Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
I had a funky virus (b.whataboutadog.com), and Jabuck helped me out. If your out there Jabuck can you lend me a hand again? My taskmanager is always at 60-70% cpu use, and everything is slow.
I tried cleaning out everything, defrag, the usual stuff and nothing helps. I have 55 processes going on and not much really running. I thought maybe that virus had made a comeback? Is it normal for 4-5 iexplorer.exe to be running. And about10 svchost.exe to run at the same time?
Can anyone lend a hand?Gateway P4 2.6GHz
DDR PC2 gig RAM
IE 7
Hello knowname, lets take a look.
Please download and install the latest version of HijackThis v2.0.2:
Download the HijackThis Installer from this link: HijackThis
1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)Please post the log it produces.
0 
Hey jabuck, I dont know how you read this stuff but here it is.
here is hijack:Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:27 PM, on 10/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: NormalRunning processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/s...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewo...
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/s...
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/i...
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINNT\SYSTEM32\slserv.exe--
End of file - 8806 bytes
Here is Combofix:
ComboFix 07-10-25.4 - Owner 2007-10-25 21:18:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1471 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.C:\Documents and Settings\Leslie\Desktop\internet.lnk
C:\Program Files\WinBudget.
((((((((((((((((((((((((( Files Created from 2007-09-26 to 2007-10-26 )))))))))))))))))))))))))))))))
.2007-10-25 21:15 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-14 18:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-14 14:02 155,648 --a------ C:\WINNT\system32\NeroCheck.exe
2007-10-14 14:02 114,688 --a------ C:\WINNT\system32\igfxpers.exe
2007-10-14 14:02 94,208 --a------ C:\WINNT\system32\igfxtray.exe
2007-10-14 14:02 77,824 --a------ C:\WINNT\system32\hkcmd.exe
2007-10-14 09:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-14 09:44 <DIR> d--h----- C:\WINNT\PIF
2007-10-10 02:39 582,656 --------- C:\WINNT\system32\dllcache\rpcrt4.dll
2007-10-05 12:39 <DIR> d-------- C:\Program Files\iPod
2007-10-04 16:43 143,360 --a------ C:\WINNT\system32\dunzip32.dll
2007-10-04 16:41 171,240 --a------ C:\WINNT\system32\drivers\mfehidk.sys
2007-10-04 16:41 109,608 --a------ C:\WINNT\system32\drivers\Mpfp.sys
2007-10-04 16:41 71,496 --a------ C:\WINNT\system32\drivers\mfeavfk.sys
2007-10-04 16:41 37,480 --a------ C:\WINNT\system32\drivers\mfesmfk.sys
2007-10-04 16:41 34,184 --a------ C:\WINNT\system32\drivers\mfebopk.sys
2007-10-04 16:41 32,008 --a------ C:\WINNT\system32\drivers\mferkdk.sys
2007-10-04 16:40 <DIR> d-------- C:\Program Files\McAfee
2007-10-04 16:37 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-10-04 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-04 13:45 <DIR> d-------- C:\WINNT\McAfee.com
2007-10-02 19:42 <DIR> d-------- C:\WINNT\system32\bak
2007-10-02 12:16 <DIR> d-------- C:\MY_BIG_FAT_GREEK_WEDDING.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-20 18:04 --------- d-----w C:\Program Files\SP2 Connection Patcher
2007-10-14 23:55 --------- d-----w C:\Program Files\Java
2007-10-14 21:20 --------- d-----w C:\Program Files\QuickTime
2007-10-14 19:02 --------- d-----w C:\Program Files\iTunes
2007-10-05 17:35 --------- d-----w C:\Program Files\Apple Software Update
2007-10-04 21:45 --------- d-----w C:\Program Files\McAfee.com
2007-10-04 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-04 03:47 --------- d-----w C:\Program Files\America's Army
2007-10-04 03:46 --------- d-----w C:\Program Files\America's Army Server Manager
2007-09-28 16:41 4,710 ----a-w C:\Documents and Settings\Leslie\Application Data\wklnhst.dat
