I am going to ask you to run a tool that will need a log review before you will be able to reboot. It is after midnight here now, so I think it would be best if we do this later on Sunday. Please reply when you have at least an hour to work on this. Thanks.
That is quite a mess she's gotten herself into this time. That vulnerable version of Java probably contributed to this. Each time you reboot, another legitimate file gets corrupted. I will have to write some script to deal with this but it will be a few hours before I will have it ready. Please do not reboot until we can get this cleaned. Thanks.
ComboFix 08-02-22 - Andrea 2008-02-26 10:44:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.123 [GMT -7:00]
Running from: C:\Documents and Settings\Andrea\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Andrea\Desktop\CFScript.txt
* Created a new restore point
Good job :) We're getting there, but we have more to do.
Open Notepad and copy/paste the following text between the dotted lines. Do not copy the lines.
** Make sure you copy/paste ALL the text at once. Do not try to edit extra spaces. It will copy correctly to Notepad if you highlight and copy as is.
Referring to the picture above, drag CFScript into ComboFix.exe. You will be prompted to run ComboFix again. Follow the same instructions you did before for running ComboFix.
CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.
When finished, a log is produced here: C:\ComboFix.txt
When a dialog box appears asking if you would like to download and install the ewido anti-spyware online scanner, please click Yes to allow the download.
Click on Start Scan.
If any infections are found, Click on Remove Infections.
In your next reply, please post your ComboFix log and a new HijackThis log.
Most of the infection will be gone after completing the above steps, so if you want to power down the computer overnight, that will probably be okay. Give it a try, and we'll see how your logs look.
OK, several things went a little differently that time.
1. Had to restart Windows manually after running Combofix.
2. Got a message when windows restarted saying it couldn't run Spruce.exe.vir, clicked cancel and Windows finished bootup.
3. Tried to run AVG Online Scan, said to wait for definition download, 20 minute wait, nothing. Closed window, restarted, never got in. Ran AdAware SE with latest definitions, found 4 or 5 infections which it healed, quarantined a bunch of tracking cookies.
Here's the combofix log:
ComboFix 08-02-22 - Andrea 2008-02-26 14:18:33.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.111 [GMT -7:00]
Running from: C:\Documents and Settings\Andrea\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Andrea\Desktop\CFScript.txt
* Created a new restore point
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:15 PM, on 2/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Bugbatter • 3 Apprentice • 20.5K Posts • January 19th, 2008 19:00
In our last communication, you were advised to update Java because of the outdated version that caused that machine to be vulnerable to that infection. It appears that it was not updated. That is part of the problem. The other part is that now the infection(s) are more difficult to remove. This may take a while.
I am reviewing the log.
In the meantime, you can help me by doing the following:
* Have you posted this issue on another forum? If so, please provide a link to the topic.
* If you are using any cracked software, please remove it.
Definition of cracked software:
http://en.wikipedia.org/wiki/Software_cracking
* If you are using any P2P (file sharing) programs, please remove them before we clean your computer.
The nature of such software and the high incidence of malware in files downloaded with them are counterproductive to restoring your PC to a healthy state.
* If this computer belongs to someone else, do you have authority to apply the fixes we will use?
* Have you already fixed entries using HijackThis? If so, please restore all the backups and then post another log.
* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures.
Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using.
** We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case.
Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.
* If your replies do not fit in one post while we are handling your issue, please reply to yourself until all text is submitted. It may take several posts.
I look forward to your reply.
jmaple • 16 Posts • January 20th, 2008 02:00
Bugbatter • 3 Apprentice • 20.5K Posts • January 20th, 2008 03:00
Bugbatter • 3 Apprentice • 20.5K Posts • January 20th, 2008 12:00
Please print these instructions and refer to them for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
Note: The above instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
jmaple • 16 Posts • February 21st, 2008 20:00
HJT log follows, wouldn't fit:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:12 PM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Andrea\Desktop\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://valley.qwest.net/cgi-bin/index.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26B5F83E-2CDD-4EFA-A43F-171B87008F36} - C:\Program Files\Common Files\sadeq555077.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {B41A1399-4EE6-4B05-9F24-1BC0F7689837} - C:\WINDOWS\system32\ctl3d3.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" -startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [{7C-CE-E5-58-ZN}] C:\WINDOWS\system32\dwdsrngt .exe CHD001
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: efcbcyv - efcbcyv.dll (file missing)
O20 - Winlogon Notify: efcbyax - C:\WINDOWS\SYSTEM32\efcbyax.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 7940 bytes
jmaple • 16 Posts • February 21st, 2008 20:00
Sorry it took me about a month to get back to this. Had some foot problems that ended up in surgery. Sitting home now with foot bandaged up and doped on pain pills.
Anyway, here's the Combofix log and another HJT scan:
ComboFix 08-02-22 - Andrea 2008-02-21 14:08:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.132 [GMT -7:00]
Running from: C:\Documents and Settings\Andrea\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Andrea\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Andrea\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Andrea\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Andrea\Start Menu\Programs\Startup\ta_start.lnk
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive9.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\QdrModule11 .exe
C:\Program Files\QdrModule\QdrModule11.exe
C:\Program Files\Spruce
C:\Program Files\Spruce\Spruce.dll
C:\Program Files\Spruce\Spruce.dll.intermediate.manifest
C:\Program Files\Spruce\Spruce.exe
C:\Program Files\Spruce\Spruce.original
C:\Program Files\Spruce\SpruceRg.dll
C:\Program Files\Spruce\un_SpruceSetup_17737.exe
C:\Program Files\Spruce\un_SpruceSetup_17737.txt
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\Spruce\X_Spruce.log
C:\Temp\tpBe12
C:\WINDOWS\system32\000070.exe
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\RCX57.tmp
C:\WINDOWS\uninst2.htm
C:\WINDOWS\unist1.htm
.
((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-12 02:57 33,734 ----a-w C:\Documents and Settings\Andrea\Application Data\wklnhst.dat
2008-01-28 05:04 --------- d-----w C:\Documents and Settings\Andrea\Application Data\Apple Computer
2008-01-26 21:42 --------- d-----w C:\Program Files\QuickTime
2008-01-19 18:56 --------- d-----w C:\Documents and Settings\Andrea\Application Data\AVG7
2008-01-13 17:05 --------- d-----w C:\Program Files\NetWaiting
2008-01-13 17:05 --------- d-----w C:\Program Files\iTunes
2008-01-13 17:05 --------- d-----w C:\Program Files\DellSupport
2008-01-13 17:05 --------- d-----w C:\Program Files\AIM6
2008-01-08 17:28 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-24 22:42 --------- d-----w C:\Documents and Settings\Andrea\Application Data\Talkback
2007-12-24 22:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-10-12 19:08 111,360 ----a-w C:\Documents and Settings\Andrea\Application Data\GDIPFONTCACHEV1.DAT
2006-01-09 23:33 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-08-20 04:27 1,418,512 --sha-w C:\WINDOWS\system32\cbeeg.bak1
2006-09-06 04:13 1,453,896 --sha-w C:\WINDOWS\system32\cbeeg.bak2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26B5F83E-2CDD-4EFA-A43F-171B87008F36}]
C:\Program Files\Common Files\sadeq555077.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B41A1399-4EE6-4B05-9F24-1BC0F7689837}]
2004-08-04 04:00 84992 --a------ C:\WINDOWS\system32\ctl3d3.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-23 22:42 393216 C:\WINDOWS\stsystra.exe]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" [2008-01-26 14:42 616448]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-11-14 23:51 755472]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [2008-01-26 14:42 653824]
"{7C-CE-E5-58-ZN}"="C:\WINDOWS\system32\dwdsrngt .exe" [2008-01-26 14:42 400896]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2004-08-04 04:00 388608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 08:16 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-24 00:43:04 113664]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-12-05 07:28:27 156784]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-05 07:23:20 24576]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-12-28 15:45:25 315392]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbcyv]
efcbcyv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbyax]
efcbyax.dll 2008-01-12 23:41 40448 C:\WINDOWS\system32\efcbyax.dll
R0 syiwdekn;syiwdekn;C:\WINDOWS\system32\drivers\ipocptzd.dat []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00ac7edf-4c70-11dc-a4a7-0014a452b7ca}]
\Shell\AutoRun\command - E:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00ac7ee0-4c70-11dc-a4a7-0014a452b7ca}]
\Shell\AutoRun\command - F:\LinksysConnectPC.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 18:11:59 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 14:21:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
.
**************************************************************************
.
Completion time: 2008-02-22 14:27:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-22 21:27:19
.
2008-02-21 20:15:15 --- E O F ---
Bugbatter • 3 Apprentice • 20.5K Posts • February 21st, 2008 22:00
Bugbatter • 3 Apprentice • 20.5K Posts • February 21st, 2008 23:00
Open Notepad and copy/paste the following text between the lines. Do not copy the lines.
** Make sure you copy/paste ALL the text at once. Do not try to edit extra spaces. It will copy correctly to Notepad if you highlight and copy as is.
------------------------------------------------------------------------
File::
C:\WINDOWS\system32\cbeeg.bak1
C:\WINDOWS\system32\cbeeg.bak2
C:\WINDOWS\SYSTEM32\efcbyax.dll
C:\WINDOWS\system32\drivers\ipocptzd.dat
Folder::
C:\Program Files\Spruce
RenV::
----a-w 50,736 2008-01-13 17:05:43 C:\Program Files\AIM6\aim6 .exe
----a-w 81,920 2008-01-13 17:04:56 C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w 616,448 2008-01-26 21:42:31 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 616,448 2008-01-13 17:04:17 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 106,496 2008-01-13 17:05:05 C:\Program Files\Corel\Corel Photo Album 6\MediaDetect .exe
----a-w 53,248 2008-01-13 17:04:54 C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w 610,304 2008-01-13 17:04:56 C:\Program Files\Dell\QuickSet\quickset .exe
----a-w 460,784 2008-01-13 17:05:33 C:\Program Files\DellSupport\DSAgnt .exe
----a-w 579,072 2008-01-13 17:05:13 C:\Program Files\Grisoft\AVG Free\avgcc .exe
----a-w 49,152 2008-01-13 17:05:13 C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w 267,048 2008-01-13 17:05:27 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 32,881 2008-01-13 17:04:49 C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w 634,880 2008-01-13 17:05:21 C:\Program Files\Maxtor\OneTouch\Utils\Onetouch .exe
----a-w 81,920 2008-01-13 17:05:22 C:\Program Files\Maxtor\OneTouch Status\maxmenumgr .exe
----a-w 1,694,208 2008-01-13 17:05:35 C:\Program Files\Messenger\msmsgs .exe
----a-w 8,192 2008-01-13 17:05:04 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot .exe
----a-w 110,592 2008-01-13 17:05:06 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray .exe
----a-w 20,480 2008-01-13 17:05:28 C:\Program Files\NetWaiting\netWaiting .exe
----a-w 653,824 2008-01-26 21:42:32 C:\Program Files\QuickTime\QTTask .exe
----a-w 26,112 2008-01-13 17:04:51 C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w 729,178 2008-01-13 17:04:45 C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w 823,362 2008-01-13 17:05:07 C:\Program Files\Trend Micro\Internet Security 12\pccguide .exe
----a-w 20,553 2008-01-13 17:05:32 C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon .exe
----a-w 400,896 2008-01-26 21:42:33 C:\WINDOWS\system32\dwdsrngt .exe
----a-w 77,824 2008-01-13 17:04:46 C:\WINDOWS\system32\hkcmd .exe
----a-w 114,688 2008-01-13 17:04:46 C:\WINDOWS\system32\igfxpers .exe
----a-w 94,208 2008-01-13 17:04:45 C:\WINDOWS\system32\igfxtray .exe
----a-w 127,035 2008-01-13 17:04:55 C:\WINDOWS\system32\dla\tfswctrl .exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26B5F83E-2CDD-4EFA-A43F-171B87008F36}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B41A1399-4EE6-4B05-9F24-1BC0F7689837}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbcyv]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbyax]
--------------------------------------------------------------------------------------------
Save this as CFScript.txt
Referring to the picture above, drag CFScript into ComboFix.exe
You will be prompted to run Combofix again. Follow the same instructions you did before for running ComboFix.
CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.
When finished, a log is produced here: C:\ComboFix.txt
In your next reply, please post that log along with a new HijackThis log.
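As an added example (mine, not HijackThis, ComboFix or anyone in this thread), here is an offline triage script in Python that applies the patterns the CFScript above is built around to the posted log lines: O4 autostart targets with a space before the extension (the files listed under RenV::), BHOs with no name or a missing file, Winlogon Notify DLLs (O20), a Run value named like a GUID that is not one, and the JRE version visible in the O9 Java Console path. It also computes the rename I take RenV:: to perform (drop the space), and flags the case where the restored name already exists on disk so two copies would collide. The sample lines are copied from the HJT log and the RenV:: list posted earlier in this thread; MIN_JRE, the severity rules and the reading of RenV:: are my assumptions.

```python
"""Offline triage of HijackThis / ComboFix text: the indicator patterns used in
this thread, plus the rename plan behind a RenV:: list.

Added example for this page; not HijackThis, ComboFix or forum code.
Assumptions (mine, not from the thread): MIN_JRE and the rules below are
analyst triage heuristics, and RenV:: is read as "rename the listed file
back to its name without the space".
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the logs posted above.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26B5F83E-2CDD-4EFA-A43F-171B87008F36} - C:\Program Files\Common Files\sadeq555077.dll (file missing)
O2 - BHO: (no name) - {B41A1399-4EE6-4B05-9F24-1BC0F7689837} - C:\WINDOWS\system32\ctl3d3.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [{7C-CE-E5-58-ZN}] C:\WINDOWS\system32\dwdsrngt .exe CHD001
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O20 - Winlogon Notify: efcbcyv - efcbcyv.dll (file missing)
O20 - Winlogon Notify: efcbyax - C:\WINDOWS\SYSTEM32\efcbyax.dll
"""
SAMPLE_RENV = r"""
----a-w 50,736 2008-01-13 17:05:43 C:\Program Files\AIM6\aim6 .exe
----a-w 616,448 2008-01-26 21:42:31 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 400,896 2008-01-26 21:42:33 C:\WINDOWS\system32\dwdsrngt .exe
"""

MIN_JRE = (1, 6, 0)  # assumed floor for "not outdated"; adjust to taste
# "name .exe": a space right before the extension, the pattern RenV:: targets.
SPACE_BEFORE_EXT = re.compile(r"\S \.(?:exe|dll|scr|com)\b", re.IGNORECASE)
JRE_VERSION = re.compile(r"j2?re(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", re.IGNORECASE)
RUN_VALUE_NAME = re.compile(r"\[([^\]]*)\]")
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O4"
    reason: str
    line: str


def triage_hjt(text: str) -> list:
    """Return one Finding per (line, rule) hit; a line can trigger several."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if "(file missing)" in line:
            findings.append(Finding(section, "registered path no longer exists on disk", line))
        if section == "O2" and "(no name)" in line:
            findings.append(Finding(section, "BHO registered without a display name", line))
        if section == "O4":
            name = RUN_VALUE_NAME.search(line)
            if name and name.group(1).startswith("{") and not GUID.fullmatch(name.group(1)):
                findings.append(Finding(section, "Run value named like a GUID but not a valid one", line))
            if SPACE_BEFORE_EXT.search(line):
                findings.append(Finding(section, "autostart target has a space before its extension", line))
        if section == "O20":
            findings.append(Finding(section, "Winlogon Notify DLL, loaded into winlogon.exe at every logon", line))
        jre = JRE_VERSION.search(line)
        if jre:
            ver = tuple(int(g or 0) for g in jre.groups())
            if ver[:3] < MIN_JRE:
                findings.append(Finding(section, f"JRE {ver[0]}.{ver[1]}.{ver[2]}_{ver[3]:02d} is below the assumed minimum", line))
    return findings


def renv_plan(renv_text: str, existing: frozenset = frozenset()) -> list:
    """(listed path, path with the space removed, status) for each RenV:: line.

    status is "rename", or "collision" when the restored name is already in
    `existing` (paths known to be on disk): then two copies exist and the
    analyst has to decide which one is the genuine binary.
    """
    taken = {p.lower() for p in existing}
    plan = []
    for line in (raw.strip() for raw in renv_text.splitlines()):
        if not line:
            continue
        # RenV:: lines: attributes, size, date, time, then the path (which may
        # itself contain spaces, hence maxsplit=4).
        path = line.split(None, 4)[4]
        if not SPACE_BEFORE_EXT.search(path):
            continue
        restored = re.sub(r" (\.[A-Za-z0-9]+)$", r"\1", path)
        status = "collision" if restored.lower() in taken else "rename"
        plan.append((path, restored, status))
    return plan


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
    for listed, restored, status in renv_plan(SAMPLE_RENV):
        print(f"{status:<10}{listed} -> {restored}")
```

Run it against a full log by replacing the two sample strings with the file contents. The O20 rule flags every third-party Winlogon Notify entry for review rather than trying to judge the DLL name, because anything in that key runs inside winlogon.exe and is worth a look; the collision branch in renv_plan is the case the RenV:: list above does not resolve by itself, where both `isuspm .exe` and `isuspm.exe` exist and a blind rename would overwrite one of them.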
Bugbatter • 3 Apprentice • 20.5K Posts • February 25th, 2008 00:00
If so, I turned off her computer after running the last HJT scan that I sent you, before I got your reply.
Does that mean that it won't do me any good to run the script you sent me?
Yes, that is correct.
Please follow the steps in order. If you have to rerun them, do them from beginning to end in the same order.
1. Run the script and ComboFix
2. Post the log along with a fresh HJT log.
jmaple • 16 Posts • February 25th, 2008 00:00
Before I run the script you sent me, I have a question.
Do I understand you to say that the virus changes the executable filename every time Windows is restarted?
If so, I turned off her computer after running the last HJT scan that I sent you, before I got your reply.
Does that mean that it won't do me any good to run the script you sent me?
Should I run that script, or rerun combofix and HJT, send the new scan results, then leave the computer on until you send me a new script?
Please advise.
Thanks,
Jerry
jmaple
February 25th, 2008 16:00
Here's the HJT log, will leave computer on this time:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:02 AM, on 2/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Documents and Settings\Andrea\Desktop\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://valley.qwest.net/cgi-bin/index.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" -startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [{7C-CE-E5-58-ZN}] C:\WINDOWS\system32\dwdsrngt .exe CHD001
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Spruce - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 7983 bytes
Thanks,
Jerry
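The log above can be triaged mechanically before anyone writes a CFScript. What follows is an added example written for this thread; it is not part of HijackThis, ComboFix, or the helper's own procedure. It parses the O4, O2 and R3 lines of a HijackThis 2.x log and flags the four patterns that stand out in the log above: an image path with whitespace before its extension (the "isuspm .exe" style entry that the helper later hands to ComboFix's RenV:: directive), a Run value named with a short braced token instead of a product name, a startup shortcut that resolves into ComboFix's quarantine tree, and a BHO or URLSearchHook registered as "(no name)". The heuristics, the regular expressions and the function names are this example's own assumptions; the sample input is reproduced from the log above. A hit is a reason to look closer, not proof of infection.

```python
"""Flag suspicious autostart entries in a HijackThis 2.x log.

Added example for this thread; not part of HijackThis or ComboFix.
The heuristics (an assumption of this example) are the patterns visible
in the log posted above:
  * an image path with whitespace before its extension ("isuspm .exe");
  * a Run-value name that is a short braced token ("{7C-CE-E5-58-ZN}");
  * a user startup shortcut that resolves into a quarantine folder;
  * a BHO or URLSearchHook registered as "(no name)".
"""
import re
from dataclasses import dataclass

# "O4 - HKLM\..\Run: [name] command"  (also HKCU, HKUS\S-1-5-xx)
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O4 - Startup: foo.lnk = target" / "O4 - Global Startup: foo.lnk = target"
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<lnk>.+?) = (?P<target>.*)$")
# "O2 - BHO: name - {CLSID} - path" / "R3 - URLSearchHook: name - {CLSID} - path"
O2_R3 = re.compile(
    r"^(?P<type>O2|R3) - (?:BHO|URLSearchHook): (?P<name>.+?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.*)$",
    re.IGNORECASE,
)

# whitespace immediately before the extension, e.g. "QTTask .exe"
SPACED_EXT = re.compile(r"\s+\.(exe|dll|sys)\b", re.IGNORECASE)
# image path up to and including such an extension, with a leading quote dropped
SPACED_PATH = re.compile(r'^"?(?P<path>.*?\s+\.(?:exe|dll|sys))', re.IGNORECASE)
# {7C-CE-E5-58-ZN}: braces around short two-character groups; a CLSID starts with 8 hex chars
BRACED_TOKEN = re.compile(r"^\{[0-9A-Z]{2}(-[0-9A-Z]{2}){3,}\}$", re.IGNORECASE)
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\",)  # ComboFix's quarantine tree


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def check_line(line: str) -> list[Finding]:
    """Return zero or more findings for one HJT log line."""
    line = line.rstrip()
    found: list[Finding] = []
    m = O4_RUN.match(line)
    if m:
        if SPACED_EXT.search(m["cmd"]):
            found.append(Finding(line, "image path has whitespace before its extension"))
        if BRACED_TOKEN.match(m["name"]):
            found.append(Finding(line, "Run value name is a short braced token"))
        return found
    m = O4_STARTUP.match(line)
    if m:
        if any(q in m["target"].lower() for q in QUARANTINE_MARKERS):
            found.append(Finding(line, "startup shortcut points into a quarantine folder"))
        return found
    m = O2_R3.match(line)
    if m and m["name"].strip().lower() == "(no name)":
        found.append(Finding(line, f"{m['type']} entry registered as (no name)"))
    return found


def scan(log_text: str) -> list[Finding]:
    """Run check_line over every line of a log, in order."""
    return [f for raw in log_text.splitlines() for f in check_line(raw)]


def spaced_exe_paths(log_text: str) -> list[str]:
    """Image paths of Run entries whose extension is preceded by whitespace."""
    paths = []
    for raw in log_text.splitlines():
        m = O4_RUN.match(raw.rstrip())
        if m and SPACED_EXT.search(m["cmd"]):
            paths.append(SPACED_PATH.match(m["cmd"])["path"])
    return paths


# Sample input: lines reproduced from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" -startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [{7C-CE-E5-58-ZN}] C:\WINDOWS\system32\dwdsrngt .exe CHD001
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - Startup: Spruce - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.reason:50} | {f.line}")
    print("paths with a spaced extension:", spaced_exe_paths(SAMPLE_LOG))
```

Run it against a full log by reading the file into `scan()`. The "whitespace before the extension" check is the one worth keeping in any triage script: a legitimate installer never registers its program as "name .exe", so every such Run entry in the log above is either the renamed original or the replacement the helper is cleaning up, and `spaced_exe_paths()` gives the exact paths to inspect on disk.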
jmaple
February 25th, 2008 16:00
Ran Combofix with the script. Here's the log:
ComboFix 08-02-22 - Andrea 2008-02-26 10:44:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.123 [GMT -7:00]
Running from: C:\Documents and Settings\Andrea\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Andrea\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\cbeeg.bak1
C:\WINDOWS\system32\cbeeg.bak2
C:\WINDOWS\system32\drivers\ipocptzd.dat
C:\WINDOWS\SYSTEM32\efcbyax.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\cbeeg.bak1
C:\WINDOWS\system32\cbeeg.bak2
C:\WINDOWS\system32\drivers\ipocptzd.dat
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\SYSTEM32\efcbyax.dll
.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.
2008-02-22 14:36 . 2008-02-22 14:36 281 --a------ C:\WINDOWS\Shortcut to Local Disk (C).lnk
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 17:44 --------- d-----w C:\Program Files\QuickTime
2008-02-26 17:44 --------- d-----w C:\Program Files\NetWaiting
2008-02-26 17:43 --------- d-----w C:\Program Files\iTunes
2008-02-26 17:43 --------- d-----w C:\Program Files\DellSupport
2008-02-26 17:43 --------- d-----w C:\Program Files\AIM6
2008-02-12 02:57 33,734 ----a-w C:\Documents and Settings\Andrea\Application Data\wklnhst.dat
2008-01-28 05:43 138,752 ----a-w C:\WINDOWS\Internet Logs\xDB37.tmp
2008-01-28 05:04 --------- d-----w C:\Documents and Settings\Andrea\Application Data\Apple Computer
2008-01-26 05:10 14,265,599 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-01-19 21:03 3,377,664 ----a-w C:\WINDOWS\Internet Logs\xDB36.tmp
2008-01-19 18:56 --------- d-----w C:\Documents and Settings\Andrea\Application Data\AVG7
2008-01-13 17:04 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-01-13 17:04 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-01-13 17:04 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
2008-01-13 06:48 339,968 ----a-w C:\WINDOWS\system32\jkhfd.exe
2008-01-08 17:28 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-03 03:44 69,120 ----a-w C:\WINDOWS\Internet Logs\xDB35.tmp
2007-12-28 17:53 2,773,504 ----a-w C:\WINDOWS\Internet Logs\xDB33.tmp
2007-12-28 17:53 1,808,384 ----a-w C:\WINDOWS\Internet Logs\xDB34.tmp
2007-12-24 20:54 4,569,088 ----a-w C:\WINDOWS\Internet Logs\xDB31.tmp
2007-12-24 20:53 1,803,776 ----a-w C:\WINDOWS\Internet Logs\xDB32.tmp
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-07 14:37 3,059,200 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 13:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-11-14 10:08 7,067,136 ----a-w C:\WINDOWS\Internet Logs\xDB30.tmp
2007-11-02 16:04 1,751,040 ----a-w C:\WINDOWS\Internet Logs\xDB2F.tmp
2007-10-12 19:08 111,360 ----a-w C:\Documents and Settings\Andrea\Application Data\GDIPFONTCACHEV1.DAT
2007-09-24 16:56 1,665,536 ----a-w C:\WINDOWS\Internet Logs\xDB2E.tmp
2007-07-30 17:04 2,779,648 ----a-w C:\WINDOWS\Internet Logs\xDB2D.tmp
2007-07-16 04:03 4,251,136 ----a-w C:\WINDOWS\Internet Logs\xDBEE.tmp
2007-07-16 04:03 1,532,416 ----a-w C:\WINDOWS\Internet Logs\xDB16E.tmp
2007-04-21 14:16 2,749,952 ----a-w C:\WINDOWS\Internet Logs\xDB2B.tmp
2007-04-21 14:16 1,492,992 ----a-w C:\WINDOWS\Internet Logs\xDB2C.tmp
2007-04-15 13:53 2,805,248 ----a-w C:\WINDOWS\Internet Logs\xDB29.tmp
2007-04-15 13:53 1,492,480 ----a-w C:\WINDOWS\Internet Logs\xDB2A.tmp
2007-04-03 21:57 3,422,208 ----a-w C:\WINDOWS\Internet Logs\xDB27.tmp
2007-02-15 05:37 6,665,728 ----a-w C:\WINDOWS\Internet Logs\xDB5B.tmp
2007-02-15 05:37 1,473,024 ----a-w C:\WINDOWS\Internet Logs\xDB198.tmp
2007-02-08 05:00 1,467,904 ----a-w C:\WINDOWS\Internet Logs\xDB28.tmp
2007-01-27 07:20 4,718,592 ----a-w C:\WINDOWS\Internet Logs\xDB26.tmp
2007-01-27 07:20 1,456,640 ----a-w C:\WINDOWS\Internet Logs\xDB67.tmp
2007-01-09 06:13 5,460,480 ----a-w C:\WINDOWS\Internet Logs\xDB24.tmp
2007-01-09 06:13 1,443,840 ----a-w C:\WINDOWS\Internet Logs\xDB25.tmp
2006-12-21 04:51 10,268,160 ----a-w C:\WINDOWS\Internet Logs\xDB23.tmp
2006-12-21 04:51 1,427,456 ----a-w C:\WINDOWS\Internet Logs\xDBD0.tmp
2006-12-17 04:38 1,423,872 ----a-w C:\WINDOWS\Internet Logs\xDB22.tmp
2006-12-08 22:19 181,729 ----a-w C:\WINDOWS\Fonts\el_font_gohtic.zip
2006-12-08 18:32 6,982 ----a-w C:\WINDOWS\Fonts\barcode_font.zip
2006-12-05 23:31 118,187 ----a-w C:\WINDOWS\Fonts\pulse_sans.zip
2006-12-05 00:39 111,646 ----a-w C:\WINDOWS\Fonts\ambulance_shotgun.zip
2006-11-09 05:42 4,238,848 ----a-w C:\WINDOWS\Internet Logs\xDB20.tmp
2006-11-09 05:42 1,397,248 ----a-w C:\WINDOWS\Internet Logs\xDB21.tmp
2006-11-06 03:18 1,394,176 ----a-w C:\WINDOWS\Internet Logs\xDB1F.tmp
2006-11-01 00:27 6,276,096 ----a-w C:\WINDOWS\Internet Logs\xDB1E.tmp
2006-10-05 07:06 4,347,392 ----a-w C:\WINDOWS\Internet Logs\xDB1C.tmp
2006-10-05 07:06 1,373,184 ----a-w C:\WINDOWS\Internet Logs\xDB1D.tmp
2006-09-27 21:44 2,446,336 ----a-w C:\WINDOWS\Internet Logs\xDB1A.tmp
2006-09-27 21:44 1,366,016 ----a-w C:\WINDOWS\Internet Logs\xDB1B.tmp
2006-09-24 06:47 3,317,248 ----a-w C:\WINDOWS\Internet Logs\xDB18.tmp
2006-09-24 06:47 1,363,456 ----a-w C:\WINDOWS\Internet Logs\xDB19.tmp
2006-09-15 05:07 3,302,912 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2006-09-15 05:07 1,355,776 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2006-08-28 04:31 2,890,752 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2006-08-28 04:31 1,329,152 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2006-08-26 06:13 1,324,544 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2006-08-24 03:33 2,279,424 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2006-08-24 03:33 1,321,984 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2006-08-21 05:05 2,853,888 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2006-08-21 05:05 1,319,424 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2006-08-04 23:50 1,313,280 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2006-08-04 23:50 1,048,576 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2006-08-04 07:28 6,066,176 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2006-07-14 02:49 1,299,968 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2006-06-30 15:33 2,759,680 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2006-06-25 21:51 7,699,968 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2006-06-25 21:51 1,287,680 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2006-05-19 01:31 45,750 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_05_18_07_22_05_small.dmp.zip
2006-05-19 01:31 43,892 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_05_18_07_20_55_small.dmp.zip
2006-05-18 03:16 3,160,576 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2006-04-19 05:09 4,583,424 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2006-04-19 05:09 1,234,944 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2006-03-02 01:09 2,865,152 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2006-02-25 00:28 1,190,400 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2006-02-19 10:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-02-19 00:30 3,232,768 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2006-02-19 00:30 1,179,648 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2006-01-09 23:33 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-23 22:42 393216 C:\WINDOWS\stsystra.exe]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" [2008-01-26 14:42 616448]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-11-14 23:51 755472]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"{7C-CE-E5-58-ZN}"="C:\WINDOWS\system32\dwdsrngt .exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 08:16 219136]
C:\Documents and Settings\Andrea\Start Menu\Programs\Startup\
Spruce - Auto Update.lnk - C:\QooBox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir [2007-12-20 14:04:40 178390]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-24 00:43:04 113664]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-12-05 07:28:27 156784]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-05 07:23:20 24576]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-12-28 15:45:25 315392]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
S0 syiwdekn;syiwdekn;C:\WINDOWS\system32\drivers\ipocptzd.dat []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00ac7edf-4c70-11dc-a4a7-0014a452b7ca}]
\Shell\AutoRun\command - E:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00ac7ee0-4c70-11dc-a4a7-0014a452b7ca}]
\Shell\AutoRun\command - F:\LinksysConnectPC.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 18:11:59 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 10:53:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\HPZinw12.exe
.
**************************************************************************
.
Completion time: 2008-02-26 10:59:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-26 17:59:16
ComboFix2.txt 2008-02-22 21:27:26
.
2008-02-21 20:15:15 --- E O F ---
HJT log in following post.
Jerry
Bugbatter
February 25th, 2008 17:00
Open Notepad and copy/paste the following text between the dotted lines. Do not copy the lines.
** Make sure you copy/paste ALL the text at once. Do not try to edit extra spaces. It will copy correctly to Notepad if you highlight and copy as is.
------------------------------------------------------------------------
File::
C:\WINDOWS\Internet Logs\xDB35.tmp
C:\WINDOWS\Internet Logs\xDB33.tmp
C:\WINDOWS\Internet Logs\xDB34.tmp
C:\WINDOWS\Internet Logs\xDB31.tmp
C:\WINDOWS\Internet Logs\xDB32.tmp
C:\WINDOWS\Internet Logs\xDB30.tmp
C:\WINDOWS\Internet Logs\xDB2F.tmp
C:\WINDOWS\Internet Logs\xDB2E.tmp
C:\WINDOWS\Internet Logs\xDB2D.tmp
C:\WINDOWS\Internet Logs\xDBEE.tmp
C:\WINDOWS\Internet Logs\xDB16E.tmp
C:\WINDOWS\Internet Logs\xDB2B.tmp
C:\WINDOWS\Internet Logs\xDB2C.tmp
C:\WINDOWS\Internet Logs\xDB29.tmp
C:\WINDOWS\Internet Logs\xDB2A.tmp
C:\WINDOWS\Internet Logs\xDB27.tmp
C:\WINDOWS\Internet Logs\xDB5B.tmp
C:\WINDOWS\Internet Logs\xDB198.tmp
C:\WINDOWS\Internet Logs\xDB28.tmp
C:\WINDOWS\Internet Logs\xDB26.tmp
C:\WINDOWS\Internet Logs\xDB67.tmp
C:\WINDOWS\Internet Logs\xDB24.tmp
C:\WINDOWS\Internet Logs\xDB25.tmp
C:\WINDOWS\Internet Logs\xDB23.tmp
C:\WINDOWS\Internet Logs\xDBD0.tmp
C:\WINDOWS\Internet Logs\xDB22.tmp
C:\WINDOWS\Internet Logs\xDB20.tmp
C:\WINDOWS\Internet Logs\xDB21.tmp
C:\WINDOWS\Internet Logs\xDB1F.tmp
C:\WINDOWS\Internet Logs\xDB1E.tmp
C:\WINDOWS\Internet Logs\xDB1C.tmp
C:\WINDOWS\Internet Logs\xDB1D.tmp
C:\WINDOWS\Internet Logs\xDB18.tmp
C:\WINDOWS\Internet Logs\xDB19.tmp
C:\WINDOWS\Internet Logs\xDB16.tmp
C:\WINDOWS\Internet Logs\xDB17.tmp
C:\WINDOWS\Internet Logs\xDB14.tmp
C:\WINDOWS\Internet Logs\xDB15.tmp
C:\WINDOWS\Internet Logs\xDB13.tmp
C:\WINDOWS\Internet Logs\xDB11.tmp
C:\WINDOWS\Internet Logs\xDB12.tmp
C:\WINDOWS\Internet Logs\xDBF.tmp
C:\WINDOWS\Internet Logs\xDB10.tmp
C:\WINDOWS\Internet Logs\xDBE.tmp
C:\WINDOWS\Internet Logs\xDBB.tmp
C:\WINDOWS\Internet Logs\xDBA.tmp
C:\WINDOWS\Internet Logs\xDB9.tmp
C:\WINDOWS\Internet Logs\xDB8.tmp
C:\WINDOWS\Internet Logs\xDBC.tmp
C:\WINDOWS\Internet Logs\xDBD.tmp
C:\WINDOWS\Internet Logs\xDB7.tmp
C:\WINDOWS\Internet Logs\xDB5.tmp
C:\WINDOWS\Internet Logs\xDB6.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
RenV::
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
-----------------------------------------------------------------------
Save this as CFScript.txt
Referring to the picture above, drag CFScript into ComboFix.exe
You will be prompted to run Combofix again. Follow the same instructions you did before for running ComboFix.
CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.
When finished, a log is produced here: C:\ComboFix.txt
Please perform an AVG AS Online Malware Scan
In your next reply, please post your ComboFix log and a new HijackThis log.
Most of the infection will be gone after completing the above steps, so if you want to power down the computer overnight, that will probably be okay. Give it a try, and we'll see how your logs look.
jmaple
February 25th, 2008 20:00
OK, several things went a little differently that time.
1. Had to restart Windows manually after running Combofix.
2. Got a message when windows restarted saying it couldn't run Spruce.exe.vir, clicked cancel and Windows finished bootup.
3. Tried to run AVG Online Scan, said to wait for definition download, 20 minute wait, nothing. Closed window, restarted, never got in. Ran AdAware SE with latest definitions, found 4 or 5 infections which it healed, quarantined a bunch of tracking cookies.
Here's the combofix log:
ComboFix 08-02-22 - Andrea 2008-02-26 14:18:33.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.111 [GMT -7:00]
Running from: C:\Documents and Settings\Andrea\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Andrea\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\Internet Logs\xDB10.tmp
C:\WINDOWS\Internet Logs\xDB11.tmp
C:\WINDOWS\Internet Logs\xDB12.tmp
C:\WINDOWS\Internet Logs\xDB13.tmp
C:\WINDOWS\Internet Logs\xDB14.tmp
C:\WINDOWS\Internet Logs\xDB15.tmp
C:\WINDOWS\Internet Logs\xDB16.tmp
C:\WINDOWS\Internet Logs\xDB16E.tmp
C:\WINDOWS\Internet Logs\xDB17.tmp
C:\WINDOWS\Internet Logs\xDB18.tmp
C:\WINDOWS\Internet Logs\xDB19.tmp
C:\WINDOWS\Internet Logs\xDB198.tmp
C:\WINDOWS\Internet Logs\xDB1C.tmp
C:\WINDOWS\Internet Logs\xDB1D.tmp
C:\WINDOWS\Internet Logs\xDB1E.tmp
C:\WINDOWS\Internet Logs\xDB1F.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB20.tmp
C:\WINDOWS\Internet Logs\xDB21.tmp
C:\WINDOWS\Internet Logs\xDB22.tmp
C:\WINDOWS\Internet Logs\xDB23.tmp
C:\WINDOWS\Internet Logs\xDB24.tmp
C:\WINDOWS\Internet Logs\xDB25.tmp
C:\WINDOWS\Internet Logs\xDB26.tmp
C:\WINDOWS\Internet Logs\xDB27.tmp
C:\WINDOWS\Internet Logs\xDB28.tmp
C:\WINDOWS\Internet Logs\xDB29.tmp
C:\WINDOWS\Internet Logs\xDB2A.tmp
C:\WINDOWS\Internet Logs\xDB2B.tmp
C:\WINDOWS\Internet Logs\xDB2C.tmp
C:\WINDOWS\Internet Logs\xDB2D.tmp
C:\WINDOWS\Internet Logs\xDB2E.tmp
C:\WINDOWS\Internet Logs\xDB2F.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB30.tmp
C:\WINDOWS\Internet Logs\xDB31.tmp
C:\WINDOWS\Internet Logs\xDB32.tmp
C:\WINDOWS\Internet Logs\xDB33.tmp
C:\WINDOWS\Internet Logs\xDB34.tmp
C:\WINDOWS\Internet Logs\xDB35.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB5.tmp
C:\WINDOWS\Internet Logs\xDB5B.tmp
C:\WINDOWS\Internet Logs\xDB6.tmp
C:\WINDOWS\Internet Logs\xDB67.tmp
C:\WINDOWS\Internet Logs\xDB7.tmp
C:\WINDOWS\Internet Logs\xDB8.tmp
C:\WINDOWS\Internet Logs\xDB9.tmp
C:\WINDOWS\Internet Logs\xDBA.tmp
C:\WINDOWS\Internet Logs\xDBB.tmp
C:\WINDOWS\Internet Logs\xDBC.tmp
C:\WINDOWS\Internet Logs\xDBD.tmp
C:\WINDOWS\Internet Logs\xDBD0.tmp
C:\WINDOWS\Internet Logs\xDBE.tmp
C:\WINDOWS\Internet Logs\xDBEE.tmp
C:\WINDOWS\Internet Logs\xDBF.tmp
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\Internet Logs\xDB10.tmp
C:\WINDOWS\Internet Logs\xDB11.tmp
C:\WINDOWS\Internet Logs\xDB12.tmp
C:\WINDOWS\Internet Logs\xDB13.tmp
C:\WINDOWS\Internet Logs\xDB14.tmp
C:\WINDOWS\Internet Logs\xDB15.tmp
C:\WINDOWS\Internet Logs\xDB16.tmp
C:\WINDOWS\Internet Logs\xDB16E.tmp
C:\WINDOWS\Internet Logs\xDB17.tmp
C:\WINDOWS\Internet Logs\xDB18.tmp
C:\WINDOWS\Internet Logs\xDB19.tmp
C:\WINDOWS\Internet Logs\xDB198.tmp
C:\WINDOWS\Internet Logs\xDB1C.tmp
C:\WINDOWS\Internet Logs\xDB1D.tmp
C:\WINDOWS\Internet Logs\xDB1E.tmp
C:\WINDOWS\Internet Logs\xDB1F.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB20.tmp
C:\WINDOWS\Internet Logs\xDB21.tmp
C:\WINDOWS\Internet Logs\xDB22.tmp
C:\WINDOWS\Internet Logs\xDB23.tmp
C:\WINDOWS\Internet Logs\xDB24.tmp
C:\WINDOWS\Internet Logs\xDB25.tmp
C:\WINDOWS\Internet Logs\xDB26.tmp
C:\WINDOWS\Internet Logs\xDB27.tmp
C:\WINDOWS\Internet Logs\xDB28.tmp
C:\WINDOWS\Internet Logs\xDB29.tmp
C:\WINDOWS\Internet Logs\xDB2A.tmp
C:\WINDOWS\Internet Logs\xDB2B.tmp
C:\WINDOWS\Internet Logs\xDB2C.tmp
C:\WINDOWS\Internet Logs\xDB2D.tmp
C:\WINDOWS\Internet Logs\xDB2E.tmp
C:\WINDOWS\Internet Logs\xDB2F.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB30.tmp
C:\WINDOWS\Internet Logs\xDB31.tmp
C:\WINDOWS\Internet Logs\xDB32.tmp
C:\WINDOWS\Internet Logs\xDB33.tmp
C:\WINDOWS\Internet Logs\xDB34.tmp
C:\WINDOWS\Internet Logs\xDB35.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB5.tmp
C:\WINDOWS\Internet Logs\xDB5B.tmp
C:\WINDOWS\Internet Logs\xDB6.tmp
C:\WINDOWS\Internet Logs\xDB67.tmp
C:\WINDOWS\Internet Logs\xDB7.tmp
C:\WINDOWS\Internet Logs\xDB8.tmp
C:\WINDOWS\Internet Logs\xDB9.tmp
C:\WINDOWS\Internet Logs\xDBA.tmp
C:\WINDOWS\Internet Logs\xDBB.tmp
C:\WINDOWS\Internet Logs\xDBC.tmp
C:\WINDOWS\Internet Logs\xDBD.tmp
C:\WINDOWS\Internet Logs\xDBD0.tmp
C:\WINDOWS\Internet Logs\xDBE.tmp
C:\WINDOWS\Internet Logs\xDBEE.tmp
C:\WINDOWS\Internet Logs\xDBF.tmp
.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.
2008-02-22 14:36 . 2008-02-22 14:36 281 --a------ C:\WINDOWS\Shortcut to Local Disk (C).lnk
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 17:44 --------- d-----w C:\Program Files\QuickTime
2008-02-26 17:44 --------- d-----w C:\Program Files\NetWaiting
2008-02-26 17:43 --------- d-----w C:\Program Files\iTunes
2008-02-26 17:43 --------- d-----w C:\Program Files\DellSupport
2008-02-26 17:43 --------- d-----w C:\Program Files\AIM6
2008-02-12 02:57 33,734 ----a-w C:\Documents and Settings\Andrea\Application Data\wklnhst.dat
2008-01-28 05:43 138,752 ----a-w C:\WINDOWS\Internet Logs\xDB37.tmp
2008-01-28 05:04 --------- d-----w C:\Documents and Settings\Andrea\Application Data\Apple Computer
2008-01-26 05:10 14,265,599 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-01-19 21:03 3,377,664 ----a-w C:\WINDOWS\Internet Logs\xDB36.tmp
2008-01-19 18:56 --------- d-----w C:\Documents and Settings\Andrea\Application Data\AVG7
2008-01-13 17:04 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-01-13 17:04 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-01-13 17:04 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
2008-01-13 06:48 339,968 ----a-w C:\WINDOWS\system32\jkhfd.exe
2008-01-08 17:28 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-07 14:37 3,059,200 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 13:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-10-12 19:08 111,360 ----a-w C:\Documents and Settings\Andrea\Application Data\GDIPFONTCACHEV1.DAT
2006-12-08 22:19 181,729 ----a-w C:\WINDOWS\Fonts\el_font_gohtic.zip
2006-12-08 18:32 6,982 ----a-w C:\WINDOWS\Fonts\barcode_font.zip
2006-12-05 23:31 118,187 ----a-w C:\WINDOWS\Fonts\pulse_sans.zip
2006-12-05 00:39 111,646 ----a-w C:\WINDOWS\Fonts\ambulance_shotgun.zip
2006-09-27 21:44 2,446,336 ----a-w C:\WINDOWS\Internet Logs\xDB1A.tmp
2006-09-27 21:44 1,366,016 ----a-w C:\WINDOWS\Internet Logs\xDB1B.tmp
2006-05-19 01:31 45,750 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_05_18_07_22_05_small.dmp.zip
2006-05-19 01:31 43,892 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_05_18_07_20_55_small.dmp.zip
2006-02-19 10:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-01-09 23:33 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-23 22:42 393216 C:\WINDOWS\stsystra.exe]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" [2008-01-26 14:42 616448]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-11-14 23:51 755472]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"{7C-CE-E5-58-ZN}"="C:\WINDOWS\system32\dwdsrngt .exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 08:16 219136]
C:\Documents and Settings\Andrea\Start Menu\Programs\Startup\
Spruce - Auto Update.lnk - C:\QooBox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir [2007-12-20 14:04:40 178390]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-24 00:43:04 113664]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-12-05 07:28:27 156784]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-05 07:23:20 24576]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-12-28 15:45:25 315392]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
S0 syiwdekn;syiwdekn;C:\WINDOWS\system32\drivers\ipocptzd.dat []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00ac7edf-4c70-11dc-a4a7-0014a452b7ca}]
\Shell\AutoRun\command - E:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00ac7ee0-4c70-11dc-a4a7-0014a452b7ca}]
\Shell\AutoRun\command - F:\LinksysConnectPC.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 18:11:59 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 14:24:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-26 14:25:38
ComboFix-quarantined-files.txt 2008-02-26 21:25:30
ComboFix2.txt 2008-02-26 17:59:22
ComboFix3.txt 2008-02-22 21:27:26
.
2008-02-21 20:15:15 --- E O F ---
jmaple
February 25th, 2008 20:00
and here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:15 PM, on 2/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\Andrea\Desktop\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://valley.qwest.net/cgi-bin/index.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" -startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [{7C-CE-E5-58-ZN}] C:\WINDOWS\system32\dwdsrngt .exe CHD001
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Spruce - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 8153 bytes
thnx,
Jerry