy4horses).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-21 17:10]

2008-12-12 c:\windows\Tasks\McAfee.com Update Check (HD-1-crazy4horses).job
- c:\progra~1\mcafee.com\agent [2007-04-19 16:40]

2008-12-12 c:\windows\Tasks\McAfee.com Update Check (HD-1-Danny).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-21 17:10]

2008-12-12 c:\windows\Tasks\McAfee.com Update Check (HD-1-Danny).job
- c:\progra~1\mcafee.com\agent [2007-04-19 16:40]

2008-12-12 c:\windows\Tasks\McAfee.com Update Check (HD-1-Other).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-21 17:10]

2008-12-12 c:\windows\Tasks\McAfee.com Update Check (HD-1-Other).job
- c:\progra~1\mcafee.com\agent [2007-04-19 16:40]

2008-12-15 c:\windows\Tasks\McAfee.com Update Check (HD-1-Tim).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-21 17:10]

2008-12-15 c:\windows\Tasks\McAfee.com Update Check (HD-1-Tim).job
- c:\progra~1\mcafee.com\agent [2007-04-19 16:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride =

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 07:26:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-12-15  7:29:07
ComboFix-quarantined-files.txt  2008-12-15 15:27:49
ComboFix2.txt  2008-12-03 11:47:37
ComboFix3.txt  2008-12-03 10:28:41

Pre-Run: 6,070,079,488 bytes free
Post-Run: 6,198,378,496 bytes free

402 --- E O F --- 2008-12-11 07:28:10

10.4K Posts

December 15th, 2008 08:00


TSignus

Got it.


1. Open Notepad (not WordPad). Copy and paste the following into Notepad:


Driver::
rwdvcfvv

File::
c:\windows\system32\dmconfigk.dll

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\StubInstaller.exe"=-


Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

user posted image
  • You will be prompted to run ComboFix again; do so,
    following the same rules as indicated in my first post.
    Then post the contents of the C:\ComboFix.txt log in your reply.

2. Rerun Hijackthis and post a fresh Hijackthis log as well

16 Posts

December 15th, 2008 17:00

HERE'S THE COMBOFIX LOG:

ComboFix 08-12-14.05 - Tim 2008-12-15 17:19:37.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.502.259 [GMT -8:00]
Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tim\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
c:\windows\system32\dmconfigk.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dmconfigk.dll . . . . failed to delete

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RWDVCFVV
-------\Service_rwdvcfvv


(((((((((((((((((((((((((   Files Created from 2008-11-16 to 2008-12-16  )))))))))))))))))))))))))))))))
.

2008-12-14 17:56 . 2008-12-15 04:13 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-14 17:56 . 2008-12-14 17:56 1,409 --a------ c:\windows\QTFont.for
2008-12-14 15:34 . 2008-12-14 15:34   d-------- c:\documents and settings\Tim\Application Data\acccore
2008-12-14 15:33 . 2008-12-14 15:35   d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2008-12-14 15:33 . 2008-12-14 15:33   d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-14 15:31 . 2008-12-14 15:34   d-------- c:\program files\AIM6
2008-12-03 18:39 . 2008-12-03 18:39   d-------- c:\program files\Trend Micro
2008-12-01 19:59 . 2008-12-15 05:02   d-------- c:\documents and settings\Tim\.housecall6.6
2008-11-25 17:12 . 2002-08-29 04:00 99,840 --a------ c:\windows\system32\dmconfigk.dll
2008-11-20 20:04 . 2008-11-20 20:04   d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-20 20:04 . 2008-11-20 20:04   d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-20 20:04 . 2008-11-20 20:04   d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-20 20:04 . 2008-11-20 20:04   d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 08:34 --------- d-----w c:\documents and settings\All Users\Application Data\WSC Guard
2008-12-14 23:33 --------- d-----w c:\program files\Viewpoint
2008-12-14 23:33 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-14 23:32 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-14 23:23 --------- d-----w c:\program files\AIM95
2008-12-10 07:08 --------- d-----w c:\documents and settings\Tim\Application Data\BitTorrent
2008-12-03 10:29 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 06:35 --------- d-----w c:\program files\DivX
2008-12-03 05:07 --------- d-----w c:\program files\Common Files\AOL
2008-12-03 05:01 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-12-01 22:03 --------- d-----w c:\program files\BYOND
2008-11-22 04:21 --------- d-----w c:\program files\Incomplete
2008-11-22 04:20 --------- d-----w c:\program files\LimeWire
2008-11-22 00:19 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-21 03:13 --------- d-----w c:\program files\DNA
2008-11-21 03:13 --------- d-----w c:\documents and settings\Tim\Application Data\DNA
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 07:20 --------- d-----w c:\documents and settings\Other\Application Data\Aim
2008-10-22 02:43 --------- d-----w c:\program files\BitTorrent
2008-08-07 23:40 21,656 -c--a-w c:\documents and settings\Tim\Application Data\GDIPFONTCACHEV1.DAT
2008-09-04 00:29 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
.

(((((((((((((((((((((((((((((   snapshot_2008-12-15_ 7.27.09.85   )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2008-12-16 01:26:14 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_794.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9BBCDEA8-6E27-4842-862E-CC739792746D}]
2002-08-29 04:00 99840 --a------ c:\windows\system32\dmconfigk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 4662776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-06 8720384]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"AOL Fast Start"="c:\program files\America Online 9.0\AOL.EXE" [2005-07-12 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2003-08-27 245760]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2003-08-21 180224]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-06 8720384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Linksys Wireless Guard.lnk - c:\program files\Linksys Wireless Guard\WscGuard.exe [2004-04-18 872526]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.D263"= xl_x263dec.dll
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
--a------ 2005-07-12 06:17 50776 c:\program files\America Online 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-r---c--- 2006-10-23 04:50 71216 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-05-14 17:01 644696 c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a--c--- 2007-04-12 13:23 42032 c:\program files\Common Files\AOL\1113882168\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2006-06-26 09:46 497200 c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2006-06-26 10:34 614960 c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2006-06-26 10:33 243248 c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2007-02-04 11:02 79400 c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 20:16 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-10-25 08:03 210472 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-09-26 21:49 185632 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
--a------ 2006-09-20 07:35 20480 c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"AOL ACS"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"mnmsrvc"=3 (0x3)
"McShield"=3 (0x3)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"InCDsrvR"=2 (0x2)
"InCDsrv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1113882168\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Sony\\Media Manager for PSP 2.5\\MediaManager.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Common Files\\AOL\\1113882168\\EE\\aolsoftware.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\DRIVERS\ppa.sys [2005-04-17 17792]
R0 rwdvcfvv;rwdvcfvv;c:\windows\system32\drivers\rwdvcfvv.sys [2002-08-29 23424]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-12-14 24652]
R2 WSCNetManager;Linksys Wireless Guard Network Manager Service;"c:\program files\Linksys Wireless Guard\WscNetMgrSvc.exe" [2004-04-18 663635]
R3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys [2004-02-17 292352]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2004-02-17 273536]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\DRIVERS\DP83815.SYS [2004-07-15 18432]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\DRIVERS\NaiFiltr.sys [2005-04-18 23296]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\DRIVERS\rt2500usb.sys [2005-06-07 239488]

*Newly Created Service* - RWDVCFVV
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-12-12 c:\windows\Tasks\ecrunXP.job
- c:\enigmaclient\ecrunXP.bat []

2008-12-12 c:\windows\Tasks\McAfee.com Update Check (HD-1-crazy4horses).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-21 17:10]

2008-12-12 c:\windows\Tasks\McAfee.com Update Check (HD-1-crazy4horses).job
- c:\progra~1\mcafee.com\agent [2007-04-19 16:40]

2008-12-12 c:\windows\Tasks\McAfee.com Update Check (HD-1-Danny).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-21 17:10]

2008-12-12 c:\windows\Tasks\McAfee.com Update Check (HD-1-Danny).job
- c:\progra~1\mcafee.com\agent [2007-04-19 16:40]

2008-12-12 c:\windows\Tasks\McAfee.com Update Check (HD-1-Other).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-21 17:10]

2008-12-12 c:\windows\Tasks\McAfee.com Update Check (HD-1-Other).job
- c:\progra~1\mcafee.com\agent [2007-04-19 16:40]

2008-12-16 c:\windows\Tasks\McAfee.com Update Check (HD-1-Tim).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-21 17:10]

2008-12-16 c:\windows\Tasks\McAfee.com Update Check (HD-1-Tim).job
- c:\progra~1\mcafee.com\agent [2007-04-19 16:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride =

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 17:26:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\progra~1\McAfee.com\VSO\mcvsrte.exe
c:\windows\system32\snmp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\America Online 9.0\waol.exe
c:\program files\McAfee.com\Shared\mcinfo.exe
c:\program files\America Online 9.0\shellmon.exe
.
**************************************************************************
.
Completion time: 2008-12-15 17:34:26 - machine was rebooted
ComboFix-quarantined-files.txt  2008-12-16 01:33:17
ComboFix2.txt  2008-12-15 15:29:09
ComboFix3.txt  2008-12-03 11:47:37
ComboFix4.txt  2008-12-03 10:28:41

Pre-Run: 6,155,579,392 bytes free
Post-Run: 6,071,824,384 bytes free

225 --- E O F --- 2008-12-11 07:28:10

AND HERE'S THE HIJACKTHIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 5:45:02 PM, on 12/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys Wireless Guard\WscGuard.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Tim\Desktop\Useful Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9BBCDEA8-6E27-4842-862E-CC739792746D} - C:\WINDOWS\system32\dmconfigk.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Linksys Wireless Guard.lnk = C:\Program Files\Linksys Wireless Guard\WscGuard.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Linksys Wireless Guard Network Manager Service (WSCNetManager) - Wireless Security Corporation - C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe
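An added example, not part of this thread and not code from HijackThis or ComboFix: a small Python triage script that applies the same reading a helper does to the O2 (BHO), O4 (Run key / startup) and O23 (service) lines of a HijackThis log such as the one above. It flags a BHO registered with no display name or loaded from the Windows directory, and an autostart or service whose binary sits in a temp or user-profile data folder. The function names, the `Finding` type and the heuristics are this example's own assumptions; the sample lines are copied from the log above, except the `updater` Run entry, which is constructed for the example and does not appear on the page.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; it is not code from HijackThis or ComboFix.
It parses the O2 (BHO), O4 (Run key / startup) and O23 (service) lines of a
HijackThis log and reports the entries a helper would check first. The
function names, the Finding type and the heuristics are this example's own.
"""
import re
from dataclasses import dataclass, field

# One regex per HijackThis line type handled here.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]+)\] )?(?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# First executable or DLL path in a command line, quoted or not, arguments dropped.
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|bat|cpl))', re.IGNORECASE)

# Folders in which a legitimate autostart or service binary seldom lives.
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")

# Sample lines copied from the HijackThis log posted above, plus one constructed
# Run entry ("updater", not on the page) so the profile-folder heuristic fires.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9BBCDEA8-6E27-4842-862E-CC739792746D} - C:\WINDOWS\system32\dmconfigk.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Tim\Local Settings\Temp\updater.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""


@dataclass
class Finding:
    kind: str                       # "BHO", "Run" or "Service"
    name: str
    path: str
    reasons: list = field(default_factory=list)


def first_path(cmd: str) -> str:
    """Return the first executable/DLL path in a command line (or the raw text)."""
    m = EXE_RE.search(cmd)
    return m.group("path") if m else cmd.strip()


def in_windows_dir(path: str) -> bool:
    """True for paths under the Windows directory, e.g. system32."""
    return re.match(r"^[a-z]:\\windows\\", path.lower()) is not None


def in_suspicious_dir(path: str) -> bool:
    """True when the path runs through a temp or user-profile data folder."""
    low = path.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


def parse_line(line: str):
    """Turn one HijackThis log line into a Finding, or None if the type is not handled."""
    line = line.rstrip()
    if m := O2_RE.match(line):
        f = Finding("BHO", m["name"], m["path"])
        if m["name"] == "(no name)":
            f.reasons.append("BHO registered without a display name")
        if in_windows_dir(m["path"]):
            f.reasons.append("BHO loaded from the Windows directory; legitimate BHOs usually live under Program Files")
        return f
    if m := O4_RE.match(line):
        path = first_path(m["cmd"])
        f = Finding("Run", m["name"] or m["where"], path)
        if in_suspicious_dir(path):
            f.reasons.append("autostart points into a temp or user-profile data folder")
        return f
    if m := O23_RE.match(line):
        f = Finding("Service", m["name"], first_path(m["path"]))
        if m["vendor"] in ("Unknown owner", "(no name)"):
            f.reasons.append("service has no recognised vendor string")
        if in_suspicious_dir(f.path):
            f.reasons.append("service binary lives in a temp or user-profile data folder")
        return f
    return None


def triage(log_text: str) -> list:
    """Return only the findings that carry at least one reason, in log order."""
    return [f for f in map(parse_line, log_text.splitlines()) if f and f.reasons]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.name!r:20} {f.path}")
        for r in f.reasons:
            print(f"         - {r}")
```

Run against the sample it reports the nameless BHO in system32 (the `dmconfigk.dll` entry that every log in this thread shows) and the constructed temp-folder autostart, and stays quiet about the Spybot, QuickTime, MySpaceIM and Viewpoint entries. A flagged line is a lead to verify with file properties, vendor and timestamps, the same way the helper in this thread works through the log, not a verdict on its own.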

 

10.4K Posts

December 17th, 2008 05:00


TSignus

Sorry for the delay

1. We need to uninstall SpyBot S&D. (Start ->> Control Panel ->> Add or Remove Programs)
You can reinstall it when we are finished. I need to make sure the infection hasn't hooked into any protection devices.

Once uninstalled, reboot your PC.

Rerun ComboFix; we are going to run a new script.

1. Open Notepad (not WordPad). Copy and paste the following into Notepad:


File::
c:\windows\system32\drivers\rwdvcfvv.sys
c:\windows\system32\dmconfigk.dll

Driver::
rwdvcfvv


Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

user posted image
  • You will be prompted to run ComboFix again; do so,
    following the same rules as indicated in my first post.
    Then post the contents of the C:\ComboFix.txt log in your reply.




16 Posts

December 17th, 2008 18:00

Hey, no worries at all about the delay. I really appreciate all the help you've been giving me and am very grateful.

I uninstalled Spybot and then ran that script on ComboFix and will post the log below. You mentioned being concerned that the infection might have hooked into my protection devices. I also have Ad-Aware and McAfee and something called WSCGuard (I think it's the protection program I installed that came with my wireless internet router). Should I uninstall any or all of these as well?

Anyway, here's the ComboFix log from after I uninstalled Spybot:

ComboFix 08-12-14.05 - Tim 2008-12-17 18:04:16.5 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.502.263 [GMT -8:00]
Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tim\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
c:\windows\system32\dmconfigk.dll
c:\windows\system32\drivers\rwdvcfvv.sys
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dmconfigk.dll
c:\windows\system32\drivers\rwdvcfvv.sys

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RWDVCFVV
-------\Service_rwdvcfvv


(((((((((((((((((((((((((   Files Created from 2008-11-18 to 2008-12-18  )))))))))))))))))))))))))))))))
.

2008-12-14 17:56 . 2008-12-16 10:17 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-14 17:56 . 2008-12-14 17:56 1,409 --a------ c:\windows\QTFont.for
2008-12-14 15:33 . 2008-12-14 15:35   d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2008-12-03 18:39 . 2008-12-03 18:39   d-------- c:\program files\Trend Micro
2008-12-01 19:59 . 2008-12-15 05:02   d-------- c:\documents and settings\Tim\.housecall6.6
2008-11-20 20:04 . 2008-11-20 20:04   d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-20 20:04 . 2008-11-20 20:04   d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-20 20:04 . 2008-11-20 20:04   d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-20 20:04 . 2008-11-20 20:04   d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 01:54 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-18 01:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-18 01:16 --------- d-----w c:\documents and settings\All Users\Application Data\WSC Guard
2008-12-17 01:46 --------- d-----w c:\documents and settings\Tim\Application Data\BitTorrent
2008-12-14 23:33 --------- d-----w c:\program files\Viewpoint
2008-12-14 23:33 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-14 23:32 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-14 23:23 --------- d-----w c:\program files\AIM95
2008-12-03 06:35 --------- d-----w c:\program files\DivX
2008-12-03 05:07 --------- d-----w c:\program files\Common Files\AOL
2008-12-03 05:01 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-12-01 22:03 --------- d-----w c:\program files\BYOND
2008-11-22 04:21 --------- d-----w c:\program files\Incomplete
2008-11-22 04:20 --------- d-----w c:\program files\LimeWire
2008-11-21 03:13 --------- d-----w c:\program files\DNA
2008-11-21 03:13 --------- d-----w c:\documents and settings\Tim\Application Data\DNA
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 07:20 --------- d-----w c:\documents and settings\Other\Application Data\Aim
2008-10-22 02:43 --------- d-----w c:\program files\BitTorrent
2008-08-07 23:40 21,656 -c--a-w c:\documents and settings\Tim\Application Data\GDIPFONTCACHEV1.DAT
2008-09-04 00:29 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
.

(((((((((((((((((((((((((((((   snapshot_2008-12-15_ 7.27.09.85   )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2008-10-17 10:08:40 3,593,216 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
- 2008-10-17 10:08:40 3,593,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-10-17 10:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-18 02:11:27 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7ec.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 4662776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-06 8720384]
"AOL Fast Start"="c:\program files\America Online 9.0\AOL.EXE" [2005-07-12 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2003-08-27 245760]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2003-08-21 180224]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-09-26 185632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-06 8720384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Linksys Wireless Guard.lnk - c:\program files\Linksys Wireless Guard\WscGuard.exe [2004-04-18 872526]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.D263"= xl_x263dec.dll
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
--a------ 2005-07-12 06:17 50776 c:\program files\America Online 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-r---c--- 2006-10-23 04:50 71216 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-05-14 17:01 644696 c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a--c--- 2007-04-12 13:23 42032 c:\program files\Common Files\AOL\1113882168\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2006-06-26 09:46 497200 c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2006-06-26 10:34 614960 c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2006-06-26 10:33 243248 c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2007-02-04 11:02 79400 c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 20:16 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-10-25 08:03 210472 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-09-26 21:49 185632 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
--a------ 2006-09-20 07:35 20480 c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"AOL ACS"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"mnmsrvc"=3 (0x3)
"McShield"=3 (0x3)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"InCDsrvR"=2 (0x2)
"InCDsrv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1113882168\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Sony\\Media Manager for PSP 2.5\\MediaManager.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Common Files\\AOL\\1113882168\\EE\\aolsoftware.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\DRIVERS\ppa.sys [2005-04-17 17792]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-12-14 24652]
R2 WSCNetManager;Linksys Wireless Guard Network Manager Service;"c:\program files\Linksys Wireless Guard\WscNetMgrSvc.exe" [2004-04-18 663635]
R3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys [2004-02-17 292352]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2004-02-17 273536]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\DRIVERS\DP83815.SYS [2004-07-15 18432]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\DRIVERS\NaiFiltr.sys [2005-04-18 23296]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\DRIVERS\rt2500usb.sys [2005-06-07 239488]

*Newly Created Service* - RWDVCFVV
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-12-12 c:\windows\Tasks\ecrunXP.job
- c:\enigmaclient\ecrunXP.bat []

2008-12-12 c:\windows\Tasks\McAfee.com Update Check (HD-1-crazy4horses).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-21 17:10]

2008-12-12 c:\windows\Tasks\McAfee.com Update Check (HD-1-crazy4horses).job
- c:\progra~1\mcafee.com\agent [2007-04-19 16:40]

2008-12-12 c:\windows\Tasks\McAfee.com Update Check (HD-1-Danny).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-21 17:10]

2008-12-12 c:\windows\Tasks\McAfee.com Update Check (HD-1-Danny).job
- c:\progra~1\mcafee.com\agent [2007-04-19 16:40]

2008-12-12 c:\windows\Tasks\McAfee.com Update Check (HD-1-Other).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-21 17:10]

2008-12-12 c:\windows\Tasks\McAfee.com Update Check (HD-1-Other).job
- c:\progra~1\mcafee.com\agent [2007-04-19 16:40]

2008-12-18 c:\windows\Tasks\McAfee.com Update Check (HD-1-Tim).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-21 17:10]

2008-12-18 c:\windows\Tasks\McAfee.com Update Check (HD-1-Tim).job
- c:\progra~1\mcafee.com\agent [2007-04-19 16:40]
.
- - - - ORPHANS REMOVED - - - -

BHO-{9BBCDEA8-6E27-4842-862E-CC739792746D} - c:\windows\system32\dmconfigk.dll
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride =

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 18:11:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\progra~1\McAfee.com\VSO\mcvsrte.exe
c:\windows\system32\snmp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\America Online 9.0\waol.exe
c:\program files\America Online 9.0\shellmon.exe
.
**************************************************************************
.
Completion time: 2008-12-17 18:18:49 - machine was rebooted
ComboFix-quarantined-files.txt  2008-12-18 02:18:02
ComboFix2.txt  2008-12-16 01:34:30
ComboFix3.txt  2008-12-15 15:29:09
ComboFix4.txt  2008-12-03 11:47:37
ComboFix5.txt  2008-12-18 02:03:05

Pre-Run: 4,793,348,096 bytes free
Post-Run: 4,845,137,920 bytes free

227 --- E O F --- 2008-12-11 07:28:10

10.4K Posts

December 18th, 2008 05:00


TSignus

Those other programs would not interfere with the removal tools we are using.
Looks like we successfully removed the infection.

Rerun HijackThis and post a fresh HijackThis log. And in your reply, give me an update on how your PC is running now.

16 Posts

December 18th, 2008 06:00

Well, since I performed the previous step, the pop-up windows have completely ceased, as have the little warning triangles that were constantly popping up in the bottom right corner of my screen. I've shut down and restarted several times and they haven't come back yet. I haven't checked to see if my computer is able to start in safe mode yet; I'm not sure if that had anything to do with the worm or not. Here's the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:44 AM, on 12/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys Wireless Guard\WscGuard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Linksys Wireless Guard.lnk = C:\Program Files\Linksys Wireless Guard\WscGuard.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Linksys Wireless Guard Network Manager Service (WSCNetManager) - Wireless Security Corporation - C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe

--
End of file - 2860 bytes

10.4K Posts

December 18th, 2008 08:00

TSignus

Excellent. Try Safe Mode and reply with the results.

16 Posts

December 18th, 2008 09:00

No luck. When I select safe mode it starts to load it (you can see it listing the various drivers it's loading in a column) and then the screen flashes blue with white text for less than a second and the whole computer just restarts. There's no time for me to read what that text says but it looks more like one of those screens when you have a computer without an operating system loaded on it than a normal screen of text.

10.4K Posts

December 22nd, 2008 13:00


TSignus

Let's do this:

Download and run this file: SafeBoot repair tool

Reboot your PC and reply with the results.

16 Posts

December 22nd, 2008 19:00

I ran the SafeBoot repair program and will post the log below. After running SafeBoot, I tried to go into safe mode again (just to see if anything had changed) and it still does the exact same blue screen then restart thing rather than going into safe mode. But here's the log that SafeBoot created:

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\procexp90.Sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\procexp90.Sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sharedaccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\UploadMgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\procexp90.Sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\PSEXESVC

10.4K Posts

December 29th, 2008 09:00


TSignus

Open Notepad (not WordPad)
Select Edit and uncheck Word Wrap
Copy and paste the following into Notepad
(making sure there is no space between the top of the window and the first line)

Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\procexp90.Sys]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\procexp90.Sys]

After you copy and paste it your cursor should be at the end of the first line
Hit Enter so your cursor is under the last line
  • Click File->> Save as->>type in fix.reg->>
    Under "Save as type" select "All Files"->> save it to your Desktop
    Close Notepad

The fix.reg file should now appear on your Desktop (if it saved properly it will look like a stack of small blue blocks)

Right-click and select Merge->>If prompted to merge this select Yes (it will appear that nothing has happened but that's o.k.)

Reboot and reply with the results.
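As an added example (not code from this thread, from ComboFix, or from the SafeBoot repair tool), here is a small Python script that does by program what the post above does by hand: it parses a regedit 5.00 export like the SafeBoot dump posted earlier, lists what sits directly under SafeBoot\Minimal and SafeBoot\Network, checks which of a given set of names are actually present, and writes the `[-key]` removal file that regedit deletes on merge. The sample export inside it is a constructed excerpt in the same shape as the posted one, and every function name is this example's own; the two target names come from the entries the repair tool listed at the end of its log.

```python
"""Parse a regedit 5.00 export of the SafeBoot key and emit a removal .reg file.

Added example; not code from this thread, ComboFix or the SafeBoot repair tool.
SAMPLE_EXPORT is a constructed excerpt in the same shape as the export posted
above, and every function name here is this example's own.
"""
import re

SAFEBOOT = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot"

# Constructed excerpt (a few keys, same layout as the posted export).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\procexp90.Sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\procexp90.Sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                  # [path] or [-path]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # @=... or "name"=...


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a regedit 4/5.00 export.

    String data has its quotes and backslash escapes removed; any other
    data type (dword:, hex:) is kept as the raw right-hand side.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def safeboot_entries(keys, profile):
    """Leaf names directly under SafeBoot\\<profile>, sorted case-insensitively."""
    prefix = (SAFEBOOT + "\\" + profile + "\\").lower()
    names = []
    for key in keys:
        if key.lower().startswith(prefix):
            leaf = key[len(prefix):]
            if "\\" not in leaf:
                names.append(leaf)
    return sorted(names, key=str.lower)


def present_entries(keys, profile, names):
    """Which of `names` exist under the profile (registry names are case-insensitive)."""
    present = {n.lower(): n for n in safeboot_entries(keys, profile)}
    return [present[n.lower()] for n in names if n.lower() in present]


def removal_reg(names, profiles=("Minimal", "Network")):
    """Build the .reg text that deletes the named entries from each profile.

    A leading '-' inside the brackets makes regedit delete the key on merge.
    The text ends with a newline because regedit can ignore a final line
    that has none, which is why the post above says to press Enter last.
    """
    for name in names:
        if not name or "\\" in name or "]" in name:
            raise ValueError("entry name must be a single key component: %r" % name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for profile in profiles:
        for name in names:
            lines.append("[-%s\\%s\\%s]" % (SAFEBOOT, profile, name))
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for profile in ("Minimal", "Network"):
        print(profile, safeboot_entries(parsed, profile))
    targets = present_entries(parsed, "Minimal", ["procexp90.Sys", "PSEXESVC"])
    print(removal_reg(targets))
```

Run it against the real export by reading the file into `parse_reg_export` instead of `SAMPLE_EXPORT`; the full export posted above is also the rollback, since merging it again recreates anything removed by mistake. The script only writes the file and never touches the registry itself: deciding which names to merge out stays a judgement call, as in the post above. For what it is worth, `procexp90.Sys` and `PSEXESVC` are the names Sysinternals Process Explorer and PsExec register, which is why they stand out in a list that is otherwise driver groups and core services.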

16 Posts

December 29th, 2008 19:00

I wasn't sure if you meant you wanted the results of another HijackThis scan, so I ran another and will post the results below. Still restarting whenever I try to open in safe mode after giving me that blue screen briefly.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:49 PM, on 12/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Linksys Wireless Guard.lnk = C:\Program Files\Linksys Wireless Guard\WscGuard.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Linksys Wireless Guard Network Manager Service (WSCNetManager) - Wireless Security Corporation - C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe

--
End of file - 2408 bytes