2007-08-21 06:15 683,520 ----a-w C:\WINNT\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINNT\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINNT\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINNT\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINNT\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINNT\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINNT\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINNT\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINNT\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINNT\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINNT\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINNT\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINNT\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINNT\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINNT\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINNT\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINNT\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINNT\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINNT\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINNT\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINNT\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ----a-w C:\WINNT\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ----a-w C:\WINNT\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINNT\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINNT\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINNT\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINNT\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINNT\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINNT\system32\dllcache\ieakui.dll
2007-08-13 23:54 413,696 ----a-w C:\WINNT\system32\vbscript.dll
2007-08-13 23:54 413,696 ----a-w C:\WINNT\system32\dllcache\vbscript.dll
2007-08-13 23:54 33,792 ----a-w C:\WINNT\system32\dllcache\custsat.dll
2007-08-13 23:54 191,488 ----a-w C:\WINNT\system32\dllcache\iepeers.dll
2007-08-13 23:54 156,160 ----a-w C:\WINNT\system32\msls31.dll
2007-08-13 23:54 156,160 ----a-w C:\WINNT\system32\dllcache\msls31.dll
2007-08-13 23:45 78,336 ----a-w C:\WINNT\system32\ieencode.dll
2007-08-13 23:45 78,336 ----a-w C:\WINNT\system32\dllcache\ieencode.dll
2007-08-13 23:44 69,120 ----a-w C:\WINNT\system32\dllcache\iedw.exe
2007-08-13 23:44 40,960 ----a-w C:\WINNT\system32\licmgr10.dll
2007-08-13 23:44 40,960 ----a-w C:\WINNT\system32\dllcache\licmgr10.dll
2007-08-13 23:39 92,672 ----a-w C:\WINNT\system32\dllcache\inseng.dll
2007-08-13 23:39 71,680 ----a-w C:\WINNT\system32\dllcache\admparse.dll
2007-08-13 23:39 71,680 ----a-w C:\WINNT\system32\admparse.dll
2007-08-13 23:39 55,296 ----a-w C:\WINNT\system32\iesetup.dll
2007-08-13 23:39 55,296 ----a-w C:\WINNT\system32\dllcache\iesetup.dll
2007-08-13 23:38 491,520 ----a-w C:\WINNT\system32\dllcache\jscript.dll
2007-08-13 23:36 44,544 ----a-w C:\WINNT\system32\dllcache\pngfilt.dll
2007-08-13 23:36 36,352 ----a-w C:\WINNT\system32\imgutil.dll
2007-08-13 23:36 36,352 ----a-w C:\WINNT\system32\dllcache\imgutil.dll
2007-08-13 23:35 346,624 ----a-w C:\WINNT\system32\dllcache\dxtmsft.dll
2007-08-13 23:32 45,568 ----a-w C:\WINNT\system32\mshta.exe
2007-08-13 23:32 45,568 ----a-w C:\WINNT\system32\dllcache\mshta.exe
2007-08-13 23:18 60,416 ----a-w C:\WINNT\system32\dllcache\hmmapi.dll
2007-08-13 23:01 48,128 ----a-w C:\WINNT\system32\mshtmler.dll
2007-08-13 23:01 48,128 ----a-w C:\WINNT\system32\dllcache\mshtmler.dll
2007-08-04 22:12 3,078 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-07-31 00:19 92,504 ----a-w C:\WINNT\system32\dllcache\cdm.dll
2007-07-31 00:19 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-07-31 00:19 549,720 ----a-w C:\WINNT\system32\dllcache\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-07-31 00:19 53,080 ----a-w C:\WINNT\system32\dllcache\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-07-31 00:19 325,976 ----a-w C:\WINNT\system32\dllcache\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINNT\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINNT\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINNT\system32\dllcache\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINNT\system32\wuaueng.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINNT\system32\dllcache\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-07-31 00:18 33,624 ----a-w C:\WINNT\system32\dllcache\wups.dll
2005-08-23 23:10 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 50,688 2003-06-07 11:32:32 C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
----a-w 50,688 2003-06-07 11:32:32 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe----a-w 68,856 2007-06-28 01:39:44 C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
----a-w 68,856 2007-06-28 01:39:44 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe----a-w 257,088 2007-05-26 17:45:54 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 257,088 2007-05-26 17:45:54 C:\Program Files\iTunes\iTunesHelper.exe----a-w 132,496 2007-07-12 09:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
