58 Posts
0
3314
September 29th, 2008 17:00
HELP
Last night my computer was opening weird ad-type web pages without any help from me. The computer seemed very slow, so I scanned it with Malware and ad-aware. Malware found 42 things wrong and 12 of them were trojans. I fixed it. As I type this another ad has popped open on its own.
This is what I got from HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:04 PM, on 9/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Micro Innovations\Wireless Laser Mouse\moffice.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Micro Innovations\Wireless Laser Mouse\MOUSE32A.DAT
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\?ystem\wuauclt.exe
C:\Program Files\VnrBlock\VnrBlock21.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\GetPack\GetPack21.exe
C:\PROGRA~1\SEMBLY~1\scanregw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: OIN Analytics - {6B221E01-F517-4959-8C41-81948E7F2F17} - C:\Program Files\OINAnalytics\OINAnalytics.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: {8db547de-5b8b-5dc9-b614-4237b4637a09} - {90a7364b-7324-416b-9cd5-b8b5ed745bd8} - C:\WINDOWS\system32\raygcv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Wireless Laser Mouse\moffice.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Kejjolnc] "C:\Program Files\Common Files\?ystem\wuauclt.exe"
O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe"
O4 - HKCU\..\Run: [GetPack21] "C:\Program Files\GetPack\GetPack21.exe"
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SEMBLY~1\scanregw.exe" -vt yazb
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O18 - Filter hijack: text/html - {cbf3b054-3111-496a-b911-2266d46bbc25} - C:\WINDOWS\system32\msiebbar.dll
O20 - AppInit_DLLs: raygcv.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
--
End of file - 8799 bytes
thank you,
Linda


bamajim
10.4K Posts
0
September 29th, 2008 17:00
Please download Combofix and save to your desktop:
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.
"The world is what you make of it"
lkfort
58 Posts
0
September 29th, 2008 19:00
Do I keep the results of ComboFix someplace on my computer? Can you tell from this information what/how a website did this to my computer? And should I be running ComboFix even when I don't think I have a problem?
Thank you so much. Anytime I have a problem you are so helpful at this site. For those of us who are not very computer literate it is wonderful to have such help.
Linda
ComboFix 08-09-28.01 - Linda Fort 2008-09-29 14:25:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.636 [GMT -5:00]
Running from: C:\Documents and Settings\Linda Fort\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Linda Fort\Cookies\linda_fort@ad.yieldmanager[2].txt
C:\Documents and Settings\Linda Fort\Cookies\linda_fort@spamblockerutility[2].txt
C:\Documents and Settings\Linda Fort\Cookies\linda_fort@trafficmp[2].txt
C:\Documents and Settings\Linda Fort\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Linda Fort\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Linda Fort\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\Yazzle1554OinUninstaller.exe
C:\Program Files\Common Files\ystem~1
C:\Program Files\Common Files\ystem~1\wuauclt.exe
C:\Program Files\GetPack
C:\Program Files\GetPack\dictame.gz
C:\Program Files\GetPack\GetPack21.exe
C:\Program Files\GetPack\trgtame.gz
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\sembly~1
C:\Program Files\sembly~1\??sembly\
C:\Program Files\sembly~1\scanregw.exe
C:\Program Files\ssembl~1
C:\Program Files\VnrBlock
C:\Program Files\VnrBlock\VnrBlock21.exe
C:\Program Files\VnrBlock\xoffdic.gz
C:\Program Files\VnrBlock\xtarga.gz
C:\WINDOWS\BM2368bcb0.txt
C:\WINDOWS\BM2368bcb0.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msiebbar.dll
C:\WINDOWS\system32\ssqNFvuR.dll
C:\WINDOWS\system32\ssqPffEV.dll
C:\WINDOWS\SYSTEM32\VEffPqss.ini
.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-29 )))))))))))))))))))))))))))))))
.
2008-09-29 06:10 . 2008-09-29 06:10 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-09-28 19:58 . 2008-09-28 19:58 128,000 --a------ C:\WINDOWS\SYSTEM32\raygcv.dll
2008-09-28 19:58 . 2008-09-28 19:58 128,000 --a------ C:\WINDOWS\SYSTEM32\eovqjtoo.dll
2008-09-28 19:58 . 2008-09-28 20:55 105,984 --------- C:\WINDOWS\SYSTEM32\yyfhxiuf.dll
2008-09-28 19:58 . 2008-09-28 20:55 71,168 --------- C:\WINDOWS\SYSTEM32\pwhsapvb.dll
2008-09-28 19:45 . 2008-09-28 19:45
2008-09-28 19:44 . 2008-09-28 19:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-28 19:44 . 2008-09-28 19:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-10 14:01 . 2008-09-10 14:01
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-23 01:17 44,422 ----a-w C:\Documents and Settings\Linda Fort\Application Data\wklnhst.dat
2008-09-01 01:24 59,784 -c--a-w C:\Documents and Settings\Linda Fort\Application Data\GDIPFONTCACHEV1.DAT
2008-08-30 15:35 --------- d-----w C:\Documents and Settings\Linda Fort\Application Data\Image Zone Express
2008-08-19 17:08 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2001-07-26 22:58 47 -c--a-w C:\Program Files\ACMonitor_X73.ini
2001-07-05 18:46 8,116 -c--a-w C:\Program Files\OSLO3071b2.USB
2001-05-11 17:39 53,248 -c--a-w C:\Program Files\ACMonitor_X73.exe
2001-05-08 22:36 114,688 -c--a-w C:\Program Files\lxarscan.dll
2001-04-23 20:22 1,437 -c--a-w C:\Program Files\gtx73.ini
2001-02-22 15:54 768 -c--a-w C:\Program Files\x73_lut.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B221E01-F517-4959-8C41-81948E7F2F17}]
2008-09-11 14:48 229376 --a------ C:\Program Files\OINAnalytics\OINAnalytics.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90a7364b-7324-416b-9cd5-b8b5ed745bd8}]
2008-09-28 19:58 128000 --a------ C:\WINDOWS\system32\raygcv.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kejjolnc"="C:\Program Files\Common Files\?ystem\wuauclt.exe" [?]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2007-04-12 321040]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-26 68856]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u"
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-02 77824]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"FLMOFFICE4DMOUSE"="C:\Program Files\Micro Innovations\Wireless Laser Mouse\moffice.exe" [2006-12-17 806912]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-04-12 3429904]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
C:\Documents and Settings\Linda Fort\Start Menu\Programs\Startup\
Screen Saver Control.lnk - C:\WINDOWS\FSScrCtl.exe [2007-05-02 249344]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=raygcv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Micro Innovations\\Wireless Laser Mouse\\uninst00.exe"=
"C:\\Program Files\\MP3-Xtreme\\Shareaza.exe"=
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:MP3-Xtreme TCP port 6346
"6346:UDP"= 6346:UDP:MP3-Xtreme UDP port 6346
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-VnrBlock21 - C:\Program Files\VnrBlock\VnrBlock21.exe
HKCU-Run-GetPack21 - C:\Program Files\GetPack\GetPack21.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
O8 -: &Search -
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 -: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
O9 -: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 -: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html -
O9 -: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe -
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-29 14:57:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\KQV05AFKPUZ4AFLQ
C:\Documents and Settings\Linda Fort\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini.inuse 0 bytes
scan completed successfully
hidden files: 2
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Micro Innovations\Wireless Laser Mouse\mouse32a.dat
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
.
**************************************************************************
.
Completion time: 2008-09-29 15:05:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-29 20:05:31
Pre-Run: 58,836,668,416 bytes free
Post-Run: 59,153,784,832 bytes free
194 --- E O F --- 2008-09-15 03:38:44
lkfort
58 Posts
0
September 29th, 2008 20:00
I am still getting ad pop-ups at random. I have my pop-up blocker on.
Linda
bamajim
10.4K Posts
0
September 30th, 2008 12:00
We still have a little work to do. I didn't expect to get it all at once.
1. Open NotePad (not wordpad). Copy and paste the following into Notepad
File::
C:\WINDOWS\SYSTEM32\raygcv.dll
C:\WINDOWS\SYSTEM32\eovqjtoo.dll
C:\WINDOWS\SYSTEM32\yyfhxiuf.dll
C:\WINDOWS\SYSTEM32\pwhsapvb.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90a7364b-7324-416b-9cd5-b8b5ed745bd8}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kejjolnc"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop
Using the Image as a reference, drag CFScript into ComboFix.exe
Following the same rules as indicated in my first post
Then post the contents of the C:\ComboFix.txt log in your reply
"The world is what you make of it"
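The entries in the CFScript above are not arbitrary: each one is an indicator that can be read straight out of the logs Linda posted. The following is an added example in Python, not code from this thread, from ComboFix or from HijackThis. It parses a handful of HijackThis lines and ComboFix "Files Created" lines copied from the logs above and surfaces the same items bamajim chose: the DLL registered both as a BHO under a bare GUID and in AppInit_DLLs, the Run value pointing at a copy of wuauclt.exe in a look-alike folder, the text/html filter hijack, and the three DLLs written to SYSTEM32 in the same minute as raygcv.dll. The heuristics, the BORROWED_NAMES list and all function names are this example's own assumptions; the sample lines are copied from the thread.

```python
"""Added triage example: pick the CFScript candidates out of HijackThis / ComboFix logs."""
import re
from collections import defaultdict

# Constructed sample input: lines copied from the HijackThis log posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: {8db547de-5b8b-5dc9-b614-4237b4637a09} - {90a7364b-7324-416b-9cd5-b8b5ed745bd8} - C:\WINDOWS\system32\raygcv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Kejjolnc] "C:\Program Files\Common Files\?ystem\wuauclt.exe"
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SEMBLY~1\scanregw.exe" -vt yazb
O18 - Filter hijack: text/html - {cbf3b054-3111-496a-b911-2266d46bbc25} - C:\WINDOWS\system32\msiebbar.dll
O20 - AppInit_DLLs: raygcv.dll
"""

# Constructed sample input: "Files Created" lines from the first ComboFix log in the thread.
COMBOFIX_CREATED_SAMPLE = r"""
2008-09-29 06:10 . 2008-09-29 06:10 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-09-28 19:58 . 2008-09-28 19:58 128,000 --a------ C:\WINDOWS\SYSTEM32\raygcv.dll
2008-09-28 19:58 . 2008-09-28 19:58 128,000 --a------ C:\WINDOWS\SYSTEM32\eovqjtoo.dll
2008-09-28 19:58 . 2008-09-28 20:55 105,984 --------- C:\WINDOWS\SYSTEM32\yyfhxiuf.dll
2008-09-28 19:58 . 2008-09-28 20:55 71,168 --------- C:\WINDOWS\SYSTEM32\pwhsapvb.dll
2008-09-28 19:44 . 2008-09-28 19:44 1,409 --a------ C:\WINDOWS\QTFont.for
"""

HJT_LINE_RE = re.compile(r"^(?P<section>[ROF]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RUN_RE = re.compile(r'\[(?P<name>[^\]]+)\]\s+"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|dat))"?', re.I)
CREATED_RE = re.compile(r"^(?P<minute>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ [\d,]+ \S+ (?P<path>[A-Za-z]:\\.+)$")
# Assumption for this example: Windows binary names that are suspect when started from outside C:\WINDOWS.
BORROWED_NAMES = {"wuauclt.exe", "svchost.exe", "winlogon.exe", "lsass.exe"}
WINDOWS_DIR = "c:\\windows\\"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _finding(section, severity, item, reason):
    return {"section": section, "severity": severity, "item": item, "reason": reason}


def triage_hjt(text):
    """Return findings for HijackThis lines that match the indicators seen in this thread."""
    out = []
    for raw in text.splitlines():
        m = HJT_LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m["section"], m["body"]
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body.split(":", 1)[1].strip()
            if dll:  # normally empty; any value is loaded into every process that maps user32.dll
                out.append(_finding(section, "high", dll, "AppInit_DLLs injection into every GUI process"))
        elif section == "O2" and body.startswith("BHO: "):
            parts = body[5:].split(" - ")
            if len(parts) < 3:
                continue
            name, clsid, path = parts[0], parts[1], " - ".join(parts[2:])
            if GUID_RE.match(name):
                out.append(_finding(section, "high", path, "BHO named by a bare GUID instead of a product name"))
            elif name == "(no name)" and path == "(no file)":
                out.append(_finding(section, "low", clsid, "orphaned BHO registration, no file on disk"))
        elif section == "O4":
            run = RUN_RE.search(body)
            if not run:
                continue
            path, reasons = run["path"], []
            if "?" in path:
                reasons.append("folder name contains a character the log could not render (look-alike name)")
            if basename(path) in BORROWED_NAMES and not path.lower().startswith(WINDOWS_DIR):
                reasons.append("Windows binary name started from outside C:\\WINDOWS")
            if reasons:
                out.append(_finding(section, "high", path, "; ".join(reasons)))
        elif section == "O18" and body.startswith("Filter hijack:"):
            out.append(_finding(section, "high", body.split(" - ")[-1],
                                "pluggable MIME filter sees every page IE renders for that content type"))
    return out


def repeat_offenders(findings):
    """Basenames that appear under more than one HJT section (here: BHO and AppInit_DLLs)."""
    seen = defaultdict(set)
    for f in findings:
        seen[basename(f["item"])].add(f["section"])
    return {name for name, sections in seen.items() if len(sections) > 1}


def sibling_files(created_text, flagged_names):
    """Files written in the same minute as a flagged file; a dropper usually writes its DLLs together."""
    by_minute = defaultdict(list)
    for raw in created_text.splitlines():
        m = CREATED_RE.match(raw.strip())
        if m:
            by_minute[m["minute"]].append(m["path"])
    hits = set()
    for paths in by_minute.values():
        if any(basename(p) in flagged_names for p in paths):
            hits.update(paths)
    return sorted(hits)


if __name__ == "__main__":
    found = triage_hjt(HJT_SAMPLE)
    for f in found:
        print(f"[{f['severity']:4}] {f['section']:3} {f['item']}  -- {f['reason']}")
    repeats = repeat_offenders(found)
    print("seen in more than one section:", ", ".join(sorted(repeats)))
    print("written in the same minute as those:", *sibling_files(COMBOFIX_CREATED_SAMPLE, repeats), sep="\n  ")
```

Run as a script it prints the five findings, names raygcv.dll as the one item registered in two places, and lists the four DLLs created at 19:58, which is exactly the File:: block of the CFScript. Note what the rules miss: the [Aida] entry under C:\PROGRA~1\SEMBLY~1\scanregw.exe passes them, and it was ComboFix's own signatures that removed that folder (it appears in the "Other Deletions" list of the first log). A script like this is a prompt for the person reading the log, not a replacement for the tool.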
lkfort
58 Posts
0
September 30th, 2008 18:00
Sorry about that post. I didn't see the file to save it onto my desktop. I see it now. :-)
Linda
bamajim
10.4K Posts
0
September 30th, 2008 18:00
lkfort
Did you find everything you needed?
"The world is what you make of it"
lkfort
58 Posts
0
September 30th, 2008 18:00
This is what I found this time
ComboFix 08-09-28.05 - Linda Fort 2008-09-30 14:43:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.678 [GMT -5:00]
Running from: C:\Documents and Settings\Linda Fort\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Linda Fort\Cookies\linda_fort@ad.yieldmanager[1].txt
C:\Documents and Settings\Linda Fort\Cookies\linda_fort@azjmp[1].txt
C:\Documents and Settings\Linda Fort\Cookies\linda_fort@trafficmp[2].txt
.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
.
2008-09-29 06:10 . 2008-09-29 06:10 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-09-28 19:58 . 2008-09-28 19:58 128,000 --a------ C:\WINDOWS\SYSTEM32\raygcv.dll
2008-09-28 19:58 . 2008-09-28 19:58 128,000 --a------ C:\WINDOWS\SYSTEM32\eovqjtoo.dll
2008-09-28 19:58 . 2008-09-28 20:55 105,984 --------- C:\WINDOWS\SYSTEM32\yyfhxiuf.dll
2008-09-28 19:58 . 2008-09-28 20:55 71,168 --------- C:\WINDOWS\SYSTEM32\pwhsapvb.dll
2008-09-28 19:45 . 2008-09-28 19:45
2008-09-28 19:44 . 2008-09-28 19:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-28 19:44 . 2008-09-28 19:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-10 14:01 . 2008-09-10 14:01
2008-08-18 20:43 . 2008-08-18 20:43
2008-08-18 20:43 . 2008-08-18 20:43
2008-08-18 20:43 . 2008-08-18 20:43
2008-08-18 20:13 . 2008-04-13 19:12 712,704 --------- C:\WINDOWS\SYSTEM32\windowscodecs.dll
2008-08-18 20:13 . 2008-04-13 19:12 346,112 --------- C:\WINDOWS\SYSTEM32\windowscodecsext.dll
2008-08-18 20:13 . 2008-04-13 19:12 276,992 --------- C:\WINDOWS\SYSTEM32\wmphoto.dll
2008-08-18 20:13 . 2008-04-13 19:12 69,120 --------- C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-08-18 20:13 . 2008-04-13 19:12 53,248 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-08-18 20:13 . 2008-04-13 19:12 50,688 --------- C:\WINDOWS\SYSTEM32\tspkg.dll
2008-08-18 20:11 . 2008-04-13 19:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-08-13 20:10 . 2008-05-01 09:33 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-13 20:09 . 2008-04-11 14:04 691,712 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-23 01:17 44,422 ----a-w C:\Documents and Settings\Linda Fort\Application Data\wklnhst.dat
2008-09-01 01:24 59,784 -c--a-w C:\Documents and Settings\Linda Fort\Application Data\GDIPFONTCACHEV1.DAT
2008-08-30 15:35 --------- d-----w C:\Documents and Settings\Linda Fort\Application Data\Image Zone Express
2008-08-19 17:08 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-24 23:12 295,936 ------w C:\WINDOWS\SYSTEM32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-24 15:57 3,592,192 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2001-07-26 22:58 47 -c--a-w C:\Program Files\ACMonitor_X73.ini
2001-07-05 18:46 8,116 -c--a-w C:\Program Files\OSLO3071b2.USB
2001-05-11 17:39 53,248 -c--a-w C:\Program Files\ACMonitor_X73.exe
2001-05-08 22:36 114,688 -c--a-w C:\Program Files\lxarscan.dll
2001-04-23 20:22 1,437 -c--a-w C:\Program Files\gtx73.ini
2001-02-22 15:54 768 -c--a-w C:\Program Files\x73_lut.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90a7364b-7324-416b-9cd5-b8b5ed745bd8}]
2008-09-28 19:58 128000 --a------ C:\WINDOWS\system32\raygcv.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kejjolnc"="C:\Program Files\Common Files\?ystem\wuauclt.exe" [?]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2007-04-12 321040]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-26 68856]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u"
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-02 77824]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"FLMOFFICE4DMOUSE"="C:\Program Files\Micro Innovations\Wireless Laser Mouse\moffice.exe" [2006-12-17 806912]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-04-12 3429904]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
C:\Documents and Settings\Linda Fort\Start Menu\Programs\Startup\
Screen Saver Control.lnk - C:\WINDOWS\FSScrCtl.exe [2007-05-02 249344]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=raygcv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Micro Innovations\\Wireless Laser Mouse\\uninst00.exe"=
"C:\\Program Files\\MP3-Xtreme\\Shareaza.exe"=
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:MP3-Xtreme TCP port 6346
"6346:UDP"= 6346:UDP:MP3-Xtreme UDP port 6346
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
O8 -: &Search -
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 -: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
O9 -: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 -: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html -
O9 -: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe -
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 14:48:12
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\raygcv.dll
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\raygcv.dll
.
Completion time: 2008-09-30 14:50:48
ComboFix-quarantined-files.txt 2008-09-30 19:50:01
ComboFix2.txt 2008-09-29 20:05:39
Pre-Run: 59,097,702,400 bytes free
Post-Run: 59,115,810,816 bytes free
175 --- E O F --- 2008-09-15 03:38:44
Linda
who doesn't understand any of this ......
lkfort
58 Posts
0
September 30th, 2008 18:00
I have never used Notepad. I copied and pasted, but how do I save?
thanks,
Linda
bamajim
10.4K Posts
0
September 30th, 2008 19:00
That didn't work. Let's do it this way.
You can find Notepad a couple of ways
1. Click Start ->> All Programs ->> Accessories ->> Notepad
2. Click Start ->> Run ->> type in Notepad.exe ->> O.K.
3. Once notepad opens then paste what is below into notepad
File::
C:\WINDOWS\SYSTEM32\raygcv.dll
C:\WINDOWS\SYSTEM32\eovqjtoo.dll
C:\WINDOWS\SYSTEM32\yyfhxiuf.dll
C:\WINDOWS\SYSTEM32\pwhsapvb.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90a7364b-7324-416b-9cd5-b8b5ed745bd8}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kejjolnc"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
Once it's pasted you should see it in the Notepad.
Then with Notepad still open at the top Select File ->> Save As
In the left pane of the Save As window ->> Click Desktop
In the File name box type in CFScript Then Select the Save Button.
It should now appear on your Desktop. Then place your mouse over the CFScript file ->> Left click and drag it into the Combofix Icon and drop it.
Combofix should then start on its own.
When it's finished, post the new Combofix log.
"The world is what you make of it"
lkfort
58 Posts
0
September 30th, 2008 20:00
I put it in notepad and labeled it. I dragged it over to Combofix and this is what I got
ComboFix 08-09-30.01 - Linda Fort 2008-09-30 16:12:52.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.670 [GMT -5:00]
Running from: C:\Documents and Settings\Linda Fort\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Linda Fort\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
.
2008-09-29 06:10 . 2008-09-29 06:10 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-09-28 19:58 . 2008-09-28 19:58 128,000 --a------ C:\WINDOWS\SYSTEM32\raygcv.dll
2008-09-28 19:58 . 2008-09-28 19:58 128,000 --a------ C:\WINDOWS\SYSTEM32\eovqjtoo.dll
2008-09-28 19:58 . 2008-09-28 20:55 105,984 --------- C:\WINDOWS\SYSTEM32\yyfhxiuf.dll
2008-09-28 19:58 . 2008-09-28 20:55 71,168 --------- C:\WINDOWS\SYSTEM32\pwhsapvb.dll
2008-09-28 19:45 . 2008-09-28 19:45
2008-09-28 19:44 . 2008-09-28 19:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-28 19:44 . 2008-09-28 19:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-10 14:01 . 2008-09-10 14:01
2008-08-18 20:43 . 2008-08-18 20:43
2008-08-18 20:43 . 2008-08-18 20:43
2008-08-18 20:43 . 2008-08-18 20:43
2008-08-18 20:13 . 2008-04-13 19:12 712,704 --------- C:\WINDOWS\SYSTEM32\windowscodecs.dll
2008-08-18 20:13 . 2008-04-13 19:12 346,112 --------- C:\WINDOWS\SYSTEM32\windowscodecsext.dll
2008-08-18 20:13 . 2008-04-13 19:12 276,992 --------- C:\WINDOWS\SYSTEM32\wmphoto.dll
2008-08-18 20:13 . 2008-04-13 19:12 69,120 --------- C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-08-18 20:13 . 2008-04-13 19:12 53,248 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-08-18 20:13 . 2008-04-13 19:12 50,688 --------- C:\WINDOWS\SYSTEM32\tspkg.dll
2008-08-18 20:11 . 2008-04-13 19:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-08-13 20:10 . 2008-05-01 09:33 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-13 20:09 . 2008-04-11 14:04 691,712 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-23 01:17 44,422 ----a-w C:\Documents and Settings\Linda Fort\Application Data\wklnhst.dat
2008-09-01 01:24 59,784 -c--a-w C:\Documents and Settings\Linda Fort\Application Data\GDIPFONTCACHEV1.DAT
2008-08-30 15:35 --------- d-----w C:\Documents and Settings\Linda Fort\Application Data\Image Zone Express
2008-08-19 17:08 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-24 23:12 295,936 ------w C:\WINDOWS\SYSTEM32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-24 15:57 3,592,192 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2001-07-26 22:58 47 -c--a-w C:\Program Files\ACMonitor_X73.ini
2001-07-05 18:46 8,116 -c--a-w C:\Program Files\OSLO3071b2.USB
2001-05-11 17:39 53,248 -c--a-w C:\Program Files\ACMonitor_X73.exe
2001-05-08 22:36 114,688 -c--a-w C:\Program Files\lxarscan.dll
2001-04-23 20:22 1,437 -c--a-w C:\Program Files\gtx73.ini
2001-02-22 15:54 768 -c--a-w C:\Program Files\x73_lut.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2007-04-12 321040]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-26 68856]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u"
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-02 77824]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"FLMOFFICE4DMOUSE"="C:\Program Files\Micro Innovations\Wireless Laser Mouse\moffice.exe" [2006-12-17 806912]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-04-12 3429904]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
C:\Documents and Settings\Linda Fort\Start Menu\Programs\Startup\
Screen Saver Control.lnk - C:\WINDOWS\FSScrCtl.exe [2007-05-02 249344]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Micro Innovations\\Wireless Laser Mouse\\uninst00.exe"=
"C:\\Program Files\\MP3-Xtreme\\Shareaza.exe"=
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:MP3-Xtreme TCP port 6346
"6346:UDP"= 6346:UDP:MP3-Xtreme UDP port 6346
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 16:16:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\raygcv.dll
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\raygcv.dll
.
Completion time: 2008-09-30 16:17:40
ComboFix-quarantined-files.txt 2008-09-30 21:17:26
ComboFix2.txt 2008-09-30 19:50:49
ComboFix3.txt 2008-09-29 20:05:39
Pre-Run: 58,716,762,112 bytes free
Post-Run: 58,703,458,304 bytes free
153 --- E O F --- 2008-09-15 03:38:44
Linda
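The entries the helper keeps targeting in the logs above, the AppInit_DLLs value, the copy of raygcv.dll reported under winlogon.exe and lsass.exe, and the Security Center monitoring overrides, are the indicators that make this log worth a second look. As an added example that is not part of this thread or of ComboFix itself, here is a small Python parser that pulls exactly those indicators out of a log in this format; the sample excerpt is constructed from the lines posted above.

```python
import re

# Constructed excerpt in the format of the ComboFix logs posted in this thread
# (raygcv.dll and the Security Center values are the ones the thread's logs show).
SAMPLE_LOG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=raygcv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\raygcv.dll
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\raygcv.dll
"""

# Processes whose address space an AppInit DLL should never share.
SENSITIVE = {"winlogon.exe", "lsass.exe", "services.exe", "csrss.exe"}

def parse_combofix(text):
    """Pull AppInit_DLLs names, Security Center overrides and per-process DLL loads."""
    appinit, overrides, loaded = [], [], {}
    key = proc = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"^\[(.+)\]$", line):            # registry key header
            key = m.group(1).lower()
        elif m := re.match(r'^"AppInit_DLLs"=(.+)$', line, re.I):
            if key and key.endswith(r"currentversion\windows"):
                appinit += [d.lower() for d in re.split(r"[ ,]+", m.group(1)) if d]
        elif m := re.match(r'^"(AntiVirusOverride|FirewallOverride|DisableMonitoring)"=dword:0*1$', line, re.I):
            if key and "security center" in key:          # AV/firewall status hidden from the user
                overrides.append((key, m.group(1)))
        elif m := re.match(r"^PROCESS:\s+(.+)$", line):    # process whose DLLs follow
            proc = m.group(1).rsplit("\\", 1)[-1].lower()
        elif (m := re.match(r"^->\s+(.+)$", line)) and proc:
            loaded.setdefault(proc, []).append(m.group(1).rsplit("\\", 1)[-1].lower())
    return appinit, overrides, loaded

def findings(text):
    """Map each AppInit DLL to the sensitive processes it was seen inside; count overrides."""
    appinit, overrides, loaded = parse_combofix(text)
    hits = {dll: sorted(p for p in loaded if p in SENSITIVE and dll in loaded[p]) for dll in appinit}
    return hits, len(overrides)

if __name__ == "__main__":
    hits, n = findings(SAMPLE_LOG)
    for dll, procs in hits.items():
        print(f"AppInit DLL {dll} loaded into: {', '.join(procs) or 'none seen'}")
    print(f"Security Center overrides: {n}")
```

A DLL that is both named in AppInit_DLLs and present inside winlogon.exe or lsass.exe is the reason a plain file delete fails while those processes are running, which is what the rest of this thread runs into.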
bamajim
10.4K Posts
0
October 1st, 2008 13:00
Still no go. Something is not working correctly with the script file. Let's do it manually.
1. Using Windows Explorer
Locate and Delete the following files (To Delete the file Rt Click ->> Delete)
C:\WINDOWS\SYSTEM32\eovqjtoo.dll
C:\WINDOWS\SYSTEM32\yyfhxiuf.dll
C:\WINDOWS\SYSTEM32\pwhsapvb.dll
2. Close Windows Explorer ->> Reboot your PC ->> Rerun Combofix and post a fresh Combofix log
"The world is what you make of it"
lkfort
58 Posts
0
October 1st, 2008 17:00
thank you. I am going away for the rest of the week. I will do all this on Monday when I get home.
Linda
lkfort
58 Posts
0
October 6th, 2008 23:00
I do not know how to do what you are asking. If I go to start I do not see anything that says explore. I tried doing a search and it didn't find any of the files you listed.
What should I do? When my Trend ran this morning, as it does every morning, it found 2 trojans that it quarantined.
thank you,
Linda
bamajim
10.4K Posts
0
October 7th, 2008 14:00
Hold your mouse over the Start button ->> Right-click the Start button ->> Select Explore. Then continue the instructions from there.
"The world is what you make of it"
lkfort
58 Posts
0
October 7th, 2008 18:00
I figured out how to find all the files as you told me to but none of the 4 you want me to delete were there.
Now what should I do?
This morning during the daily scan my computer found 5 trojans.
Linda