Please download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause the program to freeze/hang.
bamajim, many thanks for your help. Here is the combofix.txt file
Save the file as CFScript (exactly as shown, no spaces). Save it to your Desktop.
Using the image as a reference, drag CFScript into ComboFix.exe.
You will be prompted to run Combofix again. Do so, following the same rules as indicated in my first post. Then post the contents of the C:\ComboFix.txt log in your reply.
and in the File to Submit box, click Browse. Using Windows Explorer
(right click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window; click on the "+" next to any folder name to expand its contents),
locate the file
C:\Program Files\tmp14825781.exe
In the comments, tell them that I asked you to upload the file. Then select Send File.
Repeat for this file as well
C:\Program Files\tmp14825625.exe
2. Do you have any USB storage devices connected to the PC, or USB storage devices that you plug in on a regular basis?
Save the file as CFScript (exactly as shown, no spaces). Save it to your Desktop.
Using the image as a reference, drag CFScript into ComboFix.exe.
You will be prompted to run Combofix again. Do so, following the same rules as indicated in my first post. Then post the contents of the C:\ComboFix.txt log in your reply.
2. Rerun HijackThis and post a fresh HijackThis log as well.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:41 AM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Below are the log files for combofix. The HijackThis log is in a separate reply. I tried to delete kmd.exe but I don't think I was successful. The file is not listed in c:\ anymore, but it is not in my recycle bin either (view hidden files is on).
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
Most recent HJT log is below after following your instructions. I have not experienced the pop-up windows that were an issue before. The browser hijacking was only within IE7. I tried to delete all the IE items I could and have not used IE for the last few days. I am using Firefox and I never had a hijacking problem with the Firefox browser. The only remaining issue that is obvious to me is that McAfee and Spyware Doctor report some aspects of combofix as being a virus. Once this episode is over I would like to delete combofix from my machine. In case you think my machine looks clean, my sincere thanks for your help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:34 PM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
McAfee has been known to flag some files of malware removal as infected, which they are not.
Your problems with IE indicate you may need to reinstall the application.
You may now remove/delete/uninstall the tools we used to clean your PC.
Now that your log is clean, there are some final notes:
Disable and Enable System Restore. Let's create a clean System Restore point; the instructions are here.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6.u4. Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". Click the "Download" button to the right. Check the box that says "Accept License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop. Close any programs you may have running, especially your web browser. Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u4-windowsi586-p.exe to install the newest version.
Update your Anti Virus Software
Use and maintain a Firewall
Visit Microsoft's Windows Update Site Frequently for critical updates
Backup your Important Documents and Files on a regular basis
bamajim
10.4K Posts
0
February 6th, 2008 12:00
Please download Combofix and save to your desktop:
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.
"The world is what you make of it"
midwestguy
10 Posts
0
February 6th, 2008 16:00
ComboFix 08-02.05.3 - Family 2008-02-06 13:12:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.601 [GMT -5:00]
Running from: C:\Documents and Settings\Family\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.
2008-02-05 17:59 . 2008-02-05 17:59 10,240 --a------ C:\Program Files\tmp14825781.exe
2008-02-05 17:59 . 2008-02-05 17:59 10,240 --a------ C:\Program Files\tmp14825625.exe
2008-02-05 13:37 . 2008-02-05 13:37
2008-02-05 13:35 . 2008-02-05 13:35 812,344 --a------ C:\Temp\HJTInstall.exe
2008-02-05 13:23 . 2008-02-05 13:23 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-02-04 18:46 . 2008-02-04 18:45 6,489,077 --a------ C:\Temp\Trumpeter Swan 2008.zip
2008-02-02 12:17 . 2008-02-02 12:21
2008-02-02 12:00 . 2008-02-02 12:00
2008-02-01 13:46 . 2008-02-01 13:47 15,452,536 --a------ C:\Temp\IE7-WindowsXP-x86-enu.exe
2008-02-01 12:06 . 2008-02-01 12:06
2008-02-01 12:06 . 2008-02-01 12:05 1,528,418 --a------ C:\Temp\revosetup.exe
2008-01-31 19:01 . 2008-01-31 15:33 7,467,056 --a------ C:\Temp\spybotsd15.exe
2008-01-31 06:30 . 2008-01-31 06:30
2008-01-31 06:29 . 2008-01-31 06:30
2008-01-31 06:29 . 2008-01-31 06:29
2008-01-31 06:27 . 2008-01-31 06:35
2008-01-30 16:57 . 2008-01-30 16:57
2008-01-23 19:57 . 2008-01-23 19:57
2008-01-23 13:56 . 2008-01-23 13:56
2008-01-23 13:52 . 2008-01-23 13:52
2008-01-23 13:47 . 2008-01-23 13:46 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-01-23 13:47 . 2008-01-23 13:46 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-23 13:47 . 2008-01-23 13:46 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 15:09 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-05 15:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-05 14:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-04 22:15 --------- d-----w C:\Program Files\ProfessorFizzwizzleFull_at
2008-02-02 17:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 17:14 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-02 17:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-02-02 11:43 --------- d-----w C:\Program Files\McAfee
2008-01-31 20:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-31 20:56 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-31 19:41 --------- d-----w C:\Program Files\DIGStream
2008-01-23 18:46 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-23 18:46 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-01-23 18:46 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-01-13 00:59 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-07 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Thayer Birding Software
2007-12-28 01:15 --------- d-----w C:\Documents and Settings\Family\Application Data\PKWARE
2007-12-28 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\PKWARE
2007-12-28 01:14 --------- d-----w C:\Program Files\PKWARE
2007-12-28 01:14 --------- d-----w C:\Program Files\Common Files\PKWARE
2007-12-27 21:29 --------- d-----w C:\Documents and Settings\Family\Application Data\CoreFTP
2007-12-26 22:18 --------- d-----w C:\Documents and Settings\Family\Application Data\SmartFTP
2007-12-24 21:46 --------- d-----w C:\Program Files\WonderlandAdventures_at
2007-12-23 15:13 --------- d-----w C:\Documents and Settings\Family\Application Data\Canon
2007-12-14 23:51 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-12-14 23:51 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2006-06-18 15:26 251 ----a-w C:\Program Files\wt3d.ini
2005-12-28 19:52 56 --sh--r C:\WINDOWS\system32\532815B022.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 14:45 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-07 14:41 155648]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33 582992]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 00:43 67488]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-05-18 17:53:24 155648]
SecureZIP Attachments Status.lnk - C:\Program Files\PKWARE\PKZIPM\11.20.0008\PKTray.exe [2007-12-27 20:14:55 197984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zip"= {a94eb56a-1dd6-4c9d-9bcc-ca3afc957c62} - C:\WINDOWS\Installer\{a94eb56a-1dd6-4c9d-9bcc-ca3afc957c62}\zip.dll [2008-01-31 13:31 38950]
"AlrtRunOnce"= {19daedaa-6e4e-4080-ba9f-bfaa8002291a} - C:\WINDOWS\Installer\{19daedaa-6e4e-4080-ba9f-bfaa8002291a}\AlrtRunOnce.dll [2008-02-04 20:09 14374]
"VolumeRom"= {457122cb-03ba-4c1c-a3e0-70ebde136f98} - C:\WINDOWS\Installer\{457122cb-03ba-4c1c-a3e0-70ebde136f98}\VolumeRom.dll [2008-02-05 18:22 14374]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AEVITA Tracks Eraser]
C:\Program Files\AEVITA Tracks Eraser\trackseraser.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-05 22:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 15:01 67584 C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2005-06-17 08:56 139264 C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 11:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 11:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-04-07 14:41 155648 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-12-19 20:15 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-03-23 01:20 339968 C:\WINDOWS\stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 18:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 00:45]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []
S2 0221291201952599mcinstcleanup;McAfee Application Installer Cleanup (0221291201952599);C:\WINDOWS\TEMP\ 022129~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
S3 mosuport;USB Serial/Parallel Ports;C:\WINDOWS\system32\DRIVERS\mosuport.sys [2006-05-04 02:54]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-12-15 06:07:49 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-01 06:00:07 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 13:15:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\Installer\{19daedaa-6e4e-4080-ba9f-bfaa8002291a}\AlrtRunOnce.dll
-> C:\WINDOWS\Installer\{457122cb-03ba-4c1c-a3e0-70ebde136f98}\VolumeRom.dll
.
Completion time: 2008-02-06 13:15:54
ComboFix-quarantined-files.txt 2008-02-06 18:15:50
ComboFix2.txt 2007-11-16 01:47:07
ComboFix3.txt 2007-11-15 21:45:16
ComboFix4.txt 2007-11-15 19:05:37
.
2008-02-02 19:19:29 --- E O F ---
bamajim
10.4K Posts
0
February 6th, 2008 18:00
You are most welcome.
1. Open NotePad (not wordpad). Copy and paste the following into Notepad
File::
C:\WINDOWS\Installer\{a94eb56a-1dd6-4c9d-9bcc-ca3afc957c62}\zip.dll
C:\WINDOWS\Installer\{19daedaa-6e4e-4080-ba9f-bfaa8002291a}\AlrtRunOnce.dll
C:\WINDOWS\Installer\{457122cb-03ba-4c1c-a3e0-70ebde136f98}\VolumeRom.dll
Folder::
C:\WINDOWS\Installer\{a94eb56a-1dd6-4c9d-9bcc-ca3afc957c62}
C:\WINDOWS\Installer\{19daedaa-6e4e-4080-ba9f-bfaa8002291a}
C:\WINDOWS\Installer\{457122cb-03ba-4c1c-a3e0-70ebde136f98}
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zip"=-
"AlrtRunOnce"=-
"VolumeRom"=-
Save the file as CFScript (exactly as shown, no spaces). Save it to your Desktop.
Using the image as a reference, drag CFScript into ComboFix.exe,
following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.
"The world is what you make of it"
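The three ShellServiceObjectDelayLoad entries in the log above, and the CFScript bamajim built from them, lend themselves to a small defender-side check. The Python below is an added example, not ComboFix's own code and not anything bamajim posted: it parses the SSODL block of a ComboFix log, flags loaders that live under C:\WINDOWS\Installer\{GUID}, emits a CFScript in the File::/Folder::/Registry:: layout shown in this post, and compares two snapshots to spot a value that was deleted but re-registered under a new GUID, which is what the "zip" entry in the post-CFScript log later in this thread shows. The sample input is constructed from the lines in the two logs on this page; the function names and the Installer-path heuristic are my own assumptions, not a ComboFix feature.

```python
import re
from typing import List, NamedTuple, Tuple

# Registry key that ComboFix reports these loaders under (as printed in the log).
SSODL_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]"

# Constructed sample input: the ShellServiceObjectDelayLoad block copied from
# midwestguy's first ComboFix log (RUN1) and from the run after CFScript (RUN2).
SSODL_RUN1 = r'''
"zip"= {a94eb56a-1dd6-4c9d-9bcc-ca3afc957c62} - C:\WINDOWS\Installer\{a94eb56a-1dd6-4c9d-9bcc-ca3afc957c62}\zip.dll [2008-01-31 13:31 38950]
"AlrtRunOnce"= {19daedaa-6e4e-4080-ba9f-bfaa8002291a} - C:\WINDOWS\Installer\{19daedaa-6e4e-4080-ba9f-bfaa8002291a}\AlrtRunOnce.dll [2008-02-04 20:09 14374]
"VolumeRom"= {457122cb-03ba-4c1c-a3e0-70ebde136f98} - C:\WINDOWS\Installer\{457122cb-03ba-4c1c-a3e0-70ebde136f98}\VolumeRom.dll [2008-02-05 18:22 14374]
'''
SSODL_RUN2 = r'''
"zip"= {7243ec65-8df1-4dcf-acdc-69203feeaa11} - C:\WINDOWS\Installer\{7243ec65-8df1-4dcf-acdc-69203feeaa11}\zip.dll [2008-02-06 15:10 39462]
"AlrtRunOnce"= {19daedaa-6e4e-4080-ba9f-bfaa8002291a} - C:\WINDOWS\Installer\{19daedaa-6e4e-4080-ba9f-bfaa8002291a}\AlrtRunOnce.dll [ ]
"VolumeRom"= {457122cb-03ba-4c1c-a3e0-70ebde136f98} - C:\WINDOWS\Installer\{457122cb-03ba-4c1c-a3e0-70ebde136f98}\VolumeRom.dll [ ]
'''


class Entry(NamedTuple):
    name: str    # registry value name, e.g. "zip"
    clsid: str   # CLSID the value holds (lower-cased, without braces)
    path: str    # DLL path resolved by ComboFix
    stamp: str   # "date time size" as ComboFix prints it; empty when the file is gone


# One SSODL line as ComboFix prints it: "name"= {clsid} - path [stamp]
LINE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*\{(?P<clsid>[0-9A-Fa-f-]+)\}\s*-\s*'
    r'(?P<path>.+?)\s*\[(?P<stamp>[^\]]*)\]\s*$'
)


def parse_ssodl(block: str) -> List[Entry]:
    """Parse the SSODL lines of a ComboFix log; lines that do not match are ignored."""
    entries = []
    for line in block.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["name"], m["clsid"].lower(), m["path"], m["stamp"].strip()))
    return entries


def suspicious(entries: List[Entry]) -> List[Entry]:
    r"""Heuristic (my assumption, not a ComboFix rule): a shell-service DLL living in a
    C:\WINDOWS\Installer\{GUID} folder. That directory holds MSI cache files, not shell
    extensions, and SSODL entries are loaded into explorer.exe at every logon."""
    return [e for e in entries if e.path.lower().startswith(r"c:\windows\installer\{")]


def build_cfscript(entries: List[Entry]) -> str:
    """Emit a CFScript in the File::/Folder::/Registry:: layout used in this thread."""
    lines = ["File::"] + [e.path for e in entries]
    lines += ["Folder::"] + [e.path.rsplit("\\", 1)[0] for e in entries]
    lines += ["Registry::", SSODL_KEY] + ['"%s"=-' % e.name for e in entries]
    return "\n".join(lines) + "\n"


def recreated(before: List[Entry], after: List[Entry]) -> List[Tuple[str, str, str]]:
    """Value names present in both snapshots but now bound to a different CLSID: the
    loader was removed and something re-registered it, so a dropper is still active."""
    prev = {e.name: e for e in before}
    return [(e.name, prev[e.name].clsid, e.clsid)
            for e in after if e.name in prev and e.clsid != prev[e.name].clsid]


def dangling(entries: List[Entry]) -> List[str]:
    """Values whose DLL is gone from disk (ComboFix prints "[ ]" for the stamp)."""
    return [e.name for e in entries if not e.stamp]


if __name__ == "__main__":
    run1 = parse_ssodl(SSODL_RUN1)
    run2 = parse_ssodl(SSODL_RUN2)
    print(build_cfscript(suspicious(run1)))
    for name, old, new in recreated(run1, run2):
        print("re-created: %s  %s -> %s" % (name, old, new))
    print("dangling values:", ", ".join(dangling(run2)))
```

Run stand-alone it prints the same File::/Folder::/Registry:: script bamajim posted, then reports that "zip" came back under a new CLSID and that the AlrtRunOnce and VolumeRom values still exist with their DLLs gone. A re-created loader right after a cleanup run is the signal to keep looking for whatever drops it rather than to delete the same DLL again.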
midwestguy
10 Posts
0
February 6th, 2008 19:00
ComboFix 08-02.05.3 - Family 2008-02-06 16:36:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.292 [GMT -5:00]
Running from: C:\Documents and Settings\Family\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Family\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\Installer\{19daedaa-6e4e-4080-ba9f-bfaa8002291a}\AlrtRunOnce.dll
C:\WINDOWS\Installer\{457122cb-03ba-4c1c-a3e0-70ebde136f98}\VolumeRom.dll
C:\WINDOWS\Installer\{a94eb56a-1dd6-4c9d-9bcc-ca3afc957c62}\zip.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\Installer\{19daedaa-6e4e-4080-ba9f-bfaa8002291a}
C:\WINDOWS\Installer\{19daedaa-6e4e-4080-ba9f-bfaa8002291a}\AlrtRunOnce.dll
C:\WINDOWS\Installer\{457122cb-03ba-4c1c-a3e0-70ebde136f98}
C:\WINDOWS\Installer\{457122cb-03ba-4c1c-a3e0-70ebde136f98}\VolumeRom.dll
C:\WINDOWS\Installer\{a94eb56a-1dd6-4c9d-9bcc-ca3afc957c62}
C:\WINDOWS\Installer\{a94eb56a-1dd6-4c9d-9bcc-ca3afc957c62}\zip.dll
.
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.
2008-02-06 13:11 . 2004-08-10 06:00 388,608 --a------ C:\kmd.exe
2008-02-05 17:59 . 2008-02-05 17:59 10,240 --a------ C:\Program Files\tmp14825781.exe
2008-02-05 17:59 . 2008-02-05 17:59 10,240 --a------ C:\Program Files\tmp14825625.exe
2008-02-05 13:37 . 2008-02-05 13:37
2008-02-05 13:35 . 2008-02-05 13:35 812,344 --a------ C:\Temp\HJTInstall.exe
2008-02-05 13:23 . 2008-02-05 13:23 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-02-04 18:46 . 2008-02-04 18:45 6,489,077 --a------ C:\Temp\Trumpeter Swan 2008.zip
2008-02-02 12:17 . 2008-02-02 12:21
2008-02-02 12:00 . 2008-02-02 12:00
2008-02-01 13:46 . 2008-02-01 13:47 15,452,536 --a------ C:\Temp\IE7-WindowsXP-x86-enu.exe
2008-02-01 12:06 . 2008-02-01 12:06
2008-02-01 12:06 . 2008-02-01 12:05 1,528,418 --a------ C:\Temp\revosetup.exe
2008-01-31 19:01 . 2008-01-31 15:33 7,467,056 --a------ C:\Temp\spybotsd15.exe
2008-01-31 06:30 . 2008-01-31 06:30
2008-01-31 06:29 . 2008-01-31 06:30
2008-01-31 06:29 . 2008-01-31 06:29
2008-01-31 06:27 . 2008-01-31 06:35
2008-01-30 16:57 . 2008-01-30 16:57
2008-01-23 19:57 . 2008-01-23 19:57
2008-01-23 13:56 . 2008-01-23 13:56
2008-01-23 13:52 . 2008-01-23 13:52
2008-01-23 13:47 . 2008-01-23 13:46 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-01-23 13:47 . 2008-01-23 13:46 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-23 13:47 . 2008-01-23 13:46 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 15:09 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-05 15:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-05 14:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-04 22:15 --------- d-----w C:\Program Files\ProfessorFizzwizzleFull_at
2008-02-02 17:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 17:14 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-02 17:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-02-02 11:43 --------- d-----w C:\Program Files\McAfee
2008-01-31 20:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-31 20:56 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-31 19:41 --------- d-----w C:\Program Files\DIGStream
2008-01-23 18:46 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-23 18:46 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-01-23 18:46 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-01-13 00:59 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-07 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Thayer Birding Software
2007-12-28 01:15 --------- d-----w C:\Documents and Settings\Family\Application Data\PKWARE
2007-12-28 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\PKWARE
2007-12-28 01:14 --------- d-----w C:\Program Files\PKWARE
2007-12-28 01:14 --------- d-----w C:\Program Files\Common Files\PKWARE
2007-12-27 21:29 --------- d-----w C:\Documents and Settings\Family\Application Data\CoreFTP
2007-12-26 22:18 --------- d-----w C:\Documents and Settings\Family\Application Data\SmartFTP
2007-12-24 21:46 --------- d-----w C:\Program Files\WonderlandAdventures_at
2007-12-23 15:13 --------- d-----w C:\Documents and Settings\Family\Application Data\Canon
2007-12-14 23:51 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-12-14 23:51 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2006-06-18 15:26 251 ----a-w C:\Program Files\wt3d.ini
2005-12-28 19:52 56 --sh--r C:\WINDOWS\system32\532815B022.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 14:45 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-07 14:41 155648]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33 582992]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 00:43 67488]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-06-27 12:54 1051464]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-05-18 17:53:24 155648]
SecureZIP Attachments Status.lnk - C:\Program Files\PKWARE\PKZIPM\11.20.0008\PKTray.exe [2007-12-27 20:14:55 197984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zip"= {7243ec65-8df1-4dcf-acdc-69203feeaa11} - C:\WINDOWS\Installer\{7243ec65-8df1-4dcf-acdc-69203feeaa11}\zip.dll [2008-02-06 15:10 39462]
"AlrtRunOnce"= {19daedaa-6e4e-4080-ba9f-bfaa8002291a} - C:\WINDOWS\Installer\{19daedaa-6e4e-4080-ba9f-bfaa8002291a}\AlrtRunOnce.dll [ ]
"VolumeRom"= {457122cb-03ba-4c1c-a3e0-70ebde136f98} - C:\WINDOWS\Installer\{457122cb-03ba-4c1c-a3e0-70ebde136f98}\VolumeRom.dll [ ]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AEVITA Tracks Eraser]
C:\Program Files\AEVITA Tracks Eraser\trackseraser.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-05 22:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 15:01 67584 C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2005-06-17 08:56 139264 C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 11:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 11:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-04-07 14:41 155648 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-12-19 20:15 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-03-23 01:20 339968 C:\WINDOWS\stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 18:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 00:45]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []
S2 0221291201952599mcinstcleanup;McAfee Application Installer Cleanup (0221291201952599);C:\WINDOWS\TEMP\ 022129~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
S3 mosuport;USB Serial/Parallel Ports;C:\WINDOWS\system32\DRIVERS\mosuport.sys [2006-05-04 02:54]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-12-15 06:07:49 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-01 06:00:07 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 16:38:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-06 16:39:48
ComboFix-quarantined-files.txt 2008-02-06 21:39:44
ComboFix2.txt 2008-02-06 18:15:55
ComboFix3.txt 2007-11-16 01:47:07
ComboFix4.txt 2007-11-15 21:45:16
ComboFix5.txt 2007-11-15 19:05:37
.
2008-02-02 19:19:29 --- E O F ---
bamajim
10.4K Posts
0
February 6th, 2008 20:00
Better, but not completely resolved.
1. You have a couple of suspicious files I would like to have a look at
Please go HERE
Put Your Name, and Dell HJT forum
and in the file to submit box, click Browse. Using Windows Explorer
- (Right click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate the file. In the comments tell them that I asked you to upload the file
Then Select Send File.
Repeat for this file as well
2. Do you have any USB storage devices connected to the PC, or USB storage devices that you plug in on a regular basis?
"The world is what you make of it"
midwestguy
10 Posts
0
February 6th, 2008 21:00
The two files have been uploaded.
No, I do not use any USB storage devices. My USB usage is limited to printer, digital camera, and blood sugar meter.
bamajim
10.4K Posts
0
February 7th, 2008 11:00
I got the file samples, they are bad. Thanks
If the CFScript File we made earlier is still on your Desktop delete it, we are going to make another one.
1. Open NotePad (not wordpad). Copy and paste the following into Notepad
File::
C:\Program Files\tmp14825781.exe
C:\Program Files\tmp14825625.exe
C:\WINDOWS\Installer\{7243ec65-8df1-4dcf-acdc-69203feeaa11}\zip.dll
Folder::
C:\WINDOWS\Installer\{7243ec65-8df1-4dcf-acdc-69203feeaa11}
Save the File as CFScript(exactly as shown no spaces) ->> Save it to your Desktop
Using the Image as a reference, drag CFScript into ComboFix.exe
Following the same rules as indicated in my first post
Then post the contents of the C:\ComboFix.txt log in your reply
2. Rerun Hijackthis and post a fresh Hijackthis log as well
"The world is what you make of it"
midwestguy
10 Posts
0
February 7th, 2008 13:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:41 AM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\PKWARE\PKZIPM\11.20.0008\PKTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\McAfee\MSC\mcshell.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: SecureZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPM\11.20.0008\PKTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O21 - SSODL: SrvChk - {8f99c996-933a-41ae-a8af-720389a9f4ba} - (no file)
O21 - SSODL: zip - {7243ec65-8df1-4dcf-acdc-69203feeaa11} - C:\WINDOWS\Installer\{7243ec65-8df1-4dcf-acdc-69203feeaa11}\zip.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0221291201952599) (0221291201952599mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\022129~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DVD-RAM_Service - Matsushta Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 9248 bytes
midwestguy
10 Posts
0
February 7th, 2008 13:00
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\Program Files\tmp14825625.exe
C:\Program Files\tmp14825781.exe
C:\WINDOWS\Installer\{7243ec65-8df1-4dcf-acdc-69203feeaa11}\zip.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\tmp14825625.exe
C:\Program Files\tmp14825781.exe
C:\WINDOWS\Installer\{7243ec65-8df1-4dcf-acdc-69203feeaa11}
C:\WINDOWS\Installer\{7243ec65-8df1-4dcf-acdc-69203feeaa11}\zip.dll
.
((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.
2008-02-06 16:33 . 2004-08-10 06:00 388,608 --a------ C:\kmd.exe
2008-02-05 13:37 . 2008-02-05 13:37
2008-02-05 13:35 . 2008-02-05 13:35 812,344 --a------ C:\Temp\HJTInstall.exe
2008-02-05 13:23 . 2008-02-05 13:23 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-02-04 18:46 . 2008-02-04 18:45 6,489,077 --a------ C:\Temp\Trumpeter Swan 2008.zip
2008-02-02 12:17 . 2008-02-02 12:21
2008-02-02 12:00 . 2008-02-02 12:00
2008-02-01 13:46 . 2008-02-01 13:47 15,452,536 --a------ C:\Temp\IE7-WindowsXP-x86-enu.exe
2008-02-01 12:06 . 2008-02-01 12:06
2008-02-01 12:06 . 2008-02-01 12:05 1,528,418 --a------ C:\Temp\revosetup.exe
2008-01-31 19:01 . 2008-01-31 15:33 7,467,056 --a------ C:\Temp\spybotsd15.exe
2008-01-31 06:30 . 2008-01-31 06:30
2008-01-31 06:29 . 2008-01-31 06:30
2008-01-31 06:29 . 2008-01-31 06:29
2008-01-31 06:27 . 2008-01-31 06:35
2008-01-30 16:57 . 2008-01-30 16:57
2008-01-23 19:57 . 2008-01-23 19:57
2008-01-23 13:56 . 2008-01-23 13:56
2008-01-23 13:52 . 2008-01-23 13:52
2008-01-23 13:47 . 2008-01-23 13:46 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-01-23 13:47 . 2008-01-23 13:46 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-23 13:47 . 2008-01-23 13:46 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 15:09 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-05 15:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-05 14:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-04 22:15 --------- d-----w C:\Program Files\ProfessorFizzwizzleFull_at
2008-02-02 17:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 17:14 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-02 17:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-02-02 11:43 --------- d-----w C:\Program Files\McAfee
2008-01-31 20:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-31 20:56 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-31 19:41 --------- d-----w C:\Program Files\DIGStream
2008-01-23 18:46 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-23 18:46 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-01-23 18:46 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-01-13 00:59 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-07 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Thayer Birding Software
2007-12-28 01:15 --------- d-----w C:\Documents and Settings\Family\Application Data\PKWARE
2007-12-28 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\PKWARE
2007-12-28 01:14 --------- d-----w C:\Program Files\PKWARE
2007-12-28 01:14 --------- d-----w C:\Program Files\Common Files\PKWARE
2007-12-27 21:29 --------- d-----w C:\Documents and Settings\Family\Application Data\CoreFTP
2007-12-26 22:18 --------- d-----w C:\Documents and Settings\Family\Application Data\SmartFTP
2007-12-24 21:46 --------- d-----w C:\Program Files\WonderlandAdventures_at
2007-12-23 15:13 --------- d-----w C:\Documents and Settings\Family\Application Data\Canon
2007-12-14 23:51 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-12-14 23:51 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2006-06-18 15:26 251 ----a-w C:\Program Files\wt3d.ini
2005-12-28 19:52 56 --sh--r C:\WINDOWS\system32\532815B022.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 14:45 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-07 14:41 155648]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33 582992]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 00:43 67488]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-06-27 12:54 1051464]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-05-18 17:53:24 155648]
SecureZIP Attachments Status.lnk - C:\Program Files\PKWARE\PKZIPM\11.20.0008\PKTray.exe [2007-12-27 20:14:55 197984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zip"= {7243ec65-8df1-4dcf-acdc-69203feeaa11} - C:\WINDOWS\Installer\{7243ec65-8df1-4dcf-acdc-69203feeaa11}\zip.dll [ ]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AEVITA Tracks Eraser]
C:\Program Files\AEVITA Tracks Eraser\trackseraser.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-05 22:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 15:01 67584 C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2005-06-17 08:56 139264 C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 11:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 11:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-04-07 14:41 155648 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-12-19 20:15 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-03-23 01:20 339968 C:\WINDOWS\stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 18:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []
S2 0221291201952599mcinstcleanup;McAfee Application Installer Cleanup (0221291201952599);C:\WINDOWS\TEMP\ 022129~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 00:45]
S3 mosuport;USB Serial/Parallel Ports;C:\WINDOWS\system32\DRIVERS\mosuport.sys [2006-05-04 02:54]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-12-15 06:07:49 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-01 06:00:07 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 09:42:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-07 9:43:31
ComboFix-quarantined-files.txt 2008-02-07 14:43:24
ComboFix2.txt 2008-02-06 21:39:49
ComboFix3.txt 2008-02-06 18:15:55
ComboFix4.txt 2007-11-16 01:47:07
ComboFix5.txt 2007-11-15 21:45:16
.
2008-02-02 19:19:29 --- E O F ---
bamajim
10.4K Posts
0
February 7th, 2008 17:00
I tried to delete kmd.exe but I don't think I was successful.
Don't do that, it is part of Combofix.
1. Rerun Hijackthis (scan only) and place checks beside the following entries
O21 - SSODL: zip - {7243ec65-8df1-4dcf-acdc-69203feeaa11} - C:\WINDOWS\Installer\{7243ec65-8df1-4dcf-acdc-69203feeaa11}\zip.dll (file missing)
Close all other open windows except Hijackthis and select "Fix checked"
Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log
And in your reply give me an update on how your PC is running now.
"The world is what you make of it"
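The O21 SSODL entry being fixed in the post above is the kind of line that is easy to miss when reading a long HijackThis log by eye. The following is an added example, not part of this thread and not HijackThis's or ComboFix's own code: a small Python parser for HijackThis "Oxx" / "Rx" lines that flags SSODL entries, components with no display name, orphaned entries whose target file is reported missing, and targets that live under the Windows temp or installer directories. The sample lines are constructed from entries posted in this thread; the directory list and the choice of checks are my own assumptions, not a HijackThis feature.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: HijackThis v2 lines of the kind posted in this thread.
# Real logs have many more sections; these six are enough to exercise the checks.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O21 - SSODL: SrvChk - {8f99c996-933a-41ae-a8af-720389a9f4ba} - (no file)
O21 - SSODL: zip - {7243ec65-8df1-4dcf-acdc-69203feeaa11} - C:\WINDOWS\Installer\{7243ec65-8df1-4dcf-acdc-69203feeaa11}\zip.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0221291201952599) (0221291201952599mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\022129~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+)\s+-\s+(?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Assumed list: directories where a persistent autostart binary is unusual for legitimate software.
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\windows\\installer\\")


@dataclass
class Entry:
    section: str            # e.g. "O21"
    body: str               # everything after "O21 - "
    clsid: Optional[str]    # first {GUID} on the line, if any
    path: Optional[str]     # target file path, if the line names one
    missing: bool           # HijackThis reported "(file missing)" or "(no file)"


@dataclass
class Finding:
    section: str
    clsid: Optional[str]
    path: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Parse HijackThis 'Oxx - ' / 'Rx - ' lines; header and running-process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        clsid = CLSID_RE.search(body)
        missing = "(file missing)" in body or "(no file)" in body
        # The target is the last " - " separated field, minus the status tag.
        tail = body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
        path = tail if DRIVE_PATH_RE.match(tail) else None
        entries.append(Entry(section, body, clsid.group(0) if clsid else None, path, missing))
    return entries


def flag_entries(entries: List[Entry]) -> List[Finding]:
    """Return the entries an analyst should look at first, each with the reasons it was flagged."""
    findings = []
    for e in entries:
        f = Finding(e.section, e.clsid, e.path)
        if e.section == "O21":
            f.reasons.append("SSODL entry: loaded into Explorer at every logon, rarely used by legitimate software")
        if "(no name)" in e.body:
            f.reasons.append("autostart component without a display name")
        if e.missing:
            f.reasons.append("orphaned entry: registry value remains but its target file is gone")
        if e.path and any(d in e.path.lower() for d in SUSPICIOUS_DIRS):
            f.reasons.append("target lives under a temp or installer directory")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in flag_entries(parse_hjt(SAMPLE_LOG)):
        print(f"{f.section} {f.clsid or ''} {f.path or '(no path)'}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the constructed sample it flags four of the six entries: both O21 lines (the zip one on three counts, since it is SSODL, orphaned and under C:\WINDOWS\Installer), the nameless MyWay BHO, and the leftover McAfee cleanup service pointing at a missing file in C:\WINDOWS\TEMP; the Adobe BHO and the Ad-Aware service pass clean. A flag is a prompt to look closer, not a verdict: a missing-file entry can be harmless installer debris, as the McAfee one here is.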
midwestguy
10 Posts
0
February 7th, 2008 23:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:34 PM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\PKWARE\PKZIPM\11.20.0008\PKTray.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: SecureZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPM\11.20.0008\PKTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O23 - Service: McAfee Application Installer Cleanup (0221291201952599) (0221291201952599mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\022129~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DVD-RAM_Service - Matsushta Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 8518 bytes
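As an added example (not part of the thread and not a tool bamajim or Dell provide), the following Python pass reads HijackThis-format lines like the log above and flags the things a helper checks by hand: O23 services with "Unknown owner" or a "(file missing)" binary, services registered from a TEMP directory, O16 ActiveX downloads with no description, and an outdated Sun JRE install path such as the j2re1.4.2_03 entries in this log. The sample lines are constructed from entry formats in the log; the severity labels and the `JRE_6U4` version tuple are my assumptions.

```python
import re

# Constructed sample in HijackThis log format, abbreviated to a few entries of the
# kinds seen in the thread's log (O4 startup, O9 IE button, O16 DPF, O23 service).
SAMPLE_LOG = [
    r"O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe",
    r"O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll",
    r"O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204",
    r"O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe",
    r"O23 - Service: McAfee Application Installer Cleanup (0221291201952599) (0221291201952599mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\022129~1.EXE (file missing)",
    r"O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe",
]

# O23 lines are "name - owner - path"; names and owners never contain " - ".
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O16 lines are "{CLSID} (optional description) - URL".
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
# Sun's pre-Java-6 install directories embed the version: j2re1.4.2_03 is 1.4.2 update 3.
JAVA_RE = re.compile(r"\\Java\\j2re(\d+)\.(\d+)\.(\d+)_(\d+)\\", re.IGNORECASE)

# Assumption: JRE 6 update 4 (the version recommended in the thread) in Sun's 1.x numbering.
JRE_6U4 = (1, 6, 0, 4)


def triage(lines, min_java=JRE_6U4):
    """Return (severity, reason, line) findings for the HijackThis lines given."""
    findings = []
    for line in lines:
        line = line.rstrip()
        m = O23_RE.match(line)
        if m:
            path = m.group("path")
            if "(file missing)" in path:
                findings.append(("info", "service binary missing (orphaned registration)", line))
            if m.group("owner") == "Unknown owner":
                findings.append(("review", "service with no publisher", line))
            if re.search(r"\\temp\\", path, re.IGNORECASE):
                findings.append(("review", "service registered from a TEMP directory", line))
        m = O16_RE.match(line)
        if m and m.group("desc") is None:
            findings.append(("review", "ActiveX download with no description", line))
        m = JAVA_RE.search(line)
        if m:
            ver = tuple(int(x) for x in m.groups())
            if ver < min_java:
                findings.append(("update", "outdated JRE %d.%d.%d_%02d on disk" % ver, line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (severity, reason, line))
```

Run it against a full saved hijackthis.log by passing `open("hijackthis.log").readlines()` to `triage`; every flagged line still needs a human decision, as the McAfee cleanup entry here shows (a leftover installer registration, not malware).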
bamajim
February 8th, 2008 15:00
McAfee has been known to flag some files of malware removal as infected, which they are not.
Your problems with IE indicate you may need to reinstall the application.
You may now remove/delete/uninstall the tools we used to clean your PC
Now that your log is clean
There are some final notes:
Disable and Enable System Restore
The instructions are here.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
Updating Java:
Java Runtime Environment (JRE) 6.u4.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u4-windowsi586-p.exe to install the newest version.
Update your Anti Virus Software
Use and maintain a Firewall
Visit Microsoft's Windows Update Site Frequently for critical updates
Backup your Important Documents and Files on a regular basis
You may want to read this article, "So how did I get infected in the first place?" by Tony Klein.
surf safe
"The world is what you make of it"