----a-w 132,496 2007-07-12 09:00:36 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe----a-w 303,104 2005-09-23 00:29:08 C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
----a-w 566,872 2007-01-05 21:21:16 C:\Program Files\McAfee.com\Agent\mcagent.exe----a-w 212,992 2006-01-11 18:05:42 C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe
----a-w 390,744 2007-01-05 21:22:16 C:\Program Files\McAfee.com\Agent\mcupdate.exe----a-w 409,600 2005-05-10 15:41:30 C:\Program Files\SP2 Connection Patcher\bak\SP2ConnPatcher.exe
----a-w 409,600 2005-05-10 15:41:30 C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe----a-w 204,288 2006-10-19 02:05:26 C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe
----a-w 204,288 2006-10-19 02:05:26 C:\Program Files\Windows Media Player\WMPNSCFG.exe----a-w 15,360 2004-08-04 07:56:48 C:\WINNT\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 C:\WINNT\system32\ctfmon.exe----a-w 77,824 2005-04-05 20:19:18 C:\WINNT\system32\bak\hkcmd.exe
----a-w 77,824 2005-04-05 20:19:18 C:\WINNT\system32\hkcmd.exe----a-w 114,688 2005-04-05 20:23:14 C:\WINNT\system32\bak\igfxpers.exe
----a-w 114,688 2005-04-05 20:23:14 C:\WINNT\system32\igfxpers.exe----a-w 94,208 2005-04-05 20:22:32 C:\WINNT\system32\bak\igfxtray.exe
----a-w 94,208 2005-04-05 20:22:32 C:\WINNT\system32\igfxtray.exe----a-r 155,648 2001-07-09 09:50:42 C:\WINNT\system32\bak\NeroCheck.exe
----a-w 155,648 2001-07-09 09:50:42 C:\WINNT\system32\NeroCheck.exe.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [2005-04-05 15:22]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [2005-04-05 15:19]
"POINTER"="point32.exe" []
"NeroFilterCheck"="C:\WINNT\System32\NeroCheck.exe" [2001-07-09 04:50]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 06:32]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-18 20:31]
"Persistence"="C:\WINNT\system32\igfxpers.exe" [2005-04-05 15:23]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-05-10 10:41]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 20:39]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 02:56]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05][HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exeC:\Documents and Settings\Leslie\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.exe [1996-11-17 01:00:00]C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Broadband Networking.lnk - C:\WINNT\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe [2006-12-26 15:13:27][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINNT\pss\Billminder.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINNT\pss\Kodak EasyShare software.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINNT\pss\Quicken Startup.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINNT\pss\Office Startup.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Extended Warranty]
"C:\Program Files\Gateway\GWCares\GWCares.exe"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
"C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINNT\system32\DRIVERS\epusbsto.sys
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-20 03:58:04 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
"2007-10-22 08:00:01 C:\WINNT\Tasks\McAfee.com Scan for Viruses - My Computer (KNOWNAME-Owner).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-10-15 06:06:31 C:\WINNT\Tasks\McDefragTask.job"
"2007-10-04 21:40:47 C:\WINNT\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 21:23:13
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0**************************************************************************
.
Completion time: 2007-10-25 21:25:11
.
--- E O F ---
Gateway P4 2.6GHz
DDR PC2 gig RAM
IE 7
0
You are still infected with AWF and another virus. looks lick Combofix got one of them.
Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak foldersA text file opens called: files.txt
Click below the line and paste the following list of files to be restored:
"C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
"C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
"C:\Program Files\SP2 Connection Patcher\bak\SP2ConnPatcher.exe"
"C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe"
"C:\WINNT\system32\bak\ctfmon.exe"
"C:\WINNT\system32\bak\hkcmd.exe"
"C:\WINNT\system32\bak\igfxpers.exe"
"C:\WINNT\system32\bak\igfxtray.exe"
"C:\WINNT\system32\bak\NeroCheck.exe"Next, close and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folderWhen done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
0
Great thats not what I wanted to hear. But at least you can see them.
