
November 15th, 2010 08:00

Receiving Host Process for Win32 services Error Messages

Hello:

A little over a week ago, I started getting the error message referenced in the header and redirected searches. I also discovered that Windows firewall is now disabled and I cannot open it from the Security Center found in the Start menu Control Panel. Additionally, America Online (dial-up) is my ISP and I now get messages that changes have been made to my Internet Connection. I have completed scans with Trendmicro and would really appreciate any further help you can provide. Here is my logfile:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:38:15 AM, on 11/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E117187-4096-4B70-BC37-60AD161860A8}: NameServer = 93.188.164.247,93.188.160.247
O17 - HKLM\System\CCS\Services\Tcpip\..\{455171D8-FB57-4AEF-BAF6-63ACAE97D9A6}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.247,93.188.160.247
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.247,93.188.160.247
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.247,93.188.160.247
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlcc_device -   - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - https://www.walmartmoneycard.com/OnlineActivation/CMSControls/WALMART/assets/en-US/head_cardactivated_visa_walmart.gif

--
End of file - 10117 bytes


November 16th, 2010 11:00

Hello johnnybbiggars,

I'm kevinf80 and I will be helping with any malware issues you may have with your system.
  • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
  • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
  • Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
  • Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
  • If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.
  • If you have any P2P applications installed such as BitTorrent, uTorrent, Limewire etc etc, please uninstall them before we begin.
  • If you are using Cracked or Illegal software your thread will be locked and all help will cease.


You have two antivirus programs running, Norton and Microsoft Security Essentials. This is not good, two AVs will clash and may even negate protection. Your decision, one has to go.

Please proceed as follows :-

Step 1

Please re-open HiJackThis and scan only.  Check the boxes next to all the entries listed below by selecting each in turn.

O17 - HKLM\System\CCS\Services\Tcpip\..\{2E117187-4096-4B70-BC37-60AD161860A8}: NameServer = 93.188.164.247,93.188.160.247
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.247,93.188.160.247
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.247,93.188.160.247
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.247,93.188.160.247
O24 - Desktop Component 0: (no name) - https://www.walmartmoneycard.com/OnlineActivation/CMSControls/WALMART/assets/en-US/head_cardactivated_visa_walmart.gif


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot.

Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 3

We need to see some additional information about what is happening in your machine. 
Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.   
  • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your next reply.
  • Close the program window, and delete the program from your desktop.

Please note:  You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet. 
Information on A/V control HERE

Step 4

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

What I'd like in your reply :-

  • Log from Malwarebytes
  • Both logs from DDS
  • Log from Security Checks


Kevin
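The O17 entries Kevin singles out in Step 1 are the security-relevant finding in this log: the same pair of NameServer addresses has been written to the adapter-specific key, to the global Tcpip\Parameters key, and to every control set (CS1/CS2 are HijackThis shorthand for ControlSet001/ControlSet002, CCS for CurrentControlSet), while the AOL adapter still carries the ISP's own resolver. The script below is an added example, not part of Kevin's post or of HijackThis, DDS or Malwarebytes: it parses O17 lines from a HijackThis log, flags every resolver that is not on an analyst-supplied allow-list, and reports which control sets carry the value. The sample lines are copied from the log posted earlier in this thread; treating 205.188.146.145 as the expected ISP resolver is an assumption made for the example.

```python
import ipaddress
import re

# Constructed sample: O17 lines copied from the HijackThis log posted in this
# thread, plus one non-O17 line to show that unrelated lines are ignored.
SAMPLE_LOG = r"""
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E117187-4096-4B70-BC37-60AD161860A8}: NameServer = 93.188.164.247,93.188.160.247
O17 - HKLM\System\CCS\Services\Tcpip\..\{455171D8-FB57-4AEF-BAF6-63ACAE97D9A6}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.247,93.188.160.247
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.247,93.188.160.247
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.247,93.188.160.247
"""

# Assumption for this example: the resolver the ISP is expected to hand out.
# In the posted log 205.188.146.145 sits on the AOL dial-up adapter; in real
# use, take the expected value from the ISP, not from the suspect log itself.
EXPECTED_RESOLVERS = {"205.188.146.145"}

# O17 line layout: "O17 - <registry key>: NameServer = <ip>[,<ip>...]"
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return a list of (registry_key, [ip, ...]) for every O17 line.

    Tokens that are not valid IP addresses are skipped rather than failing
    the whole parse, so a slightly mangled line still yields the rest.
    """
    entries = []
    for line in log_text.splitlines():
        match = O17_RE.match(line.strip())
        if not match:
            continue
        servers = []
        for token in match.group("servers").split(","):
            token = token.strip()
            try:
                servers.append(str(ipaddress.ip_address(token)))
            except ValueError:
                continue  # not an IP literal; ignore this token
        entries.append((match.group("key"), servers))
    return entries


def flag_unexpected_nameservers(log_text, expected):
    """Map each resolver not in `expected` to the registry keys that set it."""
    allowed = {str(ipaddress.ip_address(ip)) for ip in expected}
    findings = {}
    for key, servers in parse_o17(log_text):
        for ip in servers:
            if ip not in allowed:
                findings.setdefault(ip, []).append(key)
    return findings


def control_sets(keys):
    """Sorted control-set names (CCS, CS1, CS2, ...) seen in a list of keys.

    HKLM\\System\\<control set>\\Services\\... : the third path element is the
    control set. A value present in every control set survives a "Last Known
    Good Configuration" boot, so this is worth reporting explicitly.
    """
    return sorted({key.split("\\")[2] for key in keys})


def main():
    findings = flag_unexpected_nameservers(SAMPLE_LOG, EXPECTED_RESOLVERS)
    if not findings:
        print("no unexpected NameServer values")
        return
    for ip, keys in sorted(findings.items()):
        print(f"{ip}: {len(keys)} entries, control sets {', '.join(control_sets(keys))}")
        for key in keys:
            print(f"    {key}")


if __name__ == "__main__":
    main()
```

Run as-is, the script reports both 93.188.16x.247 addresses four times each, across CCS, CS1 and CS2, and stays silent about the AOL resolver. A flag here only means "not the resolver you expected", not a malware attribution; and removing the registry values with Fix Checked, as Kevin instructs, does not remove whatever wrote them, which is why the follow-on Malwarebytes and DDS steps in his post are not optional.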

November 16th, 2010 21:00

Hey Kevin:

Thanks for your help.  Here are the logs.


DDS (Ver_10-11-10.01) - NTFSx86 
Run by Dorothy at 23:24:05.84 on Tue 11/16/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.244 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Dorothy\Local Settings\Temporary Internet Files\Content.IE5\M08MJ1ZK\dds[1].com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: X1IEHook Class: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\netzero\qsacc\X1IEBHO.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\Toolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Norton Ghost 10.0] "c:\program files\norton ghost\agent\GhostTray.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Display All Images with Full Quality - "c:\program files\netzero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\netzero\qsacc\appres.dll/227"
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
TCP: {455171D8-FB57-4AEF-BAF6-63ACAE97D9A6} = 205.188.146.145
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-7-14 822424]

=============== Created Last 30 ================

2010-11-17 04:16:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-17 04:16:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-17 04:16:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-17 04:16:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-13 06:06:40 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-11-13 04:38:11 388096 ----a-r- c:\docume~1\dorothy\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-11-13 04:38:10 -------- d-----w- c:\program files\Trend Micro
2010-11-13 04:30:52 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-11-13 02:20:16 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-13 02:20:16 215920 ----a-w- c:\windows\system32\muweb.dll
2010-11-13 02:20:16 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

==================== Find3M  ====================

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

=================== ROOTKIT  ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160812A rev.3.ADH -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8282AEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x82120872; SUB DWORD [EBP-0x4], 0x8212012e; PUSH EDI; CALL 0xffffffffffffdf33;  }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82FDFAB8]
3 CLASSPNP[0xF86B7FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x82DB1EB0]
[0x82EB4030] -> IRP_MJ_CREATE -> 0x8282AEC5
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d;  }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3160812A______________________________3.ADH___#5&2a84b1a5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8282AAEA
user & kernel MBR OK
sectors 312499998 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 23:27:29.78 ===============


November 17th, 2010 00:00

You haven't posted the second DDS log (Attach.txt), the log from Malwarebytes or the log from Security Checks......

November 17th, 2010 09:00

Sorry about that, Kevin.  I can't get Malwarebytes to open after downloading.  Tried downloading and opening it twice but no results.  I'll keep trying unless there is another malware program I can use.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-10.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/20/2010 7:21:00 PM
System Uptime: 11/16/2010 10:25:17 PM (1 hours ago)

Motherboard: Dell Computer Corp. |  | 0WF887
Processor:                 Intel(R) Celeron(R) CPU 2.53GHz | Microprocessor | 2527/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 109 GiB total, 96.446 GiB free.
D: is FIXED (NTFS) - 37 GiB total, 2.628 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP30: 8/10/2010 8:10:32 AM - Software Distribution Service 3.0
RP31: 8/10/2010 6:41:33 PM - Software Distribution Service 3.0
RP32: 8/12/2010 5:33:55 PM - System Checkpoint
RP33: 8/12/2010 10:48:55 PM - Software Distribution Service 3.0
RP34: 8/13/2010 11:35:11 AM - Software Distribution Service 3.0
RP35: 8/13/2010 8:30:12 PM - Software Distribution Service 3.0
RP36: 8/14/2010 6:02:39 PM - Software Distribution Service 3.0
RP37: 8/14/2010 7:34:38 PM - Software Distribution Service 3.0
RP38: 8/15/2010 11:22:59 AM - Software Distribution Service 3.0
RP39: 8/15/2010 11:49:20 AM - Software Distribution Service 3.0
RP40: 8/15/2010 4:14:34 PM - Software Distribution Service 3.0
RP41: 8/17/2010 1:07:58 AM - Software Distribution Service 3.0
RP42: 8/17/2010 6:46:09 PM - Software Distribution Service 3.0
RP43: 8/18/2010 4:30:36 PM - Software Distribution Service 3.0
RP44: 8/19/2010 8:32:39 PM - Software Distribution Service 3.0
RP45: 8/22/2010 9:47:35 AM - System Checkpoint
RP46: 8/22/2010 11:04:51 AM - Software Distribution Service 3.0
RP47: 8/23/2010 10:35:17 AM - Software Distribution Service 3.0
RP48: 8/23/2010 4:13:58 PM - Software Distribution Service 3.0
RP49: 8/24/2010 3:03:04 PM - Software Distribution Service 3.0
RP50: 8/24/2010 6:31:04 PM - Software Distribution Service 3.0
RP51: 8/25/2010 2:57:17 PM - Software Distribution Service 3.0
RP52: 8/25/2010 4:30:19 PM - Software Distribution Service 3.0
RP53: 8/26/2010 3:40:07 PM - Software Distribution Service 3.0
RP54: 8/26/2010 6:40:05 PM - Software Distribution Service 3.0
RP55: 8/27/2010 11:29:10 AM - Software Distribution Service 3.0
RP56: 8/28/2010 10:26:00 AM - Software Distribution Service 3.0
RP57: 8/28/2010 7:15:43 PM - Software Distribution Service 3.0
RP58: 8/29/2010 3:41:29 PM - Software Distribution Service 3.0
RP59: 8/30/2010 10:33:35 AM - Software Distribution Service 3.0
RP60: 8/30/2010 5:21:46 PM - Software Distribution Service 3.0
RP61: 8/30/2010 5:27:37 PM - Installed Windows Internet Explorer 8.
RP62: 8/30/2010 5:28:43 PM - Software Distribution Service 3.0
RP63: 8/30/2010 6:29:01 PM - Software Distribution Service 3.0
RP64: 8/31/2010 6:34:15 PM - Software Distribution Service 3.0
RP65: 9/1/2010 6:11:14 PM - Removed Adobe Reader 6.0.1
RP66: 9/1/2010 6:11:40 PM - Removed Adobe Acrobat - Reader 6.0.2 Update
RP67: 9/1/2010 6:23:25 PM - Software Distribution Service 3.0
RP68: 9/2/2010 6:14:51 PM - Software Distribution Service 3.0
RP69: 9/3/2010 9:02:40 AM - Software Distribution Service 3.0
RP70: 9/4/2010 4:46:39 PM - Software Distribution Service 3.0
RP71: 9/5/2010 4:49:47 PM - System Checkpoint
RP72: 9/5/2010 10:26:29 PM - Software Distribution Service 3.0
RP73: 9/6/2010 5:17:01 PM - Software Distribution Service 3.0
RP74: 9/7/2010 10:41:50 AM - Software Distribution Service 3.0
RP75: 9/7/2010 10:03:16 PM - Software Distribution Service 3.0
RP76: 9/8/2010 3:15:38 PM - Software Distribution Service 3.0
RP77: 9/9/2010 6:37:28 PM - Software Distribution Service 3.0
RP78: 9/9/2010 10:27:51 PM - Software Distribution Service 3.0
RP79: 9/10/2010 11:39:08 PM - Software Distribution Service 3.0
RP80: 9/12/2010 9:31:28 AM - System Checkpoint
RP81: 9/12/2010 12:32:21 PM - Software Distribution Service 3.0
RP82: 9/13/2010 12:52:25 PM - System Checkpoint
RP83: 9/13/2010 6:08:41 PM - Software Distribution Service 3.0
RP84: 9/14/2010 7:17:54 PM - System Checkpoint
RP85: 9/14/2010 10:07:55 PM - Software Distribution Service 3.0
RP86: 9/15/2010 2:37:04 PM - Software Distribution Service 3.0
RP87: 9/15/2010 6:17:05 PM - Software Distribution Service 3.0
RP88: 9/17/2010 6:56:27 PM - Software Distribution Service 3.0
RP89: 9/19/2010 6:28:22 PM - System Checkpoint
RP90: 9/19/2010 10:44:58 PM - Software Distribution Service 3.0
RP91: 9/20/2010 10:26:26 AM - Software Distribution Service 3.0
RP92: 9/20/2010 5:18:48 PM - Software Distribution Service 3.0
RP93: 9/20/2010 5:25:51 PM - Software Distribution Service 3.0
RP94: 9/20/2010 6:19:02 PM - Software Distribution Service 3.0
RP95: 9/21/2010 6:19:48 PM - Software Distribution Service 3.0
RP96: 9/22/2010 6:29:30 PM - Software Distribution Service 3.0
RP97: 9/23/2010 9:56:27 AM - Software Distribution Service 3.0
RP98: 9/24/2010 4:01:13 PM - Software Distribution Service 3.0
RP99: 9/25/2010 9:30:10 AM - Software Distribution Service 3.0
RP100: 9/25/2010 5:36:01 PM - Software Distribution Service 3.0
RP101: 9/26/2010 11:25:04 AM - Software Distribution Service 3.0
RP102: 9/26/2010 4:08:40 PM - Software Distribution Service 3.0
RP103: 9/27/2010 3:48:31 PM - Software Distribution Service 3.0
RP104: 9/27/2010 5:10:32 PM - Software Distribution Service 3.0
RP105: 9/28/2010 4:53:56 PM - Software Distribution Service 3.0
RP106: 9/28/2010 5:04:23 PM - Software Distribution Service 3.0
RP107: 9/29/2010 6:46:52 PM - Software Distribution Service 3.0
RP108: 9/30/2010 10:34:39 AM - Software Distribution Service 3.0
RP109: 10/2/2010 7:56:07 AM - System Checkpoint
RP110: 10/2/2010 7:41:10 PM - Software Distribution Service 3.0
RP111: 10/4/2010 2:38:27 PM - System Checkpoint
RP112: 10/4/2010 2:57:40 PM - Software Distribution Service 3.0
RP113: 10/4/2010 10:56:50 PM - Software Distribution Service 3.0
RP114: 10/5/2010 3:03:21 PM - Software Distribution Service 3.0
RP115: 10/6/2010 1:04:51 AM - Software Distribution Service 3.0
RP116: 10/6/2010 7:03:55 PM - Software Distribution Service 3.0
RP117: 10/7/2010 3:26:57 PM - Software Distribution Service 3.0
RP118: 10/7/2010 5:55:30 PM - Software Distribution Service 3.0
RP119: 10/8/2010 8:03:51 PM - Software Distribution Service 3.0
RP120: 10/10/2010 12:18:47 PM - Software Distribution Service 3.0
RP121: 10/11/2010 12:04:18 AM - Software Distribution Service 3.0
RP122: 10/11/2010 3:56:42 PM - Software Distribution Service 3.0
RP123: 10/11/2010 8:44:44 PM - Software Distribution Service 3.0
RP124: 10/12/2010 11:45:16 AM - Software Distribution Service 3.0
RP125: 10/12/2010 9:43:46 PM - Software Distribution Service 3.0
RP126: 10/13/2010 11:05:39 AM - Software Distribution Service 3.0
RP127: 10/13/2010 8:11:41 PM - Software Distribution Service 3.0
RP128: 10/14/2010 7:39:37 PM - Software Distribution Service 3.0
RP129: 10/15/2010 12:55:19 PM - Software Distribution Service 3.0
RP130: 10/16/2010 6:40:20 PM - Software Distribution Service 3.0
RP131: 10/16/2010 8:27:33 PM - Software Distribution Service 3.0
RP132: 10/16/2010 11:14:20 PM - Software Distribution Service 3.0
RP133: 10/18/2010 1:17:08 AM - Software Distribution Service 3.0
RP134: 10/18/2010 12:07:15 PM - Software Distribution Service 3.0
RP135: 10/18/2010 7:29:11 PM - Software Distribution Service 3.0
RP136: 10/18/2010 9:56:26 PM - Software Distribution Service 3.0
RP137: 10/19/2010 4:25:37 PM - Software Distribution Service 3.0
RP138: 10/20/2010 3:19:25 PM - Software Distribution Service 3.0
RP139: 10/21/2010 3:49:36 PM - System Checkpoint
RP140: 10/21/2010 5:29:44 PM - Software Distribution Service 3.0
RP141: 10/21/2010 6:57:48 PM - Software Distribution Service 3.0
RP142: 10/22/2010 11:23:36 AM - Software Distribution Service 3.0
RP143: 10/22/2010 1:32:36 PM - Software Distribution Service 3.0
RP144: 10/23/2010 1:49:08 PM - Software Distribution Service 3.0
RP145: 10/23/2010 3:12:57 PM - Software Distribution Service 3.0
RP146: 10/25/2010 6:41:10 PM - Software Distribution Service 3.0
RP147: 10/26/2010 11:00:36 PM - Software Distribution Service 3.0
RP148: 10/27/2010 7:26:11 AM - Software Distribution Service 3.0
RP149: 10/27/2010 11:03:46 AM - Software Distribution Service 3.0
RP150: 10/27/2010 7:54:29 PM - Software Distribution Service 3.0
RP151: 10/27/2010 10:37:39 PM - Software Distribution Service 3.0
RP152: 10/28/2010 11:45:51 PM - Software Distribution Service 3.0
RP153: 10/29/2010 11:18:58 PM - Software Distribution Service 3.0
RP154: 10/30/2010 9:20:51 AM - Software Distribution Service 3.0
RP155: 10/30/2010 5:43:33 PM - Software Distribution Service 3.0
RP156: 10/30/2010 7:21:49 PM - Software Distribution Service 3.0
RP157: 10/31/2010 5:26:05 PM - Software Distribution Service 3.0
RP158: 10/31/2010 8:23:57 PM - Software Distribution Service 3.0
RP159: 11/1/2010 12:47:09 PM - Software Distribution Service 3.0
RP160: 11/2/2010 12:08:47 AM - Software Distribution Service 3.0
RP161: 11/2/2010 4:55:11 PM - Software Distribution Service 3.0
RP162: 11/3/2010 5:17:54 PM - System Checkpoint
RP163: 11/3/2010 6:19:52 PM - Software Distribution Service 3.0
RP164: 11/4/2010 9:36:54 AM - Software Distribution Service 3.0
RP165: 11/4/2010 11:14:35 PM - Software Distribution Service 3.0
RP166: 11/5/2010 8:10:53 PM - Software Distribution Service 3.0
RP167: 11/5/2010 11:32:21 PM - Software Distribution Service 3.0
RP168: 11/6/2010 1:58:24 PM - Software Distribution Service 3.0
RP169: 11/6/2010 7:02:34 PM - Software Distribution Service 3.0
RP170: 11/7/2010 2:43:00 PM - Software Distribution Service 3.0
RP171: 11/7/2010 3:17:35 PM - Software Distribution Service 3.0

==== Installed Programs ======================

924PLC32
ABBYY FineReader 6.0 Sprint
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOLIcon
Conexant D850 56K V.9x DFVc Modem
Dell CinePlayer
Dell Driver Reset Tool
Dell Photo AIO Printer 924
Dell Support 3.1
Dell System Restore
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
EarthLink setup files
EducateU
ELIcon
Games, Music, & Photos Launcher
Get High Speed Internet!
Google Desktop
Google Toolbar for Internet Explorer
HiJackThis
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB981793)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Service Offers Launcher
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Standard 2006
Microsoft Digital Image Standard 2006 Editor
Microsoft Digital Image Standard 2006 Library
Microsoft Encarta Encyclopedia Standard 2006
Microsoft Money 2006
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Streets & Trips 2006
Microsoft Word 2002
Microsoft Works
Microsoft Works Suite 2006 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
MSXML 4.0 SP2 (KB973688)
NetWaiting
NetZero
NetZeroInstallers
Norton Ghost 10.0
QuickTime
RealPlayer Basic
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Search Assist
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sonic Activation Module
Sonic Update Manager
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
URL Assistant
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
Works Upgrade

==== Event Viewer Messages From Past Week ========

11/12/2010 10:21:15 AM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the dlcc_device service to connect.
11/12/2010 10:21:15 AM, error: Service Control Manager [7000]  - The dlcc_device service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
11/12/2010 10:21:15 AM, error: DCOM [10005]  - DCOM got error "%1053" attempting to start the service dlcc_device with arguments "" in order to run the server: {323CE21C-A448-40AA-BA74-7FCF1E441069}
11/11/2010 5:52:52 PM, error: Service Control Manager [7023]  - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:  Access is denied.
11/11/2010 11:46:30 PM, error: Microsoft Antimalware [2001]  -
11/10/2010 9:07:43 AM, error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:  An instance of the service is already running.
11/10/2010 9:05:18 AM, error: Ftdisk [49]  - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
11/10/2010 9:05:18 AM, error: Ftdisk [45]  - The system could not sucessfully load the crash dump driver.

==== End Of File ===========================
Here is the Checkup log:

 Results of screen317's Security Check version 0.99.6 
 Windows XP Service Pack 3 
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:

 Windows Security Center service is not running! This report may not be accurate!
```````````````````````````````
Anti-malware/Other Utilities Check:

 Malwarebytes' Anti-Malware   
 Java 2 Runtime Environment, SE v1.4.2_03
 Adobe Flash Player  
Adobe Reader 7.0
Out of date Adobe Reader installed!
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 America Online 9.0 waol.exe  
 America Online 9.0 shellmon.exe  
````````````````````````````````
DNS Vulnerability Check:

 GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


November 17th, 2010 11:00

Hiya johnnybbiggars,

Obviously the infection is stopping Malwarebytes from running, so let's try a different approach. As follows please:

Re-boot PC, continuously tap F8 key until you see the Windows Advanced Menu Screen. From the available options select "Safe mode with Networking" then proceed as follows:

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

Combofix

Don't forget Combofix must be saved to your desktop. <--Very important

Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection are available at the following link :-

Disable realtime protection

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).


If Combofix re-boots your PC be on hand to force back into Safe mode again or we will not get a log. Post the CF log in next reply.

Kevin

November 17th, 2010 12:00

Hey again, Kevin:

The problem worsens!  I have dialup and cannot connect in Safe Mode, apparently due to the infection.  I can connect in normal mode after multiple attempts.  Can I run ComboFix in normal mode even though it won't generate a log?  Thanks for your patience. 

 


November 17th, 2010 16:00

Hiya Johnny,

Yep, we can try CF in normal mode; you will get a log if it runs. When running in safe mode and Combofix re-boots your PC it would go to normal mode, then you don't get a log. You have to be there to force back to safe mode. This is not applicable when you run in normal mode.

OK try as follows :-

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

Combofix

Don't forget Combofix must be saved to your desktop. <--Very important

Because of the infection we need to rename Combofix to Gotcha.exe before you save to the Desktop as below.

user posted image

Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection are available at the following link :-

Disable realtime protection


Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).


Post the log in your reply, if it fails to run we have other options....

Kevin

November 18th, 2010 10:00

Wassup, Kevin:

You are a friggin genius!  I ran CF and my computer is back to normal.  I cannot thank you enough!  Here's the CF log:

ComboFix 10-11-17.04 - Dorothy 11/18/2010  12:22:17.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.316 [GMT -6:00]
Running from: c:\documents and settings\Dorothy\Desktop\Gotcha.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\rasacd.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
(((((((((((((((((((((((((   Files Created from 2010-10-18 to 2010-11-18  )))))))))))))))))))))))))))))))
.

2010-11-17 04:16 . 2010-11-17 06:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-13 06:06 . 2010-11-13 06:06 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-11-13 04:38 . 2010-11-13 04:38 388096 ----a-r- c:\documents and settings\Dorothy\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-13 04:38 . 2010-11-13 04:38 -------- d-----w- c:\program files\Trend Micro
2010-11-13 04:30 . 2010-11-13 04:30 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-11-13 02:20 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-13 02:20 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-11-12 21:39 . 2010-11-12 21:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-11-12 16:52 . 2010-11-12 16:52 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-11-12 16:21 . 2010-11-12 16:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-11-07 21:31 . 2010-11-11 22:28 -------- d-----w- c:\program files\Windows Live Safety Center

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 17:23 . 2004-08-10 17:51 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 17:51 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 17:51 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 17:51 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-08-10 17:50 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-10 17:51 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-10 17:51 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2006-07-14 18:48 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-07-30 18:42 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-10 17:50 617472 ----a-w- c:\windows\system32\comctl32.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2005-05-15 332800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 1537696]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-14 169984]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 496752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-14 98304]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-13 1117184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-14 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-DWQueuedReporting - c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

 

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-18 12:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2988)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\System32\GEARSec.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\windows\system32\dlcccoms.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-11-18  12:32:07 - machine was rebooted
ComboFix-quarantined-files.txt  2010-11-18 18:32

Pre-Run: 103,392,759,808 bytes free
Post-Run: 103,536,893,952 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - D0C73E7D40CE4EFCF60D37C905211FA2


November 18th, 2010 13:00

Hiya Johnny,

Proceed as follows :-

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in between the dotted lines below into it:

---------------------------------------------------------------------------------------------------------------------

KillAll::

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

---------------------------------------------------------------------------------------------------------------------

Save this as CFScript.txt, in the same location as ComboFix.exe

user posted image

user posted image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

See if you can now update Malwarebytes and carry out a quick scan, here are the instructions again:

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 3

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  • Click the user posted image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on user posted image to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the user posted image icon on your desktop.

  • Check user posted image
  • Click the user posted image button.
  • Accept any security warnings from your browser.
  • Check user posted image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push user posted image
  • Push user posted image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the user posted image button.
  • Push user posted image

You can refer to this animation by neomage if needed.
Frequently asked questions are available Here. Please read them before running the scan.

Also be aware this scan can take several hours to complete depending on the size of your system.

What I'd like in your reply :-

  • Log from Combofix
  • Log from Malwarebytes
  • Log from ESET


Kevin
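An added example for readers of this thread, written by the editor and not part of Kevin's instructions, ComboFix, or any tool named above. It shows in plain PowerShell what two findings in the ComboFix log actually are: the "LOCKED REGISTRY KEYS" entries (keys carrying a Deny ACE, which is what the RegLock:: directive in Kevin's CFScript tells ComboFix to reset), and the "EnableFirewall"= 0 value under the firewall policy key (the log abbreviates it as HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile; the full path is under HKLM\SYSTEM\CurrentControlSet). The two key paths are the ones printed in the log; everything else (function names, output columns) is the editor's choice. A Deny ACE on a key is a lead, not proof of infection: Adobe Flash's FlashBroker keys, as here, are frequently locked by Flash itself.

```powershell
# Added example, not from the thread or from ComboFix. Run in an elevated PowerShell
# on the machine being examined; it only reads, it changes nothing.

function Get-RegistryDenyAce {
    # Report every Deny ACE on each key. ComboFix lists such keys under
    # "LOCKED REGISTRY KEYS" with "@Denied:"; its RegLock:: directive resets them.
    param([string[]] $KeyPath)

    foreach ($k in $KeyPath) {
        if (-not (Test-Path -Path $k)) {
            New-Object PSObject -Property @{ Key = $k; Identity = ''; Rights = ''; Finding = 'key not present' }
            continue
        }
        try {
            $acl = Get-Acl -Path $k -ErrorAction Stop
        } catch {
            # A key locked against READ_CONTROL cannot even have its ACL read; record that as a finding.
            New-Object PSObject -Property @{ Key = $k; Identity = ''; Rights = ''; Finding = "ACL unreadable: $($_.Exception.Message)" }
            continue
        }
        $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        if ($deny.Count -eq 0) {
            New-Object PSObject -Property @{ Key = $k; Identity = ''; Rights = ''; Finding = 'no Deny ACEs' }
        } else {
            foreach ($ace in $deny) {
                New-Object PSObject -Property @{
                    Key      = $k
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.RegistryRights.ToString()
                    Finding  = 'DENY ACE present (locked key)'
                }
            }
        }
    }
}

function Get-FirewallPolicyState {
    # The log shows "EnableFirewall"= 0 under ...\FirewallPolicy\StandardProfile, i.e. the
    # XP firewall switched off by a registry value. StandardProfile applies when the PC is
    # not domain-joined, DomainProfile when it is. An absent value means the default (on).
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($prof in 'StandardProfile', 'DomainProfile') {
        $p = Join-Path -Path $base -ChildPath $prof
        if (-not (Test-Path -Path $p)) { continue }
        $v = (Get-ItemProperty -Path $p -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
        if ($null -eq $v) { $state = 'value absent (default: on)' }
        elseif ($v -eq 0) { $state = 'DISABLED by EnableFirewall=0' }
        else { $state = 'enabled' }
        New-Object PSObject -Property @{ Profile = $prof; EnableFirewall = $v; State = $state }
    }
}

# The two keys taken from the "LOCKED REGISTRY KEYS" section of the ComboFix log above.
$lockedKeys = @(
    'HKLM:\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}',
    'HKLM:\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}'
)

Get-RegistryDenyAce -KeyPath $lockedKeys | Format-Table Key, Identity, Rights, Finding -AutoSize
Get-FirewallPolicyState | Format-Table Profile, EnableFirewall, State -AutoSize
```

Reading the output alongside the log: a row whose Finding is "DENY ACE present" for Everyone corresponds to a ComboFix "@Denied: ... (Everyone)" line, and a StandardProfile row showing "DISABLED by EnableFirewall=0" matches the firewall state the original poster described (firewall off and the Security Center unable to open it). Re-running the script after the RegLock:: step and after re-enabling the firewall is a quick way to confirm both were actually corrected.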

November 19th, 2010 06:00

Hey Kevin:

While completing Step 1 as you instructed in your last reply, my computer froze.  It froze after CF finished the scan and tried to reboot the machine.  It's now stuck at the Windows XP page.  What do we do now?  I'm sending this message on a public library computer in my hometown so it may be a little while before I get your reply and respond.


November 19th, 2010 13:00

Hiya Johnny,

If your system has frozen you have no option but to hold in the power button and shut it down. Leave your computer off for 5 mins then re-boot. You may find that Combofix will complete and produce a log.

If CF does not complete or produce a log, leave the PC idle for 5 mins then re-boot again. Leave CF and complete the other steps and post applicable logs.

Kevin
