
Help, I think my PC has been infected


Name: aray
Date: August 8, 2008 at 18:08:36 Pacific
OS: windows xp
CPU/Ram: pentium(r) 4 cpu 1.25 GB
Product: dell/dm3000
Comment:

I downloaded this torrent (I know I had it coming). I believe it had a virus: a red window popped up that read "antivirus 2008", so I did not run it and instead did a full scan with Norton and another with "Spybot Search and Destroy". Both came up with a couple of issues and I clicked the fix button.
After several reboots a big red X is next to the My Computer icon on the desktop. When I open it, my C: drive is nowhere to be found.
I have been reading the forums and already downloaded hijackthis.exe.
I need help reading that log; I have no clue at all.
Thanks




Response Number 1
Name: jabuck
Date: August 8, 2008 at 19:12:15 Pacific
Reply:

It will take a few posts to get rid of this Vundo Trojan, so hang in there please.

Go to start> control panel> add/remove programs> and uninstall these programs if found:

WinAntivirus 2008 or Antivirus 2008

WinAntivirus 2009 or Antivirus 2009

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



Response Number 2
Name: aray
Date: August 8, 2008 at 19:34:11 Pacific
Reply:

thank you, here is the log, I checked the programs in the Control Panel and did not find those programs.

Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:50 PM, on 08/08/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Aray\Desktop\New Folder\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.exe /AUTORUN
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.1\masqform.exe /RegServer -UpdateCurrentUser
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\system32\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Antivirus-2008.exe] C:\Program Files\Antivirus 2008\Antivirus-2008.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net/
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://echat.bellsouth.net/sdccommo...
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/res...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/download...
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zyl...
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/gam...
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: __A - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.exe
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 15149 bytes

In the computer knowledge rank, I'm an idiot


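As an added example, not code from the thread or from HijackThis itself: a small Python triage script that parses R1, O2, O4 and O20 lines in the log format posted above and flags the entries a helper would look at first. The heuristics and the sample lines are constructed here, modelled on the log, and are an assumption about what is worth a second look, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the shape of the HijackThis 2.0.2 log posted above.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\system32\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Antivirus-2008.exe] C:\Program Files\Antivirus 2008\Antivirus-2008.exe
O20 - Winlogon Notify: __A - C:\WINDOWS\
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


# Line shapes as HijackThis prints them (hive, key, [name] command for O4 entries).
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>.*)$")

# Run-key names that only something pretending to be Windows Update would use:
# Windows Update runs as a service and does not register itself under Run keys.
UPDATE_LURES = ("windowsupdate", "winupdate", "microsoftupdate")


def exe_basename(cmd):
    """Executable file name from a Run-key command line, ignoring quotes and arguments."""
    cmd = cmd.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def check_line(line):
    """Reasons (possibly none) why one HijackThis log line deserves a closer look."""
    reasons = []
    if (m := O4_RE.match(line)):
        name = m["name"].lower().replace(" ", "").replace("-", "")
        if exe_basename(m["cmd"]) == "svchost.exe":
            reasons.append("svchost.exe is launched by the service control manager, not from a Run key")
        if any(lure in name for lure in UPDATE_LURES):
            reasons.append("Run entry impersonates Windows Update")
        if "antivirus20" in name or "antivirus 20" in m["cmd"].lower():
            reasons.append("matches the rogue 'Antivirus 2008' program named in the thread")
    elif (m := O2_RE.match(line)):
        if m["path"].strip() == "(no file)":
            reasons.append("BHO registered with no backing file (orphaned entry)")
    elif (m := O20_RE.match(line)):
        if not m["path"].strip().lower().endswith(".dll"):
            reasons.append("Winlogon Notify entry points at a directory, not a DLL")
    elif (m := PROXY_RE.match(line)):
        if m["proxy"].strip() in ("", ":0"):
            reasons.append("ProxyServer is set but names no host; verify the proxy setting")
    return reasons


def triage(log_text):
    """All findings for a whole log, one Finding per (line, reason) pair."""
    return [Finding(line.strip(), r)
            for line in log_text.splitlines() if line.strip()
            for r in check_line(line.strip())]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Entries that are not flagged (ctfmon.exe, jusched.exe, the Symantec service) are the kind of thing the reply above warns are harmless or required; the flagged ones are only candidates for the helper to confirm.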

Response Number 3
Name: jabuck
Date: August 8, 2008 at 19:57:47 Pacific
Reply:

Removal and clean-up will take a few posts, so hang in there.

Spybot's TeaTimer must be shut down, as well as any other real-time protection that you may have running.

Go to this link:

Disable Realtime Protection

Follow their directions to disable any real-time protection that you have, as it will interfere with the fix by reinstalling the corrupt files and corrupting the removal tools that we will need.

Your Java is out of date and has been exploited.
Download the latest version of Java from this link: Java
Click on the JRE 6 Update 7 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save it to your desktop.
Close any programs you may have running, especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy and paste the entire report in your next reply.
10. Post a new HijackThis log please.



Response Number 4
Name: aray
Date: August 8, 2008 at 23:57:38 Pacific
Reply:

Here is the log. I already installed Java and deleted the older versions, now just tell me what to do :) Thanks for your help:

Malwarebytes' Anti-Malware 1.24
Database version: 1035
Windows 5.1.2600 Service Pack 2

2:41:24 AM 08/09/08
mbam-log-8-9-2008 (02-41-24).txt

Scan type: Quick Scan
Objects scanned: 46564
Time elapsed: 17 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\antivirus 2008 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__a (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Documents and Settings\Aray\Local Settings\Temp\DAP86Premium.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Aray\Local Settings\Temp\dssc32.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msupdte.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Vundo) -> Delete on reboot.

In the computer knowledge rank, I'm an idiot


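As an added example, not part of the thread or of Malwarebytes' own code: a Python parser for the MBAM log format above that cross-checks the summary counts against the entries listed per section and decodes the NoDrives value MBAM reported, which is what hid the C: drive described in the first post. The sample log is constructed from a few of the lines above; it assumes MBAM prints the Bad value in decimal, so 12 sets bits 2 and 3, which hide C: and D: and match the reported symptom.

```python
import re

# Constructed sample in the shape of the MBAM 1.24 log posted above, trimmed to a few entries.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.24
Database version: 1035

Scan type: Quick Scan
Objects scanned: 46564

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Data Items Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\antivirus 2008 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__a (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\msupdte.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Vundo) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")          # "Files Infected:"
COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")  # "Files Infected: 5"
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
DATA_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")


def parse_mbam(text):
    """Return (counts, sections): summary counts by name, and per-section entry dicts
    with item/detection/action, plus bad/good for registry data items."""
    counts, sections, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := COUNT_RE.match(line)):
            counts[m["name"]] = int(m["count"])
            continue
        if (m := SECTION_RE.match(line)):
            current = m["name"]
            sections[current] = []
            continue
        if current is None or line.startswith("(No malicious"):
            continue
        if not (m := ITEM_RE.match(line)):
            continue
        entry = {"item": m["item"], "detection": m["detection"], "action": m["rest"]}
        if (d := DATA_RE.match(m["rest"])):
            entry.update(action=d["action"], bad=d["bad"], good=d["good"])
        sections[current].append(entry)
    return counts, sections


def check_counts(counts, sections):
    """Summary counts that disagree with the number of entries actually listed."""
    return {name: (counts[name], len(items)) for name, items in sections.items()
            if name in counts and counts[name] != len(items)}


def decode_nodrives(mask):
    """Explorer's NoDrives policy is a bitmask: bit 0 hides A:, bit 1 hides B:, ... bit 25 hides Z:."""
    return [f"{chr(ord('A') + i)}:" for i in range(26) if (mask >> i) & 1]


def hidden_drives(sections):
    """Drive letters hidden by any NoDrives entry MBAM reported (its 'Bad' value, read as decimal)."""
    letters = []
    for e in sections.get("Registry Data Items Infected", []):
        if e["item"].upper().endswith("\\NODRIVES") and "bad" in e:
            letters.extend(decode_nodrives(int(e["bad"])))
    return letters


if __name__ == "__main__":
    counts, sections = parse_mbam(SAMPLE_MBAM_LOG)
    print("count mismatches:", check_counts(counts, sections))
    print("drives hidden by NoDrives:", hidden_drives(sections))
```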

Response Number 5
Name: jabuck
Date: August 9, 2008 at 05:08:29 Pacific
Reply:

Please post a new HijackThis log.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.






Response Number 6
Name: aray
Date: August 9, 2008 at 07:39:31 Pacific
Reply:

OK, I did both, so here are the log files for ComboFix and HijackThis,
and thanks again :))

ComboFix 08-08-08.07 - Aray 2008-08-09 9:55:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.814 [GMT -4:00]
Running from: C:\Documents and Settings\Aray\Desktop\ComboFix.exe
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\#SharedObjects\T6G8BDR9\interclick.com
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\#SharedObjects\T6G8BDR9\interclick.com\ud.sol
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\_003241_.tmp.dll
C:\WINDOWS\system32\_003242_.tmp.dll
C:\WINDOWS\system32\_003243_.tmp.dll
C:\WINDOWS\system32\_003244_.tmp.dll
C:\WINDOWS\system32\_003251_.tmp.dll
C:\WINDOWS\system32\_003252_.tmp.dll
C:\WINDOWS\system32\_003253_.tmp.dll
C:\WINDOWS\system32\_003254_.tmp.dll
C:\WINDOWS\system32\_003256_.tmp.dll
C:\WINDOWS\system32\_003257_.tmp.dll
C:\WINDOWS\system32\_003260_.tmp.dll
C:\WINDOWS\system32\_003261_.tmp.dll
C:\WINDOWS\system32\_003263_.tmp.dll
C:\WINDOWS\system32\_003264_.tmp.dll
C:\WINDOWS\system32\_003265_.tmp.dll
C:\WINDOWS\system32\_003267_.tmp.dll
C:\WINDOWS\system32\_003268_.tmp.dll
C:\WINDOWS\system32\_003270_.tmp.dll
C:\WINDOWS\system32\_003271_.tmp.dll
C:\WINDOWS\system32\_003275_.tmp.dll
C:\WINDOWS\system32\_003276_.tmp.dll
C:\WINDOWS\system32\_003278_.tmp.dll
C:\WINDOWS\system32\_003281_.tmp.dll
C:\WINDOWS\system32\_003283_.tmp.dll
C:\WINDOWS\system32\_003284_.tmp.dll
C:\WINDOWS\system32\_003285_.tmp.dll
C:\WINDOWS\system32\_003286_.tmp.dll
C:\WINDOWS\system32\_003287_.tmp.dll
C:\WINDOWS\system32\_003290_.tmp.dll
C:\WINDOWS\system32\_003291_.tmp.dll
C:\WINDOWS\system32\_003292_.tmp.dll
C:\WINDOWS\system32\_003293_.tmp.dll
C:\WINDOWS\system32\_003294_.tmp.dll
C:\WINDOWS\system32\_003299_.tmp.dll
C:\WINDOWS\system32\_003301_.tmp.dll
C:\WINDOWS\system32\_003302_.tmp.dll
C:\WINDOWS\system32\msconfig32
C:\WINDOWS\system32\msconfig32\__msnusr_arytito@msn.com
C:\WINDOWS\system32\msconfig32\msscncrtdate.dat

.
((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.

2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 02:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-09 01:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-09 01:53 . 2008-08-09 01:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-09 01:52 . 2008-08-09 01:52 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
2008-08-09 01:12 . 2008-08-09 01:12 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-08-08 23:26 . 2008-08-09 00:24 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-08 23:26 . 2008-08-09 00:24 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-08 23:26 . 2008-08-09 00:24 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-08 23:26 . 2008-08-09 00:24 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-08 22:58 . 2007-10-25 23:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-08 22:57 . 2008-08-08 22:57 <DIR> d-------- C:\WINDOWS\EHome
2008-08-08 22:41 . 2008-04-13 20:12 8,461,312 --a------ C:\WINDOWS\system32\SET36A.tmp
2008-08-08 22:40 . 2008-04-13 20:12 1,703,936 --a------ C:\WINDOWS\system32\SET402.tmp
2008-08-08 22:39 . 2008-04-13 20:11 2,843,136 --a------ C:\WINDOWS\system32\SET442.tmp
2008-08-08 22:38 . 2008-04-13 20:11 1,028,096 --------- C:\WINDOWS\system32\SET474.tmp
2008-08-08 22:37 . 2008-04-13 20:11 1,082,368 --a------ C:\WINDOWS\system32\SET4E9.tmp
2008-08-08 22:36 . 2008-04-13 20:11 1,267,200 --a------ C:\WINDOWS\system32\SET557.tmp
2008-08-08 22:35 . 2008-04-13 20:11 193,536 --a------ C:\WINDOWS\system32\SET5A0.tmp
2008-08-08 22:35 . 2008-04-13 20:11 143,360 --a------ C:\WINDOWS\system32\SET59C.tmp
2008-08-08 22:35 . 2008-04-13 20:11 125,952 --a------ C:\WINDOWS\system32\SET595.tmp
2008-08-08 22:35 . 2008-04-13 20:11 98,304 --a------ C:\WINDOWS\system32\SET59E.tmp
2008-08-08 22:35 . 2008-04-13 20:12 44,544 --a------ C:\WINDOWS\system32\SET598.tmp
2008-08-08 21:41 . 2008-08-08 23:28 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-05 07:06 . 2008-08-05 07:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-05 07:05 . 2008-08-05 07:07 <DIR> d-------- C:\Documents and Settings\Aray\.housecall6.6
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\PlayFirst
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-07-12 14:39 . 2008-07-12 14:39 <DIR> d-------- C:\Documents and Settings\Aray\Saved Games
2008-07-12 14:36 . 2008-07-12 14:36 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\iWin
2008-07-12 14:21 . 2008-08-05 12:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-12 13:48 . 2007-12-17 21:27 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-07-12 13:48 . 2007-12-17 21:27 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-07-12 13:48 . 2007-12-17 21:27 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 14:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-09 13:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-09 05:56 --------- d-----w C:\Program Files\Java
2008-08-09 05:45 --------- d-----w C:\Program Files\Common Files\supportsoft
2008-08-09 02:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 02:15 --------- d-----w C:\Program Files\Intel
2008-08-09 02:13 --------- d-----w C:\Program Files\Real
2008-08-09 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-09 01:49 --------- d-----w C:\Program Files\Google
2008-08-09 01:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-08 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-05 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-05 20:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-04 18:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-08-04 17:05 --------- d-----w C:\Documents and Settings\Aray\Application Data\Azureus
2008-08-03 16:41 --------- d-----w C:\Program Files\ComcastToolbar
2008-07-30 21:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-12 17:48 --------- d-----w C:\Program Files\Azureus
2008-07-06 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comcast
2008-07-05 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 23:20 --------- d-----w C:\Program Files\Norton Internet Security
2008-06-13 21:34 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-13 21:34 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-13 21:34 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-13 21:34 --------- d-----w C:\Program Files\Symantec
2008-06-13 21:20 --------- d-----w C:\Documents and Settings\Aray\Application Data\Symantec
2008-06-13 21:17 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-13 18:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 18:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 18:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 18:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 18:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 18:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 18:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 18:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 18:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 18:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 16:56 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-06-13 14:35 --------- d-----w C:\Documents and Settings\Aray\Application Data\AdobeUM
2008-06-13 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 20:45 --------- d-----w C:\Documents and Settings\Aray\Application Data\TaxCut
2008-06-12 15:27 --------- d-----w C:\Program Files\Common Files\Scanner
2008-06-12 15:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2005-10-14 00:11 56 --sh--r C:\WINDOWS\system32\ABD0B0C66D.sys
2005-10-14 00:11 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-13 11:26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42 1404928]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 07:03 81920]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02 86016]
"BuildBU"="c:\dell\bldbubg.exe" [2005-08-12 22:13 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-19 17:03 180269]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.1\masqform.exe" [2004-04-19 12:25 634880]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 00:53 714608]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"SprintModemUpdate"="javaw.exe" [2008-06-10 01:21 135168 C:\WINDOWS\system32\javaw.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"LabelMaker2.0"="C:\Program Files\Common Files\MySoftware\regdll.dll" [2006-08-02 10:05 94208]

C:\Documents and Settings\Aray\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.exe [2006-10-26 20:24:54 98632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispSettingPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\LEXPPS.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Business Attorney\\BA.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\TaxCut Business 2007\\TaxCut2007.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support
"47877:TCP"= 47877:TCP:azure

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-14 11:02]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-09-06 16:30]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-07-30 20:07]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;C:\WINDOWS\system32\DRIVERS\NwUsbCdFil.sys [2007-08-16 15:24]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser2.sys [2007-10-12 17:04]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-08-16 15:24]

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DC9D8B83-C748-CEAF-A491-BB3F3900CAC0}]
C:\WINDOWS\system32\svchost.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Aray.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 21:19]
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.comcast.net/
R0 -: HKLM-Main,Window Title = Windows Internet Explorer provided by Comcast
O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 -: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game05.zylom.com/activex/zylomgamesplayer.cab
C:\WINDOWS\Downloaded Program Files\ZylomGamesPlayer.inf
C:\WINDOWS\Downloaded Program Files\zylomgamesplayer.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 10:09:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
((((((((((((((((((((((((((((((((((((( Running Processes )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-08-09 10:29:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-09 14:29:33

Pre-Run: 39,992,070,144 bytes free
Post-Run: 40,881,082,368 bytes free

280 --- E O F --- 2008-07-24 04:03:13


**************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:37 AM, on 08/09/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Aray\Desktop\New Folder\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.exe /AUTORUN
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.1\masqform.exe /RegServer -UpdateCurrentUser
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net/
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://echat.bellsouth.net/sdccommo...
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/res...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/download...
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zyl...
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/gam...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.exe
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 13766 bytes

In the computer knowledge rank, I'm an idiot



Response Number 7
Name: aray
Date: August 9, 2008 at 07:50:51 Pacific
Reply:

I'm proud to tell you that the big red X next to My computer icon is gone, and the C: file now can be seen inside the folder. Now I want to get rid of all the trash for good so I'll come back for further instructions.

I also tried to install the update Service Pk 3 from microsoft but halfway through the operation I'm getting an error message that reads: access denied.

T.H.A.N.K Y.O.U S.O M.U.C.H!

In the computer knowledge rank, I'm an idiot



Response Number 8
Name: jabuck
Date: August 9, 2008 at 11:53:26 Pacific
Reply:

Before we continue I need you to check some files for me; the second one is a folder and may not run, but try it please.

Please go to Virus Total and upload the following file for analysis:

C:\WINDOWS\system32\ABD0B0C66D.sys

C:\WINDOWS\system32\CatRoot_bak

Use the browse button at the site to find the file, once you find the file double click it and it should appear in the empty space to the left of the browse button> click "send file".

Post the results in your reply.



Response Number 9
Name: aray
Date: August 9, 2008 at 14:08:24 Pacific
Reply:

the first file:

File ABD0B0C66D.sys received on 08.09.2008 23:05:01 (CET)


Result: 0/35 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.09 -
Authentium 5.1.0.4 2008.08.09 -
Avast 4.8.1195.0 2008.08.09 -
AVG 8.0.0.156 2008.08.09 -
BitDefender 7.2 2008.08.09 -
CAT-QuickHeal 9.50 2008.08.08 -
ClamAV 0.93.1 2008.08.09 -
DrWeb 4.44.0.09170 2008.08.09 -
eSafe 7.0.17.0 2008.08.07 -
eTrust-Vet 31.6.6021 2008.08.08 -
Ewido 4.0 2008.08.09 -
F-Prot 4.4.4.56 2008.08.08 -
Fortinet 3.14.0.0 2008.08.09 -
GData 2.0.7306.1023 2008.08.09 -
Ikarus T3.1.1.34.0 2008.08.09 -
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.09 -
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.09 -
NOD32v2 3342 2008.08.09 -
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.09 -
PCTools 4.4.2.0 2008.08.09 -
Prevx1 V2 2008.08.09 -
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.09 -
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.09 -
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 -
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.09 -
Webwasher-Gateway 6.6.2 2008.08.09 -
Additional information
File size: 56 bytes
MD5...: 54790804f216223b95effc9c6cfb0cf9
SHA1..: 048485de0e341a08e1a9ea524ef8ba7a83bf73d0
SHA256: 6d26e4ecd935afcfd1802df56ecb1bdd586970efe693ccc8e6662a22a501787c
SHA512: d5ca756cf8ccc7d03e26e833a4960f533390f4842c084d354e06d7eed206ff38
f3c560ddeedab356011ba8cf4c74e9b5fc33b7d31fcec746f325d62befb37d07
PEiD..: -
PEInfo: -

In the computer knowledge rank, I'm an idiot



Response Number 10
Name: aray
Date: August 9, 2008 at 14:10:48 Pacific
Reply:

the second folder did not run :(

I'll check back for your reply in a while....thank you

In the computer knowledge rank, I'm an idiot



Response Number 11
Name: jabuck
Date: August 9, 2008 at 17:40:16 Pacific
Reply:

Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present (unless you set this)

Exit Hijack This

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\SET36A.tmp
C:\WINDOWS\system32\SET402.tmp
C:\WINDOWS\system32\SET442.tmp
C:\WINDOWS\system32\SET474.tmp
C:\WINDOWS\system32\SET4E9.tmp
C:\WINDOWS\system32\SET557.tmp
C:\WINDOWS\system32\SET5A0.tmp
C:\WINDOWS\system32\SET59C.tmp
C:\WINDOWS\system32\SET595.tmp
C:\WINDOWS\system32\SET59E.tmp
C:\WINDOWS\system32\SET598.tmp
C:\WINDOWS\system32\ABD0B0C66D.sys

Driver::
__A

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Post a new Combofix log.



Response Number 12
Name: aray
Date: August 9, 2008 at 19:49:55 Pacific
Reply:

All done, here is the log :)))


ComboFix 08-08-08.07 - Aray 2008-08-09 22:14:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.654 [GMT -4:00]
Running from: C:\Documents and Settings\Aray\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Aray\Desktop\CFScript.txt

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\system32\ABD0B0C66D.sys
C:\WINDOWS\system32\SET36A.tmp
C:\WINDOWS\system32\SET402.tmp
C:\WINDOWS\system32\SET442.tmp
C:\WINDOWS\system32\SET474.tmp
C:\WINDOWS\system32\SET4E9.tmp
C:\WINDOWS\system32\SET557.tmp
C:\WINDOWS\system32\SET595.tmp
C:\WINDOWS\system32\SET598.tmp
C:\WINDOWS\system32\SET59C.tmp
C:\WINDOWS\system32\SET59E.tmp
C:\WINDOWS\system32\SET5A0.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\#SharedObjects\T6G8BDR9\interclick.com
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\#SharedObjects\T6G8BDR9\interclick.com\ud.sol
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\_000190_.tmp.dll
C:\WINDOWS\system32\_000201_.tmp.dll
C:\WINDOWS\system32\_000203_.tmp.dll
C:\WINDOWS\system32\_003249_.tmp.dll
C:\WINDOWS\system32\_003250_.tmp.dll
C:\WINDOWS\system32\_003251_.tmp.dll
C:\WINDOWS\system32\_003252_.tmp.dll
C:\WINDOWS\system32\_003259_.tmp.dll
C:\WINDOWS\system32\_003260_.tmp.dll
C:\WINDOWS\system32\_003261_.tmp.dll
C:\WINDOWS\system32\_003262_.tmp.dll
C:\WINDOWS\system32\_003263_.tmp.dll
C:\WINDOWS\system32\_003264_.tmp.dll
C:\WINDOWS\system32\_003265_.tmp.dll
C:\WINDOWS\system32\_003266_.tmp.dll
C:\WINDOWS\system32\_003267_.tmp.dll
C:\WINDOWS\system32\_003268_.tmp.dll
C:\WINDOWS\system32\_003269_.tmp.dll
C:\WINDOWS\system32\_003270_.tmp.dll
C:\WINDOWS\system32\_003271_.tmp.dll
C:\WINDOWS\system32\_003272_.tmp.dll
C:\WINDOWS\system32\_003274_.tmp.dll
C:\WINDOWS\system32\_003277_.tmp.dll
C:\WINDOWS\system32\_003278_.tmp.dll
C:\WINDOWS\system32\_003282_.tmp.dll
C:\WINDOWS\system32\_003283_.tmp.dll
C:\WINDOWS\system32\_003284_.tmp.dll
C:\WINDOWS\system32\_003285_.tmp.dll
C:\WINDOWS\system32\_003286_.tmp.dll
C:\WINDOWS\system32\_003287_.tmp.dll
C:\WINDOWS\system32\_003288_.tmp.dll
C:\WINDOWS\system32\_003290_.tmp.dll
C:\WINDOWS\system32\_003291_.tmp.dll
C:\WINDOWS\system32\_003292_.tmp.dll
C:\WINDOWS\system32\_003293_.tmp.dll
C:\WINDOWS\system32\_003294_.tmp.dll
C:\WINDOWS\system32\_003295_.tmp.dll
C:\WINDOWS\system32\_003296_.tmp.dll
C:\WINDOWS\system32\_003297_.tmp.dll
C:\WINDOWS\system32\_003298_.tmp.dll
C:\WINDOWS\system32\_003299_.tmp.dll
C:\WINDOWS\system32\_003300_.tmp.dll
C:\WINDOWS\system32\_003303_.tmp.dll
C:\WINDOWS\system32\_003304_.tmp.dll
C:\WINDOWS\system32\_003305_.tmp.dll
C:\WINDOWS\system32\_003307_.tmp.dll
C:\WINDOWS\system32\_003308_.tmp.dll
C:\WINDOWS\system32\_003309_.tmp.dll
C:\WINDOWS\system32\_003310_.tmp.dll
C:\WINDOWS\system32\_003311_.tmp.dll
C:\WINDOWS\system32\_003313_.tmp.dll
C:\WINDOWS\system32\_003314_.tmp.dll
C:\WINDOWS\system32\_003316_.tmp.dll
C:\WINDOWS\system32\_003317_.tmp.dll
C:\WINDOWS\system32\_003321_.tmp.dll
C:\WINDOWS\system32\_003322_.tmp.dll
C:\WINDOWS\system32\_003324_.tmp.dll
C:\WINDOWS\system32\_003327_.tmp.dll
C:\WINDOWS\system32\_003329_.tmp.dll
C:\WINDOWS\system32\_003330_.tmp.dll
C:\WINDOWS\system32\_003331_.tmp.dll
C:\WINDOWS\system32\_003332_.tmp.dll
C:\WINDOWS\system32\_003335_.tmp.dll
C:\WINDOWS\system32\_003336_.tmp.dll
C:\WINDOWS\system32\_003337_.tmp.dll
C:\WINDOWS\system32\_003338_.tmp.dll
C:\WINDOWS\system32\_003339_.tmp.dll
C:\WINDOWS\system32\_003344_.tmp.dll
C:\WINDOWS\system32\_003346_.tmp.dll
C:\WINDOWS\system32\_003347_.tmp.dll
C:\WINDOWS\system32\ABD0B0C66D.sys
C:\WINDOWS\system32\SET36A.tmp
C:\WINDOWS\system32\SET402.tmp
C:\WINDOWS\system32\SET442.tmp
C:\WINDOWS\system32\SET474.tmp
C:\WINDOWS\system32\SET4E9.tmp
C:\WINDOWS\system32\SET557.tmp
C:\WINDOWS\system32\SET595.tmp
C:\WINDOWS\system32\SET598.tmp
C:\WINDOWS\system32\SET59C.tmp
C:\WINDOWS\system32\SET59E.tmp
C:\WINDOWS\system32\SET5A0.tmp

.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-09 20:35 . 2008-08-09 20:35 3,151 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-08-09 19:39 . 2007-10-25 23:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-09 19:38 . 2007-02-28 05:08 2,136,064 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-09 12:55 . 2004-08-04 06:00 71,040 --------- C:\WINDOWS\system32\drivers\_003237_.tmp.dll
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 02:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-09 01:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-09 01:53 . 2008-08-09 01:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-09 01:52 . 2008-08-09 01:52 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
2008-08-09 01:12 . 2008-08-09 01:12 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-08 22:58 . 2004-08-04 06:00 71,040 --------- C:\WINDOWS\system32\drivers\_003227_.tmp.dll
2008-08-08 22:57 . 2008-08-09 19:38 <DIR> d-------- C:\WINDOWS\EHome
2008-08-08 22:41 . 2008-04-13 20:12 8,461,312 --a------ C:\WINDOWS\system32\SET2F1.tmp
2008-08-08 22:40 . 2008-04-13 20:12 1,703,936 --a------ C:\WINDOWS\system32\SET460.tmp
2008-08-08 22:39 . 2008-04-13 20:11 2,843,136 --a------ C:\WINDOWS\system32\SET4C7.tmp
2008-08-08 22:38 . 2008-04-13 20:11 1,028,096 --a------ C:\WINDOWS\system32\SET520.tmp
2008-08-08 22:37 . 2008-04-13 20:11 1,082,368 --a------ C:\WINDOWS\system32\SET5D4.tmp
2008-08-08 22:36 . 2008-04-13 20:11 1,267,200 --a------ C:\WINDOWS\system32\SET642.tmp
2008-08-08 22:35 . 2008-04-13 20:11 193,536 --a------ C:\WINDOWS\system32\SET68B.tmp
2008-08-08 22:35 . 2008-04-13 20:11 193,536 --a------ C:\WINDOWS\system32\SET576.tmp
2008-08-08 22:35 . 2008-04-13 20:11 143,360 --a------ C:\WINDOWS\system32\SET687.tmp
2008-08-08 22:35 . 2008-04-13 20:11 143,360 --a------ C:\WINDOWS\system32\SET570.tmp
2008-08-08 22:35 . 2008-04-13 20:11 125,952 --a------ C:\WINDOWS\system32\SET680.tmp
2008-08-08 22:35 . 2008-04-13 20:11 125,952 --a------ C:\WINDOWS\system32\SET568.tmp
2008-08-08 22:35 . 2008-04-13 20:11 98,304 --a------ C:\WINDOWS\system32\SET689.tmp
2008-08-08 22:35 . 2008-04-13 20:11 98,304 --a------ C:\WINDOWS\system32\SET573.tmp
2008-08-08 22:35 . 2008-04-13 20:12 44,544 --a------ C:\WINDOWS\system32\SET683.tmp
2008-08-08 22:35 . 2008-04-13 20:12 44,544 --a------ C:\WINDOWS\system32\SET56B.tmp
2008-08-08 21:41 . 2008-08-09 20:09 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-05 07:06 . 2008-08-05 07:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-05 07:05 . 2008-08-05 07:07 <DIR> d-------- C:\Documents and Settings\Aray\.housecall6.6
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\PlayFirst
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-07-12 14:39 . 2008-07-12 14:39 <DIR> d-------- C:\Documents and Settings\Aray\Saved Games
2008-07-12 14:36 . 2008-07-12 14:36 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\iWin
2008-07-12 14:21 . 2008-08-05 12:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-12 13:48 . 2007-12-17 21:27 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-07-12 13:48 . 2007-12-17 21:27 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-07-12 13:48 . 2007-12-17 21:27 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 02:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-09 23:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-09 18:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-09 16:13 --------- d-----w C:\Program Files\Dell Support Center
2008-08-09 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-08-09 05:56 --------- d-----w C:\Program Files\Java
2008-08-09 02:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 02:15 --------- d-----w C:\Program Files\Intel
2008-08-09 02:13 --------- d-----w C:\Program Files\Real
2008-08-09 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-09 01:49 --------- d-----w C:\Program Files\Google
2008-08-08 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-05 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-05 20:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-04 18:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-08-04 17:05 --------- d-----w C:\Documents and Settings\Aray\Application Data\Azureus
2008-08-03 16:41 --------- d-----w C:\Program Files\ComcastToolbar
2008-07-30 21:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-12 17:48 --------- d-----w C:\Program Files\Azureus
2008-07-06 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comcast
2008-07-05 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 23:20 --------- d-----w C:\Program Files\Norton Internet Security
2008-06-13 21:34 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-13 21:34 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-13 21:34 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-13 21:34 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-13 21:34 --------- d-----w C:\Program Files\Symantec
2008-06-13 21:20 --------- d-----w C:\Documents and Settings\Aray\Application Data\Symantec
2008-06-13 21:17 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-13 18:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 18:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-13 18:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 18:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 18:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 18:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 18:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 18:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 18:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 18:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 18:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 18:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 16:56 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-06-13 14:35 --------- d-----w C:\Documents and Settings\Aray\Application Data\AdobeUM
2008-06-13 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 20:45 --------- d-----w C:\Documents and Settings\Aray\Application Data\TaxCut
2008-06-12 15:27 --------- d-----w C:\Program Files\Common Files\Scanner
2005-10-14 00:11 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-09_10.28.48.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-10 01:52:05 5,424 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{22B8852C-2591-4680-B45A-2565E0D0CCCE}.bin
+ 2004-08-04 10:00:00 71,040 ------w C:\WINDOWS\system32\drivers\_003227_.tmp.dll
+ 2004-08-04 10:00:00 71,040 ------w C:\WINDOWS\system32\drivers\_003237_.tmp.dll
- 2008-08-09 04:52:11 66,662 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-09 17:54:52 66,662 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-09 04:52:11 414,008 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-09 17:54:52 414,008 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2004-08-04 10:00:00 36,096 ----a-w C:\WINDOWS\system32\ReinstallBackups\0017\DriverFiles\i386\intelppm.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-13 11:26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42 1404928]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 07:03 81920]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02 86016]
"BuildBU"="c:\dell\bldbubg.exe" [2005-08-12 22:13 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-19 17:03 180269]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.1\masqform.exe" [2004-04-19 12:25 634880]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 00:53 714608]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SprintModemUpdate"="javaw.exe" [2008-06-10 01:21 135168 C:\WINDOWS\system32\javaw.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"LabelMaker2.0"="C:\Program Files\Common Files\MySoftware\regdll.dll" [2006-08-02 10:05 94208]

C:\Documents and Settings\Aray\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.exe [2006-10-26 20:24:54 98632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispSettingPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\LEXPPS.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Business Attorney\\BA.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\TaxCut Business 2007\\TaxCut2007.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support
"47877:TCP"= 47877:TCP:azure

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-14 11:02]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-09-06 16:30]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;C:\WINDOWS\system32\DRIVERS\NwUsbCdFil.sys [2007-08-16 15:24]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser2.sys [2007-10-12 17:04]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-08-16 15:24]

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DC9D8B83-C748-CEAF-A491-BB3F3900CAC0}]
C:\WINDOWS\system32\svchost.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Aray.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 21:19]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DellSupportCenter - C:\Program Files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-DellSupportCenter - C:\Program Files\Dell Support Center\bin\sprtcmd.exe
Notify-__A - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 22:27:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
((((((((((((((((((((((((((((((((((((((( Running Processes )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-08-09 22:46:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-10 02:46:12
ComboFix2.txt 2008-08-09 14:29:59

Pre-Run: 39,733,268,480 bytes free
Post-Run: 39,887,470,592 bytes free

343 --- E O F --- 2008-08-10 01:50:25

In the computer knowledge rank, I'm an idiot



Response Number 13
Name: jabuck
Date: August 9, 2008 at 20:31:03 Pacific
Reply:

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\drivers\_003237_.tmp.dll
C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
C:\WINDOWS\system32\drivers\_003227_.tmp.dll
C:\WINDOWS\system32\SET2F1.tmp
C:\WINDOWS\system32\SET460.tmp
C:\WINDOWS\system32\SET4C7.tmp
C:\WINDOWS\system32\SET520.tmp
C:\WINDOWS\system32\SET5D4.tmp
C:\WINDOWS\system32\SET642.tmp
C:\WINDOWS\system32\SET68B.tmp
C:\WINDOWS\system32\SET576.tmp
C:\WINDOWS\system32\SET687.tmp
C:\WINDOWS\system32\SET570.tmp
C:\WINDOWS\system32\SET680.tmp
C:\WINDOWS\system32\SET568.tmp
C:\WINDOWS\system32\SET689.tmp
C:\WINDOWS\system32\SET573.tmp
C:\WINDOWS\system32\SET683.tmp
C:\WINDOWS\system32\SET56B.tmp

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto-start, click "run".

Post a new ComboFix log and a new HijackThis log please.


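As an added example (not code from this thread or from ComboFix; the line formats are reconstructed from the log posted above, and the sample log below is constructed from a few of those lines), this Python script splits a ComboFix log into its banner sections, collects the created-file entries that match the names jabuck picked out for his File:: script, and flags the registry states in the log that switch off Security Center monitoring and the Windows Firewall:

```python
import re

# Line shapes reconstructed from the log posted in this thread (assumption).
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$")
SECTION = re.compile(r"^\(+ (?P<name>.+?) \)+$")
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VAL = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')

# The file names jabuck singled out of the log for his File:: script. This is
# the selection made in this thread, not a general malware signature.
CFSCRIPT_PATTERNS = [
    re.compile(r"\\system32\\drivers\\_\d{6}_\.tmp\.dll$", re.I),
    re.compile(r"\\system32\\SET[0-9A-F]{3,4}\.tmp$", re.I),
    re.compile(r"\\WINDOWS\\[0-9A-F]{32}\.TMP$", re.I),
]

# Constructed sample: a handful of lines copied from the posted log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.
2008-08-09 12:55 . 2004-08-04 06:00 71,040 --------- C:\WINDOWS\system32\drivers\_003237_.tmp.dll
2008-08-09 01:52 . 2008-08-09 01:52 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
2008-08-08 22:41 . 2008-04-13 20:12 8,461,312 --a------ C:\WINDOWS\system32\SET2F1.tmp
2008-08-05 07:06 . 2008-08-05 07:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

*Newly Created Service* - COMHOST
"""

def split_sections(log):
    """Group the log's non-empty lines under the '(((( name ))))' banner above them."""
    sections, current = {"header": []}, "header"
    for raw in log.splitlines():
        line = raw.strip()
        banner = SECTION.match(line)
        if banner:
            current = banner.group("name")
            sections[current] = []
        elif line and line != ".":
            sections[current].append(line)
    return sections

def files_created(sections):
    """Parse every entry under the 'Files Created from ... to ...' banner."""
    entries = []
    for name, lines in sections.items():
        if name.startswith("Files Created"):
            for m in filter(None, map(FILE_LINE.match, lines)):
                entry = m.groupdict()
                size = entry["size"]
                entry["size"] = None if size == "<DIR>" else int(size.replace(",", ""))
                entries.append(entry)
    return entries

def cfscript_paths(entries):
    """Created-file paths matching jabuck's selection, sorted for the File:: block."""
    return sorted({e["path"] for e in entries
                   if any(p.search(e["path"]) for p in CFSCRIPT_PATTERNS)})

def reg_int(value):
    """Turn 'dword:00000001' or '0 (0x0)' into an int; None when not numeric."""
    if value.startswith("dword:"):
        return int(value[len("dword:"):], 16)
    head = value.split(" ", 1)[0]
    return int(head) if head.isdigit() else None

def protection_findings(sections):
    """Registry states under 'Reg Loading Points' that switch off built-in protection."""
    findings, key = [], ""
    for line in sections.get("Reg Loading Points", []):
        km, vm = REG_KEY.match(line), REG_VAL.match(line)
        if km:
            key = km.group("key").lower()
        elif vm:
            name, value = vm.group("name"), reg_int(vm.group("value"))
            if "security center\\monitoring" in key and name == "DisableMonitoring" and value == 1:
                findings.append("Security Center monitoring disabled under [%s]" % key)
            if key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and value == 0:
                findings.append("Windows Firewall is off for the standard profile")
        elif line.startswith("*Newly Created Service*"):
            findings.append(line)
    return findings

if __name__ == "__main__":
    secs = split_sections(SAMPLE_LOG)
    print("File::")
    print("\n".join(cfscript_paths(files_created(secs))))
    for finding in protection_findings(secs):
        print("-", finding)
```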

Response Number 14
Name: aray
Date: August 10, 2008 at 10:25:58 Pacific
Reply:

The ComboFix log file (after I ran the program my computer went blank, blue desktop, and I had to shut it down to be able to enter it again; on restart it was OK).
I'll post the hijackthis log file next.


ComboFix 08-08-09.06 - Aray 2008-08-10 12:55:55.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.785 [GMT -4:00]
Running from: C:\Documents and Settings\Aray\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Aray\Desktop\CFScript.txt
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
C:\WINDOWS\system32\drivers\_003227_.tmp.dll
C:\WINDOWS\system32\drivers\_003237_.tmp.dll
C:\WINDOWS\system32\SET2F1.tmp
C:\WINDOWS\system32\SET460.tmp
C:\WINDOWS\system32\SET4C7.tmp
C:\WINDOWS\system32\SET520.tmp
C:\WINDOWS\system32\SET568.tmp
C:\WINDOWS\system32\SET56B.tmp
C:\WINDOWS\system32\SET570.tmp
C:\WINDOWS\system32\SET573.tmp
C:\WINDOWS\system32\SET576.tmp
C:\WINDOWS\system32\SET5D4.tmp
C:\WINDOWS\system32\SET642.tmp
C:\WINDOWS\system32\SET680.tmp
C:\WINDOWS\system32\SET683.tmp
C:\WINDOWS\system32\SET687.tmp
C:\WINDOWS\system32\SET689.tmp
C:\WINDOWS\system32\SET68B.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\_003227_.tmp.dll
C:\WINDOWS\system32\drivers\_003237_.tmp.dll
C:\WINDOWS\system32\SET2F1.tmp
C:\WINDOWS\system32\SET460.tmp
C:\WINDOWS\system32\SET4C7.tmp
C:\WINDOWS\system32\SET520.tmp
C:\WINDOWS\system32\SET568.tmp
C:\WINDOWS\system32\SET56B.tmp
C:\WINDOWS\system32\SET570.tmp
C:\WINDOWS\system32\SET573.tmp
C:\WINDOWS\system32\SET576.tmp
C:\WINDOWS\system32\SET5D4.tmp
C:\WINDOWS\system32\SET642.tmp
C:\WINDOWS\system32\SET680.tmp
C:\WINDOWS\system32\SET683.tmp
C:\WINDOWS\system32\SET687.tmp
C:\WINDOWS\system32\SET689.tmp
C:\WINDOWS\system32\SET68B.tmp

.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-09 22:32 . 2008-08-09 22:32 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-08-09 22:32 . 2008-08-09 22:32 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-08-09 19:39 . 2007-10-25 23:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-09 19:38 . 2007-02-28 05:08 2,136,064 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 02:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-09 01:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-09 01:53 . 2008-08-09 01:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-09 01:52 . 2008-08-09 01:52 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
2008-08-09 01:12 . 2008-08-09 01:12 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-08 22:57 . 2008-08-09 19:38 <DIR> d-------- C:\WINDOWS\EHome
2008-08-08 22:41 . 2008-04-13 20:12 8,461,312 --a------ C:\WINDOWS\system32\SET264.tmp
2008-08-08 22:40 . 2008-04-13 20:12 1,703,936 --a------ C:\WINDOWS\system32\SET321.tmp
2008-08-08 22:39 . 2008-04-13 20:11 2,843,136 --a------ C:\WINDOWS\system32\SET384.tmp
2008-08-08 22:38 . 2008-04-13 20:11 1,028,096 --a------ C:\WINDOWS\system32\SET3C9.tmp
2008-08-08 22:37 . 2008-04-13 20:11 1,082,368 --a------ C:\WINDOWS\system32\SET489.tmp
2008-08-08 22:36 . 2008-04-13 20:11 1,267,200 --a------ C:\WINDOWS\system32\SET514.tmp
2008-08-08 21:41 . 2008-08-09 20:09 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-05 07:06 . 2008-08-05 07:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-05 07:05 . 2008-08-05 07:07 <DIR> d-------- C:\Documents and Settings\Aray\.housecall6.6
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\PlayFirst
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-07-12 14:39 . 2008-07-12 14:39 <DIR> d-------- C:\Documents and Settings\Aray\Saved Games
2008-07-12 14:36 . 2008-07-12 14:36 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\iWin
2008-07-12 14:21 . 2008-08-05 12:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-12 13:48 . 2007-12-17 21:27 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-07-12 13:48 . 2007-12-17 21:27 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-07-12 13:48 . 2007-12-17 21:27 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 02:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-09 23:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-09 18:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-09 16:13 --------- d-----w C:\Program Files\Dell Support Center
2008-08-09 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-08-09 05:56 --------- d-----w C:\Program Files\Java
2008-08-09 02:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 02:15 --------- d-----w C:\Program Files\Intel
2008-08-09 02:13 --------- d-----w C:\Program Files\Real
2008-08-09 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-09 01:49 --------- d-----w C:\Program Files\Google
2008-08-08 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-05 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-05 20:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-04 18:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-08-04 17:05 --------- d-----w C:\Documents and Settings\Aray\Application Data\Azureus
2008-08-03 16:41 --------- d-----w C:\Program Files\ComcastToolbar
2008-07-30 21:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-12 17:48 --------- d-----w C:\Program Files\Azureus
2008-07-06 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comcast
2008-07-05 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 23:20 --------- d-----w C:\Program Files\Norton Internet Security
2008-06-13 21:34 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-13 21:34 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-13 21:34 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-13 21:34 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-13 21:34 --------- d-----w C:\Program Files\Symantec
2008-06-13 21:20 --------- d-----w C:\Documents and Settings\Aray\Application Data\Symantec
2008-06-13 21:17 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-13 18:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 18:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-13 18:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 18:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 18:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 18:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 18:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 18:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 18:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 18:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 18:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 18:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 16:56 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-06-13 14:35 --------- d-----w C:\Documents and Settings\Aray\Application Data\AdobeUM
2008-06-13 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 20:45 --------- d-----w C:\Documents and Settings\Aray\Application Data\TaxCut
2008-06-12 15:27 --------- d-----w C:\Program Files\Common Files\Scanner
2005-10-14 00:11 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-09_10.28.48.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-09 04:52:11 66,662 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-09 17:54:52 66,662 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-09 04:52:11 414,008 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-09 17:54:52 414,008 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2004-08-04 10:00:00 36,096 ----a-w C:\WINDOWS\system32\ReinstallBackups\0017\DriverFiles\i386\intelppm.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-13 11:26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42 1404928]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 07:03 81920]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02 86016]
"BuildBU"="c:\dell\bldbubg.exe" [2005-08-12 22:13 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-19 17:03 180269]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.1\masqform.exe" [2004-04-19 12:25 634880]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 00:53 714608]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SprintModemUpdate"="javaw.exe" [2008-06-10 01:21 135168 C:\WINDOWS\system32\javaw.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"LabelMaker2.0"="C:\Program Files\Common Files\MySoftware\regdll.dll" [2006-08-02 10:05 94208]

C:\Documents and Settings\Aray\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.exe [2006-10-26 20:24:54 98632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispSettingPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\LEXPPS.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Business Attorney\\BA.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\TaxCut Business 2007\\TaxCut2007.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support
"47877:TCP"= 47877:TCP:azure

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-14 11:02]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-09-06 16:30]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;C:\WINDOWS\system32\DRIVERS\NwUsbCdFil.sys [2007-08-16 15:24]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser2.sys [2007-10-12 17:04]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-08-16 15:24]

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DC9D8B83-C748-CEAF-A491-BB3F3900CAC0}]
C:\WINDOWS\system32\svchost.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Aray.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 21:19]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 12:58:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-10 13:01:09
ComboFix-quarantined-files.txt 2008-08-10 17:00:50
ComboFix2.txt 2008-08-10 02:46:39
ComboFix3.txt 2008-08-09 14:29:59

Pre-Run: 39,850,717,184 bytes free
Post-Run: 39,848,747,008 bytes free

255 --- E O F --- 2008-08-10 01:50:25

In the computer knowledge rank, I'm an idiot



Response Number 15
Name: aray
Date: August 10, 2008 at 10:31:46 Pacific
Reply:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:06 PM, on 08/10/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Documents and Settings\Aray\Desktop\New Folder\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.exe /AUTORUN
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.1\masqform.exe /RegServer -UpdateCurrentUser
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net/
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://echat.bellsouth.net/sdccommo...
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/res...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/download...
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zyl...
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} -
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/gam...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.exe
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 13683 bytes

In the computer knowledge rank, I'm an idiot



Response Number 16
Name: jabuck
Date: August 10, 2008 at 11:20:00 Pacific
Reply:

There is an invisible file still producing those .tmp files. Let's try some other method of finding them.

Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt



Response Number 17
Name: aray
Date: August 10, 2008 at 14:09:29 Pacific
Reply:

Done and here is the log. Thanks again, really.


[b]SDFix: Version 1.214 [/b]
Run by Aray on 08/10/08 at 04:30 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Aray\Desktop\SDFix

[b]Checking Services [/b]:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\SIRENA~1.DLL - Deleted

Removing Temp Files

[b]ADS Check [/b]:


[b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 16:50:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\LEXPPS.exe"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Business Attorney\\BA.exe"="C:\\Program Files\\Business Attorney\\BA.EXE:*:Enabled:Business Attorney"
"C:\\WINDOWS\\system32\\javaw.exe"="C:\\WINDOWS\\system32\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.exe"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.exe"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.exe"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\TaxCut Business 2007\\TaxCut2007.exe"="C:\\Program Files\\TaxCut Business 2007\\TaxCut2007.exe:*:Enabled:TaxCut Business 2007"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:America Online 9.0a"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[b]Remaining Files [/b]:


File Backups: - C:\DOCUME~1\Aray\Desktop\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 13 Oct 2005 1,682 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Fri 17 Mar 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 21 Jun 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 8 Aug 2007 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Wed 8 Aug 2007 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Fri 17 Mar 2006 4,348 ...H. --- "C:\Documents and Settings\Aray\My Documents\My Music\License Backup\drmv1key.bak"
Sun 3 Jun 2007 20 A..H. --- "C:\Documents and Settings\Aray\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 17 Mar 2006 400 A.SH. --- "C:\Documents and Settings\Aray\My Documents\My Music\License Backup\drmv2key.bak"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Aray\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Aray\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Aray\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Tue 17 Apr 2007 8 A..H. --- "C:\Documents and Settings\Aray\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Thu 3 May 2007 8 A..H. --- "C:\Documents and Settings\Aray\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"

[b]Finished![/b]

In the computer knowledge rank, I'm an idiot



Response Number 18
Name: jabuck
Date: August 10, 2008 at 14:13:43 Pacific
Reply:

Ok, post a new Combofix log for a new list of files.



Response Number 19
Name: aray
Date: August 10, 2008 at 15:21:12 Pacific
Reply:

I've tried several times to copy the ComboFix log here and the browser goes blank. Do you want me to open a new post and try from there?

In the computer knowledge rank, I'm an idiot



Response Number 20
Name: jabuck
Date: August 10, 2008 at 15:40:17 Pacific
Reply:

I don't think that will help.

Go to start> run> type in ComboFix /u (note the space after combofix) then press enter. This will uninstall combofix.

Now download ComboFix again and post a new log, and don't forget to turn off real-time protection.



Response Number 21
Name: aray
Date: August 10, 2008 at 16:20:29 Pacific
Reply:

ComboFix 08-08-10.02 - Aray 2008-08-10 19:13:31.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.775 [GMT -4:00]
Running from: C:\Documents and Settings\Aray\Desktop\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-10 16:23 . 2008-08-10 16:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-09 22:32 . 2008-08-09 22:32 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-08-09 22:32 . 2008-08-09 22:32 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-08-09 19:39 . 2007-10-25 23:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-09 19:38 . 2007-02-28 05:08 2,136,064 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 02:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-09 01:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-09 01:53 . 2008-08-09 01:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-09 01:52 . 2008-08-09 01:52 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
2008-08-09 01:12 . 2008-08-09 01:12 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-08 22:57 . 2008-08-09 19:38 <DIR> d-------- C:\WINDOWS\EHome
2008-08-08 22:41 . 2008-04-13 20:12 8,461,312 --a------ C:\WINDOWS\system32\SET264.tmp
2008-08-08 22:40 . 2008-04-13 20:12 1,703,936 --a------ C:\WINDOWS\system32\SET321.tmp
2008-08-08 22:39 . 2008-04-13 20:11 2,843,136 --a------ C:\WINDOWS\system32\SET384.tmp
2008-08-08 22:38 . 2008-04-13 20:11 1,028,096 --a------ C:\WINDOWS\system32\SET3C9.tmp
2008-08-08 22:37 . 2008-04-13 20:11 1,082,368 --a------ C:\WINDOWS\system32\SET489.tmp
2008-08-08 22:36 . 2008-04-13 20:11 1,267,200 --a------ C:\WINDOWS\system32\SET514.tmp
2008-08-08 21:41 . 2008-08-10 13:49 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-05 07:06 . 2008-08-05 07:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-05 07:05 . 2008-08-05 07:07 <DIR> d-------- C:\Documents and Settings\Aray\.housecall6.6
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\PlayFirst
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-07-12 14:39 . 2008-07-12 14:39 <DIR> d-------- C:\Documents and Settings\Aray\Saved Games
2008-07-12 14:36 . 2008-07-12 14:36 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\iWin
2008-07-12 14:21 . 2008-08-05 12:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-12 13:48 . 2007-12-17 21:27 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-07-12 13:48 . 2007-12-17 21:27 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-07-12 13:48 . 2007-12-17 21:27 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-10 18:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-10 18:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-09 16:13 --------- d-----w C:\Program Files\Dell Support Center
2008-08-09 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-08-09 05:56 --------- d-----w C:\Program Files\Java
2008-08-09 02:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 02:15 --------- d-----w C:\Program Files\Intel
2008-08-09 02:13 --------- d-----w C:\Program Files\Real
2008-08-09 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-09 01:49 --------- d-----w C:\Program Files\Google
2008-08-08 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-05 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-05 20:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-04 18:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-08-04 17:05 --------- d-----w C:\Documents and Settings\Aray\Application Data\Azureus
2008-08-03 16:41 --------- d-----w C:\Program Files\ComcastToolbar
2008-07-30 21:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-12 17:48 --------- d-----w C:\Program Files\Azureus
2008-07-06 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comcast
2008-07-05 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 23:20 --------- d-----w C:\Program Files\Norton Internet Security
2008-06-13 21:34 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-13 21:34 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-13 21:34 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-13 21:34 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-13 21:34 --------- d-----w C:\Program Files\Symantec
2008-06-13 21:20 --------- d-----w C:\Documents and Settings\Aray\Application Data\Symantec
2008-06-13 21:17 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-13 18:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 18:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-13 18:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 18:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 18:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 18:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 18:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 18:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 18:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 18:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 18:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 18:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 16:56 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-06-13 14:35 --------- d-----w C:\Documents and Settings\Aray\Application Data\AdobeUM
2008-06-13 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 20:45 --------- d-----w C:\Documents and Settings\Aray\Application Data\TaxCut
2008-06-12 15:27 --------- d-----w C:\Program Files\Common Files\Scanner
2005-10-14 00:11 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-13 11:26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42 1404928]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 07:03 81920]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02 86016]
"BuildBU"="c:\dell\bldbubg.exe" [2005-08-12 22:13 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-19 17:03 180269]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.1\masqform.exe" [2004-04-19 12:25 634880]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 00:53 714608]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SprintModemUpdate"="javaw.exe" [2008-06-10 01:21 135168 C:\WINDOWS\system32\javaw.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"LabelMaker2.0"="C:\Program Files\Common Files\MySoftware\regdll.dll" [2006-08-02 10:05 94208]

C:\Documents and Settings\Aray\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.exe [2007-08-24 04:45:42 101784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispSettingPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\LEXPPS.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Business Attorney\\BA.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\TaxCut Business 2007\\TaxCut2007.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support
"47877:TCP"= 47877:TCP:azure

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-14 11:02]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-09-06 16:30]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;C:\WINDOWS\system32\DRIVERS\NwUsbCdFil.sys [2007-08-16 15:24]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser2.sys [2007-10-12 17:04]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-08-16 15:24]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DC9D8B83-C748-CEAF-A491-BB3F3900CAC0}]
C:\WINDOWS\system32\svchost.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Aray.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 21:19]
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.comcast.net/
R0 -: HKLM-Main,Window Title = Windows Internet Explorer provided by Comcast
O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 -: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game05.zylom.com/activex/zylomgamesplayer.cab
C:\WINDOWS\Downloaded Program Files\ZylomGamesPlayer.inf
C:\WINDOWS\Downloaded Program Files\zylomgamesplayer.dll

O16 -: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}

O16 -: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}

O16 -: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

O16 -: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 19:15:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-10 19:17:54
ComboFix-quarantined-files.txt 2008-08-10 23:17:41
ComboFix2.txt 2008-08-10 22:04:04

Pre-Run: 44,306,747,392 bytes free
Post-Run: 44,318,810,112 bytes free

232 --- E O F --- 2008-08-10 18:12:23

In the computer knowledge rank, I'm an idiot


0

Response Number 22
Name: jabuck
Date: August 10, 2008 at 17:19:38 Pacific
Reply:

Please download the OTMoveIt2 by OldTimer and save it to your desktop.

1. Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
2. Copy the lines in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
C:\WINDOWS\system32\SET264.tmp
C:\WINDOWS\system32\SET321.tmp
C:\WINDOWS\system32\SET384.tmp
C:\WINDOWS\system32\SET3C9.tmp
C:\WINDOWS\system32\SET489.tmp
C:\WINDOWS\system32\SET514.tmp


3. Return to OTMoveIt2, right click in the "Paste Custom List Of Files/Patterns To Move" window (under the yellow bar) and choose Paste.
4. Click the red Moveit! button.
5. Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
6. Close OTMoveIt2.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next reply. Please also post a new ComboFix log.


0

Response Number 23
Name: aray
Date: August 10, 2008 at 21:10:21 Pacific
Reply:

ComboFix log will be in my next post. Thanks.

C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP moved successfully.
C:\WINDOWS\system32\SET264.tmp moved successfully.
C:\WINDOWS\system32\SET321.tmp moved successfully.
C:\WINDOWS\system32\SET384.tmp moved successfully.
C:\WINDOWS\system32\SET3C9.tmp moved successfully.
C:\WINDOWS\system32\SET489.tmp moved successfully.
C:\WINDOWS\system32\SET514.tmp moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08112008_000415

In the computer knowledge rank, I'm an idiot


0

Response Number 24
Name: aray
Date: August 10, 2008 at 21:18:51 Pacific
Reply:

ComboFix 08-08-10.02 - Aray 2008-08-11 0:12:09.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767 [GMT -4:00]
Running from: C:\Documents and Settings\Aray\Desktop\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.

2008-08-11 00:04 . 2008-08-11 00:04 <DIR> d-------- C:\_OTMoveIt
2008-08-10 16:23 . 2008-08-10 16:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-09 22:32 . 2008-08-09 22:32 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-08-09 22:32 . 2008-08-09 22:32 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-08-09 19:39 . 2007-10-25 23:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-09 19:38 . 2007-02-28 05:08 2,136,064 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 02:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-09 01:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-09 01:53 . 2008-08-09 01:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-09 01:12 . 2008-08-09 01:12 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-08 22:57 . 2008-08-09 19:38 <DIR> d-------- C:\WINDOWS\EHome
2008-08-08 22:41 . 2008-04-13 20:12 1,499,136 --a------ C:\WINDOWS\system32\SET36B.tmp
2008-08-08 22:40 . 2008-04-13 20:12 1,287,168 --a------ C:\WINDOWS\system32\SET409.tmp
2008-08-08 22:39 . 2008-04-13 20:12 1,104,896 --a------ C:\WINDOWS\system32\SET493.tmp
2008-08-08 22:38 . 2008-04-13 20:11 586,240 --a------ C:\WINDOWS\system32\SET519.tmp
2008-08-08 22:37 . 2008-04-13 20:12 1,033,728 --a------ C:\WINDOWS\SET6B5.tmp
2008-08-08 22:36 . 2008-04-13 20:11 1,025,024 --a------ C:\WINDOWS\system32\SET66B.tmp
2008-08-08 21:41 . 2008-08-10 13:49 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-05 07:06 . 2008-08-05 07:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-05 07:05 . 2008-08-05 07:07 <DIR> d-------- C:\Documents and Settings\Aray\.housecall6.6
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\PlayFirst
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-07-12 14:39 . 2008-07-12 14:39 <DIR> d-------- C:\Documents and Settings\Aray\Saved Games
2008-07-12 14:36 . 2008-07-12 14:36 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\iWin
2008-07-12 14:21 . 2008-08-05 12:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-12 13:48 . 2007-12-17 21:27 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-07-12 13:48 . 2007-12-17 21:27 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-07-12 13:48 . 2007-12-17 21:27 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-11 02:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-11 00:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-10 18:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-09 16:13 --------- d-----w C:\Program Files\Dell Support Center
2008-08-09 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-08-09 05:56 --------- d-----w C:\Program Files\Java
2008-08-09 02:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 02:15 --------- d-----w C:\Program Files\Intel
2008-08-09 02:13 --------- d-----w C:\Program Files\Real
2008-08-09 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-09 01:49 --------- d-----w C:\Program Files\Google
2008-08-08 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-05 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-05 20:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-04 18:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-08-04 17:05 --------- d-----w C:\Documents and Settings\Aray\Application Data\Azureus
2008-08-03 16:41 --------- d-----w C:\Program Files\ComcastToolbar
2008-07-30 21:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-12 17:48 --------- d-----w C:\Program Files\Azureus
2008-07-06 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comcast
2008-07-05 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 23:20 --------- d-----w C:\Program Files\Norton Internet Security
2008-06-13 21:34 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-13 21:34 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-13 21:34 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-13 21:34 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-13 21:34 --------- d-----w C:\Program Files\Symantec
2008-06-13 21:20 --------- d-----w C:\Documents and Settings\Aray\Application Data\Symantec
2008-06-13 21:17 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-13 18:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 18:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-13 18:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 18:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 18:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 18:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 18:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 18:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 18:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 18:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 18:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 18:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 16:56 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-06-13 14:35 --------- d-----w C:\Documents and Settings\Aray\Application Data\AdobeUM
2008-06-13 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 20:45 --------- d-----w C:\Documents and Settings\Aray\Application Data\TaxCut
2008-06-12 15:27 --------- d-----w C:\Program Files\Common Files\Scanner
2005-10-14 00:11 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-13 11:26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42 1404928]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 07:03 81920]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02 86016]
"BuildBU"="c:\dell\bldbubg.exe" [2005-08-12 22:13 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-19 17:03 180269]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.1\masqform.exe" [2004-04-19 12:25 634880]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 00:53 714608]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SprintModemUpdate"="javaw.exe" [2008-06-10 01:21 135168 C:\WINDOWS\system32\javaw.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"LabelMaker2.0"="C:\Program Files\Common Files\MySoftware\regdll.dll" [2006-08-02 10:05 94208]

C:\Documents and Settings\Aray\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.exe [2007-08-24 04:45:42 101784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispSettingPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\LEXPPS.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Business Attorney\\BA.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\TaxCut Business 2007\\TaxCut2007.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support
"47877:TCP"= 47877:TCP:azure

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-14 11:02]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-09-06 16:30]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;C:\WINDOWS\system32\DRIVERS\NwUsbCdFil.sys [2007-08-16 15:24]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser2.sys [2007-10-12 17:04]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-08-16 15:24]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DC9D8B83-C748-CEAF-A491-BB3F3900CAC0}]
C:\WINDOWS\system32\svchost.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Aray.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 21:19]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.comcast.net/
R0 -: HKLM-Main,Window Title = Windows Internet Explorer provided by Comcast
O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 -: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game05.zylom.com/activex/zylomgamesplayer.cab
C:\WINDOWS\Downloaded Program Files\ZylomGamesPlayer.inf
C:\WINDOWS\Downloaded Program Files\zylomgamesplayer.dll

O16 -: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}

O16 -: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}

O16 -: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

O16 -: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 00:13:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-11 0:16:10
ComboFix-quarantined-files.txt 2008-08-11 04:16:04
ComboFix2.txt 2008-08-10 23:17:55
ComboFix3.txt 2008-08-10 22:04:04

Pre-Run: 44,272,054,272 bytes free
Post-Run: 44,315,873,280 bytes free

230 --- E O F --- 2008-08-10 18:12:23

In the computer knowledge rank, I'm an idiot


0

Response Number 25
Name: jabuck
Date: August 11, 2008 at 14:23:37 Pacific
Reply:

I was hoping for better results.

This is a long, in-depth scan; please post all of it, even if you have to do so in two posts.

Please download WinPFind3U.exe to your desktop from the following link:

WinPFind3U.exe


1. Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
   a. In the Processes group click All
   b. In the Win32 Services group click All
   c. In the Driver Services group click All
   d. In the Registry group click All
   e. In the Files Created Within group click 60 days. Make sure Non-Microsoft only is UNCHECKED.
   f. In the Files Modified Within group select 30 days. Make sure Non-Microsoft only is UNCHECKED.
   g. In the File String Search group select Non Microsoft
   h. In the Additional Scans section please select All and uncheck Non-Microsoft only
2. Now click the Run Scan button on the toolbar.
3. The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
4. When the scan is complete Notepad will open with the report file loaded in it.
5. Save that Notepad file, then copy/paste it into your next reply.



Response Number 26
Name: aray
Date: August 11, 2008 at 17:14:56 Pacific
Reply:

The browser couldn't open WinPFind3U.exe; it seems as if the link has expired or no longer exists.
I feel bad already for bothering you so much; I appreciate your help very much.
Thanks

In the computer knowledge rank, I'm an idiot



Response Number 27
Name: jabuck
Date: August 11, 2008 at 19:06:52 Pacific
Reply:

My mistake, I had not updated my database; this should be easier to use. And you are not bothering me in the least. You do have the newest variant of Vundo I have seen, though, so hang in there.

Please download OTScanIt from the following link:

OTScanIt

1. Close any open browsers.
2. Disconnect from the Internet.
3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of OTScanIt.
4. Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
5. Check the box that says Scan All User Accounts
6. Under Drivers select the radio button for All
7. Check the radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
8. Under Additional Scans check the following:
a. Reg - BotCheck
b. Reg - Disabled MS Config Items
c. Reg - File Associations
d. Reg - Security Settings
e. Reg - Software Policy Settings
f. Reg - Uninstall List
g. File - Additional Folder Scans
h. Evnt - EventViewer Errors/Warnings (last 7 days)
9. Now click the Run Scan button on the toolbar.
10. The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
11. When the scan is complete Notepad will open with the report file loaded in it automatically.
12. Save that Notepad file. Click the Format menu and make sure that Word wrap is not checked. If it is, then click on it to uncheck it.
13. Please post the results.



Response Number 28
Name: aray
Date: August 12, 2008 at 11:31:25 Pacific
Reply:

The browser did not let me post the log. I tried to split the results, but it didn't work either. Please let me know if it is OK for me to e-mail you the .txt file, or if there is another way to get this log to you.

Thanks :)

In the computer knowledge rank, I'm an idiot



Response Number 29
Name: jabuck
Date: August 12, 2008 at 14:47:22 Pacific
Reply:

I sent you a private message; to view it, go to the top of this page and on the left side click "My Computing.Net".



Response Number 30
Name: jabuck
Date: August 13, 2008 at 15:16:16 Pacific
Reply:

aray, we are still reviewing the OTScanIt log.

Please post a new Combofix log.



Response Number 31
Name: aray
Date: August 13, 2008 at 18:43:05 Pacific
Reply:

ComboFix 08-08-10.02 - Aray 2008-08-13 21:14:34.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.792 [GMT -4:00]
Running from: C:\Documents and Settings\Aray\Desktop\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\#SharedObjects\T6G8BDR9\interclick.com
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\#SharedObjects\T6G8BDR9\interclick.com\ud.sol
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.

2008-08-11 00:04 . 2008-08-11 00:04 <DIR> d-------- C:\_OTMoveIt
2008-08-10 16:23 . 2008-08-10 16:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-09 22:32 . 2008-08-09 22:32 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-08-09 22:32 . 2008-08-09 22:32 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-08-09 19:39 . 2007-10-25 23:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-09 19:38 . 2007-02-28 05:08 2,136,064 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 02:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-09 01:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-09 01:53 . 2008-08-09 01:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-09 01:12 . 2008-08-09 01:12 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-08 22:57 . 2008-08-09 19:38 <DIR> d-------- C:\WINDOWS\EHome
2008-08-08 22:41 . 2008-04-13 20:12 1,499,136 --a------ C:\WINDOWS\system32\SET36B.tmp
2008-08-08 22:40 . 2008-04-13 20:12 1,287,168 --a------ C:\WINDOWS\system32\SET409.tmp
2008-08-08 22:39 . 2008-04-13 20:12 1,104,896 --a------ C:\WINDOWS\system32\SET493.tmp
2008-08-08 22:38 . 2008-04-13 20:11 586,240 --a------ C:\WINDOWS\system32\SET519.tmp
2008-08-08 22:37 . 2008-04-13 20:12 1,033,728 --a------ C:\WINDOWS\SET6B5.tmp
2008-08-08 22:36 . 2008-04-13 20:11 1,025,024 --a------ C:\WINDOWS\system32\SET66B.tmp
2008-08-08 21:41 . 2008-08-10 13:49 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-05 07:06 . 2008-08-05 07:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-05 07:05 . 2008-08-05 07:07 <DIR> d-------- C:\Documents and Settings\Aray\.housecall6.6
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\PlayFirst
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-14 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-13 23:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-10 18:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-09 16:13 --------- d-----w C:\Program Files\Dell Support Center
2008-08-09 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-08-09 05:56 --------- d-----w C:\Program Files\Java
2008-08-09 02:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 02:15 --------- d-----w C:\Program Files\Intel
2008-08-09 02:13 --------- d-----w C:\Program Files\Real
2008-08-09 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-09 01:49 --------- d-----w C:\Program Files\Google
2008-08-08 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-05 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-05 20:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-05 16:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-04 18:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-08-04 17:05 --------- d-----w C:\Documents and Settings\Aray\Application Data\Azureus
2008-08-03 16:41 --------- d-----w C:\Program Files\ComcastToolbar
2008-07-30 21:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-12 18:36 --------- d-----w C:\Documents and Settings\Aray\Application Data\iWin
2008-07-12 17:48 --------- d-----w C:\Program Files\Azureus
2008-07-06 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comcast
2008-07-05 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 21:34 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-13 18:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 18:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-13 16:56 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2005-10-14 00:11 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-13 11:26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42 1404928]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 07:03 81920]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02 86016]
"BuildBU"="c:\dell\bldbubg.exe" [2005-08-12 22:13 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-19 17:03 180269]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.1\masqform.exe" [2004-04-19 12:25 634880]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 00:53 714608]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SprintModemUpdate"="javaw.exe" [2008-06-10 01:21 135168 C:\WINDOWS\system32\javaw.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"LabelMaker2.0"="C:\Program Files\Common Files\MySoftware\regdll.dll" [2006-08-02 10:05 94208]

C:\Documents and Settings\Aray\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.exe [2007-08-24 04:45:42 101784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispSettingPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\LEXPPS.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Business Attorney\\BA.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\TaxCut Business 2007\\TaxCut2007.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support
"47877:TCP"= 47877:TCP:azure

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-14 11:02]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-09-06 16:30]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;C:\WINDOWS\system32\DRIVERS\NwUsbCdFil.sys [2007-08-16 15:24]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser2.sys [2007-10-12 17:04]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-08-16 15:24]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - ERASERUTILDRV10820

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DC9D8B83-C748-CEAF-A491-BB3F3900CAC0}]
C:\WINDOWS\system32\svchost.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-12 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Aray.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 21:19]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.comcast.net/
R0 -: HKLM-Main,Window Title = Windows Internet Explorer provided by Comcast
O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 -: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game05.zylom.com/activex/zylomgamesplayer.cab
C:\WINDOWS\Downloaded Program Files\ZylomGamesPlayer.inf
C:\WINDOWS\Downloaded Program Files\zylomgamesplayer.dll

O16 -: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}

O16 -: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}

O16 -: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

O16 -: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 21:18:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-13 21:21:29
ComboFix-quarantined-files.txt 2008-08-14 01:21:16
ComboFix2.txt 2008-08-11 04:16:11
ComboFix3.txt 2008-08-10 23:17:55
ComboFix4.txt 2008-08-10 22:04:04

Pre-Run: 44,096,679,936 bytes free
Post-Run: 44,143,792,128 bytes free

213 --- E O F --- 2008-08-10 18:12:23

In the computer knowledge rank, I'm an idiot


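The "Reg Loading Points" section of the ComboFix log above is where the settings that matter for this thread show up: Security Center monitoring disabled under three keys, the Windows Firewall switched off, a Run entry that names a bare executable ("javaw.exe") instead of a full path, and an Active Setup component whose command is svchost.exe. As an added example (not part of aray's post and not ComboFix's own code), the Python script below parses that section and flags those four patterns. The sample log is constructed from lines in the post; the finding labels and the heuristics in review() are my own choices, not ComboFix's.

```python
"""Parse the 'Reg Loading Points' section of a ComboFix log and flag
settings worth a second look (added example, not ComboFix code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"SprintModemUpdate"="javaw.exe" [2008-06-10 01:21 135168 C:\WINDOWS\system32\javaw.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DC9D8B83-C748-CEAF-A491-BB3F3900CAC0}]
C:\WINDOWS\system32\svchost.exe
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=\s*(?P<raw>.*)$')


@dataclass
class RegEntry:
    key: str                 # registry key the line sits under
    name: Optional[str]      # value name; None for a bare command line (Active Setup style)
    value: Union[str, int]   # decoded data: path/command string or integer


def _decode_value(raw: str) -> Union[str, int]:
    """Turn ComboFix's rendering of the data into a string or an int.
    Forms seen in the log: "path" [date size], dword:00000001, 0 (0x0)."""
    raw = raw.strip()
    if raw.startswith('"'):                  # quoted path followed by metadata
        end = raw.find('"', 1)
        return raw[1:end] if end > 0 else raw[1:]
    if raw.lower().startswith("dword:"):     # REG_DWORD rendered as hex
        return int(raw[6:], 16)
    first = raw.split()[0] if raw.split() else ""
    try:
        return int(first, 0)                 # "0 (0x0)" -> 0
    except ValueError:
        return raw


def parse_reg_loading_points(text: str) -> List[RegEntry]:
    entries: List[RegEntry] = []
    key: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("*Note*", "REGEDIT", ".")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                 # new key header
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append(RegEntry(key, m.group("name"), _decode_value(m.group("raw"))))
        else:                                # bare command under the key, as Active Setup shows it
            entries.append(RegEntry(key, None, line))
    return entries


def review(entries: List[RegEntry]) -> List[Tuple[str, str]]:
    """Heuristics chosen for this example; each finding is (label, detail)."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        k = e.key.lower()
        if "security center\\monitoring" in k and e.name == "DisableMonitoring" and e.value == 1:
            findings.append(("security-center-monitoring-off", e.key))
        elif e.name == "EnableFirewall" and e.value == 0:
            findings.append(("firewall-off", e.key))
        elif "active setup\\installed components" in k and e.name is None:
            findings.append(("active-setup-command", str(e.value)))
        elif k.endswith("\\run") and isinstance(e.value, str) and "\\" not in e.value:
            findings.append(("run-bare-exe", f"{e.name}={e.value}"))   # resolved via PATH, weak provenance
    return findings


if __name__ == "__main__":
    for label, detail in review(parse_reg_loading_points(SAMPLE_LOG)):
        print(f"{label:32} {detail}")
```

Each finding is a prompt to look, not a verdict: a product like Norton legitimately sets its own Security Center monitoring keys, and a bare executable name in Run may be harmless. The point of scripting it is that the same four checks run identically over every ComboFix log posted in a thread like this one, instead of being eyeballed in a wall of text.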

Response Number 32
Name: jabuck
Date: August 13, 2008 at 19:36:45 Pacific
Reply:

Things are looking better. Read the two paragraphs below the X's before you start, as you may (most likely) need to reboot right after the fix has run.

Start OTScanIt. Copy/Paste the information between the X's below into the pane where it says "Paste fix here" and then click the Run Fix button.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[Kill Explorer]
[Unregister Dlls]
[Files/Folders - Created Within 90 days]
NY -> 685 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
NY -> 6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
NY -> E80F62FF5D3C4A1984099721F2928206.TMP -> %SystemRoot%\E80F62FF5D3C4A1984099721F2928206.TMP
[Files/Folders - Created Within 90 days]
NY -> 685 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
NY -> 6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
[Empty Temp Folders]
[Start Explorer]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The fix should only take a very short time. When the fix is completed, either a message box will pop up telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here.
We will review the information when it comes back in.

Next run a new scan from OTScanIt and send it the same way you did before, then post one more Combofix log.


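The fix above removes every *.tmp file under C:\WINDOWS\System32 and C:\WINDOWS that was created within 90 days. As an added example (not jabuck's or OTScanIt's code), the Python script below reproduces that selection as a dry run that only lists the candidates, so the list can be reviewed before anything is deleted. It builds its own sample directory with constructed file names and ages (the SETxxx.tmp names mimic entries in the ComboFix log), and it filters on modification time rather than creation time, because creation time is not settable on POSIX systems; the OTScanIt directive itself selects on creation time.

```python
r"""Dry run of the OTScanIt directive 'C:\WINDOWS\System32\*.tmp files, Created Within
90 days': list what would be selected and delete nothing (added example, not OTScanIt code)."""
import os
import tempfile
import time
from pathlib import Path
from typing import List, Optional


def recent_tmp_files(root, days: int, now: Optional[float] = None,
                     pattern: str = "*.tmp") -> List[str]:
    """Names of files directly in `root` (no subfolders, like System32\*.tmp) that
    match `pattern` and were modified within the last `days` days.  Uses mtime; the
    original directive uses creation time, which cannot be set on POSIX for a demo."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = [p.name for p in Path(root).glob(pattern)
            if p.is_file() and p.stat().st_mtime >= cutoff]
    return sorted(hits)


# Constructed sample: file name -> age in days.  Only the *.tmp names within the
# window should be selected; keep.dll is there to show the pattern filter.
SAMPLE_AGES = {"SET36B.tmp": 5, "SET409.tmp": 40, "OLD1234.tmp": 200, "keep.dll": 1}


def build_sample_tree(root, now: float) -> Path:
    """Create the sample files and back-date their timestamps with os.utime."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    for name, age in SAMPLE_AGES.items():
        f = root / name
        f.write_bytes(b"\x00" * 16)
        ts = now - age * 86400
        os.utime(f, (ts, ts))            # (atime, mtime)
    return root


def demo(days: int = 90) -> List[str]:
    """Build the sample tree in a temp dir and return what the directive would select."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d, now)
        return recent_tmp_files(d, days, now)


if __name__ == "__main__":
    for name in demo():
        print("would delete:", name)
```

Running it with the default 90-day window lists SET36B.tmp and SET409.tmp and leaves the 200-day-old file and the .dll alone, which is the behaviour the directive asks for. Pointing recent_tmp_files() at a real System32 directory gives the same review list without touching anything; the deletion step stays with the tool.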

Response Number 33
Name: aray
Date: August 13, 2008 at 20:49:08 Pacific
Reply:

Explorer killed successfully
[Files/Folders - Created Within 90 days]
File C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP not found!
[Files/Folders - Created Within 90 days]
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\WT6EO28E\BZBDACAQGRNJOCAPENGPVCAW3H0POCAJUZTB2CAM42USTCA23QUMNCA3JI8MTCAB33UZUCA6T1NQDCA1IEAHWCAZZLNOYCAZ0MXPYCAGPT2QQCAFNRUQFCAKQAB5FCAI4AA8CCACO4WHOCAQEJ8W5CAHCHCHICAA8Z4URCAUFVI93.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\WT6EO28E\U6ZFRCAA3TO0CCAS9P1DDCA52ISPECANYJ91BCA0RJ972CAT3RCTMCAS0Q00UCAL5SOX4CA3E8EJ7CARV5NXECA2IYQ6KCANP2NNZCAMKDCOZCA6MMVZPCA1ZHF1TCANUXDMBCAOKM7S1CA3TB2S9CANIE04FCA7KX52RCA1H7U0D.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\LTBUEJ6S\5IR79CAVKU93KCA900QQCCA1Q3LWBCAJ5D9GHCARA9WHECAKPS0AKCAPVPO2ACAAXTQEZCAPGY7UYCANKBVXJCAZUAQ65CA4489O5CAZ8ZZ6OCAYWR1X5CA0HLFUMCACZLBTQCA3M5PCKCAKVJJQGCAY8PRT1CATMXSY8CA10T0RL.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\LTBUEJ6S\COGGPCA7PUTKKCAAIH8ZYCAW1VQZCCA1J447PCA3WUYFRCAKLEBGOCACBYXGFCAMPJTHLCAIFFS9DCANF6Z8RCA2RX8UKCA8NK8K8CAJIER9ACA99LXFBCAXHNO6NCAUL2SGYCAE9HBO0CAQH8BTOCATRRAE8CA09792ACAD949FG.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\LTBUEJ6S\FA7MPCAUH3T2XCAI1R72GCA69HQX2CAOY2Z0CCAPP077NCA76HLN3CASPJOLQCA3FKWPLCAP2MQABCAU3063ZCA2RYL36CARGG110CADSFLUFCA00JZUZCAPTGUG3CAPS697FCA53X0SYCA7FQYMECAQ025SGCAL5SWOOCAQGM5PW.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\LTBUEJ6S\JE5NGCAKG1DBNCA0EQ2YDCA7BHSYWCASL5T7UCA13HF61CAINHQG6CAEIOEO8CAB6DJKECA95HB77CA417SSGCA3HCX1ECAGAE63ICA1M0XOKCAG9H7VBCAEYJVWECAC4HUAKCAHWISWRCAPSP1KICAHDHGACCAQ3PQBDCA0P3VZY.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\LTBUEJ6S\QVKIJCAQVXZ60CALP2ODMCAO29RGSCAZ60U2JCAW20QLPCAAILUAICAP2QG8ZCAYN0KAHCAVCKF70CA3WXE1LCA4ULTGGCARNIKJXCABF23M0CAK34Z70CA9HLZJ8CA6YSW2ZCAC8VJ2JCA6MO8XBCAA3B3HZCA8E3Q7TCA8CZFUQ.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\HO5EMELR\D7I9YCA4QG6XGCAYCZPBXCAJPMI5VCAWYXC3HCAV4B6C6CA2N58WQCANY83SACAA90X3UCAA2FXHZCA2DOWJ6CAR13ZKOCAAA8P6RCAZIVGFDCA948SAJCAY2CN48CA7F8WO2CAIOTIZPCA8KS4NMCAXN7VACCASBJE2QCA179TCI.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\HO5EMELR\GS9ZNCAJM950PCAHLXSMZCAXFAUHDCAIE64EZCASKEY14CA6QHLMUCAWYUJJPCAFJXTZSCA1UGIKYCAT3Q9V4CAZEOINGCAN0E4GDCAYEJHT4CAAHENIDCAEWNTNQCAF09NAGCALVU4OPCAJ46ADVCAD5VWF9CASJ8OTQCA3CI02O.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\HO5EMELR\XT00ECAOW245BCALHFI82CASCP4VLCABZF0WQCAK5CYDJCAY3TJUICAAEKBMFCAGV75T1CAA574M0CAH1BHO0CA25N509CASOSS9OCA22S2INCAOEXY30CALO6K0ZCA2S8SDXCA9NZL6SCA5Z0J7JCAEOF36MCA3K1EACCADBZ932.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\FSIETKIP\33BB1CAD49OZ4CAHRFDSCCAG9G2COCA00KL3ACA8K1QYUCAAN3HTHCAE5WU1GCABALRMSCAC6FYMOCAO1P8S4CANLPMY1CAXQJ9EYCASQBZR8CADG7G6RCARK7OAFCASVFDVACAYBKXC1CA1EZT4OCA0Q4I2ICA7J23JFCAI03KFR.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\FSIETKIP\CUHPPCALIX2X4CAREZYL9CAIP21BYCA7MLRSHCAFBBH0DCAL6MQBRCAFUC1T6CAPTA130CA2CK2Y4CADXQ38ICA69YXHQCA8JZTZ6CAX8AFKFCA8D974PCA1JZTBMCA9VVFPSCA5VU0VPCAK5TUARCA3EFPGKCAT077HOCAKWQEKR.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\FSIETKIP\IG1OFCAANPABWCA1O1AYYCAKDJPHTCA1156CVCA5QDVGDCASTKGF5CAZM4SY3CAC8PEC7CAKYRCEYCAOTVC5ECA2YF5X3CAF4VIC1CAFJNKE1CAN1RHVMCAGKAUXHCAYMY4AJCAKGQZRWCAKPXVDRCA8XO726CAJAK1VGCA44PADN.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\9SAW847W\BY6ZSCA820YVPCAOHV3R6CABIDI0KCAYVY44XCAGGL723CAD38OOGCAVTJF2MCAJIQ0AJCA3DSRQWCAHLFOO3CAB0Z46QCAG3OABWCAJX9M42CAKBN36BCA9S0QOFCA7P9XXBCAVOD5FPCATD6AAVCA49ABMSCADZRUJTCARNYKN4.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\9SAW847W\FSXVVCA4BH49GCA798P8TCAJFB0ZLCAGQ2IBMCAFE823RCAW7104PCAJ0IDK0CAQ027HECAORD21ZCAJ7IO2ICAEQIASCCAIHI4EFCAC47GCXCANYPJI8CAVT9QYMCA1QYRLDCAIV6EBNCA9SY58DCAXLFW60CAQ5PD3BCANI4PP9.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\9SAW847W\IJBQ9CA9OEG89CA9TYJRICAYYJ7PQCA0AAH0ECACV33M0CAJ0HUR6CA89HY5QCA88996CCA3M9U0FCA0V8CSQCAX3NPJRCAB24FO3CAB0GCM9CALXFEDCCAJN8U1HCAD50FBFCAVOVG5YCAWL0BV0CAHFRF53CA72YM7QCAYPVEJY.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\4USC3AYN\02WQUCA21TQM7CARW7RMYCAE88DBDCAGIQ0GUCAK3LCSICAYWIJ8ACACJ3099CA16K2D9CA4LKGPHCA1YV9LVCA107GYRCA5420H2CAECY8NECAW90ERICARBHJ2FCAJPHYO0CA02U1I3CADBVXIVCA6WTZBGCAZQW8XUCAKG6NXJ.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\4USC3AYN\MEQSVCAKI1YQ9CAISDJQCCA1VLA1BCA1WCFN1CAILZI1XCAV4RBJTCA1Y7GUXCAT2BG7SCATD5B8LCAWNAZ4ECATT7PBXCAH5WK6MCA6O825HCAKPM9JICA02UK8JCAWQ6HXMCA42TXFLCA9JPNHPCAL96U9ICAJJYU3PCACT22CM.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\4USC3AYN\ORX12CA2DW2WSCAX3SLRACA4H4WCICA6B2IRTCAMI54X2CA8CRHD2CAG5GR6YCAIUA011CA014ODDCALTPKNHCA0PMJ12CAFEIG3GCAFGVQ6WCAN9Z5Y1CA60ZSOJCALIRJFVCAZB75H6CAOFEMVJCAIUPDX9CA0M4TJNCA1IG5CM.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\03DPSL41\10LFGCA00WTV7CA5002FMCAQUJMQOCA2L0KT5CA93LRN9CAT72X3GCABVNK0NCARXHHKICADC95F1CA3FU1JZCABGQER3CAF485JPCA5CKBMDCADPBRVYCACZN00KCACI14Y1CA4S0I8JCATAOHTDCAYLBN9FCAYJLYXVCAFMY9HJ.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\03DPSL41\7529118;rid=27546997;rv=2;&timestamp=1218683116093;eid1=2;ecn1=0;etm1=10;eid2=12;ecn2=1;etm2=9;eid3=11;ecn3=1;etm3=0;eid4=14;ecn4=1;etm4=0;eid5=18;ecn5=1;etm5=0;&_dc_ck=try[1].gif scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\03DPSL41\DEZHTCACGG1RMCAGBYG4ZCAOJN4MSCAOEEVTGCA05R103CAO90BD2CAM741CBCAS1HIQRCAVKDTMRCACT9JH8CA8J9ERECA0R8SDDCAK3C2ZJCALY0WQ9CA28A6V9CAL4HEXFCA19411SCAJLUYXMCA6XSZ3ECAX6HFLLCAPPTGR2.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Aray\Local Settings\temp\Cookies\index.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\JET2611.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.2 fix logfile created on 08132008_233139

Files moved on Reboot...
File C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\WT6EO28E\BZBDACAQGRNJOCAPENGPVCAW3H0POCAJUZTB2CAM42USTCA23QUMNCA3JI8MTCAB33UZUCA6T1NQDCA1IEAHWCAZZLNOYCAZ0MXPYCAGPT2QQCAFNRUQFCAKQAB5FCAI4AA8CCACO4WHOCAQEJ8W5CAHCHCHICAA8Z4URCAUFVI93.htm not found!
File C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\WT6EO28E\U6ZFRCAA3TO0CCAS9P1DDCA52ISPECANYJ91BCA0RJ972CAT3RCTMCAS0Q00UCAL5SOX4CA3E8EJ7CARV5NXECA2IYQ6KCANP2NNZCAMKDCOZCA6MMVZPCA1ZHF1TCANUXDMBCAOKM7S1CA3TB2S9CANIE04FCA7KX52RCA1H7U0D.htm not found!
File C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\LTBUEJ6S\5IR79CAVKU93KCA900QQCCA1Q3LWBCAJ5D9GHCARA9WHECAKPS0AKCAPVPO2ACAAXTQEZCAPGY7UYCANKBVXJCAZUAQ65CA4489O5CAZ8ZZ6OCAYWR1X5CA0HLFUMCACZLBTQCA3M5PCKCAKVJJQGCAY8PRT1CATMXSY8CA10T0RL.htm not found!
File C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\LTBUEJ6S\COGGPCA7PUTKKCAAIH8ZYCAW1VQZCCA1J447PCA3WUYFRCAKLEBGOCACBYXGFCAMPJTHLCAIFFS9DCANF6Z8RCA2RX8UKCA8NK8K8CAJIER9ACA99LXFBCAXHNO6NCAUL2SGYCAE9HBO0CAQH8BTOCATRRAE8CA09792ACAD949FG.htm not found!
File C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\LTBUEJ6S\FA7MPCAUH3T2XCAI1R72GCA69HQX2CAOY2Z0CCAPP077NCA76HLN3CASPJOLQCA3FKWPLCAP2MQABCAU3063ZCA2RYL36CARGG110CADSFLUFCA00JZUZCAPTGUG3CAPS697FCA53X0SYCA7FQYMECAQ025SGCAL5SWOOCAQGM5PW.htm not found!
C:\Documents and Settings\Aray\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\Aray\Local Settings\temp\History\History.IE5\index.dat moved successfully.
C:\Documents and Settings\Aray\Local Settings\temp\Cookies\index.dat moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\WINDOWS\temp\JET2611.tmp moved successfully.

In the computer knowledge rank, I'm an idiot


0

Response Number 34
Name: aray
Date: August 13, 2008 at 21:15:57 Pacific
Reply:

ComboFix 08-08-13.02 - Aray 2008-08-13 23:55:39.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.796 [GMT -4:00]
Running from: C:\Documents and Settings\Aray\Desktop\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\#SharedObjects\T6G8BDR9\interclick.com
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\#SharedObjects\T6G8BDR9\interclick.com\ud.sol
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.

2008-08-11 00:04 . 2008-08-11 00:04 <DIR> d-------- C:\_OTMoveIt
2008-08-10 16:23 . 2008-08-10 16:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-09 22:32 . 2008-08-09 22:32 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-08-09 22:32 . 2008-08-09 22:32 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-08-09 19:39 . 2007-10-25 23:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-09 19:38 . 2007-02-28 05:08 2,136,064 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 02:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-09 01:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-09 01:53 . 2008-08-09 01:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-09 01:12 . 2008-08-09 01:12 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-08 22:57 . 2008-08-09 19:38 <DIR> d-------- C:\WINDOWS\EHome
2008-08-08 22:41 . 2008-04-13 20:12 1,499,136 --a------ C:\WINDOWS\system32\SET36B.tmp
2008-08-08 22:40 . 2008-04-13 20:12 1,287,168 --a------ C:\WINDOWS\system32\SET409.tmp
2008-08-08 22:39 . 2008-04-13 20:12 1,104,896 --a------ C:\WINDOWS\system32\SET493.tmp
2008-08-08 22:38 . 2008-04-13 20:11 586,240 --a------ C:\WINDOWS\system32\SET519.tmp
2008-08-08 22:37 . 2008-04-13 20:12 1,033,728 --a------ C:\WINDOWS\SET6B5.tmp
2008-08-08 22:36 . 2008-04-13 20:11 1,025,024 --a------ C:\WINDOWS\system32\SET66B.tmp
2008-08-08 21:41 . 2008-08-10 13:49 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-05 07:06 . 2008-08-05 07:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-05 07:05 . 2008-08-05 07:07 <DIR> d-------- C:\Documents and Settings\Aray\.housecall6.6
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\PlayFirst
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-14 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-13 23:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-10 18:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-09 16:13 --------- d-----w C:\Program Files\Dell Support Center
2008-08-09 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-08-09 05:56 --------- d-----w C:\Program Files\Java
2008-08-09 02:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 02:15 --------- d-----w C:\Program Files\Intel
2008-08-09 02:13 --------- d-----w C:\Program Files\Real
2008-08-09 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-09 01:49 --------- d-----w C:\Program Files\Google
2008-08-08 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-05 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-05 20:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-05 16:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-04 18:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-08-04 17:05 --------- d-----w C:\Documents and Settings\Aray\Application Data\Azureus
2008-08-03 16:41 --------- d-----w C:\Program Files\ComcastToolbar
2008-07-30 21:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-12 18:36 --------- d-----w C:\Documents and Settings\Aray\Application Data\iWin
2008-07-12 17:48 --------- d-----w C:\Program Files\Azureus
2008-07-06 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comcast
2008-07-05 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 21:34 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-13 18:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 18:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-13 16:56 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2005-10-14 00:11 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-13 11:26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42 1404928]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 07:03 81920]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02 86016]
"BuildBU"="c:\dell\bldbubg.exe" [2005-08-12 22:13 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-19 17:03 180269]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.1\masqform.exe" [2004-04-19 12:25 634880]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 00:53 714608]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SprintModemUpdate"="javaw.exe" [2008-06-10 01:21 135168 C:\WINDOWS\system32\javaw.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"LabelMaker2.0"="C:\Program Files\Common Files\MySoftware\regdll.dll" [2006-08-02 10:05 94208]

C:\Documents and Settings\Aray\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.exe [2007-08-24 04:45:42 101784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispSettingPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\LEXPPS.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Business Attorney\\BA.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\TaxCut Business 2007\\TaxCut2007.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support
"47877:TCP"= 47877:TCP:azure

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-14 11:02]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-09-06 16:30]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;C:\WINDOWS\system32\DRIVERS\NwUsbCdFil.sys [2007-08-16 15:24]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser2.sys [2007-10-12 17:04]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-08-16 15:24]

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DC9D8B83-C748-CEAF-A491-BB3F3900CAC0}]
C:\WINDOWS\system32\svchost.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-12 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Aray.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 21:19]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.comcast.net/
R0 -: HKLM-Main,Window Title = Windows Internet Explorer provided by Comcast
O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 -: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game05.zylom.com/activex/zylomgamesplayer.cab
C:\WINDOWS\Downloaded Program Files\ZylomGamesPlayer.inf
C:\WINDOWS\Downloaded Program Files\zylomgamesplayer.dll

O16 -: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}

O16 -: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}

O16 -: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

O16 -: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 00:00:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-14 0:03:32
ComboFix-quarantined-files.txt 2008-08-14 04:03:00
ComboFix2.txt 2008-08-14 01:21:30
ComboFix3.txt 2008-08-11 04:16:11
ComboFix4.txt 2008-08-10 23:17:55
ComboFix5.txt 2008-08-14 03:54:10

Pre-Run: 44,253,282,304 bytes free
Post-Run: 44,304,703,488 bytes free

213 --- E O F --- 2008-08-10 18:12:23

In the computer knowledge rank, I'm an idiot


0

Response Number 35
Name: jabuck
Date: August 14, 2008 at 15:31:17 Pacific
Reply:

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::

File::
C:\WINDOWS\system32\SET36B.tmp
C:\WINDOWS\system32\SET409.tmp
C:\WINDOWS\system32\SET493.tmp
C:\WINDOWS\system32\SET519.tmp
C:\WINDOWS\SET6B5.tmp
C:\WINDOWS\system32\SET66B.tmp

Folder::
C:\Documents and Settings\Aray\Application Data\iWin

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start, click "run".

Post a new Combofix log.


0
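Reading a ComboFix log line by line is where a helper's time goes, so here is an added example (not from this thread, from ComboFix, or from its author): a small Python checker that pulls out the kinds of entries jabuck acts on, namely SET*.tmp leftovers (the File:: targets above), a non-empty AppInit_DLLs value, Security Center monitoring and the Windows Firewall switched off, a newly created service, and an Active Setup component whose stub is svchost.exe. The sample log is a constructed excerpt built from values visible in the thread, and the CFScript it drafts is a starting point for a helper to review, not a verdict.

```python
"""Checker for the security-relevant lines of a ComboFix-style log.

Added example for this thread; it is not part of ComboFix. It flags entries
for review and does not decide by itself what is malware.
"""
import re
from typing import List, Tuple

# Constructed excerpt modelled on the logs posted in this thread, trimmed to
# the entries a helper looks at first.
SAMPLE_LOG = r"""
2008-08-08 22:41 . 2008-04-13 20:12 1,499,136 --a------ C:\WINDOWS\system32\SET36B.tmp
2008-08-08 22:37 . 2008-04-13 20:12 1,033,728 --a------ C:\WINDOWS\SET6B5.tmp
2008-08-09 01:12 . 2008-08-09 01:12 410,976 --a------ C:\WINDOWS\system32\deploytk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=oowvhv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DC9D8B83-C748-CEAF-A491-BB3F3900CAC0}]
C:\WINDOWS\system32\svchost.exe
"""

# File-listing lines start with a date and end with the path after the
# attribute column, e.g. "2008-08-08 22:41 . ... --a------ C:\WINDOWS\x.tmp".
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} .*?\s([A-Za-z]:\\\S.*)$")
SETUP_TMP = re.compile(r"^SET[0-9A-F]+\.tmp$", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (severity, description, evidence)


def scan_combofix_log(text: str) -> List[Finding]:
    """Walk the log once and return (severity, description, evidence) tuples."""
    findings: List[Finding] = []
    section_raw = ""  # current registry key as printed
    section = ""      # the same, lower-cased for matching
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section_raw = line[1:-1]
            section = section_raw.lower()
            continue
        m = FILE_LINE.match(line)
        if m:
            section = section_raw = ""  # a file listing ends any registry block
            path = m.group(1)
            if SETUP_TMP.match(path.rsplit("\\", 1)[-1]):
                findings.append(("low", "leftover SET*.tmp installer file", path))
            continue
        if line.startswith("*Newly Created Service*"):
            findings.append(("medium", "service created since the last run",
                             line.split("- ", 1)[-1]))
            continue
        if line.startswith('"') and section:
            name, _, value = line.partition("=")
            name, value = name.strip('"').lower(), value.strip()
            if name == "appinit_dlls" and value:
                # Loaded into every process that maps user32.dll: worth a look.
                findings.append(("high", "AppInit_DLLs is set", value))
            elif (name == "disablemonitoring" and "security center" in section
                  and value.split(":")[-1].lstrip("0") == "1"):
                # Third-party suites that take over Security Center alerts set
                # this too, so it is a review item rather than a verdict.
                findings.append(("medium", "Security Center monitoring disabled", section_raw))
            elif name == "enablefirewall" and value.split()[0] == "0":
                findings.append(("medium", "Windows Firewall disabled (EnableFirewall=0)", section_raw))
            continue
        if "active setup" in section and line.lower().endswith("svchost.exe"):
            guid = section_raw.rsplit("\\", 1)[-1]
            findings.append(("high", "Active Setup component whose stub is svchost.exe",
                             guid + " -> " + line))
    return findings


def cfscript_for(findings: List[Finding]) -> str:
    """Draft a CFScript.txt in the form used in this thread (KILLALL:: first,
    then File::) from the leftover-installer-file findings only."""
    files = [ev for _, what, ev in findings if what.startswith("leftover SET")]
    return "\n".join(["KILLALL::", "File::", *files, ""])


if __name__ == "__main__":
    found = scan_combofix_log(SAMPLE_LOG)
    for severity, what, evidence in found:
        print(f"[{severity:6}] {what}: {evidence}")
    print("\n--- draft CFScript.txt ---")
    print(cfscript_for(found))
```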

Response Number 36
Name: aray
Date: August 14, 2008 at 15:58:56 Pacific
Reply:

FILE:: at the top of the page? What about the KILLALL::? Because when I copy/paste, KILLALL is at the top of the txt file.

In the computer knowledge rank, I'm an idiot


0

Response Number 37
Name: jabuck
Date: August 14, 2008 at 16:18:04 Pacific
Reply:

Killall at the top please, my error.


0

Response Number 38
Name: aray
Date: August 16, 2008 at 20:39:41 Pacific
Reply:

I did as you told me, and after ComboFix finished and restarted the PC I got two error messages that these files couldn't be found:

c:\\windows\system32\ixfgdowa.dll
c:\\windows\system32\urldhbic.dll

Now I tried to post the ComboFix log here and, as has happened before, was unable to do so.
What should I do next?

Thanks a lot!

In the computer knowledge rank, I'm an idiot


0

Response Number 39
Name: jabuck
Date: August 17, 2008 at 07:48:55 Pacific
Reply:

Looks like the baddie got wounded.

Again go to start> run> type in combofix /u (note the space after combofix)> then press enter. This will uninstall combofix.

Download combofix again.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP

Folder::
C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start, click "run".

Post a new Combofix log please.


0

Response Number 40
Name: aray
Date: August 18, 2008 at 18:03:24 Pacific
Reply:

jabuck, before I post the log let me share this with you: the last couple of times that I've opened this webpage, my antivirus software notified me of an attack from gmodules.com.
Do you think it is a serious threat?

thanks again...... :)

In the computer knowledge rank, I'm an idiot


0

Response Number 41
Name: jabuck
Date: August 18, 2008 at 18:35:26 Pacific
Reply:

I'm sure gmodules.com = google but I will raise a flag, thank you.

Please post your combofix log.


0

Response Number 42
Name: aray
Date: August 19, 2008 at 10:33:05 Pacific
Reply:

ComboFix 08-08-18.01 - Aray 2008-08-18 20:25:07.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.810 [GMT -4:00]
Running from: C:\Documents and Settings\Aray\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Aray\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Aray\cookies\aray@2o7[1].txt
C:\Documents and Settings\Aray\cookies\aray@ads.pointroll[2].txt
C:\Documents and Settings\Aray\cookies\aray@ads.revsci[1].txt
C:\Documents and Settings\Aray\cookies\aray@amazon[2].txt
C:\Documents and Settings\Aray\cookies\aray@dell[1].txt
C:\Documents and Settings\Aray\cookies\aray@insightexpressai[1].txt
C:\Documents and Settings\Aray\cookies\aray@live[1].txt
C:\Documents and Settings\Aray\cookies\aray@revsci[2].txt
C:\Documents and Settings\Aray\cookies\aray@track.bestbuy[1].txt
C:\Documents and Settings\Aray\cookies\aray@trafficmp[2].txt
C:\Documents and Settings\Aray\cookies\aray@walmart[2].txt
C:\Documents and Settings\Aray\UserData
C:\Documents and Settings\Aray\UserData\[u]0[/u]V030LQP\oWindowsUpdate[1].xml
C:\Documents and Settings\Aray\UserData\[u]0[/u]V030LQP\WebvooLong[1].xml
C:\Documents and Settings\Aray\UserData\8BQF8LKT\dmtstore[1].xml
C:\Documents and Settings\Aray\UserData\8BQF8LKT\oWindowsUpdate[1].xml
C:\Documents and Settings\Aray\UserData\8BQF8LKT\YL[1].xml
C:\Documents and Settings\Aray\UserData\8NUR2RIP\k[1].xml
C:\Documents and Settings\Aray\UserData\8NUR2RIP\oXMLStore[1].xml
C:\Documents and Settings\Aray\UserData\8NUR2RIP\userDataXmlIsland[1].xml
C:\Documents and Settings\Aray\UserData\ARK52Z0D\oasUserData[1].xml
C:\Documents and Settings\Aray\UserData\ARK52Z0D\oXMLStore[1].xml
C:\Documents and Settings\Aray\UserData\index.dat

.
((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 )))))))))))))))))))))))))))))))
.

2008-08-17 20:14 . 2008-08-17 20:14 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-17 12:47 . 2008-08-17 12:47 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-17 12:41 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\[u]0[/u]02940_.tmp
2008-08-17 11:11 . 2008-08-17 11:13 331,805,736 --a------ C:\WindowsXP-KB936929-SP3-x86-ENU.exe
2008-08-14 22:14 . 2008-05-01 10:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 20:54 . 2008-04-11 15:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-14 19:15 . 2008-04-14 00:54 2,145,280 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-10 16:23 . 2008-08-10 16:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-09 22:32 . 2008-08-14 21:29 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-08-09 22:32 . 2008-08-14 21:29 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-08-09 19:39 . 2004-08-04 06:00 71,040 --a------ C:\WINDOWS\system32\drivers\_003245_.tmp.dll
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 01:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-09 01:53 . 2008-08-09 01:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-09 01:12 . 2008-08-09 01:12 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-08-08 23:26 . 2008-08-17 12:51 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-08 23:26 . 2008-08-17 12:51 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-08 23:26 . 2008-08-17 12:51 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-08 23:26 . 2008-08-17 12:51 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-08 22:57 . 2008-08-17 12:36 <DIR> d-------- C:\WINDOWS\EHome
2008-08-08 22:41 . 2008-04-13 20:12 8,461,312 --a------ C:\WINDOWS\system32\SET52A.tmp
2008-08-08 22:40 . 2008-04-13 20:12 1,703,936 --a------ C:\WINDOWS\system32\SET613.tmp
2008-08-08 22:39 . 2008-04-13 20:11 2,843,136 --a------ C:\WINDOWS\system32\SET66A.tmp
2008-08-08 22:38 . 2008-04-13 20:11 1,028,096 --a------ C:\WINDOWS\system32\SET6A5.tmp
2008-08-08 22:37 . 2008-04-13 20:11 1,082,368 --a------ C:\WINDOWS\system32\SET71A.tmp
2008-08-08 22:36 . 2008-04-13 20:11 1,267,200 --a------ C:\WINDOWS\system32\SET788.tmp
2008-08-08 22:35 . 2008-04-13 20:11 193,536 --a------ C:\WINDOWS\system32\SET7D1.tmp
2008-08-08 22:35 . 2008-04-13 20:11 143,360 --a------ C:\WINDOWS\system32\SET7CD.tmp
2008-08-08 22:35 . 2008-04-13 20:11 125,952 --a------ C:\WINDOWS\system32\SET7C6.tmp
2008-08-08 22:35 . 2008-04-13 20:11 98,304 --a------ C:\WINDOWS\system32\SET7CF.tmp
2008-08-08 22:35 . 2008-04-13 20:12 44,544 --a------ C:\WINDOWS\system32\SET7C9.tmp
2008-08-05 07:06 . 2008-08-05 07:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-05 07:05 . 2008-08-05 07:07 <DIR> d-------- C:\Documents and Settings\Aray\.housecall6.6
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\PlayFirst
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 00:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-18 22:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-17 22:08 --------- d-----w C:\Program Files\MSN Messenger
2008-08-15 04:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-15 01:08 --------- d-----w C:\Program Files\Novatel Wireless
2008-08-15 01:04 --------- d-----w C:\Program Files\Azureus
2008-08-09 16:13 --------- d-----w C:\Program Files\Dell Support Center
2008-08-09 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-08-09 05:56 --------- d-----w C:\Program Files\Java
2008-08-09 02:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 02:15 --------- d-----w C:\Program Files\Intel
2008-08-09 02:13 --------- d-----w C:\Program Files\Real
2008-08-09 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-09 01:49 --------- d-----w C:\Program Files\Google
2008-08-08 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-05 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-05 20:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-05 16:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-04 18:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-08-04 17:05 --------- d-----w C:\Documents and Settings\Aray\Application Data\Azureus
2008-08-03 16:41 --------- d-----w C:\Program Files\ComcastToolbar
2008-07-30 21:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-06 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comcast
2008-07-05 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 16:56 691,545 ----a-w C:\WINDOWS\unins000.exe
2005-10-14 00:11 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-13 11:26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42 1404928]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 07:03 81920]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02 86016]
"BuildBU"="c:\dell\bldbubg.exe" [2005-08-12 22:13 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-19 17:03 180269]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.1\masqform.exe" [2004-04-19 12:25 634880]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 00:53 714608]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SprintModemUpdate"="javaw.exe" [2008-06-10 01:21 135168 C:\WINDOWS\system32\javaw.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"LabelMaker2.0"="C:\Program Files\Common Files\MySoftware\regdll.dll" [2006-08-02 10:05 94208]

C:\Documents and Settings\Aray\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.exe [2007-08-24 04:45:42 101784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispSettingPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=oowvhv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\LEXPPS.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Business Attorney\\BA.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\TaxCut Business 2007\\TaxCut2007.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support
"47877:TCP"= 47877:TCP:azure

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-14 11:02]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c294b4ae-6c7e-11dd-9778-00132076ba9a}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL iexplore http://www.mgae.com/keylauncher/?co...

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DC9D8B83-C748-CEAF-A491-BB3F3900CAC0}]
C:\WINDOWS\system32\svchost.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-19 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Aray.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 21:19]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 20:34:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-08-18 20:55:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-19 00:54:37
ComboFix2.txt 2008-08-17 03:27:06

Pre-Run: 46,793,551,872 bytes free
Post-Run: 46,895,620,096 bytes free

215 --- E O F --- 2008-08-18 11:12:58

In the computer knowledge rank, I'm an idiot


0

Response Number 43
Name: jabuck
Date: August 19, 2008 at 14:31:34 Pacific
Reply:

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\WINDOWS\[u]0[/u]02940_.tmp
C:\WINDOWS\system32\drivers\_003245_.tmp.dll
C:\WINDOWS\system32\SET52A.tmp
C:\WINDOWS\system32\SET613.tmp
C:\WINDOWS\system32\SET66A.tmp
C:\WINDOWS\system32\SET6A5.tmp
C:\WINDOWS\system32\SET71A.tmp
C:\WINDOWS\system32\SET788.tmp
C:\WINDOWS\system32\SET7D1.tmp
C:\WINDOWS\system32\SET7CD.tmp
C:\WINDOWS\system32\SET7C6.tmp
C:\WINDOWS\system32\SET7CF.tmp
C:\WINDOWS\system32\SET7C9.tmp

Driver::
oowvhv

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Post a new Combofix log.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.


0

Response Number 44
Name: IT Tech Spec
Date: August 20, 2008 at 06:29:57 Pacific
Reply:

This is not the way to remove this Trojan...
This trojan also unpacks a ton of fake spyware and security alerts. You may even get a message across your screen alerting you to spyware being on your system and to install programs to remove it, etc.
If you want to remove this without reformat and without losing your personal files, logon to my site.

IT Technical Specialist


0

Response Number 45
Name: jabuck
Date: August 20, 2008 at 15:18:35 Pacific
Reply:

IT Tech Spec, we can use all the help we can get. So instead of putting your two cents in, how about putting a hundred percent in and help resolve the problem on this site.


0

Response Number 46
Name: aray
Date: August 21, 2008 at 19:04:15 Pacific
Reply:

ok, jabuck, sorry I didn't reply sooner, but this has gotten worse and I uninstalled my Norton and installed a Trend Micro antivirus hoping to get better results, I tried to clean the machine a little but it didn't work either
now I'm getting these pop-up messages trying to take me to an antivirus 2009 site, and redirecting my browser, it's just crazy
so what I did was run hijackthis again and here is the log
PS: IT Tech Spec, if you can help please do so here, as you can see we have been working hard to fix the problem, thank you guys!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:02 PM, on 08/21/08
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Aray\Desktop\New Folder\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.exe /AUTORUN
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.1\masqform.exe /RegServer -UpdateCurrentUser
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [143e43a8] rundll32.exe "C:\WINDOWS\system32\vgjprcyd.dll",b
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [BM170d7034] Rundll32.exe "C:\WINDOWS\system32\cnclbgvw.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net/
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://echat.bellsouth.net/sdccommo...
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/res...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/download...
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_ins...
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: bfwvrr.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 12001 bytes

In the computer knowledge rank, I'm an idiot


0
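A small triage script for HijackThis v2 logs like the one posted above, added here as an example; it is not part of the thread and not HijackThis's own code. It flags the indicator classes visible in that log (a Run value that only launches rundll32 on a DLL in system32, a hex-string value name, a populated AppInit_DLLs line, a proxy setting); the sample lines are copied from the log above, and the vowel-ratio "random name" heuristic is a constructed approximation of what a helper eyeballs, not a rule from any tool.

```python
"""Triage a HijackThis v2 log for the Vundo-style indicators seen in this thread.

Added example, not part of the thread or of HijackThis; the heuristics are
a constructed approximation of what a helper looks for in such a log.
"""
import re
from collections import namedtuple

# Line shapes as HijackThis v2 writes them (copied from the log above):
#   O4 - HKLM\..\Run: [143e43a8] rundll32.exe "C:\WINDOWS\system32\vgjprcyd.dll",b
#   O20 - AppInit_DLLs: bfwvrr.dll
#   R1 - HKCU\Software\...\Internet Settings,ProxyServer = :0
O4_RE = re.compile(r'^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.+)$')
R1_PROXY_RE = re.compile(r'^R1 - .*ProxyServer = (?P<proxy>.*)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)

Finding = namedtuple("Finding", "category line random_name")


def looks_random(stem):
    """Crude name heuristic: an all-letter stem with almost no vowels.
    The DLLs on this box (vgjprcyd, cnclbgvw, bfwvrr) have none; vendor
    binaries such as igfxtray or ctfmon sit above the threshold."""
    stem = stem.lower()
    if not stem.isalpha() or len(stem) < 5:
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) < 0.15


def triage(log_text):
    """Return the suspicious lines of a HijackThis log as Finding tuples."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            r = RUNDLL_RE.match(cmd)
            if r and "system32" in r.group("dll").lower():
                # A Run value that exists only to rundll32 a DLL out of system32
                # is the classic Vundo autostart; no vendor entry here does that.
                stem = r.group("dll").rsplit("\\", 1)[-1][:-4]
                findings.append(Finding("run_rundll32_system32_dll", line, looks_random(stem)))
            if HEX_NAME_RE.match(name):
                # Value names like [143e43a8] are generated, not chosen by a vendor.
                findings.append(Finding("run_hex_entry_name", line, True))
            continue
        m = O20_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every user-mode process that links
            # user32; it is almost never populated on a home PC, so review it.
            stem = m.group("dlls").strip().rsplit(".", 1)[0]
            findings.append(Finding("appinit_dlls_set", line, looks_random(stem)))
            continue
        m = R1_PROXY_RE.match(line)
        if m:
            # A proxy the user never configured is one way browsing gets redirected.
            findings.append(Finding("proxy_server_set", line, False))
    return findings


# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [143e43a8] rundll32.exe "C:\WINDOWS\system32\vgjprcyd.dll",b
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [BM170d7034] Rundll32.exe "C:\WINDOWS\system32\cnclbgvw.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'SYSTEM')
O20 - AppInit_DLLs: bfwvrr.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        tag = " (random-looking name)" if f.random_name else ""
        print(f"{f.category}{tag}: {f.line}")
```

Run against the full log it reports exactly the two rundll32 Run values, the O20 line and the proxy setting, which are the entries the helpers in this thread single out.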

Response Number 47
Name: jabuck
Date: August 21, 2008 at 20:00:53 Pacific
Reply:

There is more than one part to the fix, so do this first.

Please download SmitFraudFix from this link:

SmitfraudFix

Then extract the contents to your desktop.
!!!! Only run option #1 as running the other options on an uninfected computer will damage the desktop.!!!!

Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


0

Response Number 48
Name: aray
Date: August 21, 2008 at 20:34:24 Pacific
Reply:

SmitFraudFix v2.339

Scan done at 23:26:00.65, 08/21/08
Run from C:\Documents and Settings\Aray\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Aray


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Aray\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\aray\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="bfwvrr.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 68.87.74.162
DNS Server Search Order: 68.87.68.162
DNS Server Search Order: 68.87.73.242

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A4247084-D30C-4F59-BB96-7F1C04B8F349}: DhcpNameServer=68.87.74.162 68.87.68.162 68.87.73.242
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A4247084-D30C-4F59-BB96-7F1C04B8F349}: DhcpNameServer=68.87.74.162 68.87.68.162 68.87.73.242
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A4247084-D30C-4F59-BB96-7F1C04B8F349}: DhcpNameServer=68.87.74.162 68.87.68.162 68.87.73.242
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.74.162 68.87.68.162 68.87.73.242
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.74.162 68.87.68.162 68.87.73.242
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.74.162 68.87.68.162 68.87.73.242


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

In the computer knowledge rank, I'm an idiot


0

Response Number 49
Name: jabuck
Date: August 22, 2008 at 14:14:09 Pacific
Reply:

Open SmitfraudFix, and choose Option 4 to check for updates and download any updates. Then exit SmitfraudFix.


Now, reboot your computer in Safe Mode by doing the following :
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".


The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Please download HostsXpert from the following link:

HostsXpert

Extract the HostsXpert.zip by doing the following:
Right-click HostsXpert.zip and select extract all. Follow the wizard and extract it to your Desktop. Click Finish.
Double-click the HostsXpert folder and then double-click HostsXpert.exe.
Click "Restore MS Hosts File" and press OK. Exit the program.

Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.

Post a new Hijack This log please.


0

Response Number 50
Name: borgz23
Date: September 11, 2008 at 08:48:58 Pacific
Reply:

I encountered this problem before. This site helps me a lot. If you are getting a red X mark on local C, check this site: http://tinyurl.com/5mub5o

Also for XP 2008 pop-up removal, check this out: http://tinyurl.com/58kxze

Hope this will help you out as well.


0

Response Number 51
Name: astroraptor
Date: September 16, 2008 at 08:01:08 Pacific
Reply:

SuperAntiSpyware gets rid of Antivirus 200x.


0