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfullyThe current date is: Fri 10/26/2007
The current time is: 7:03:31.07
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\ITUNES\BAK05/26/2007 12:45 PM 257,088 iTunesHelper.exe
1 File(s) 257,088 bytesDirectory of C:\PROGRA~1\SP2CON~1\BAK
05/10/2005 10:41 AM 409,600 SP2ConnPatcher.exe
1 File(s) 409,600 bytesDirectory of C:\PROGRA~1\WINDOW~2\BAK
10/18/2006 09:05 PM 204,288 WMPNSCFG.exe
1 File(s) 204,288 bytesDirectory of C:\WINNT\SYSTEM32\BAK
08/04/2004 02:56 AM 15,360 ctfmon.exe
04/05/2005 03:19 PM 77,824 hkcmd.exe
04/05/2005 03:23 PM 114,688 igfxpers.exe
04/05/2005 03:22 PM 94,208 igfxtray.exe
07/09/2001 04:50 AM 155,648 NeroCheck.exe
5 File(s) 457,728 bytesDirectory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK
06/27/2007 08:39 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytesDirectory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK
09/22/2005 07:29 PM 303,104 mcagent.exe
01/11/2006 01:05 PM 212,992 mcupdate.exe
2 File(s) 516,096 bytesDirectory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK
06/07/2003 06:32 AM 50,688 WkUFind.exe
1 File(s) 50,688 bytesDirectory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK
07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~257088 May 26 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
257088 May 26 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Oct 5 2007 "C:\WINNT\Installer\{B045B608-4A47-4C77-9EAD-06C394503306}\iTunesIco.exe"
116024 Oct 5 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.3.1\iTunesSetupAdmin.exe"
409600 May 10 2005 "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe"
409600 May 10 2005 "C:\Program Files\SP2 Connection Patcher\bak\SP2ConnPatcher.exe"
204288 Oct 18 2006 "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
204288 Oct 18 2006 "C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe"
15360 Aug 4 2004 "C:\WINNT\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINNT\system32\bak\ctfmon.exe"
118784 Nov 18 2003 "C:\OEMDRVRS\HKCMD.exe"
77824 Apr 5 2005 "C:\WINNT\system32\hkcmd.exe"
77824 Apr 5 2005 "C:\WINNT\system32\bak\hkcmd.exe"
118784 Nov 18 2003 "C:\WINNT\system32\ReinstallBackups\0016\DriverFiles\hkcmd.exe"
114688 Apr 5 2005 "C:\WINNT\system32\igfxpers.exe"
114688 Apr 5 2005 "C:\WINNT\system32\bak\igfxpers.exe"
155648 Nov 18 2003 "C:\OEMDRVRS\IGFXTRAY.exe"
94208 Apr 5 2005 "C:\WINNT\system32\igfxtray.exe"
94208 Apr 5 2005 "C:\WINNT\system32\bak\igfxtray.exe"
155648 Nov 18 2003 "C:\WINNT\system32\ReinstallBackups\0016\DriverFiles\igfxtray.exe"
155648 Jul 9 2001 "C:\WINNT\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINNT\system32\bak\NeroCheck.exe"
52272 Jan 25 2007 "C:\Program Files\Google\googletoolbar4user.exe"
69632 Jan 5 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
68856 Jun 27 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
559784 Jan 18 2006 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Jan 25 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 Jun 27 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
50688 Jun 7 2003 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
50688 Jun 7 2003 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
end of reportGateway P4 2.6GHz
DDR PC2 gig RAM
IE 7
0
One other question, when I fixed my pc with you before, I was using it while I was fixing it, As in I was connected to the net to get back to this site for instruction. I do have access to a laptop, should I disconnect my infected pc to do the work you ask me to do. Also, my virus protection was disabled last time doing all the steps, I did put it back on right away, I just wonder if this has something to do with why I am infected now. I see you tell people to maybe use AVG? I get McAfee for free from comcast. Is there that much difference?
One more thing, I do have a second harddrive in my machine, it is for storage only, it does not have an OS on it, could it get infected from the other harddrive?Gateway P4 2.6GHz
DDR PC2 gig RAM
IE 7
0
There sould be no reason to turn off you antivirus. AVG antivirus is the most suggested free av because it does not use so many resources to run, its free, easy to uninstall and doesn't tie itself to everything on the computer.
Only realtime protection should be turned off in most cases as described in the next paragraph.
Temporarily disable any of the following anti-spyware realtime protection programs that you may have Disable Realtime Protection or the fixes will not work. Be sure to turn yout anti-spyware programs back on once the computer is clean.
Using the computer and using the internet should not be a problem in most cases either.
The storage device need to be checked for viruses and spyware, we can do that later.
Option 3:
Double-click the FindAWF icon once againIf a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak foldersA text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:
C:\Program Files\iTunes\bak
C:\Program Files\SP2 Connection Patcher\bak
C:\Program Files\Windows Media Player\bak
C:\WINNT\system32\bak
C:\WINNT\system32\bak
C:\WINNT\system32\bak
C:\WINNT\system32\bak
C:\WINNT\system32\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\McAfee.com\Agent\bak
C:\Program Files\McAfee.com\Agent\bak
C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
Next, close and click Yes to save the changes.
Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak foldersWhen done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
Next Option 4.
