Malware Removal: discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general security issues. If you suspect your PC is infected with a virus, trojan or spyware app, please include any supporting documentation or logs.

#16
And here is the latest HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:39:46 PM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
D:\PROGRA~1\Devices\Utils\OneTouch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Upromise\Upromise.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Upromise\UpromiseUa.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://address.mail.yahoo.com/yab/us?v=YM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\PROGRAM FILES\EBAY\EBAY TOOLBAR2\eBayTB.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: WCNetMon Class - {3BE313C3-DAD6-4da6-801D-75860118A0B5} - C:\Program Files\blcorp\WCCSC\WCPStop\wcpstop.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Web Replay BHO - {8B57DF7C-9BF9-4D52-B94E-37ACE3893F7D} - D:\Program Files\Deskperience\Web Replay\inetie.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\PROGRA~1\Devices\Utils\OneTouch.exe
O4 - HKLM\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB002" /M "Stylus CX3800"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZRxdm103YYUS
O9 - Extra button: (no name) - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - (no file) (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
#18
I guess you figured out how to disable McAfee, Racerx369?

Close Internet Explorer and any open windows and run HijackThis again. Check the entries below and click on Fix Checked.

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZRxdm103YYUS
O9 - Extra button: (no name) - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - (no file) (HKCU)

Reboot please.

I am going to need to see some files. Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\nwotiabg.ini

Suspect::
C:\WINDOWS\system32\MRT.INI
C:\WINDOWS\SaveBHOProf.pro

ComboFix will run again. When the fix completes it will create a C:\ComboFix.txt log. Please post that log in your next reply. Also post a new HijackThis log.

Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip. Please send this file to anniefriday@xtra.co.nz and include a link to this thread. Title your email "Requested Files".
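The three entries the helper ticks in the post above (the O3 and O9 registrations that HijackThis reports as "(no file)", and the O8 context-menu item pointing at bar.mywebsearch.com) are the kind of thing a small triage script can pick out mechanically. The following Python is an added example, not code from the thread and not part of HijackThis: it parses raw HijackThis entry lines, flags "(no file)" orphans and IE add-on URLs that point off an allowlist as "fix", and queues user-chosen start pages and Winlogon Notify DLLs for manual review. The sample lines are copied from the log posted in this thread; the `TRUSTED_URL_HOSTS` allowlist and the fix/review split are assumptions made for the example.

```python
"""Added example: triage the entry lines of a HijackThis (v1.99) log.

Not HijackThis's own code and not from the thread. It parses raw 'Oxx - ...'
entries and flags what a helper usually ticks for 'Fix checked': registrations
whose file is gone ('(no file)') and IE add-on URLs pointing off an allowlist.
Winlogon Notify DLLs are listed for manual review rather than auto-fixed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Entry lines copied from the HijackThis log posted in this thread (not constructed).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://address.mail.yahoo.com/yab/us?v=YM
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZRxdm103YYUS
O9 - Extra button: (no name) - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - (no file) (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Allowlist of hosts that IE itself or common plugins legitimately reference.
# This is an assumption for the example; HijackThis ships no such list.
TRUSTED_URL_HOSTS = {"fpdownload.macromedia.com", "fpdownload2.macromedia.com"}

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Finding:
    section: str
    action: str   # "fix": tick it in HijackThis; "review": verify by hand
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (section, body, line) for each entry; header and process list are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def url_host(text):
    """Hostname of the first http(s) URL in text, or None."""
    m = URL_RE.search(text)
    return urlparse(m.group(0)).hostname if m else None


def is_trusted_host(host):
    return host in TRUSTED_URL_HOSTS or host.endswith(".microsoft.com")


def triage(log_text):
    findings = []
    for section, body, line in parse_entries(log_text):
        target = body.rsplit(" - ", 1)[-1]
        # 1. HijackThis prints "(no file)" when the registered DLL/EXE no longer exists:
        #    a dead toolbar/BHO/button registration left behind after a removal.
        if "(no file)" in target:
            findings.append(Finding(section, "fix", "orphaned registration, file missing", line))
            continue
        # 2. URL-bearing entries: context-menu items (O8) and ActiveX downloads (O16)
        #    off the allowlist are fixed; a start/search page (R0/R1) is only queued
        #    for review, since the helper above left the Yahoo start page alone.
        host = url_host(body)
        if host is not None:
            if section in ("O8", "O16") and not is_trusted_host(host):
                findings.append(Finding(section, "fix", f"IE add-on from untrusted host {host}", line))
            elif section.startswith("R") and not is_trusted_host(host):
                findings.append(Finding(section, "review", f"start/search page set to {host}", line))
            continue
        # 3. Winlogon Notify packages (O20) load into winlogon.exe at every logon;
        #    never auto-fixed here, but each one's publisher should be checked.
        if section == "O20":
            findings.append(Finding(section, "review", "DLL loaded by winlogon at logon", line))
    return findings


def fix_list(findings):
    """The lines to tick before pressing 'Fix checked', in log order."""
    return [f.line for f in findings if f.action == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.action:6} {f.section:4} {f.reason}: {f.line}")
```

Run against the sample, `fix_list` returns exactly the O3, O8 and O9 lines the helper asked for, while the Yahoo start page and the WgaLogon Winlogon Notify entry come back as "review" items rather than fixes.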
#19
I sent the zipped Submit {Date-Time} file to anniefriday.
Here is the latest ComboFix log:

ComboFix 08-05-21.3 - Dan Linke 2008-05-23 16:24:16.2 - FAT32x86
Running from: C:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dan Linke\Desktop\CFScript.txt
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\nwotiabg.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\nwotiabg.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-22 22:51 . 2008-05-22 22:51 <DIR> d-------- C:\Documents and Settings\Dan Linke\System Scans and Fixes
2008-05-22 22:04 . 2008-05-22 22:04 1,974,863 --a------ C:\ComboFix.exe
2008-05-22 17:58 . 2008-05-22 17:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-22 17:58 . 2008-05-22 17:58 <DIR> d-------- C:\Documents and Settings\Dan Linke\Application Data\Malwarebytes
2008-05-22 17:58 . 2008-05-22 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-22 17:58 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-22 17:58 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-22 17:57 . 2008-05-22 17:57 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-17 20:18 . 2008-05-17 20:18 <DIR> d-------- C:\Deckard
2008-05-17 03:11 . 2008-05-17 03:11 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-13 23:35 . 2008-05-13 23:35 <DIR> d-------- C:\Program Files\Unlocker
2008-05-13 23:35 . 2008-05-13 23:35 <DIR> d-------- C:\Documents and Settings\Marlene Linke\Application Data\Desktopicon
2008-05-12 22:24 . 2008-05-12 22:24 225 --a------ C:\WINDOWS\SaveBHOProf.pro
2008-05-10 02:11 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-07 23:29 . 2008-05-07 23:29 <DIR> d-------- C:\Documents and Settings\Dan Linke\Application Data\Business Logic
2008-05-04 23:34 . 2007-11-08 16:49 495,616 --a------ C:\WINDOWS\system32\p365vip.dll
2008-05-04 23:34 . 2000-10-24 17:12 352,256 --a------ C:\WINDOWS\system32\Activeskin.ocx
2008-05-04 22:47 . 2008-05-04 22:47 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-04 22:19 . 2003-06-12 23:25 7,062 --a------ C:\WINDOWS\system32\audiopid.vxd
2008-05-04 20:58 . 2008-05-04 20:58 <DIR> d-------- C:\Documents and Settings\Dan Linke\Application Data\Deskperience
2008-05-04 12:41 . 2008-05-04 12:41 <DIR> d-------- C:\Documents and Settings\Dan Linke\Trillian
2008-04-29 22:08 . 2008-04-29 22:08 <DIR> d-------- C:\Program Files\Audible

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 19:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-15 14:12 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-15 14:12 --------- d-----w C:\Documents and Settings\Marlene Linke\Application Data\Deskperience
2008-04-14 20:19 --------- d-----w C:\Documents and Settings\Jacqueline Linke\Application Data\Comodo
2008-04-13 17:33 --------- d-----w C:\Documents and Settings\Marlene Linke\Application Data\Comodo
2008-04-13 17:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2008-04-13 17:29 --------- d-----w C:\Program Files\Comodo
2008-04-10 00:22 --------- d-----w C:\Program Files\Adobe Media Player
2008-03-31 21:36 --------- d-----w C:\Documents and Settings\Marlene Linke\Application Data\Move Networks
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-01 16:41 110 ----a-w C:\Documents and Settings\All Users\Application Data\Mo****nGameId.bin
2006-11-09 13:23 0 ---ha-w C:\Documents and Settings\All Users\Application Data\hpothb07.dat
2006-07-13 22:02 320 ---ha-w C:\Documents and Settings\Owner\hpothb07.dat
2006-07-13 22:02 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-09-04 19:31 1,721 ---ha-w C:\Documents and Settings\Marlene Linke\hpothb07.dat
2004-05-08 19:11 0 ---ha-w C:\Documents and Settings\Marlene Linke\Application Data\hpothb07.dat
2003-04-05 23:10 723 ----a-w C:\Program Files\INSTALL.LOG

.
((((((((((((((((((((((((((((( snapshot@2008-05-22_22.35.30.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-23 02:28:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 19:03:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 07:16 68856]
"Upromise"="C:\Program Files\Upromise\Upromise.exe" [2007-07-10 15:00 385024]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2008-03-22 14:49 652528]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-04 22:45 185896]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [ ]
"WebTrapNT.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe" [ ]
"Pop3trap.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe" [ ]
"nwiz"="nwiz.exe" [2003-05-02 15:19 323584 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-02 15:19 4640768]
"MaxtorOneTouch"="D:\PROGRA~1\Devices\Utils\OneTouch.exe" [2003-05-21 15:30 45056]
"LDM"="C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15 221184]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 18:41 163840]
"EPSON Stylus CX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [2005-02-07 22:00 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [ ]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 00:15 15872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 03:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11 51984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\system32\Drivers\SonyFanC.sys [2001-09-06 16:21]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
S3 MXBULK;DualCam Still, MXBulk3.Sys;C:\WINDOWS\system32\Drivers\MXBulk3.sys []
S3 MXCap;DSC-06 Video Camera;C:\WINDOWS\system32\DRIVERS\MXCap3.sys []
S4 UWCService;UWCService;C:\Program Files\blcorp\WCCSC\WCOC\UWCSrvc.exe [2004-07-08 09:28]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2004-12-01 19:44:06 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1082316984.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-05-01 05:00:04 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-15 05:00:04 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-05-23 20:30:04 C:\WINDOWS\Tasks\User_Feed_Synchronization-{B0612B8D-0155-4E80-95C3-97CF6E5AE1ED}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 16:29:53
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\UWCService]
"ImagePath"="C:\Program Files\blcorp\WCCSC\WCOC\UWCSrvc.exe /startedbyscm:3573F0EA-40E2714E-UWCService"
.
Completion time: 2008-05-23 16:32:03
ComboFix-quarantined-files.txt 2008-05-23 20:31:56
ComboFix2.txt 2008-05-23 02:36:46

Pre-Run: 1,854,128,128 bytes free
Post-Run: 1,856,540,672 bytes free

159 --- E O F --- 2008-05-17 07:12:30
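The "Reg Loading Points" section of the ComboFix log above records `"EnableFirewall"= 0` for the Windows Firewall standard profile, a globally open `3389:TCP` (Remote Desktop) exception, and Security Center notification/monitoring flags. The helper's reply does not comment on these. With McAfee's MPFSrv.exe (its Personal Firewall service) in the running-process lists, a disabled Windows Firewall is the expected state rather than a sign of tampering, but an RDP port opened in the profile is something a reviewer would want the poster to confirm. The following Python is an added example, not ComboFix's code and not from the thread: it parses the REGEDIT4-style dump ComboFix prints and reports those settings. The sample is an excerpt copied from the log; the severity labels and the `third_party_firewall_running` flag are assumptions made for the example.

```python
"""Added example: surface firewall and Security Center state from a ComboFix log.

Not ComboFix's code and not from the thread. ComboFix prints a REGEDIT4-style
'Reg Loading Points' dump; this parses it and reports what a reviewer checks
by eye: the Windows Firewall profile switch, globally opened ports, and the
Security Center notification/monitoring flags.
"""
import re

# Excerpt copied from the ComboFix log posted in this thread (not constructed).
SAMPLE_REG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# ComboFix abbreviates HKLM\SYSTEM\CurrentControlSet as "HKLM\~"; match on the suffix.
FW_PROFILE = r"\services\sharedaccess\parameters\firewallpolicy\standardprofile"


def parse_reg_dump(text):
    """Return {key: {value_name: raw data}} from a REGEDIT4-style dump, in file order."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            current = k.group("key")
            keys.setdefault(current, {})
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            keys[current][v.group("name")] = v.group("data").strip()
    return keys


def as_int(data):
    """'dword:00000001' -> 1, '0 (0x0)' -> 0, anything else -> None."""
    m = re.match(r"dword:([0-9a-f]+)", data, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", data)
    return int(m.group(1)) if m else None


def firewall_findings(keys, third_party_firewall_running):
    """List of (severity, message).

    third_party_firewall_running is the reviewer's judgement from the process
    list; in the thread above McAfee's MPFSrv.exe is running, so a disabled
    Windows Firewall is expected there rather than suspicious (assumption).
    """
    out = []
    for key, values in keys.items():
        kl = key.lower()
        if kl.endswith("\\security center"):
            if as_int(values.get("AntiVirusDisableNotify", "")) == 1:
                out.append(("warn", "Security Center antivirus notifications are suppressed"))
        elif "\\security center\\monitoring\\" in kl:
            if as_int(values.get("DisableMonitoring", "")) == 1:
                product = key.rsplit("\\", 1)[-1]
                out.append(("info", f"{product} has Security Center monitoring disabled "
                                    "(normal for a registered third-party product)"))
        elif kl.endswith(FW_PROFILE):
            if as_int(values.get("EnableFirewall", "")) == 0:
                sev = "info" if third_party_firewall_running else "warn"
                out.append((sev, "Windows Firewall standard profile is disabled"))
        elif kl.endswith(FW_PROFILE + "\\globallyopenports\\list"):
            for name in values:
                port, _, proto = name.partition(":")
                rdp = port == "3389"
                out.append(("warn" if rdp else "info",
                            f"globally open port {port}/{proto}" + (" (Remote Desktop)" if rdp else "")))
    return out


if __name__ == "__main__":
    for sev, msg in firewall_findings(parse_reg_dump(SAMPLE_REG), third_party_firewall_running=True):
        print(f"[{sev}] {msg}")
```

With the flag set to True, as it would be for this machine, the only "warn" items are the suppressed Security Center antivirus notification and the open 3389/TCP exception; flip the flag to False for a machine with no replacement firewall and the disabled Windows Firewall is promoted to a warning as well.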
#20
....and here is the accompanying HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 5:06:51 PM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
D:\PROGRA~1\Devices\Utils\OneTouch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Upromise\Upromise.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Upromise\UpromiseUa.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\taskmgr.exe
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://address.mail.yahoo.com/yab/us?v=YM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\PROGRAM FILES\EBAY\EBAY TOOLBAR2\eBayTB.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: WCNetMon Class - {3BE313C3-DAD6-4da6-801D-75860118A0B5} - C:\Program Files\blcorp\WCCSC\WCPStop\wcpstop.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Web Replay BHO - {8B57DF7C-9BF9-4D52-B94E-37ACE3893F7D} - D:\Program Files\Deskperience\Web Replay\inetie.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\PROGRA~1\Devices\Utils\OneTouch.exe
O4 - HKLM\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB002" /M "Stylus CX3800"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Thanks so much for spending so much time with my issues. I really appreciate it.

Dan
#21
FYI - When ComboFix gen'ed the zipped Submit file, it prompted me to send a copy to Bleeping Computer (http://www.bleepingcomputer.com/), to be analyzed by some admin there.
The exact event was:

Message box titled: Submit Files for Further Analysis
Message: ComboFix needs to submit Malware files for further analysis. Please ensure that you're connected to the internet before clicking OK.
Click box: OK

Just wanted to ensure you knew about this and to ensure it was not part of the Malware infestation. Thanks.
#22
Yes, that's OK, and I did get the files. One was fine; the other was generated by the malware, so we will get rid of it. It may be a randomly named file, but if I notice it again elsewhere, I will forward it to the ComboFix developer.

Open Notepad and copy and paste the text in the code box below into it. Save the file as CFScript.txt and drop it on ComboFix like you did before.

Code:
File::
C:\WINDOWS\SaveBHOProf.pro

Your HijackThis log is fine now, and once you have run ComboFix, I'm hoping that your operating system will be clean.

Just to be sure that nothing else is lurking, go here and download ATF Cleaner (do not download the Recommended Download on the mirror site). Use it to remove all Temp Files, Cookies and Temp Internet Files, Java Cache and any others that you would like to remove. If you also use Opera or Firefox, also click on the cleaning options for each browser.

Next, disable your antivirus program. To do this, right-click on the icon in the Notification Area (lower right-hand corner of your screen) and choose Quit, Exit, Close or whatever option is offered.

Now go here and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX control has loaded, click on "Click here to scan" and grab a coffee. When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit > Select All, then copy the log and paste it back here.

Let me know if you still have any problems please.
#23
FYI - I try to use Mozilla Firefox exclusively. Other family members utilize IE and recently downloaded IE 7, which I advised them not to do, as I was wary of it.
Here is the new CF log:

ComboFix 08-05-21.3 - Dan Linke 2008-05-24 8:39:48.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.82 [GMT -4:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dan Linke\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SaveBHOProf.pro
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SaveBHOProf.pro
.

((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-22 22:51 . 2008-05-22 22:51 <DIR> d-------- C:\Documents and Settings\Dan Linke\System Scans and Fixes
2008-05-22 22:04 . 2008-05-22 22:04 1,974,863 --a------ C:\ComboFix.exe
2008-05-22 17:58 . 2008-05-22 17:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-22 17:58 . 2008-05-22 17:58 <DIR> d-------- C:\Documents and Settings\Dan Linke\Application Data\Malwarebytes
2008-05-22 17:58 . 2008-05-22 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-22 17:58 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-22 17:58 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-22 17:57 . 2008-05-22 17:57 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-17 20:18 . 2008-05-17 20:18 <DIR> d-------- C:\Deckard
2008-05-17 03:11 . 2008-05-17 03:11 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-13 23:35 . 2008-05-13 23:35 <DIR> d-------- C:\Program Files\Unlocker
2008-05-13 23:35 . 2008-05-13 23:35 <DIR> d-------- C:\Documents and Settings\Marlene Linke\Application Data\Desktopicon
2008-05-10 02:11 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-07 23:29 . 2008-05-07 23:29 <DIR> d-------- C:\Documents and Settings\Dan Linke\Application Data\Business Logic
2008-05-04 23:34 . 2007-11-08 16:49 495,616 --a------ C:\WINDOWS\system32\p365vip.dll
2008-05-04 23:34 . 2000-10-24 17:12 352,256 --a------ C:\WINDOWS\system32\Activeskin.ocx
2008-05-04 22:47 . 2008-05-04 22:47 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-04 22:19 . 2003-06-12 23:25 7,062 --a------ C:\WINDOWS\system32\audiopid.vxd
2008-05-04 20:58 . 2008-05-04 20:58 <DIR> d-------- C:\Documents and Settings\Dan Linke\Application Data\Deskperience
2008-05-04 12:41 . 2008-05-04 12:41 <DIR> d-------- C:\Documents and Settings\Dan Linke\Trillian
2008-04-29 22:08 . 2008-04-29 22:08 <DIR> d-------- C:\Program Files\Audible
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 19:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-15 14:12 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-15 14:12 --------- d-----w C:\Documents and Settings\Marlene Linke\Application Data\Deskperience
2008-04-14 20:19 --------- d-----w C:\Documents and Settings\Jacqueline Linke\Application Data\Comodo
2008-04-13 17:33 --------- d-----w C:\Documents and Settings\Marlene Linke\Application Data\Comodo
2008-04-13 17:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2008-04-13 17:29 --------- d-----w C:\Program Files\Comodo
2008-04-10 00:22 --------- d-----w C:\Program Files\Adobe Media Player
2008-03-31 21:36 --------- d-----w C:\Documents and Settings\Marlene Linke\Application Data\Move Networks
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-01 16:41 110 ----a-w C:\Documents and Settings\All Users\Application Data\Mo****nGameId.bin
2006-11-09 13:23 0 ---ha-w C:\Documents and Settings\All Users\Application Data\hpothb07.dat
2006-07-13 22:02 320 ---ha-w C:\Documents and Settings\Owner\hpothb07.dat
2006-07-13 22:02 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-09-04 19:31 1,721 ---ha-w C:\Documents and Settings\Marlene Linke\hpothb07.dat
2004-05-08 19:11 0 ---ha-w C:\Documents and Settings\Marlene Linke\Application Data\hpothb07.dat
2003-04-05 23:10 723 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2008-05-22_22.35.30.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-23 02:28:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 19:03:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 07:16 68856]
"Upromise"="C:\Program Files\Upromise\Upromise.exe" [2007-07-10 15:00 385024]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2008-03-22 14:49 652528]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-04 22:45 185896]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [ ]
"WebTrapNT.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe" [ ]
"Pop3trap.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe" [ ]
"nwiz"="nwiz.exe" [2003-05-02 15:19 323584 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-02 15:19 4640768]
"MaxtorOneTouch"="D:\PROGRA~1\Devices\Utils\OneTouch.exe" [2003-05-21 15:30 45056]
"LDM"="C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15 221184]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 18:41 163840]
"EPSON Stylus CX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [2005-02-07 22:00 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [ ]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 00:15 15872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 03:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11 51984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\system32\Drivers\SonyFanC.sys [2001-09-06 16:21]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
S3 MXBULK;DualCam Still, MXBulk3.Sys;C:\WINDOWS\system32\Drivers\MXBulk3.sys []
S3 MXCap;DSC-06 Video Camera;C:\WINDOWS\system32\DRIVERS\MXCap3.sys []
S4 UWCService;UWCService;C:\Program Files\blcorp\WCCSC\WCOC\UWCSrvc.exe [2004-07-08 09:28]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2004-12-01 19:44:06 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1082316984.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-05-01 05:00:04 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-15 05:00:04 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-05-24 12:40:06 C:\WINDOWS\Tasks\User_Feed_Synchronization-{B0612B8D-0155-4E80-95C3-97CF6E5AE1ED}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 08:43:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\UWCService]
"ImagePath"="C:\Program Files\blcorp\WCCSC\WCOC\UWCSrvc.exe /startedbyscm:3573F0EA-40E2714E-UWCService"
.
Completion time: 2008-05-24 8:45:06
ComboFix-quarantined-files.txt 2008-05-24 12:45:02
ComboFix3.txt 2008-05-23 02:36:46
ComboFix2.txt 2008-05-23 20:32:06

Pre-Run: 1,830,821,888 bytes free
Post-Run: 1,816,977,408 bytes free

160 --- E O F --- 2008-05-17 07:12:30
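A short triage script for the "Reg Loading Points" section of a ComboFix log like the one above. This is an added example, not code from the thread, from ComboFix or from its author. It assumes ComboFix's printed layout (REGEDIT4-style [key] headers, one "name"=value line per entry, DWORDs shown as dword:00000001 or as 0 (0x0), and an empty [ ] in place of the date/size stamp when the autorun's target file was not found); the sample input is constructed from entries quoted in the log, and the finding codes are names chosen here.

```python
"""Flag risky settings in the 'Reg Loading Points' section of a ComboFix log.

Added example; not from the forum thread or from ComboFix itself.  The
layout assumptions (section headers, value formats, '[ ]' for a missing
file) are taken from the log quoted above.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a cut-down copy of entries quoted in the thread's log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2008-03-22 14:49 652528]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
ENTRY_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{8})$")      # dword:00000001
DECIMAL_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")  # 0 (0x0)

# Security Center values that, when non-zero, suppress the "your AV /
# firewall / updates are off" warnings.  DisableMonitoring under a
# Monitoring\<vendor> subkey tells Security Center to defer to that product.
NOTIFY_OFF_VALUES = {"antivirusdisablenotify", "firewalldisablenotify",
                     "updatesdisablenotify", "disablemonitoring"}


def parse_loading_points(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {registry key: [(value name, raw value text), ...]}."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2).strip()))
    return sections


def is_nonzero(value: str) -> bool:
    """True for a DWORD that ComboFix printed as non-zero in either format."""
    m = DWORD_RE.match(value) or DECIMAL_RE.match(value)
    if not m:
        return False
    base = 16 if value.startswith("dword:") else 10
    return int(m.group(1), base) != 0


def triage(sections: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """Return (finding code, registry key, value name) for each entry worth a question."""
    findings: List[Tuple[str, str, str]] = []
    for key, entries in sections.items():
        k = key.lower()
        for name, value in entries:
            n = name.lower()
            if "security center" in k and n in NOTIFY_OFF_VALUES and is_nonzero(value):
                findings.append(("SECURITY_CENTER_ALERTS_OFF", key, name))
            elif k.endswith("firewallpolicy\\standardprofile") and n == "enablefirewall" \
                    and not is_nonzero(value):
                findings.append(("WINDOWS_FIREWALL_OFF", key, name))
            elif k.endswith("globallyopenports\\list"):
                # Every entry here is a port open to any remote host.
                findings.append(("GLOBALLY_OPEN_PORT", key, name))
            elif k.endswith("\\run") and value.endswith("[ ]"):
                # Empty bracket where ComboFix normally prints date and size:
                # the autorun points at a file it could not find.
                findings.append(("AUTORUN_TARGET_MISSING", key, name))
    return findings


def triage_log(text: str) -> List[Tuple[str, str, str]]:
    return triage(parse_loading_points(text))


if __name__ == "__main__":
    for code, key, name in triage_log(SAMPLE_LOG):
        print(f"{code:<28} {name!r} in [{key}]")
```

Reading the output against this thread: EnableFirewall=0 and the two McAfee DisableMonitoring keys are what a third-party suite writes when it takes over firewall and AV reporting (McAfee's own tasks and services appear elsewhere in the log), so on their own they are expected. The entries that deserve a question are AntiVirusDisableNotify=1 under the Security Center key itself, which silences the AV-off warning regardless of vendor, and 3389/TCP (Remote Desktop) in GloballyOpenPorts on a home PC. The Run entries with an empty [ ] (support.com, Trend Micro PC-cillin 2000, AVG, Yahoo! Pager) are leftovers from software that is no longer installed; they are harmless but are normally cleaned up with a HijackThis fix so the startup list stays readable.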
#24
The ComboFix log is fine so I just need to see the results of your online scan now. Don't forget to tell me if you still have any problems.
#25
Here is the BitDefender scan log:
BitDefender Online Scanner

Scan report generated at: Sat, May 24, 2008 - 10:33:31
Scan path: A:\;C:\;D:\;E:\;F:\;G:\;H:\;

Statistics
Time 01:15:36
Files 175490
Folders 7528
Boot Sectors 3
Archives 7421
Packed Files 9756

Results
Identified Viruses 8
Infected Files 10
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 10

Engines Info
Virus Definitions 1230929
Engine build AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins 16
Archive plugins 42
Unpack plugins 7
E-mail plugins 6
System plugins 5

Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes

Scanned File -- Status
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe=>wise0016 -- Infected with: Dropped:Application.Peopleonpage.Aproposmedia.D
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe=>wise0016 -- Disinfection failed
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe=>wise0016 -- Deleted
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe -- Update failed
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe=>wise0017 -- Detected with: Adware.Gator.AD
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe=>wise0017 -- Deleted
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe -- Update failed
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe=>wise0018 -- Detected with: Adware.Newdotnet.A
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe=>wise0018 -- Deleted
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe -- Update failed
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035=>(CAB Sfx r)=>Save.exe -- Infected with: Trojan.Adware.Whenu.A
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035=>(CAB Sfx r)=>Save.exe -- Deleted
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035=>(CAB Sfx r) -- Update failed
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035=>(CAB Sfx r)=>SaveUninst.exe -- Detected with: Application.Whenu.AJ
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035=>(CAB Sfx r)=>SaveUninst.exe -- Disinfection failed
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035=>(CAB Sfx r)=>SaveUninst.exe -- Deleted
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035=>(CAB Sfx r) -- Update failed
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035=>(CAB Sfx 2r) -- Detected with: Adware.Whenu.Savenow.U
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035=>(CAB Sfx 2r) -- Deleted
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035 -- Update failed
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0036 -- Detected with: Adware.Newdotnet.A
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0036 -- Deleted
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe -- Update failed
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\TopMoxie2.zip=>JavaRun.exe -- Infected with: Trojan.Ebates.A
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\TopMoxie2.zip=>JavaRun.exe -- Deleted
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\TopMoxie2.zip -- Updated
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\TopMoxie6.zip=>JavaRun.exe -- Infected with: Trojan.Ebates.A
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\TopMoxie6.zip=>JavaRun.exe -- Deleted
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\TopMoxie6.zip -- Updated
C:\QooBox\Quarantine\C\WINDOWS\system32\lUDJRXbc.ini.vir -- Infected with: Trojan.Vundo.DVS
C:\QooBox\Quarantine\C\WINDOWS\system32\lUDJRXbc.ini.vir -- Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\lUDJRXbc.ini.vir -- Deleted
#26
Some of my (latest added) Desktop icons seemed to be repositioning themselves. ????
Firefox encountered some error and closed itself. Only problems so far.
#27
#28
Thank you for all your guidance and patience.
#29
You are very welcome Dan.