Thanks again for your help. I am running ComboFix again as requested. One thing I wanted to let you know was what went on last night when I tried to run ComboFix the first time. After the progress bar disappeared, I got an error message (probably nothing, but you never know):
Error- win 32 only- Incompatible OS- ComboFix only works with Windows 2000 and XP
Nevertheless, it did run, then ComboFix said it needed to be updated, which I did. It seemed to update successfully, asked for a reboot (which I did), and then when the computer rebooted, nothing happened, so I restarted ComboFix again. It ran again and then said it needed to be updated, which I declined, then when it finished running, the log was produced. Should I update ComboFix again, if it asks to be updated?
It also asked to install Windows Recovery Console, which I also installed. I think that's everything.
I will run ComboFix again and post the log tonight.
Can't start computer with Windows in normal or safe mode. I get the BSOD on normal start up (I did write down the technical information on the BSOD if you need that), and when I try to start in safe mode, a list of system files loads and nothing else happens. The list looks like this:
This weekend, I used Dell PC Restore and got the computer up and running again. It's still a little hinky (I'm getting pop-ups when I'm on the internet, even though my pop-up blocker is set to high). Are you still interested in a HijackThis log?
Thank you for your previous help, my brother (another volunteer tech support on the Dell forums) is the one who suggested using Dell PC restore.
Seems like the problems are still happening. I was getting one or two pop-ups, ads for something called "regCure", which I closed using Task Manager. IE is still hanging up, so I tried to download updates for IE, and I can't do that; MS suggested checking services.msc to make sure Automatic Updates was on and running. Despite several attempts to start it, every time I would get the same error from MS; I would open the Services window and the update service would be disabled. I rebooted, and got a bunch of trojan warnings from Avira (ex: TR/spy.Zbot.afkx, TR.Fraudpack.amgi, etc).
And I do have an XP disk (reinstallation disk) available, if needed.
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:23 PM, on 2/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
bamajim, 10.4K Posts, February 12th, 2010 17:00
1. Spyware Doctor's OnGuard protective functionality may interfere with certain HijackThis fixes we need to make. Please follow these instructions to disable it:
To deactivate Spyware Doctor's OnGuard Tools:
- From within Spyware Doctor, click the "OnGuard" button on the left side.
- Uncheck "Activate OnGuard".
You can re-enable it once your system is clean.
2. Rerun HijackThis (scan only) and place checks beside the following entries:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
O17 - HKLM\System\CCS\Services\Tcpip\..\{846E1038-E925-4C50-9496-65A69A72D781}: NameServer = 93.188.163.117,93.188.161.65
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.117,93.188.161.65
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.117,93.188.161.65
Close all other open windows except HijackThis and select "Fix checked".
Close HijackThis ->> Reboot your PC ->> Rerun HijackThis and post a fresh HijackThis log.
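As an added example (not part of this thread and not HijackThis's own code), here is a small Python checker that parses lines in the HijackThis format shown above and reports the same two kinds of entry the helper asked to have fixed: O17 NameServer entries pointing at resolvers outside an expected set, and an R1 ProxyOverride. The sample log is constructed from this post's entries plus two benign lines, and EXPECTED_DNS is an assumed placeholder for the resolvers the owner or ISP actually configured.

```python
import re
from dataclasses import dataclass

# Constructed sample: the entries the helper asked to be fixed, plus header, process
# and O23 lines in the same HijackThis layout, so the checks fire only where they should.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ksn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
O17 - HKLM\System\CCS\Services\Tcpip\..\{846E1038-E925-4C50-9496-65A69A72D781}: NameServer = 93.188.163.117,93.188.161.65
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.117,93.188.161.65
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.117,93.188.161.65
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# Resolvers the owner/ISP is known to have configured. Assumption: a constructed
# placeholder; in practice take these from the router or ISP, never from the log itself.
EXPECTED_DNS = {"192.168.1.1"}

# A classified HijackThis entry: section code (R0-R3, F0-F3, N1-N4, O1-O24), " - ", body.
HJT_ENTRY = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Body of an O17 NameServer entry: "<registry key>: NameServer = ip[,ip...]"
NAMESERVER = re.compile(r"^(?P<key>.+?): NameServer = (?P<servers>[\d.,\s]+)$")


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "R1", "O17", "O23"
    body: str      # everything after "<section> - "


def parse_hjt(text: str) -> list[Entry]:
    """Keep only classified entries; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def nameservers(entry: Entry) -> tuple[str, list[str]]:
    """For an O17 NameServer entry return (registry key, [ips]); otherwise ("", [])."""
    if entry.section != "O17":
        return "", []
    m = NAMESERVER.match(entry.body)
    if not m:
        return "", []
    ips = [s.strip() for s in m["servers"].split(",") if s.strip()]
    return m["key"], ips


def unexpected_resolvers(entries: list[Entry], expected_dns: set[str]) -> dict[str, list[str]]:
    """Map each resolver IP outside expected_dns to the registry keys referencing it.
    In this log the same pair shows up under CCS, CS1 and a per-interface key, which
    is why the helper listed all three O17 lines to be fixed rather than just one."""
    hits: dict[str, list[str]] = {}
    for e in entries:
        key, ips = nameservers(e)
        for ip in ips:
            if ip not in expected_dns:
                hits.setdefault(ip, []).append(key)
    return hits


def review(entries: list[Entry], expected_dns: set[str]) -> list[tuple[str, str]]:
    """Return (section, reason) pairs for the lines a helper would ask to have fixed."""
    findings = []
    for e in entries:
        key, ips = nameservers(e)
        bad = [ip for ip in ips if ip not in expected_dns]
        if bad:
            findings.append((e.section, f"{key} resolves via unexpected DNS {', '.join(bad)}"))
        elif e.section == "R1" and "ProxyOverride" in e.body:
            findings.append((e.section, "ProxyOverride set: confirm the owner configured a proxy"))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for section, reason in review(parsed, EXPECTED_DNS):
        print(f"{section}: {reason}")
    for ip, keys in unexpected_resolvers(parsed, EXPECTED_DNS).items():
        print(f"{ip} referenced from {len(keys)} registry location(s)")
```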
sko6786, 10 Posts, February 13th, 2010 07:00
Thank you for your help. Here is the new log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:12 AM, on 2/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Caroline S Hayes\My Documents\Hijack this\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ksn.com/content/weather/gardencity/default.aspx?zip=67846
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ksn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 942] "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
O4 - HKLM\..\Run: [DellMCM] C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
O4 - HKLM\..\Run: [DLBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.8.98/cab/aolpPlugins.10.6.0.6.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129496018609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219923740419
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {83EF1847-D835-490B-8D9D-90B2987D66E8} - http://pictures.aolcdn.com/ap/Resources/1.0.2.19.b//cab/YgpUploader.9.3.2.3.cab
O16 - DPF: {A97B2058-825A-4B18-93CE-1483855578D1} - http://pictures.aolcdn.com/ap/Resources/1.0.2.19.b//cab/PicEditor.en-US.9.3.2.1.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8858 bytes
bamajim, 10.4K Posts, February 15th, 2010 09:00
You are most welcome.
1. Go HERE and download File Lister.
Copy and paste the contents of that log in your reply.
sko6786, 10 Posts, February 15th, 2010 12:00
Here are the results of the File Lister log:
====== Running Processes ======
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\SoftwareDistribution\Download\abce9aad3dbe2b7775faf585c070cc03\update\update.exe
====== BHO's ======
BHO: (NO NAME) - -
====== HKLM\~\Run Keys ======
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
====== HKCU\~\Run Keys ======
====== DNS Info (List may be empty) ======
====== Folders and Files from "%\" and "%\Windows" Created Last 60 Days ======
2/10/2010 3:28:57 PM 0 C:\Config.Msi
2/15/2010 2:40:39 PM 2069 32 C:\Files.txt
1/12/2010 6:47:41 PM 2281213 C:\WINDOWS\$NtUninstallKB955759$
1/12/2010 6:47:41 PM 626219 C:\WINDOWS\$NtUninstallKB955759$\spuninst
1/12/2010 6:46:18 PM 827910 C:\WINDOWS\$NtUninstallKB972270$
1/12/2010 6:46:18 PM 626182 C:\WINDOWS\$NtUninstallKB972270$\spuninst
2/15/2010 2:39:13 PM 0 C:\WINDOWS\LastGood
2/15/2010 2:39:13 PM 0 C:\WINDOWS\LastGood\INF
1/12/2010 6:47:30 PM 8343 32 C:\WINDOWS\KB955759.log
1/12/2010 6:45:07 PM 6765 32 C:\WINDOWS\KB972270.log
2/15/2010 2:39:55 PM 4175 32 C:\WINDOWS\KB975560.log
2/15/2010 2:40:11 PM 3935 32 C:\WINDOWS\KB975713.log
2/15/2010 2:39:33 PM 5685 32 C:\WINDOWS\KB977914.log
2/15/2010 2:40:16 PM 4013 32 C:\WINDOWS\KB978037.log
1/22/2010 3:00:27 AM 14170 32 C:\WINDOWS\KB978207-IE8.log
2/15/2010 2:39:11 PM 5317 32 C:\WINDOWS\KB978706.log
2/10/2010 3:42:05 PM 1409 32 C:\WINDOWS\QTFont.for
2/10/2010 3:42:05 PM 54156 34 C:\WINDOWS\QTFont.qfn
12/18/2009 3:38:05 PM 1221512 32 C:\WINDOWS\system32\zpeng25.dll
====== "\Administrator\Startup" Last 60 Days======
====== "\All Users\Startup" Last 60 Days======
====== "\Program Files" Last 60 Days======
2/10/2010 3:28:15 PM 67804697 C:\Program Files\Spyware Doctor
2/11/2010 5:14:15 PM 59507624 C:\Program Files\Windows Live Safety Center
======"Drivers" Modified Last 60 Days======
====== Files Deleted under "%Temp%" ======
37 Files deleted
======"All Users\Application Data" Last 60 Days======
2/10/2010 3:28:15 PM 0 C:\Documents and Settings\All Users\Application Data\PC Tools
2/10/2010 3:28:15 PM 0 C:\Documents and Settings\All Users\Application Data\PC Tools\Temp
====== HKLM\~\ShellServiceObjectDelayLoad======
====== HKLM\~\SharedTaskScheduler======
======HKLM\~\msconfig\startupreg======
HKLM\Software\microsoft\shared tools\msconfig\startupreg\
====== Services ( Services that are Whitelisted are not shown) ======
avipbb (avipbb)- C:\WINDOWS\system32\DRIVERS\avipbb.sys - System/Running
bvrp_pci (bvrp_pci)- - Manual/Stopped
drvmcdb (drvmcdb)- C:\WINDOWS\system32\drivers\drvmcdb.sys - Boot/Running
drvnddm (drvnddm)- C:\WINDOWS\system32\drivers\drvnddm.sys - Auto/Running
E100B (Intel(R) PRO Network Connection Driver)- C:\WINDOWS\system32\DRIVERS\e100b325.sys - Manual/Running
IntelC51 (IntelC51)- C:\WINDOWS\system32\DRIVERS\IntelC51.sys - Manual/Running
IntelC52 (IntelC52)- C:\WINDOWS\system32\DRIVERS\IntelC52.sys - Manual/Running
IntelC53 (IntelC53)- C:\WINDOWS\system32\DRIVERS\IntelC53.sys - Manual/Running
MCSTRM (MCSTRM)- C:\WINDOWS\system32\drivers\MCSTRM.sys - Auto/Running
MHNDRV (MHN driver)- C:\WINDOWS\system32\DRIVERS\mhndrv.sys - Manual/Stopped
mohfilt (mohfilt)- C:\WINDOWS\system32\DRIVERS\mohfilt.sys - Manual/Running
NdisIP (Microsoft TV/Video Connection)- C:\WINDOWS\system32\DRIVERS\NdisIP.sys - Manual/Stopped
PCTCore (PCTools KDS)- C:\WINDOWS\system32\drivers\PCTCore.sys - Boot/Running
SLIP (BDA Slip De-Framer)- C:\WINDOWS\system32\DRIVERS\SLIP.sys - Manual/Stopped
srescan (srescan)- C:\WINDOWS\system32\ZoneLabs\srescan.sys - Boot/Running
sscdbhk5 (sscdbhk5)- C:\WINDOWS\system32\drivers\sscdbhk5.sys - System/Running
ssmdrv (ssmdrv)- C:\WINDOWS\system32\DRIVERS\ssmdrv.sys - System/Running
ssrtln (ssrtln)- C:\WINDOWS\system32\drivers\ssrtln.sys - System/Running
STHDA (High Definition Audio Driver (WDM) - SigmaTel CODEC)- C:\WINDOWS\system32\drivers\sthda.sys - Manual/Running
tfsnboio (tfsnboio)- C:\WINDOWS\system32\dla\tfsnboio.sys - Auto/Running
tfsncofs (tfsncofs)- C:\WINDOWS\system32\dla\tfsncofs.sys - Auto/Running
tfsndrct (tfsndrct)- C:\WINDOWS\system32\dla\tfsndrct.sys - Auto/Running
tfsndres (tfsndres)- C:\WINDOWS\system32\dla\tfsndres.sys - Auto/Running
tfsnifs (tfsnifs)- C:\WINDOWS\system32\dla\tfsnifs.sys - Auto/Running
tfsnopio (tfsnopio)- C:\WINDOWS\system32\dla\tfsnopio.sys - Auto/Running
tfsnpool (tfsnpool)- C:\WINDOWS\system32\dla\tfsnpool.sys - Auto/Running
tfsnudf (tfsnudf)- C:\WINDOWS\system32\dla\tfsnudf.sys - Auto/Running
tfsnudfa (tfsnudfa)- C:\WINDOWS\system32\dla\tfsnudfa.sys - Auto/Running
wanatw (WAN Miniport (ATW))- C:\WINDOWS\system32\DRIVERS\wanatw4.sys - Manual/Running
WinDriver6 (Alohabob USB Bridge Cable Driver)- C:\WINDOWS\system32\drivers\windrvr6.sys - Manual/Stopped
ZSMC303 (VIMICRO USB PC Camera (ZC0301PLH))- C:\WINDOWS\system32\Drivers\usbVM303.sys - Manual/Stopped
====== Uninstall List ======
======== Other Info ========
TOTAL PHYSICAL RAM: 526 MB
Boot Info
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn
OS Type: Microsoft Windows XP Professional
Build: 5.1.2600
Service Pack: 3.0
====== Files with Hidden Attributes======
C:\hiberfil.sys
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\NTDETECT.COM
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012009020320090204\index.dat
==End of Report==
bamajim, 10.4K Posts, February 16th, 2010 06:00
Please download Combofix and save to your desktop:
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.
sko6786, 10 Posts, February 16th, 2010 21:00
Wow, that took longer than I thought it would. Anyway, here is the log from ComboFix:
ComboFix 10-02-16.01 - Caroline S Hayes 02/16/2010 23:05:01.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.208 [GMT -6:00]
Running from: c:\documents and settings\Caroline S Hayes\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\AUHook.dll
c:\windows\system32\devmgr32.dll
c:\windows\system32\DMUSIC32.DLL
.
((((((((((((((((((((((((( Files Created from 2010-01-17 to 2010-02-17 )))))))))))))))))))))))))))))))
.
2010-02-11 23:14 . 2010-02-11 23:20 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-10 21:57 . 2010-02-10 21:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-10 21:31 . 2010-02-10 21:31 -------- d-----w- c:\documents and settings\Caroline S Hayes\Local Settings\Application Data\Threat Expert
2010-02-10 21:29 . 2009-10-30 17:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-10 21:29 . 2009-11-09 17:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-10 21:29 . 2009-10-06 22:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-10 21:28 . 2009-09-03 15:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-10 21:28 . 2010-02-13 15:34 -------- d-----w- c:\program files\Spyware Doctor
2010-02-10 21:28 . 2010-02-10 21:30 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-10 21:28 . 2010-02-10 21:28 -------- d-----w- c:\documents and settings\Caroline S Hayes\Application Data\PC Tools
2010-02-10 21:28 . 2010-02-10 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-13 15:35 . 2008-11-28 13:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-13 11:56 . 2010-02-13 15:31 1476608 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-02-12 23:24 . 2009-10-06 13:32 -------- d-----w- c:\documents and settings\Caroline S Hayes\Application Data\Pharaohs Secret
2010-02-12 23:21 . 2009-05-05 22:54 10823452 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-02-10 23:26 . 2005-10-23 16:44 -------- d---a-w- c:\program files\Spybot - Search & Destroy
2010-02-10 23:26 . 2005-11-07 00:56 -------- d-----w- c:\documents and settings\Caroline S Hayes\Application Data\Spybot - Search & Destroy
2010-02-10 23:26 . 2008-04-27 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-10 22:51 . 2005-10-30 12:30 6294 ----a-w- c:\documents and settings\Caroline S Hayes\Application Data\wklnhst.dat
2010-02-08 12:05 . 2005-11-13 15:55 -------- d-----w- c:\program files\Dl_cats
2010-02-02 12:08 . 2005-10-16 21:39 -------- d-----w- c:\program files\Google
2010-01-30 05:30 . 2010-01-30 11:27 1410560 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-01-16 15:38 . 2010-01-16 16:03 1403904 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-12-31 16:50 . 2005-10-08 19:33 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-23 10:23 . 2009-12-31 11:56 1371648 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2009-12-21 19:14 . 2004-08-19 20:49 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 21:38 . 2005-10-16 21:44 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-12-16 18:43 . 2004-08-19 21:01 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-19 20:49 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-12 13:39 . 2009-12-12 13:39 6725632 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181625-18178.dll
2009-12-12 13:36 . 2009-05-30 13:14 245760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-12-07 23:02 . 2009-11-26 15:38 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-04 18:22 . 2005-10-08 19:33 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-19 20:49 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 05:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-19 20:49 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-19 20:49 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-19 20:49 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 05:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2004-08-19 20:49 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2005-12-23 14:29 . 2005-12-23 14:29 251 -c--a-w- c:\program files\wt3d.ini
2006-06-04 23:48 . 2006-01-02 01:18 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-05 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Dell Photo AIO Printer 942"="c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2005-04-28 294912]
"DellMCM"="c:\program files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 262144]
"DLBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2004-11-10 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-10-08 98304]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 05:46 57344 -c--a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2004-04-07 17:07 496752 ----a-w- c:\program files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2006-04-06 15:51 49152 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2008-04-14 00:12 50176 -c--a-w- c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-04-06 00:19 77824 ----a-w- c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-04-06 00:22 94208 ----a-w- c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 -c--a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2006-01-17 19:03 53248 -c--a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2006-01-17 19:03 135168 -c--a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
2007-11-07 22:59 69632 -c--a-w- c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2005-04-06 00:23 114688 ----a-w- c:\windows\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-10-08 20:05 98304 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2007-11-07 22:59 214608 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 19:03 36975 -c--a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-11-07 22:59 185632 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
2009-02-16 06:10 981384 ----a-w- c:\program files\Zone Labs\ZoneAlarm\zlclient.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"=c:\program files\AIM95\aim.exe -cnetwait.odl
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 6.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2/10/2010 3:29 PM 207792]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/26/2009 9:38 AM 108289]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/11/2009 5:26 AM 24652]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 6:08 AM 135664]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/10/2010 3:28 PM 359624]
.
Contents of the 'Scheduled Tasks' folder
2010-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 12:08]
2010-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 12:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ksn.com/content/weather/gardencity/default.aspx?zip=67846
uDefault_Search_URL =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar =
mWindow Title = Microsoft Internet Explorer provided by America Online
uInternet Connection Wizard,ShellNext = hxxp://www.ksn.com/
uSearchAssistant = hxxp://www.google.com/ie
uCustomizeSearch =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: c:\program files\COMMON FILES\BTLINK\BTLINK.DLL//iemenu
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {83EF1847-D835-490B-8D9D-90B2987D66E8} - hxxp://pictures.aolcdn.com/ap/Resources/1.0.2.19.b//cab/YgpUploader.9.3.2.3.cab
DPF: {A97B2058-825A-4B18-93CE-1483855578D1} - hxxp://pictures.aolcdn.com/ap/Resources/1.0.2.19.b//cab/PicEditor.en-US.9.3.2.1.cab
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)
MSConfigStartUp-AIM - c:\program files\AIM95\aim.exe
MSConfigStartUp-BigDog303 - c:\windows\VM303_STI.EXE
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
AddRemove-HijackThis - c:\documents and settings\Caroline S Hayes\My Documents\HijackThis.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-16 23:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys PCTCore.sys atapi.sys >>UNKNOWN [0x82B728C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8539f28
\Driver\ACPI -> ACPI.sys @ 0xf83accb8
\Driver\atapi -> atapi.sys @ 0xf8341b3a
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2464)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-02-16 23:23:44
ComboFix-quarantined-files.txt 2010-02-17 05:23
Pre-Run: 109,935,161,344 bytes free
Post-Run: 109,986,938,880 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn
- - End Of File - - FEFEE6AA66D773E82CE44548C6B4C474
bamajim
10.4K Posts
0
February 17th, 2010 09:00
Sometimes it takes a while, depending on the depth of the infection.
But we still have a problem. So rerun Combofix again (in Normal Windows mode) and post the next Combofix log.
sko6786
10 Posts
0
February 17th, 2010 14:00
Thanks again for your help. I am running ComboFix again as requested. One thing I wanted to let you know was what went on last night when I tried to run ComboFix the first time. After the progress bar disappeared, I got an error message (probably nothing, but you never know):
Error- win 32 only- Incompatible OS- ComboFix only works with Windows 2000 and XP
Nevertheless, it did run, then ComboFix said it needed to be updated, which I did. It seemed to update successfully, asked for a reboot (which I did), and then when the computer rebooted, nothing happened, so I restarted ComboFix again. It ran again and then said it needed to be updated, which I declined, then when it finished running, the log was produced. Should I update ComboFix again, if it asks to be updated?
It also asked to install Windows Recovery Console, which I also installed. I think that's everything.
I will run ComboFix again and post the log tonight.
sko6786
10 Posts
0
February 17th, 2010 15:00
Big Problems! Never even got to rerun ComboFix.
Can't start computer with Windows in normal or safe mode. I get the BSOD on normal start up (I did write down the technical information on the BSOD if you need that), and when I try to start in safe mode, a list of system files loads and nothing else happens. The list looks like this:
multi(0)disk(0)disk(0)partition(2)\windows\system32\drivers\ANCI.sys
with several different files listed.
As I said above, I did download the windows recovery console, and that option is available (I can get to that screen at least).
Let me know what to do.
bamajim
10.4K Posts
0
February 18th, 2010 06:00
The infection has corrupted the system driver atapi.sys.
See if you can reboot into the Safe Mode screen, then select the Last Known Good Configuration setting and see if it will reboot.
sko6786
10 Posts
0
February 18th, 2010 15:00
Still getting the BSOD, even after trying to start the last known good configuration.
Don't know if it will help, but here is the error listed:
***STOP: 0x0000007E (0xC000001d, 0x80537008, 0xF89103B8, 0xF89100B4)
bamajim
10.4K Posts
0
February 23rd, 2010 14:00
Do you have the XP OS (Operating System) disk that came with your PC?
If so, we are going to do a Repair install.
Follow the instructions HERE.
Scroll down to XP Repair install.
Once done, reply with a fresh HijackThis log.
sko6786
10 Posts
0
February 23rd, 2010 15:00
Hi bamajim,
This weekend, I used Dell PC restore and got the computer up and running again. It's still a little hinky (I'm getting pop-ups when I'm on the internet, even though my pop-up blocker is set to high). Are you still interested in a HijackThis log?
Thank you for your previous help, my brother (another volunteer tech support on the Dell forums) is the one who suggested using Dell PC restore.
Let me know.
bamajim
10.4K Posts
0
February 24th, 2010 11:00
sko6786
Glad to hear it. Let's see a fresh Hijackthis log please.
sko6786
10 Posts
0
February 24th, 2010 15:00
Seems like the problems are still happening. I was getting one or two pop-ups, ads for something called "regCure", and closed them using Task Manager. IE is still hanging up, so I tried to download updates for IE, and I can't do that. MS suggested checking services.msc to make sure Automatic Updates was on and running. Despite several attempts to start it, every time I would get the same error from MS; I would open the Services window and the update service would be disabled. I rebooted, and got a bunch of trojan warnings from Avira (ex: TR/spy.Zbot.afkx, TR.Fraudpack.amgi, etc).
And I do have an XP disk (reinstallation disk) available, if needed.
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:23 PM, on 2/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Caroline Hayes\My Documents\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ksn.com/content/weather/gardencity/default.aspx?zip=67846
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe amht.xfo kixxkk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [DLBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Ywumihodu] rundll32.exe "C:\WINDOWS\ukudarib.dll",Startup
O4 - HKLM\..\Run: [huhupizan] Rundll32.exe "c:\windows\system32\soyabodu.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266795033437
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: zunadahi.dll c:\windows\system32\soyabodu.dll
O21 - SSODL: hayiluvar - {2a1169e6-088e-4caf-8ff8-ffaa044687ce} - c:\windows\system32\soyabodu.dll
O22 - SharedTaskScheduler: tokatiluy - {2a1169e6-088e-4caf-8ff8-ffaa044687ce} - c:\windows\system32\soyabodu.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8797 bytes