Option 4:
Double-click the FindAWF icon once againIf a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zonesThis removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXITNext,
Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXOpen notepad (Start Menu > Run > Type notepad and press "ok".
Copy and paste everything into notepad between the x's making regedit4 the top line.
Post a new Combofix log please.
0
Okay did everythng, I just dont understand the very last lines under all the xxxxxxxxx
is there something more to that?
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfullyThe current date is: Fri 10/26/2007
The current time is: 18:08:31.79
bak folders found
~~~~~~~~~~~
Directory of C:\WINNT\SYSTEM32\BAK07/09/2001 04:50 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytesDirectory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK
07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~155648 Jul 9 2001 "C:\WINNT\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINNT\system32\bak\NeroCheck.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
end of reportComboFix 07-10-25.4 - Owner 2007-10-26 18:43:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1508 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.((((((((((((((((((((((((( Files Created from 2007-09-26 to 2007-10-26 )))))))))))))))))))))))))))))))
.2007-10-25 21:15 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-14 18:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-14 14:02 155,648 --a------ C:\WINNT\system32\NeroCheck.exe
2007-10-14 14:02 114,688 --a------ C:\WINNT\system32\igfxpers.exe
2007-10-14 14:02 94,208 --a------ C:\WINNT\system32\igfxtray.exe
2007-10-14 14:02 77,824 --a------ C:\WINNT\system32\hkcmd.exe
2007-10-14 09:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-14 09:44 <DIR> d--h----- C:\WINNT\PIF
2007-10-10 02:39 582,656 --------- C:\WINNT\system32\dllcache\rpcrt4.dll
2007-10-05 12:39 <DIR> d-------- C:\Program Files\iPod
2007-10-04 16:43 143,360 --a------ C:\WINNT\system32\dunzip32.dll
2007-10-04 16:41 171,240 --a------ C:\WINNT\system32\drivers\mfehidk.sys
2007-10-04 16:41 109,608 --a------ C:\WINNT\system32\drivers\Mpfp.sys
2007-10-04 16:41 71,496 --a------ C:\WINNT\system32\drivers\mfeavfk.sys
2007-10-04 16:41 37,480 --a------ C:\WINNT\system32\drivers\mfesmfk.sys
2007-10-04 16:41 34,184 --a------ C:\WINNT\system32\drivers\mfebopk.sys
2007-10-04 16:41 32,008 --a------ C:\WINNT\system32\drivers\mferkdk.sys
2007-10-04 16:40 <DIR> d-------- C:\Program Files\McAfee
2007-10-04 16:37 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-10-04 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-04 13:45 <DIR> d-------- C:\WINNT\McAfee.com
2007-10-02 19:42 <DIR> d-------- C:\WINNT\system32\bak
2007-10-02 12:16 <DIR> d-------- C:\MY_BIG_FAT_GREEK_WEDDING.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 23:05 --------- d-----w C:\Program Files\SP2 Connection Patcher
2007-10-26 23:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-26 22:59 --------- d-----w C:\Program Files\iTunes
2007-10-14 23:55 --------- d-----w C:\Program Files\Java
2007-10-14 21:20 --------- d-----w C:\Program Files\QuickTime
2007-10-05 17:35 --------- d-----w C:\Program Files\Apple Software Update
2007-10-04 21:45 --------- d-----w C:\Program Files\McAfee.com
2007-10-04 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-04 03:47 --------- d-----w C:\Program Files\America's Army
2007-10-04 03:46 --------- d-----w C:\Program Files\America's Army Server Manager
2007-09-28 16:41 4,710 ----a-w C:\Documents and Settings\Leslie\Application Data\wklnhst.dat
2007-08-21 06:15 683,520 ----a-w C:\WINNT\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINNT\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINNT\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINNT\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINNT\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINNT\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINNT\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINNT\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINNT\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINNT\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINNT\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINNT\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINNT\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINNT\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINNT\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINNT\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINNT\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINNT\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINNT\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINNT\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINNT\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ----a-w C:\WINNT\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ----a-w C:\WINNT\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINNT\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINNT\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINNT\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINNT\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINNT\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINNT\system32\dllcache\ieakui.dll
