pos tmp files on c, red x,slow,dll
Original Message
Name: saiza
Date: March 3, 2008 at 06:55:25 Pacific
Subject: pos tmp files on c, red x,slow,dll
OS: Windows XP SP2
CPU/Ram: pentium[R]4 2.66GHz 512MB
Model/Manufacturer: Dell PPO7L
Comment: HI, I have had thousands of POS tmp files on my documents and c drive with a big red X on c drive. Thanks to Jabuck's reply to one of the same queries, I have been able to remove the pos file from c drive and the red X mark. But I have a dll error when I start the machine: c:\WINDOWS\System32\yjrnjuk.dll. The specified module could not be found.
2) I had a malicious script found error when comboFix was generating logs by my expired norton antivirus. So I presume my machine still has infections. Can you please analyze my combofix and hijackthis logs. Will post when I get the reply.
3) When I try to shutdown the machine I get an ENDTASK for RCNTNLWB.EXE. This needs forced endtask for me to proceed.
Please help!!!! Thanks in advance
Saiza
Response Number 1
Name: jabuck
Date: March 3, 2008 at 14:03:36 Pacific
Subject: pos tmp files on c, red x,slow,dll
Reply: Go to this link: Disable Realtime Protection
Follow their directions to disable any realtime protection that you have, as it will interfere with the fix by reinstalling the corrupt files.

Please download Atribune's VundoFix.exe from the following site to your desktop: Vundofix.exe
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click "yes".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "ok".

Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link: Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from one of the following links: Link1 Link 2 Link 3
Double-click combofix.exe
Follow the prompts. (Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.
Response Number 2
Name: saiza
Date: March 3, 2008 at 14:50:31 Pacific
Subject: pos tmp files on c, red x,slow,dll
Reply: Thanks for your quick reply jabuck. God Bless!!! Can you please tell me what to do about the dll error as well... and below are the logs.

HijackThis Log:
=================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:43 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Athan\Athan.exe
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\System32\DrvMon.exe
C:\WINDOWS\system32\kcntnlwb.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Saleem Sheikh\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: (no name) - {5B4BE51A-EB15-4180-B7EC-4AA657275F2D} - C:\WINDOWS\system32\urqpo.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - C:\WINDOWS\system32\ljjggff.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [{E5-54-4D-D1-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BM7bcd67e2] Rundll32.exe "C:\WINDOWS\system32\yjrnjyuk.dll",s
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\kcntnlwb.exe DWram
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKUS\S-1-5-18\..\RunOnce: [barcontrol.dll OCX] regsvr32.exe /s "C:\Program Files\Common Files\Real\GToolbar\barcontrol.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [barcontrol.dll OCX] regsvr32.exe /s "C:\Program Files\Common Files\Real\GToolbar\barcontrol.dll" (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\kcntnlwb.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\rwwnw64d.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/download...
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads...
O20 - Winlogon Notify: ljjggff - ljjggff.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 10460 bytes

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ComboFix Logs
===============
ComboFix 08-03-03.4 - Saleem Sheikh 2008-03-02 21:36:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.172 [GMT 0:00]
Running from: C:\Documents and Settings\Saleem Sheikh\Desktop\ComboFix.exe
 * Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Saleem Sheikh\Application Data\PPPATC~1
C:\Documents and Settings\Saleem Sheikh\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Saleem Sheikh\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\Common Files\StorageProtector
C:\Program Files\WindowsUpdate\wexucyp89104.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\Cache\creditcard.bmp
C:\WINDOWS\system32\Cache\msg.bin
C:\WINDOWS\system32\Cache\search find 2.bmp
C:\WINDOWS\system32\Cache\showbtn.bmp
C:\WINDOWS\system32\Cache\showbtn1.bmp
C:\WINDOWS\system32\Cache\showbtn12.bmp
C:\WINDOWS\system32\Cache\web app.bmp
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\SYSTEM32\ndtieceg.ini
C:\WINDOWS\SYSTEM32\opqru.ini
C:\WINDOWS\SYSTEM32\opqru.ini2
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\zxdnt3d.cfg
.
((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.
2008-03-02 17:51 . 2008-03-02 20:23 <DIR> d-------- C:\VundoFix Backups
2008-03-02 15:42 . 2008-03-02 15:42 49,168 --a------ C:\WINDOWS\SYSTEM32\kmwnw64q.exe
2008-03-02 11:32 . 2008-03-02 11:33 200,769 --a------ C:\WINDOWS\SYSTEM32\ncntnlwb.exe
2008-03-02 01:50 . 2008-03-02 01:50 49,184 --a------ C:\WINDOWS\SYSTEM32\kmwnw64l.exe
2008-03-02 01:29 . 2008-03-02 01:29 200,772 --a------ C:\WINDOWS\SYSTEM32\kcntnlwb.exe
2008-03-01 23:10 . 2008-03-02 00:15 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-01 23:10 . 2008-03-01 23:10 <DIR> d-------- C:\Documents and Settings\Saleem Sheikh\Application Data\PC Tools
2008-03-01 23:10 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-03-01 23:10 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-03-01 23:10 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-03-01 23:10 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-03-01 23:07 . 2008-03-02 15:39 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-03-01 21:21 . 2008-03-02 01:31 261,896 --a------ C:\Documents and Settings\Saleem Sheikh\Application Data\setup_en[1].exe
2008-03-01 13:06 . 2008-03-02 11:33 22 --a------ C:\WINDOWS\pskt.ini
2008-03-01 00:55 . 2008-03-01 00:55 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUK.ico
2008-02-29 23:51 . 2008-02-29 23:51 13,942 --a------ C:\WINDOWS\SYSTEM32\N90-002.ico
2008-02-29 23:50 . 2008-02-29 23:50 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMon
2008-02-29 23:48 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2008-02-29 23:47 . 2008-02-29 23:47 49,176 --a------ C:\WINDOWS\SYSTEM32\knwnw64s.exe
2008-02-29 23:36 . 2008-03-02 11:01 <DIR> d--hs---- C:\WINDOWS\QUE
2008-02-29 23:36 . 2008-03-01 21:19 <DIR> d-------- C:\Program Files\RABCO
2008-02-29 23:36 . 2008-02-29 23:36 200,766 --a------ C:\WINDOWS\SYSTEM32\tcntolwb.exe
2008-02-29 23:36 . 2008-02-29 23:36 49,163 --a------ C:\WINDOWS\SYSTEM32\rwwnw64d.exe
2008-02-29 23:36 . 2008-02-29 23:36 37,376 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-02-29 23:35 . 2008-02-29 23:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\sx1
2008-02-29 23:35 . 2008-02-29 23:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\pz8
2008-02-29 23:35 . 2008-02-29 23:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\mb4
2008-02-29 23:35 . 2008-03-02 11:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\iDlo01
2008-02-29 23:35 . 2008-03-02 11:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\bt2
2008-02-29 23:35 . 2008-02-29 23:36 <DIR> d-------- C:\Temp\sanR24
2008-02-13 19:13 . 2008-02-29 19:36 <DIR> d-------- C:\Documents and Settings\Saleem Sheikh\Application Data\NCH Swift Sound
2008-02-13 19:13 . 2008-02-13 19:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NCH Swift Sound
2008-02-13 19:12 . 2008-02-13 19:12 <DIR> d-------- C:\Program Files\NCH Software
2008-02-13 19:11 . 2008-02-29 19:36 <DIR> d-------- C:\Program Files\NCH Swift Sound
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 21:47 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-03-03 21:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-01 23:04 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2008-02-11 18:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-29 20:59 200 ----a-w C:\Documents and Settings\Saleem Sheikh\HiScores.dat
2008-01-22 14:40 --------- d-----w C:\Program Files\Google
2007-12-30 08:46 737,280 ----a-w C:\WINDOWS\iun6002.exe
2004-01-05 22:02 32 --sha-w C:\WINDOWS\{347B965F-4432-482C-B603-E0BABBC12087}.dat
2004-01-05 22:02 32 --sha-w C:\WINDOWS\SYSTEM32\{0369CF41-A946-46A6-9522-FBFCFC52F4DF}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B4BE51A-EB15-4180-B7EC-4AA657275F2D}]
C:\WINDOWS\system32\urqpo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvMon.exe"="C:\WINDOWS\System32\DrvMon.exe" [2004-09-10 02:16 53248]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 16:31 68856]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-11-21 02:11 3289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 23:17 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 23:21 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 23:15 610304]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-05-22 22:15 327680]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 20:18 368640]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 07:04 114741]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 16:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-09-23 17:23 204800]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 16:11 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 16:11 58392]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 19:12 290816]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-03-14 16:57 100056]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 15:24 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-23 12:01 282624]
"Athan"="C:\Program Files\Athan\Athan.exe" [2007-09-06 19:25 1003520]
"BigDog305"="C:\WINDOWS\VM305_STI.exe" [2005-08-05 14:15 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-25 16:27 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"{E5-54-4D-D1-DW}"="C:\windows\system32\rwwnw64d.exe" [2008-02-29 23:36 49163]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]
"BM7bcd67e2"="C:\WINDOWS\system32\yjrnjyuk.dll" [ ]
"ExploreUpdSched"="C:\WINDOWS\system32\rcntnlwb.exe" [2008-03-03 21:46 200772]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjggff]
ljjggff.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

S3 ZSMC0305;SUPER 188 PC CAMERA;C:\WINDOWS\system32\Drivers\usbVM305.sys [2006-03-22 12:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{efe54238-9b94-11dc-9ad4-000d56ad71b7}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 21:45:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\winpfz37.sys 922 bytes
C:\WINDOWS\system32\zxdnt3d.cfg 21 bytes
scan completed successfully
hidden files: 2
**************************************************************************
.
(((((((((((((((((((((((((((((((((((((((( Running Processes ))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cscript.exe
C:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-03-03 22:15:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-03 22:13:06
.
2008-02-15 08:14:35 --- E O F ---
=============================================

Jabuck, can you please tell me about the other 2 problems mentioned in my original message.
Saiza
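The log above is what a helper reads by eye: orphaned "(file missing)" entries (the source of the "specified module could not be found" error at logon), randomly named binaries dropped straight into system32, and a Run entry that loads a DLL through Rundll32. The following script is an added example written for this page, not a tool from the thread or from HijackThis; it applies those three heuristics to a constructed sample of nine lines copied in the shape of the log. The `looks_random` test (no vowels, or a run of five consonants) is an assumption of this example and a triage aid only, so oddly named vendor binaries can also trip it.

```python
import ntpath
import re

# Constructed sample: nine lines in the shape of the HijackThis v2.0.2 log posted
# above (vendor entries plus the suspect ones), embedded so the script runs offline.
# In real use, read the saved log file instead of this string.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5B4BE51A-EB15-4180-B7EC-4AA657275F2D} - C:\WINDOWS\system32\urqpo.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BM7bcd67e2] Rundll32.exe "C:\WINDOWS\system32\yjrnjyuk.dll",s
O4 - HKLM\..\Run: [{E5-54-4D-D1-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\kcntnlwb.exe DWram
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\kcntnlwb.exe
O20 - Winlogon Notify: ljjggff - ljjggff.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# First absolute Windows path on the line that ends in an executable extension.
PATH_RE = re.compile(r'(?i)[a-z]:\\[^",]+?\.(?:exe|dll|sys)\b')
# A freshly dropped, randomly named binary directly in one of these roots is the
# classic Vundo pattern seen in the log above.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
VOWELS = set("aeiou")


def looks_random(stem):
    """Heuristic (this example's assumption): a file stem with no vowels, or with a
    run of five or more consonants, reads as machine-generated."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    if not any(c in VOWELS for c in letters):
        return True
    run = best = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        best = max(best, run)
    return best >= 5


def triage(log_text):
    """Return (section, entry, reasons) for every O-line that deserves a human look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith("O"):
            continue                      # R-lines (IE start pages) are out of scope here
        section = line.split(" ", 1)[0]   # "O2", "O4", "O20", ...
        match = PATH_RE.search(line)
        target = match.group(0) if match else line.split(" - ", 1)[-1]
        reasons = []
        if "(file missing)" in line or "(no file)" in line:
            reasons.append("orphaned entry: still loaded at logon, which is what produces "
                           "'The specified module could not be found'")
        if match:
            directory = ntpath.dirname(target).lower()
            stem = ntpath.splitext(ntpath.basename(target))[0]
            if directory in SYSTEM_DIRS and looks_random(stem):
                reasons.append("random-looking file name dropped directly in the Windows/system32 root")
            if section == "O4" and "rundll32" in line.lower() and target.lower().endswith(".dll"):
                reasons.append("Run entry loads a DLL through Rundll32")
        if reasons:
            findings.append((section, target, reasons))
    return findings


if __name__ == "__main__":
    for section, target, reasons in triage(SAMPLE_LOG):
        print(f"{section:<4} {target}\n     " + "\n     ".join(reasons))
```

Run against the sample it flags six entries (the two orphaned ones, the three random-name binaries including the Startup shortcut, and the Rundll32 loader) and leaves the Adobe, Synaptics and Symantec lines alone; the reasons are what a reviewer would write back to the poster, not a verdict.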
Response Number 3
Name: jabuck
Date: March 3, 2008 at 15:37:44 Pacific
Subject: pos tmp files on c, red x,slow,dll
Reply: Spyware sweeper and any other realtime protection must be turned off or the fixes may not work. Some of the problem is a reinfection.

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\SYSTEM32\kmwnw64q.exe
C:\WINDOWS\SYSTEM32\ncntnlwb.exe
C:\WINDOWS\SYSTEM32\kmwnw64l.exe
C:\WINDOWS\SYSTEM32\kcntnlwb.exe
C:\Documents and Settings\Saleem Sheikh\Application Data\setup_en[1].exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\knwnw64s.exe
C:\WINDOWS\SYSTEM32\tcntolwb.exe
C:\WINDOWS\SYSTEM32\rwwnw64d.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\{347B965F-4432-482C-B603-E0BABBC12087}.dat
C:\WINDOWS\SYSTEM32\{0369CF41-A946-46A6-9522-FBFCFC52F4DF}.dat
C:\WINDOWS\system32\urqpo.dll
C:\WINDOWS\system32\yjrnjyuk.dll
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\system32\ljjggff.dll
C:\WINDOWS\ljjggff.dll
C:\WINDOWS\system32\urqpo.dll

Driver::
ljjggff

Folder::
C:\VundoFix Backups
C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMon
C:\WINDOWS\SYSTEM32\sx1
C:\WINDOWS\SYSTEM32\pz8
C:\WINDOWS\SYSTEM32\mb4
C:\WINDOWS\SYSTEM32\iDlo01
C:\WINDOWS\SYSTEM32\bt2
C:\Temp\sanR24

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B4BE51A-EB15-4180-B7EC-4AA657275F2D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{E5-54-4D-D1-DW}"=-
"BM7bcd67e2"=-
"ExploreUpdSched"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjggff]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto start click "run".
Post a new ComboFix log.
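The reply above relies on four CFScript directives (File::, Driver::, Folder::, Registry::) and on two conventions the poster has to get right by hand: "File::" must be the first line, and the file must be saved as plain CFScript.txt rather than CFScript.txt.txt. The validator below is an added example written for this page, not part of ComboFix or of the thread; it parses a constructed, shortened copy of the script (one duplicate path left in on purpose), decodes the REGEDIT4-style Registry:: block (`[-KEY]` deletes a key, `[KEY]` selects one, `"name"=-` deletes a value), and reports problems before the script is ever dropped onto ComboFix. Only the four directives on this page are recognised; any other directive name is an assumption the example deliberately does not make.

```python
import re

# The four section directives used in the reply above. ComboFix knows others, but
# this example only accepts what the page shows.
KNOWN_SECTIONS = ("File", "Driver", "Folder", "Registry")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
VALUE_DELETE_RE = re.compile(r'^"([^"]+)"=-$')

# Constructed sample: a shortened version of the CFScript in the reply above, with
# one duplicate File:: path kept so the validator has something to report.
SAMPLE_SCRIPT = r"""File::
C:\WINDOWS\SYSTEM32\kmwnw64q.exe
C:\WINDOWS\SYSTEM32\kcntnlwb.exe
C:\WINDOWS\system32\urqpo.dll
C:\WINDOWS\system32\yjrnjyuk.dll
C:\WINDOWS\system32\urqpo.dll

Driver::
ljjggff

Folder::
C:\VundoFix Backups
C:\WINDOWS\SYSTEM32\sx1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B4BE51A-EB15-4180-B7EC-4AA657275F2D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{E5-54-4D-D1-DW}"=-
"BM7bcd67e2"=-
"ExploreUpdSched"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjggff]
"""


def parse_cfscript(text):
    """Split a CFScript into sections, decode the Registry:: block and list problems.
    Returns (sections, registry_ops, problems)."""
    sections, problems, current = {}, [], None
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != "File::":
        problems.append("'File::' must be the first line of the script")
    for ln in lines:
        if ln.endswith("::"):
            current = ln[:-2]
            if current not in KNOWN_SECTIONS:
                problems.append(f"unknown directive {ln!r}")
            sections.setdefault(current, [])
        elif current is None:
            problems.append(f"line before any directive: {ln!r}")
        else:
            sections[current].append(ln)

    # File:: and Folder:: entries must be absolute paths; a duplicate is a copy/paste slip.
    for name in ("File", "Folder"):
        seen = set()
        for path in sections.get(name, []):
            if not ABS_PATH_RE.match(path):
                problems.append(f"{name}:: entry is not an absolute path: {path!r}")
            if path.lower() in seen:
                problems.append(f"duplicate {name}:: entry: {path}")
            seen.add(path.lower())
    # Driver:: takes bare service names (as 'ljjggff' above), never paths.
    for drv in sections.get("Driver", []):
        if "\\" in drv or "." in drv:
            problems.append(f"Driver:: entry should be a service name, not a path: {drv!r}")

    # Registry:: uses REGEDIT4 syntax: [-KEY] deletes a key, [KEY] selects one,
    # and "name"=- deletes a value under the selected key.
    registry_ops, key = [], None
    for ln in sections.get("Registry", []):
        if ln.startswith("[-") and ln.endswith("]"):
            registry_ops.append(("delete_key", ln[2:-1]))
            key = None
        elif ln.startswith("[") and ln.endswith("]"):
            key = ln[1:-1]
        else:
            m = VALUE_DELETE_RE.match(ln)
            if m and key:
                registry_ops.append(("delete_value", key, m.group(1)))
            else:
                problems.append(f"Registry:: line not understood: {ln!r}")
    return sections, registry_ops, problems


def is_valid_script_name(filename):
    """Notepad appends .txt unless 'Save As Type' is All Files, giving CFScript.txt.txt."""
    return filename.lower() == "cfscript.txt"


if __name__ == "__main__":
    sections, ops, problems = parse_cfscript(SAMPLE_SCRIPT)
    for name, entries in sections.items():
        print(f"{name}:: {len(entries)} entries")
    for op in ops:
        print("registry", *op)
    print("problems:", problems or "none")
```

On the sample this yields five File:: entries, one Driver::, two Folder::, five registry operations (two key deletions and the three value deletions under the Run key), and exactly one problem, the duplicated urqpo.dll line. A script whose first non-blank line is not "File::" is reported before anything else is examined.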
Response Number 4
Name: saiza
Date: March 4, 2008 at 14:55:01 Pacific
Subject: pos tmp files on c, red x,slow,dll
Reply: Thanks a lot jabuck for your efforts. Please find below the new combofix log.

ComboFix 08-03-03.4 - Saleem Sheikh 2008-03-05 22:41:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247 [GMT 0:00]
Running from: C:\Documents and Settings\Saleem Sheikh\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Saleem Sheikh\Desktop\CFScript.txt
 * Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\Documents and Settings\Saleem Sheikh\Application Data\setup_en[1].exe
C:\WINDOWS\{347B965F-4432-482C-B603-E0BABBC12087}.dat
C:\WINDOWS\ljjggff.dll
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\{0369CF41-A946-46A6-9522-FBFCFC52F4DF}.dat
C:\WINDOWS\SYSTEM32\kcntnlwb.exe
C:\WINDOWS\SYSTEM32\kmwnw64l.exe
C:\WINDOWS\SYSTEM32\kmwnw64q.exe
C:\WINDOWS\SYSTEM32\knwnw64s.exe
C:\WINDOWS\system32\ljjggff.dll
C:\WINDOWS\SYSTEM32\ncntnlwb.exe
C:\WINDOWS\SYSTEM32\rwwnw64d.exe
C:\WINDOWS\SYSTEM32\tcntolwb.exe
C:\WINDOWS\system32\urqpo.dll
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\yjrnjyuk.dll
C:\WINDOWS\system32\zxdnt3d.cfg
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMon
C:\Documents and Settings\Saleem Sheikh\Application Data\setup_en[1].exe
C:\Documents and Settings\Saleem Sheikh\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Saleem Sheikh\Start Menu\Programs\Startup\DW_Start.lnk
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\dbfobxeu.dllbox.bad
C:\VundoFix Backups\odjfbfid.dll.bad
C:\VundoFix Backups\ssqnmnk.dll.bad
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\bt2
C:\WINDOWS\SYSTEM32\iDlo01
C:\WINDOWS\SYSTEM32\kcntnlwb.exe
C:\WINDOWS\SYSTEM32\kmwnw64l.exe
C:\WINDOWS\SYSTEM32\kmwnw64q.exe
C:\WINDOWS\SYSTEM32\knwnw64s.exe
C:\WINDOWS\SYSTEM32\mb4
C:\WINDOWS\SYSTEM32\mb4\renabcom4.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\SYSTEM32\ncntnlwb.exe
C:\WINDOWS\SYSTEM32\pz8
C:\WINDOWS\SYSTEM32\pz8\np89104.exe
C:\WINDOWS\SYSTEM32\rwwnw64d.exe
C:\WINDOWS\SYSTEM32\sx1
C:\WINDOWS\SYSTEM32\sx1\ravecom3.exe
C:\WINDOWS\SYSTEM32\tcntolwb.exe
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\zxdnt3d.cfg
.
((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 )))))))))))))))))))))))))))))))
.
2008-03-05 22:27 . 2008-03-05 22:27 49,176 --a------ C:\WINDOWS\SYSTEM32\kkwnw64m.exe
2008-03-05 22:02 . 2008-03-05 22:02 200,772 --a------ C:\WINDOWS\SYSTEM32\qcntllwb.exe
2008-03-04 11:38 . 2008-03-04 11:38 1,635 --a------ C:\WINDOWS\SYSTEM32\drbingo.ico
2008-03-03 22:47 . 2008-03-03 22:47 49,175 --a------ C:\WINDOWS\SYSTEM32\kmwnw64o.exe
2008-03-03 21:46 . 2008-03-03 21:46 200,772 --a------ C:\WINDOWS\SYSTEM32\rcntnlwb.exe
2008-03-01 23:10 . 2008-03-05 16:21 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-01 23:10 . 2008-03-01 23:10 <DIR> d-------- C:\Documents and Settings\Saleem Sheikh\Application Data\PC Tools
2008-03-01 23:10 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-03-01 23:10 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-03-01 23:10 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-03-01 23:10 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-03-01 00:55 . 2008-03-01 00:55 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUK.ico
2008-02-29 23:51 . 2008-02-29 23:51 13,942 --a------ C:\WINDOWS\SYSTEM32\N90-002.ico
2008-02-29 23:48 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2008-02-29 23:36 . 2008-03-02 11:01 <DIR> d--hs---- C:\WINDOWS\QUE
2008-02-29 23:36 . 2008-03-01 21:19 <DIR> d-------- C:\Program Files\RABCO
2008-02-13 19:13 . 2008-02-29 19:36 <DIR> d-------- C:\Documents and Settings\Saleem Sheikh\Application Data\NCH Swift Sound
2008-02-13 19:13 . 2008-02-13 19:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NCH Swift Sound
2008-02-13 19:12 . 2008-02-13 19:12 <DIR> d-------- C:\Program Files\NCH Software
2008-02-13 19:11 . 2008-02-29 19:36 <DIR> d-------- C:\Program Files\NCH Swift Sound
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-05 22:45 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-03-05 22:30 --------- d-----w C:\Program Files\Symantec
2008-03-05 22:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-05 22:23 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2008-03-05 22:18 --------- d-----w C:\Documents and Settings\Saleem Sheikh\Application Data\Lavasoft
2008-03-04 22:55 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2008-02-11 18:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-29 20:59 200 ----a-w C:\Documents and Settings\Saleem Sheikh\HiScores.dat
2008-01-22 14:40 --------- d-----w C:\Program Files\Google
2007-12-30 08:46 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-12-25 16:28 499,712 ----a-w C:\WINDOWS\SYSTEM32\msvcp71.dll
2007-12-25 16:28 348,160 ----a-w C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvMon.exe"="C:\WINDOWS\System32\DrvMon.exe" [2004-09-10 02:16 53248]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 16:31 68856]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-11-21 02:11 3289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 23:17 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 23:21 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 23:15 610304]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-05-22 22:15 327680]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 20:18 368640]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 07:04 114741]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 16:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-09-23 17:23 204800]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 19:12 290816]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 15:24 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-23 12:01 282624]
"Athan"="C:\Program Files\Athan\Athan.exe" [2007-09-06 19:25 1003520]
"BigDog305"="C:\WINDOWS\VM305_STI.exe" [2005-08-05 14:15 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-25 16:27 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-10 16:31:09 124912]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2004-02-26 13:10:33 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

S3 ZSMC0305;SUPER 188 PC CAMERA;C:\WINDOWS\system32\Drivers\usbVM305.sys [2006-03-22 12:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{efe54238-9b94-11dc-9ad4-000d56ad71b7}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 22:45:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-05 22:47:43 ComboFix-quarantined-files.txt 2008-03-05 22:46:44 ComboFix2.txt 2008-03-03 22:15:57 . 2008-02-15 08:14:35 --- E O F --- If you can please also let me know what to do about the rundll error that I get when I start the system. Thanks in advance Saiza
Response Number 5
Name: jabuck
Date: March 4, 2008 at 16:09:32 Pacific
Subject: pos tmp files on c, red x,slow,dll
Reply: (edit) Most likely there are still some files needing to be deleted that try to run on the computer but do not have enough support from the malware, causing the rundll error.

Download SDFix to your desktop from the following link: SDFix.exe.
Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, the Advanced Options Menu should appear.
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
Press any key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to the Clipboard ready for posting back on the forum).
Finally, paste the contents of the Report.txt.
Post a new Hijack This log please.
Response Number 6
Name: saiza
Date: March 5, 2008 at 08:50:37 Pacific
Subject: pos tmp files on c, red x,slow,dll
Reply: (edit) Hi,

Report.txt Log
===============
SDFix: Version 1.153
Run by Saleem Sheikh on Thu 03/06/2008 at 04:12 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting

Checking Files:
Trojan Files Found:
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M0611NetInstaller.exe - Deleted
Removing Temp Files

ADS Check:

Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 16:23:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\TVAnts\\Tvants.exe"="C:\\Program Files\\TVAnts\\Tvants.exe:*:Enabled:TVAnts"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:
Sun 3 Apr 2005 400 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Sun 3 Apr 2005 48 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Mon 24 Sep 2007 97,280 ...H. --- "C:\Documents and Settings\Saleem Sheikh\Desktop\~WRL0002.tmp"
Sun 13 Jan 2008 98,304 ...H. --- "C:\Documents and Settings\Saleem Sheikh\Desktop\~WRL2641.tmp"
Fri 29 Feb 2008 41,723 A.SH. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197780.exe"
Tue 15 Jan 2008 140,800 A.SH. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197781.exe"
Wed 25 Feb 2004 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Wed 25 Feb 2004 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Fri 27 Apr 2007 8 A..H. --- "C:\Documents and Settings\Saleem Sheikh\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Fri 27 Apr 2007 8 A..H. --- "C:\Documents and Settings\Saleem Sheikh\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Fri 27 Apr 2007 8 A..H. --- "C:\Documents and Settings\Saleem Sheikh\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Fri 27 Apr 2007 8 A..H. --- "C:\Documents and Settings\Saleem Sheikh\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!
====================================================================================================================================

HijackThis Log:
---------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:57 PM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\System32\DrvMon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Documents and Settings\Saleem Sheikh\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKUS\S-1-5-18\..\RunOnce: [barcontrol.dll OCX] regsvr32.exe /s "C:\Program Files\Common Files\Real\GToolbar\barcontrol.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [barcontrol.dll OCX] regsvr32.exe /s "C:\Program Files\Common Files\Real\GToolbar\barcontrol.dll" (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/download...
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads...
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8011 bytes
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The red X on my C drive has appeared once again :( Thanks in advance. You are very very helpful!!!
Saiza
Response Number 8
Name: saiza
Date: March 6, 2008 at 15:11:02 Pacific
Subject: pos tmp files on c, red x,slow,dll
Reply: (edit) Hi jabuck... Please find below the fresh logs for ComboFix.

ComboFix 08-03-03.4 - Saleem Sheikh 2008-03-07 22:57:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.246 [GMT 0:00]
Running from: C:\Documents and Settings\Saleem Sheikh\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.
2008-03-06 16:08 . 2008-03-06 16:09 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-06 16:02 . 2008-03-06 16:31 <DIR> d-------- C:\SDFix
2008-03-05 22:27 . 2008-03-05 22:27 49,176 --a------ C:\WINDOWS\SYSTEM32\kkwnw64m.exe
2008-03-05 22:02 . 2008-03-05 22:02 200,772 --a------ C:\WINDOWS\SYSTEM32\qcntllwb.exe
2008-03-04 11:38 . 2008-03-04 11:38 1,635 --a------ C:\WINDOWS\SYSTEM32\drbingo.ico
2008-03-03 22:47 . 2008-03-03 22:47 49,175 --a------ C:\WINDOWS\SYSTEM32\kmwnw64o.exe
2008-03-03 21:46 . 2008-03-03 21:46 200,772 --a------ C:\WINDOWS\SYSTEM32\rcntnlwb.exe
2008-03-01 23:10 . 2008-03-07 11:38 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-01 23:10 . 2008-03-01 23:10 <DIR> d-------- C:\Documents and Settings\Saleem Sheikh\Application Data\PC Tools
2008-03-01 23:10 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-03-01 23:10 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-03-01 23:10 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-03-01 23:10 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-03-01 00:55 . 2008-03-01 00:55 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUK.ico
2008-02-29 23:51 . 2008-02-29 23:51 13,942 --a------ C:\WINDOWS\SYSTEM32\N90-002.ico
2008-02-29 23:48 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2008-02-29 23:36 . 2008-03-02 11:01 <DIR> d--hs---- C:\WINDOWS\QUE
2008-02-29 23:36 . 2008-03-01 21:19 <DIR> d-------- C:\Program Files\RABCO
2008-02-13 19:13 . 2008-02-29 19:36 <DIR> d-------- C:\Documents and Settings\Saleem Sheikh\Application Data\NCH Swift Sound
2008-02-13 19:13 . 2008-02-13 19:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NCH Swift Sound
2008-02-13 19:12 . 2008-02-13 19:12 <DIR> d-------- C:\Program Files\NCH Software
2008-02-13 19:11 . 2008-02-29 19:36 <DIR> d-------- C:\Program Files\NCH Swift Sound
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 23:00 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-03-07 16:26 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2008-03-05 22:30 --------- d-----w C:\Program Files\Symantec
2008-03-05 22:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-05 22:23 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2008-03-05 22:18 --------- d-----w C:\Documents and Settings\Saleem Sheikh\Application Data\Lavasoft
2008-02-11 18:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-29 20:59 200 ----a-w C:\Documents and Settings\Saleem Sheikh\HiScores.dat
2008-01-22 14:40 --------- d-----w C:\Program Files\Google
2007-12-30 08:46 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-12-25 16:28 499,712 ----a-w C:\WINDOWS\SYSTEM32\msvcp71.dll
2007-12-25 16:28 348,160 ----a-w C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvMon.exe"="C:\WINDOWS\System32\DrvMon.exe" [2004-09-10 02:16 53248]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 16:31 68856]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-11-21 02:11 3289088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 23:17 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 23:21 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 23:15 610304]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-05-22 22:15 327680]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 20:18 368640]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 07:04 114741]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 16:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-09-23 17:23 204800]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 19:12 290816]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 15:24 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-23 12:01 282624]
"Athan"="C:\Program Files\Athan\Athan.exe" [2007-09-06 19:25 1003520]
"BigDog305"="C:\WINDOWS\VM305_STI.exe" [2005-08-05 14:15 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-25 16:27 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-10 16:31:09 124912]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2004-02-26 13:10:33 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
R3 ZSMC0305;SUPER 188 PC CAMERA;C:\WINDOWS\system32\Drivers\usbVM305.sys [2006-03-22 12:54]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{efe54238-9b94-11dc-9ad4-000d56ad71b7}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 23:01:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog305 = C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)???????????????????0?????????@??????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-07 23:03:05
ComboFix-quarantined-files.txt 2008-03-07 23:02:12
ComboFix2.txt 2008-03-05 22:47:44
ComboFix3.txt 2008-03-03 22:15:57
.
2008-02-15 08:14:35 --- E O F ---

Can you please let me know why CCleaner and Kaspersky Online Scanner are being suggested in other related queries?
Saiza
Response Number 9
Name: jabuck
Date: March 6, 2008 at 16:58:35 Pacific
Subject: pos tmp files on c, red x,slow,dll
Reply: (edit) We normally remove all visible signs of malware before running those two tools.

Make sure you have Spyware Sweeper disabled.
Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\SYSTEM32\kkwnw64m.exe
C:\WINDOWS\SYSTEM32\qcntllwb.exe
C:\WINDOWS\SYSTEM32\drbingo.ico
C:\WINDOWS\SYSTEM32\kmwnw64o.exe
C:\WINDOWS\SYSTEM32\rcntnlwb.exe
Folder::
C:\Program Files\RABCO
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start, click "run".

You certainly have a baddie, but unfortunately you posted a Hijack This log without being requested to (against forum rules), so this post will get deleted by the moderator. Once it is deleted, post again and state only the problem, no logs please.

Download CCleaner from the following link: http://filehippo.com/download_ccleaner/
After you download it to your desktop and begin installing it, only allow the "install icon on desktop" to install. Then run it, use only as suggested; it's powerful, use only the prechecked items.

Run an online scan with Kaspersky from the following link: Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.
Click Yes, when prompted to install its ActiveX component.
(Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next.
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database: Extended
Scan Options: Scan Archives, Scan Mail Base
Click OK and, under select a target to scan, select My Computer.
When the scan is done, in the Scan is completed window (below), any infection is displayed. There is no option to clean/disinfect; however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
Post a new ComboFix log and Hijack This log please.
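A defender-side triage of the two log formats this reply works from, written as an added example; it is not code from the forum, ComboFix, HijackThis or Kaspersky. It parses constructed lines modelled on the logs posted above (the sample text, the triage_* function names and the timestamp-order assumption noted in the comments are my own) and lists the entries a helper would check first, such as the freshly dropped SYSTEM32 executables the CFScript above targets.

```python
"""Triage helper for ComboFix "Files Created" entries and HijackThis R/O lines.
Added example, not a ComboFix, HijackThis or forum tool. It flags items a helper
would look at first; a flag is a prompt to verify, not a verdict."""
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample input modelled on the logs posted in this thread (not a live capture).
COMBOFIX_CREATED = r"""
2008-03-06 16:02 . 2008-03-06 16:31 <DIR> d-------- C:\SDFix
2008-03-05 22:27 . 2008-03-05 22:27 49,176 --a------ C:\WINDOWS\SYSTEM32\kkwnw64m.exe
2008-03-05 22:02 . 2008-03-05 22:02 200,772 --a------ C:\WINDOWS\SYSTEM32\qcntllwb.exe
2008-03-03 21:46 . 2008-03-03 21:46 200,772 --a------ C:\WINDOWS\SYSTEM32\rcntnlwb.exe
2008-03-01 23:10 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-02-29 23:48 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
"""
SCAN_DATE = date(2008, 3, 7)  # date of the ComboFix run the sample is modelled on

HIJACKTHIS = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [barcontrol.dll OCX] regsvr32.exe /s "C:\Program Files\Common Files\Real\GToolbar\barcontrol.dll" (User 'SYSTEM')
"""


@dataclass
class Finding:
    source: str   # "combofix" or "hijackthis"
    item: str     # the path or log line the finding is about
    reason: str


# ComboFix line layout as seen in the thread: "<created> . <modified> <size|<DIR>> <attrs> <path>".
# Assumption: the first stamp is the creation time (the section is headed
# "Files Created from ... to ...") and the second the last-write time.
CF_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. (\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+"
    r"(<DIR>|[\d,]+)\s+\S+\s+(.+)$"
)


def triage_combofix(text: str, scan_date: date, window_days: int = 14) -> list:
    """Flag executables written straight into SYSTEM32 shortly before the scan.
    A file copied in by an installer usually keeps an older last-write time;
    one whose created and modified dates coincide was written fresh on this box."""
    findings = []
    for line in text.splitlines():
        m = CF_RE.match(line)
        if not m:
            continue
        created, modified, size, path = m.groups()
        if size == "<DIR>":
            continue
        low = path.lower()
        # exactly three separators: C:\WINDOWS\SYSTEM32\<file>, not a subfolder such as DRIVERS
        directly_in_sys32 = low.startswith("c:\\windows\\system32\\") and low.count("\\") == 3
        age = (scan_date - date.fromisoformat(created)).days
        if directly_in_sys32 and low.endswith(".exe") and age <= window_days and created == modified:
            findings.append(Finding("combofix", path,
                                    f"executable written into SYSTEM32 {age} day(s) before the scan; "
                                    "created and modified dates coincide"))
    return findings


HJT_RE = re.compile(r"^([RO]\d+) - (.*)$")


def triage_hijackthis(text: str) -> list:
    """Flag the HijackThis lines a helper would question first."""
    findings = []
    for line in text.splitlines():
        m = HJT_RE.match(line)
        if not m:
            continue
        code, body = m.groups()
        low = body.lower()
        if code.startswith("R") and "proxyserver" in low:
            findings.append(Finding("hijackthis", line,
                                    "a browser proxy is set in the registry; confirm it was configured on purpose"))
        elif low.endswith("(file missing)") or low.endswith("(no file)"):
            findings.append(Finding("hijackthis", line,
                                    "orphaned entry: the referenced file is gone, safe to clean up"))
        elif code == "O4" and "runonce" in low and "regsvr32" in low:
            findings.append(Finding("hijackthis", line,
                                    "RunOnce registers a DLL with regsvr32 at logon; check the DLL's publisher"))
        elif code == "O4" and low.startswith("hkcu") and "\\system32\\" in low:
            findings.append(Finding("hijackthis", line,
                                    "per-user Run key launches a SYSTEM32 binary; verify the file's origin"))
    return findings


if __name__ == "__main__":
    for f in triage_combofix(COMBOFIX_CREATED, SCAN_DATE) + triage_hijackthis(HIJACKTHIS):
        print(f"[{f.source}] {f.item}\n    -> {f.reason}")
```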
Response Number 10
Name: saiza
Date: March 7, 2008 at 18:13:27 Pacific
Subject: pos tmp files on c, red x,slow,dll
Reply: (edit) Sorry, I did not realise that I posted the logs without request.

Kaspersky Log:
=============
---------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 09, 2008 1:57:52 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/03/2008
Kaspersky Anti-Virus database records: 611526
---------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 64391
Number of viruses found: 21
Number of infected objects: 71
Number of suspicious objects: 0
Duration of the scan process: 01:33:21
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Aventail\LogFiles\odxsp.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Local Settings\History\History.IE5\MSHist012008030920080310\index.dat Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Local Settings\Temp\~DF29DC.tmp Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\ntuser.dat Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\QooBox\Quarantine\C\Documents and Settings\Saleem Sheikh\Application Data\setup_en[1].exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.ec skipped
C:\QooBox\Quarantine\C\Program Files\RABCO\RABCO.dll.vir Infected: not-a-virus:AdWare.Win32.Rabio.h skipped
C:\QooBox\Quarantine\C\Program Files\WindowsUpdate\wexucyp89104.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\QooBox\Quarantine\C\VundoFix Backups\odjfbfid.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\ssqnmnk.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.tmp.vir Infected: Trojan-Downloader.Win32.Agent.jya skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kcntnlwb.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kkwnw64m.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kmwnw64l.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kmwnw64o.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kmwnw64q.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\knwnw64s.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mb4\renabcom4.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ncntnlwb.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pz8\np89104.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pz8\np89104.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qcntllwb.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rcntnlwb.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rwwnw64d.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\sx1\ravecom3.exe.vir Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tcntolwb.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\SDFix\backups\backups.zip/backups/UGA6P_0001_N122M0611NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1003\A0202028.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1003\A0202030.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1003\A0202037.exe Infected: Trojan-Downloader.Win32.Agent.jya skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1003\A0202038.exe Infected: Trojan-Downloader.Win32.Agent.jya skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1003\A0204041.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1003\A0204042.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1004\A0204077.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1004\A0204078.exe Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1004\A0204079.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1004\A0204085.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1004\A0204139.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ce skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1004\A0204141.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1005\A0204172.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1005\A0204173.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204817.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204818.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204818.exe NSIS: infected - 1 skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204819.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204823.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ec skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204825.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204826.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204827.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204828.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204829.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204830.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204831.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204895.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped C:\System Volume 
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1015\A0206090.dll Infected: not-a-virus:AdWare.Win32.Rabio.h skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1015\A0206092.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1015\A0206093.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1015\A0206094.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1015\A0206095.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1015\change.log Object is locked skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP998\A0193747.exe Infected: Trojan-Downloader.Win32.Agent.jya skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0193762.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0194776.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0195752.exe Infected: not-a-virus:Downloader.Win32.WinFixer.cv skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0195776.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0196769.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197769.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197774.exe Infected: 
Trojan-Downloader.Win32.PurityScan.fj skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197775.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197777.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197780.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197780.exe NSIS: infected - 1 skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197781.exe Infected: Trojan.Win32.Scapur.k skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197782.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197792.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped 
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\WIADEBUG.LOG Object is locked skipped C:\WINDOWS\WIASERVC.LOG Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed. ____________________________________________________________________________________________________________________________________ COmboFix Logs: ============== ComboFix 08-03-03.4 - Saleem Sheikh 2008-03-08 23:47:50.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.292 [GMT 0:00] Running from: C:\Documents and Settings\Saleem Sheikh\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Saleem Sheikh\Desktop\CFScript.txt * Created a new restore point [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] FILE :: C:\WINDOWS\SYSTEM32\drbingo.ico C:\WINDOWS\SYSTEM32\kkwnw64m.exe C:\WINDOWS\SYSTEM32\kmwnw64o.exe C:\WINDOWS\SYSTEM32\qcntllwb.exe C:\WINDOWS\SYSTEM32\rcntnlwb.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . 
C:\Program Files\RABCO C:\Program Files\RABCO\RABCO.dll C:\WINDOWS\SYSTEM32\drbingo.ico C:\WINDOWS\SYSTEM32\kkwnw64m.exe C:\WINDOWS\SYSTEM32\kmwnw64o.exe C:\WINDOWS\SYSTEM32\qcntllwb.exe C:\WINDOWS\SYSTEM32\rcntnlwb.exe . ((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 ))))))))))))))))))))))))))))))) . 2008-03-06 16:08 . 2008-03-06 16:09 <DIR> d-------- C:\WINDOWS\ERUNT 2008-03-06 16:02 . 2008-03-06 16:31 <DIR> d-------- C:\SDFix 2008-03-01 23:10 . 2008-03-07 11:38 <DIR> d-------- C:\Program Files\Spyware Doctor 2008-03-01 23:10 . 2008-03-01 23:10 <DIR> d-------- C:\Documents and Settings\Saleem Sheikh\Application Data\PC Tools 2008-03-01 23:10 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys 2008-03-01 23:10 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys 2008-03-01 23:10 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys 2008-03-01 23:10 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys 2008-03-01 00:55 . 2008-03-01 00:55 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUK.ico 2008-02-29 23:51 . 2008-02-29 23:51 13,942 --a------ C:\WINDOWS\SYSTEM32\N90-002.ico 2008-02-29 23:48 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll 2008-02-29 23:36 . 2008-03-02 11:01 <DIR> d--hs---- C:\WINDOWS\QUE 2008-02-13 19:13 . 2008-02-29 19:36 <DIR> d-------- C:\Documents and Settings\Saleem Sheikh\Application Data\NCH Swift Sound 2008-02-13 19:13 . 2008-02-13 19:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NCH Swift Sound 2008-02-13 19:12 . 2008-02-13 19:12 <DIR> d-------- C:\Program Files\NCH Software 2008-02-13 19:11 . 2008-02-29 19:36 <DIR> d-------- C:\Program Files\NCH Swift Sound . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-03-08 23:36 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP 2008-03-08 17:26 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater 2008-03-05 22:30 --------- d-----w C:\Program Files\Symantec 2008-03-05 22:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-03-05 22:23 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec 2008-03-05 22:18 --------- d-----w C:\Documents and Settings\Saleem Sheikh\Application Data\Lavasoft 2008-02-11 18:57 --------- d-----w C:\Program Files\Common Files\Adobe 2008-01-29 20:59 200 ----a-w C:\Documents and Settings\Saleem Sheikh\HiScores.dat 2008-01-22 14:40 --------- d-----w C:\Program Files\Google 2007-12-30 08:46 737,280 ----a-w C:\WINDOWS\iun6002.exe 2007-12-25 16:28 499,712 ----a-w C:\WINDOWS\SYSTEM32\msvcp71.dll 2007-12-25 16:28 348,160 ----a-w C:\WINDOWS\SYSTEM32\msvcr71.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DrvMon.exe"="C:\WINDOWS\System32\DrvMon.exe" [2004-09-10 02:16 53248] "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 16:31 68856] "googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-11-21 02:11 3289088] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIModeChange"="Ati2mdxx.exe" [2002-08-28 23:17 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe] "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe] "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 23:21 110592] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 23:15 610304] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-05-22 22:15 327680] 
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 07:04 114741] "DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 16:27 28672] "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-09-23 17:23 204800] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592] "Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 19:12 290816] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 15:24 278528] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-23 12:01 282624] "Athan"="C:\Program Files\Athan\Athan.exe" [2007-09-06 19:25 1003520] "BigDog305"="C:\WINDOWS\VM305_STI.exe" [2005-08-05 14:15 61440] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-25 16:27 185896] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792] C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-10 16:31:09 124912] Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2004-02-26 13:10:33 73728] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoViewOnDrive"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"= "C:\\Program Files\\TVAnts\\Tvants.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Internet Explorer\\iexplore.exe"= S3 ZSMC0305;SUPER 188 PC 
CAMERA;C:\WINDOWS\system32\Drivers\usbVM305.sys [2006-03-22 12:54] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{efe54238-9b94-11dc-9ad4-000d56ad71b7}] \Shell\AutoRun\command - E:\LaunchU3.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-08 23:51:16 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run BigDog305 = C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)???????????????????0?????????@?????????????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-03-08 23:52:52 ComboFix-quarantined-files.txt 2008-03-08 23:52:01 ComboFix2.txt 2008-03-07 23:03:06 ComboFix3.txt 2008-03-05 22:47:44 ComboFix4.txt 2008-03-03 22:15:57 . 
2008-02-15 08:14:35 --- E O F --- ____________________________________________________________________________________________________________________________________ HijackThis Logs =============== Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:00:41 AM, on 3/9/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Athan\Athan.exe C:\WINDOWS\VM305_STI.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\System32\DrvMon.exe C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Google\Google Talk\googletalk.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\explorer.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Documents and Settings\Saleem Sheikh\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/ R1 - 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin... R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=www.yahoo.com R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing) O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - 
HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305) O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart O4 - HKUS\S-1-5-18\..\RunOnce: [barcontrol.dll OCX] regsvr32.exe /s "C:\Program Files\Common Files\Real\GToolbar\barcontrol.dll" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [barcontrol.dll OCX] regsvr32.exe /s "C:\Program Files\Common Files\Real\GToolbar\barcontrol.dll" (User 'Default user') O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe O4 - Global Startup: Image Transfer.lnk = ? 
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/pa... O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin... O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/download... O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads... O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. 
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe -- End of file - 7805 bytes Sorry looks like my computer is taking too much of your time and efforts. Thanks a million!!!
Saiza
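The Kaspersky report above counts 71 infected objects, but where each object sits matters more than the count: a file inside a cleanup tool's quarantine or inside a System Restore point is not in any load path. The script below is an added example, not code from Kaspersky, ComboFix or anyone in this thread. It parses the report's one-line-per-object format and sorts every named detection into live files, quarantine (C:\QooBox\Quarantine is ComboFix's quarantine; the VundoFix Backups and SDFix\backups folders belong to those tools, and all three appear in the report) and restore points. SAMPLE_REPORT is a short excerpt of the posted report; the ADVICE strings are the editor's summary of the usual handling, not scanner output.

```python
"""Triage of a Kaspersky Online Scanner report.

Added example for this thread, not code from Kaspersky, ComboFix or any
poster. Each "Infected:" line is sorted by where the object lives, because
an object in a cleanup tool's quarantine or in a System Restore point is
not loadable and needs a different action from a live file.
SAMPLE_REPORT is a short excerpt of the report posted above.
"""
import re
from collections import Counter

SAMPLE_REPORT = r"""
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\QooBox\Quarantine\C\Program Files\RABCO\RABCO.dll.vir Infected: not-a-virus:AdWare.Win32.Rabio.h skipped
C:\QooBox\Quarantine\C\VundoFix Backups\odjfbfid.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\SDFix\backups\backups.zip/backups/UGA6P_0001_N122M0611NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1003\A0202037.exe Infected: Trojan-Downloader.Win32.Agent.jya skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1015\change.log Object is locked skipped
"""

# One report line: <path>, one of three verdicts, then the last action
# (always "skipped" here: the online scanner reports and does not clean).
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:"
    r"Infected:\s+(?P<name>\S+)"                  # named detection
    r"|(?P<locked>Object is locked)"              # in use, not scanned
    r"|(?P<container>[A-Za-z]+): infected - \d+"  # archive summary line
    r")\s+(?P<action>\S+)$"
)

# Folders whose contents are out of every load path. QooBox is ComboFix's
# quarantine; "VundoFix Backups" and SDFix\backups belong to those tools.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\vundofix backups\\", "\\sdfix\\backups\\")
RESTORE_MARKER = "\\system volume information\\_restore"


def classify(path):
    """Where the object lives: 'restore_point', 'quarantine' or 'live'."""
    p = path.lower()
    if RESTORE_MARKER in p:
        return "restore_point"
    if any(marker in p for marker in QUARANTINE_MARKERS):
        return "quarantine"
    return "live"


def parse_report(report):
    """Yield (location, path, detection) for each named detection.

    Locked objects carry no verdict, and an archive summary line (ZIP/NSIS)
    only repeats a member already listed on its own line, so both are
    dropped to avoid double counting.
    """
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("name"):
            continue
        yield classify(m.group("path")), m.group("path"), m.group("name")


def triage(report):
    """Return (Counter of findings per location, list of live (path, detection))."""
    findings = list(parse_report(report))
    counts = Counter(location for location, _, _ in findings)
    live = [(path, name) for location, path, name in findings if location == "live"]
    return counts, live


# Editor's summary of the usual handling, matching the steps given in this thread.
ADVICE = {
    "restore_point": "purge by turning System Restore off, applying, then back on",
    "quarantine": "remove with the owning tool's uninstall once the machine is confirmed clean",
    "live": "still present and loadable: needs removal",
}

if __name__ == "__main__":
    counts, live = triage(SAMPLE_REPORT)
    for location, n in counts.most_common():
        print(f"{n:3d} {location:14s} {ADVICE[location]}")
    for path, name in live:
        print(f"LIVE: {path}  ({name})")
```

Run over the full report above, the same split puts every detection except C:\Program Files\Common Files\Real\Toolbar\RealBar.dll in a quarantine folder or a restore point, so the 71 "skipped" hits are almost entirely leftovers of the cleanup rather than active infections.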
Response Number 11
Name: jabuck
Date: March 7, 2008 at 20:34:34 Pacific
Subject: pos tmp files on c, red x,slow,dll
Reply: Much better, your computer appears to be clean. A little cleanup left to do.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.

Run CCleaner again.

Go to Start > Run > type in combofix /u (there must be a space after combofix) then press OK. That will remove ComboFix.

Your Java is out of date and can be exploited. Download the latest version of Java from this link: Java. Click on the JDK 6 Update 5 download button. Check the box that says "Accept License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save it to your desktop. Close any programs you may have running, especially your web browser. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version. Reboot your computer once all Java components are removed. Then from your desktop double-click on jdk-6u5-windows-i586-p.exe to install the newest version.
Response Number 12
Name: saiza
Date: March 8, 2008 at 15:07:15 Pacific
Subject: pos tmp files on c, red x,slow,dll
Reply: Thanks a lot jabuck!!! I have done all the steps mentioned above. I have 2 questions... if you can please help me with those.

1) When I ran Kaspersky online scanner, there were around 25 viruses and 71 infections. Are they not harmful? How do I remove them???

2) When I am using Yahoo Messenger, there are some junk links that appear on IM screens as messages. Below is one such incident (translated from Vietnamese):
Mohd ismail: "Hair-raising" circus show http://gaigoitanbinh.xlphp.net/
Mohd ismail: "Hair-raising" circus show http://gaigoitanbinh.xlphp.net/
Can you please let me know how I remove them and why they appear? Is it any kind of a virus infection?

3) I have only Spyware Doctor freeware on my machine. Do you have any suggestion of freeware software that can effectively protect my machine?

Thanks a million for all the help. My computer's performance has also improved tremendously. Thanks once again
Saiza
Response Number 13
Name: jabuck
Date: March 8, 2008 at 16:12:29 Pacific
Subject: pos tmp files on c, red x,slow,dll
Reply: Download Registry Search to your desktop and double-click it > click regsearch.exe > click Run > click Run again. Copy/paste: SSCVIIHOST.exe in the top line and click "OK". It takes a minute to run, then Notepad will be opened with text in it (the file will be saved in the program's folder as well). Post this text.
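Registry Search does a string search across the live registry and writes every matching key and value to Notepad. As an added example, not the tool's code and not part of jabuck's instructions, the script below does the offline equivalent over a regedit .reg export. One detail a plain text search misses: regedit stores REG_EXPAND_SZ and REG_MULTI_SZ data as hex(2): / hex(7): byte lists (UTF-16LE), so a path kept in such a value never appears as readable text in the export; the script decodes values before matching. SAMPLE_REG is a constructed export, and its "Sample" value naming C:\WINDOWS\SSCVIIHOST.exe is hypothetical, placed there only to show a hit hidden inside a hex(2) value.

```python
r"""Offline equivalent of a registry string search over a regedit .reg export.

Added example, not Registry Search's code and not part of the thread's
instructions. regedit writes REG_EXPAND_SZ and REG_MULTI_SZ data as
hex(2):/hex(7): UTF-16LE byte lists, so a plain text search of the export
cannot see a path stored that way; values are decoded before matching.
SAMPLE_REG is a constructed export; the "Sample" value naming
C:\WINDOWS\SSCVIIHOST.exe is hypothetical and only demonstrates a hit
hidden inside a hex(2) value.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Sample"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
  5c,00,53,00,53,00,43,00,56,00,49,00,49,00,48,00,4f,00,53,00,54,00,2e,00,65,00,\
  78,00,65,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HEX_RE = re.compile(r'^hex(?:\((\d+)\))?:(.*)$')


def _unescape(s):
    """Undo the backslash escaping regedit applies inside quoted strings."""
    return s.replace('\\"', '"').replace('\\\\', '\\')


def decode_value(data):
    """Turn a .reg data field into text.

    "..."      REG_SZ (escaped)
    dword:...  REG_DWORD, returned as decimal text
    hex(2):    REG_EXPAND_SZ and hex(7): REG_MULTI_SZ, UTF-16LE bytes
    hex:       REG_BINARY, returned as a hex string
    """
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unescape(data[1:-1])
    if data.startswith("dword:"):
        return str(int(data[6:], 16))
    m = HEX_RE.match(data)
    if m:
        kind = int(m.group(1) or 3)  # bare "hex:" is REG_BINARY (type 3)
        raw = bytes.fromhex(m.group(2).replace(",", ""))
        if kind in (2, 7):
            text = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
            return text.replace("\x00", " | ")  # MULTI_SZ element separators
        return raw.hex()
    return data


def parse_reg_export(text):
    """Yield (key, value_name, decoded_data) for every value in the export."""
    # A trailing backslash continues a hex byte list on the next line.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = m.group(1)
        if name != "@":
            name = _unescape(name[1:-1])
        yield key, name, decode_value(m.group(2))


def search_reg_export(text, needle):
    """Case-insensitive search of key paths, value names and decoded data."""
    n = needle.lower()
    return [(k, v, d) for k, v, d in parse_reg_export(text)
            if n in k.lower() or n in v.lower() or n in d.lower()]


def load_reg_export(path):
    """regedit writes exports as UTF-16LE with a BOM; older tools write ANSI."""
    with open(path, "rb") as f:
        raw = f.read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("cp1252", "replace")


if __name__ == "__main__":
    for key, name, data in search_reg_export(SAMPLE_REG, "SSCVIIHOST.exe"):
        print(f"[{key}]\n    {name} = {data}")
```

Against SAMPLE_REG a naive case-insensitive text search for SSCVIIHOST.exe finds nothing, while search_reg_export returns the Sample value under HKLM\...\CurrentVersion\Run with its decoded path, which is the difference between grepping an export and the search the tool performs. To use it on a real machine, export the hive with regedit (File > Export), read it with load_reg_export, and pass the text to search_reg_export.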