2007-08-13 23:54 413,696 ----a-w C:\WINNT\system32\vbscript.dll
2007-08-13 23:54 413,696 ----a-w C:\WINNT\system32\dllcache\vbscript.dll
2007-08-13 23:54 33,792 ----a-w C:\WINNT\system32\dllcache\custsat.dll
2007-08-13 23:54 191,488 ----a-w C:\WINNT\system32\dllcache\iepeers.dll
2007-08-13 23:54 156,160 ----a-w C:\WINNT\system32\msls31.dll
2007-08-13 23:54 156,160 ----a-w C:\WINNT\system32\dllcache\msls31.dll
2007-08-13 23:45 78,336 ----a-w C:\WINNT\system32\ieencode.dll
2007-08-13 23:45 78,336 ----a-w C:\WINNT\system32\dllcache\ieencode.dll
2007-08-13 23:44 69,120 ----a-w C:\WINNT\system32\dllcache\iedw.exe
2007-08-13 23:44 40,960 ----a-w C:\WINNT\system32\licmgr10.dll
2007-08-13 23:44 40,960 ----a-w C:\WINNT\system32\dllcache\licmgr10.dll
2007-08-13 23:39 92,672 ----a-w C:\WINNT\system32\dllcache\inseng.dll
2007-08-13 23:39 71,680 ----a-w C:\WINNT\system32\dllcache\admparse.dll
2007-08-13 23:39 71,680 ----a-w C:\WINNT\system32\admparse.dll
2007-08-13 23:39 55,296 ----a-w C:\WINNT\system32\iesetup.dll
2007-08-13 23:39 55,296 ----a-w C:\WINNT\system32\dllcache\iesetup.dll
2007-08-13 23:38 491,520 ----a-w C:\WINNT\system32\dllcache\jscript.dll
2007-08-13 23:36 44,544 ----a-w C:\WINNT\system32\dllcache\pngfilt.dll
2007-08-13 23:36 36,352 ----a-w C:\WINNT\system32\imgutil.dll
2007-08-13 23:36 36,352 ----a-w C:\WINNT\system32\dllcache\imgutil.dll
2007-08-13 23:35 346,624 ----a-w C:\WINNT\system32\dllcache\dxtmsft.dll
2007-08-13 23:32 45,568 ----a-w C:\WINNT\system32\mshta.exe
2007-08-13 23:32 45,568 ----a-w C:\WINNT\system32\dllcache\mshta.exe
2007-08-13 23:18 60,416 ----a-w C:\WINNT\system32\dllcache\hmmapi.dll
2007-08-13 23:01 48,128 ----a-w C:\WINNT\system32\mshtmler.dll
2007-08-13 23:01 48,128 ----a-w C:\WINNT\system32\dllcache\mshtmler.dll
2007-08-04 22:12 3,078 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-07-31 00:19 92,504 ----a-w C:\WINNT\system32\dllcache\cdm.dll
2007-07-31 00:19 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-07-31 00:19 549,720 ----a-w C:\WINNT\system32\dllcache\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-07-31 00:19 53,080 ----a-w C:\WINNT\system32\dllcache\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-07-31 00:19 325,976 ----a-w C:\WINNT\system32\dllcache\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINNT\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINNT\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINNT\system32\dllcache\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINNT\system32\wuaueng.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINNT\system32\dllcache\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-07-31 00:18 33,624 ----a-w C:\WINNT\system32\dllcache\wups.dll
2005-08-23 23:10 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 132,496 2007-07-12 09:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
----a-w 132,496 2007-07-12 09:00:36 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe----a-r 155,648 2001-07-09 09:50:42 C:\WINNT\system32\bak\NeroCheck.exe
----a-w 155,648 2001-07-09 09:50:42 C:\WINNT\system32\NeroCheck.exe.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [2005-04-05 15:22]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [2005-04-05 15:19]
"POINTER"="point32.exe" []
"NeroFilterCheck"="C:\WINNT\System32\NeroCheck.exe" [2001-07-09 04:50]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 06:32]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-18 20:31]
"Persistence"="C:\WINNT\system32\igfxpers.exe" [2005-04-05 15:23]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2007-01-05 16:22]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2007-01-05 16:21][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-05-10 10:41]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 20:39]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 02:56]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05][HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exeC:\Documents and Settings\Leslie\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.exe [1996-11-17 01:00:00]C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Broadband Networking.lnk - C:\WINNT\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe [2006-12-26 15:13:27][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINNT\pss\Billminder.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINNT\pss\Kodak EasyShare software.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINNT\pss\Quicken Startup.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINNT\pss\Office Startup.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Extended Warranty]
"C:\Program Files\Gateway\GWCares\GWCares.exe"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
"C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINNT\system32\DRIVERS\epusbsto.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-20 03:58:04 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
"2007-10-22 08:00:01 C:\WINNT\Tasks\McAfee.com Scan for Viruses - My Computer (KNOWNAME-Owner).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-10-15 06:06:31 C:\WINNT\Tasks\McDefragTask.job"
"2007-10-04 21:40:47 C:\WINNT\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-26 18:46:12
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-10-26 18:47:52
C:\ComboFix2.txt ... 2007-10-25 21:25
.
--- E O F ---Gateway P4 2.6GHz
DDR PC2 gig RAM
IE 7
0
Update your java. Go to start> control panel> java> update> update now> uncheck/decline any google toolbar options.
Once updated go to control panel> add/remove programs and unistall all the other java versions on the computer except for the jre1.6.0_03 version you just installed. Those older version are one way you could have been infected.Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak foldersA text file opens called: files.txt
Click below the line and paste the following list of files to be restored:
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\WINNT\system32\bak\NeroCheck.exe"
Next, close and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folderWhen done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Option 3:
Double-click the FindAWF icon once againIf a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak foldersA text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\WINNT\system32\bak
Next, close and click Yes to save the changes.
Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak foldersWhen done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
Next Option 4.
Option 4:
Double-click the FindAWF icon once againIf a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zonesThis removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXITNext,
Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.Post a new Combofix log please.
0
Couldnt find the uncheck/decline any google toolbar options,
Also I hope its okay to alert you? Just figured you could see im done? Let me know if its a bother.
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfullyThe current date is: Fri 10/26/2007
The current time is: 21:37:46.68
bak folders found
~~~~~~~~~~~
Directory of C:\WINNT\SYSTEM32\BAK07/09/2001 04:50 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytesDirectory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK
07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~155648 Jul 9 2001 "C:\WINNT\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINNT\system32\bak\NeroCheck.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
end of report
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfullyThe current date is: Fri 10/26/2007
The current time is: 21:41:35.06
bak folders found
~~~~~~~~~~~
Directory of C:\WINNT\SYSTEM32\BAK07/09/2001 04:50 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~155648 Jul 9 2001 "C:\WINNT\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINNT\system32\bak\NeroCheck.exe"
end of reportComboFix 07-10-25.4 - Owner 2007-10-26 21:47:02.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1532 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.2007-10-26 21:37 155,648 --a------ C:\WINNT\system32\NeroCheck.exe
2007-10-25 21:15 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-14 18:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-14 14:02 114,688 --a------ C:\WINNT\system32\igfxpers.exe
2007-10-14 14:02 94,208 --a------ C:\WINNT\system32\igfxtray.exe
2007-10-14 14:02 77,824 --a------ C:\WINNT\system32\hkcmd.exe
2007-10-14 09:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-14 09:44 <DIR> d--h----- C:\WINNT\PIF
2007-10-10 02:39 582,656 --------- C:\WINNT\system32\dllcache\rpcrt4.dll
2007-10-05 12:39 <DIR> d-------- C:\Program Files\iPod
2007-10-04 16:43 143,360 --a------ C:\WINNT\system32\dunzip32.dll
2007-10-04 16:41 171,240 --a------ C:\WINNT\system32\drivers\mfehidk.sys
2007-10-04 16:41 109,608 --a------ C:\WINNT\system32\drivers\Mpfp.sys
2007-10-04 16:41 71,496 --a------ C:\WINNT\system32\drivers\mfeavfk.sys
2007-10-04 16:41 37,480 --a------ C:\WINNT\system32\drivers\mfesmfk.sys
2007-10-04 16:41 34,184 --a------ C:\WINNT\system32\drivers\mfebopk.sys
2007-10-04 16:41 32,008 --a------ C:\WINNT\system32\drivers\mferkdk.sys
2007-10-04 16:40 <DIR> d-------- C:\Program Files\McAfee
2007-10-04 16:37 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-10-04 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-04 13:45 <DIR> d-------- C:\WINNT\McAfee.com
2007-10-02 19:42 <DIR> d-------- C:\WINNT\system32\bak
2007-10-02 12:16 <DIR> d-------- C:\MY_BIG_FAT_GREEK_WEDDING.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 02:35 --------- d-----w C:\Program Files\Java
2007-10-26 23:56 --------- d-----w C:\Program Files\SP2 Connection Patcher
2007-10-26 23:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-26 22:59 --------- d-----w C:\Program Files\iTunes
2007-10-14 21:20 --------- d-----w C:\Program Files\QuickTime
2007-10-05 17:35 --------- d-----w C:\Program Files\Apple Software Update
2007-10-04 21:45 --------- d-----w C:\Program Files\McAfee.com
2007-10-04 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-04 03:47 --------- d-----w C:\Program Files\America's Army
2007-10-04 03:46 --------- d-----w C:\Program Files\America's Army Server Manager
2007-09-28 16:41 4,710 ----a-w C:\Documents and Settings\Leslie\Application Data\wklnhst.dat
2007-08-21 06:15 683,520 ----a-w C:\WINNT\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINNT\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINNT\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINNT\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINNT\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINNT\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINNT\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINNT\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINNT\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINNT\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINNT\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINNT\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINNT\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINNT\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINNT\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINNT\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINNT\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINNT\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINNT\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINNT\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINNT\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ----a-w C:\WINNT\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ----a-w C:\WINNT\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINNT\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINNT\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINNT\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINNT\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINNT\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINNT\system32\dllcache\ieakui.dll
2007-08-13 23:54 413,696 ----a-w C:\WINNT\system32\vbscript.dll
2007-08-13 23:54 413,696 ----a-w C:\WINNT\system32\dllcache\vbscript.dll
2007-08-13 23:54 33,792 ----a-w C:\WINNT\system32\dllcache\custsat.dll
2007-08-13 23:54 191,488 ----a-w C:\WINNT\system32\dllcache\iepeers.dll
2007-08-13 23:54 156,160 ----a-w C:\WINNT\system32\msls31.dll
2007-08-13 23:54 156,160 ----a-w C:\WINNT\system32\dllcache\msls31.dll
2007-08-13 23:45 78,336 ----a-w C:\WINNT\system32\ieencode.dll
2007-08-13 23:45 78,336 ----a-w C:\WINNT\system32\dllcache\ieencode.dll
2007-08-13 23:44 69,120 ----a-w C:\WINNT\system32\dllcache\iedw.exe
2007-08-13 23:44 40,960 ----a-w C:\WINNT\system32\licmgr10.dll
2007-08-13 23:44 40,960 ----a-w C:\WINNT\system32\dllcache\licmgr10.dll
2007-08-13 23:39 92,672 ----a-w C:\WINNT\system32\dllcache\inseng.dll
2007-08-13 23:39 71,680 ----a-w C:\WINNT\system32\dllcache\admparse.dll
2007-08-13 23:39 71,680 ----a-w C:\WINNT\system32\admparse.dll
2007-08-13 23:39 55,296 ----a-w C:\WINNT\system32\iesetup.dll
2007-08-13 23:39 55,296 ----a-w C:\WINNT\system32\dllcache\iesetup.dll
2007-08-13 23:38 491,520 ----a-w C:\WINNT\system32\dllcache\jscript.dll
2007-08-13 23:36 44,544 ----a-w C:\WINNT\system32\dllcache\pngfilt.dll
2007-08-13 23:36 36,352 ----a-w C:\WINNT\system32\imgutil.dll
2007-08-13 23:36 36,352 ----a-w C:\WINNT\system32\dllcache\imgutil.dll
2007-08-13 23:35 346,624 ----a-w C:\WINNT\system32\dllcache\dxtmsft.dll
2007-08-13 23:32 45,568 ----a-w C:\WINNT\system32\mshta.exe
2007-08-13 23:32 45,568 ----a-w C:\WINNT\system32\dllcache\mshta.exe
2007-08-13 23:18 60,416 ----a-w C:\WINNT\system32\dllcache\hmmapi.dll
2007-08-13 23:01 48,128 ----a-w C:\WINNT\system32\mshtmler.dll
2007-08-13 23:01 48,128 ----a-w C:\WINNT\system32\dllcache\mshtmler.dll
2007-08-04 22:12 3,078 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-07-31 00:19 92,504 ----a-w C:\WINNT\system32\dllcache\cdm.dll
2007-07-31 00:19 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-07-31 00:19 549,720 ----a-w C:\WINNT\system32\dllcache\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-07-31 00:19 53,080 ----a-w C:\WINNT\system32\dllcache\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-07-31 00:19 325,976 ----a-w C:\WINNT\system32\dllcache\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINNT\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINNT\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINNT\system32\dllcache\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINNT\system32\wuaueng.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINNT\system32\dllcache\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-07-31 00:18 33,624 ----a-w C:\WINNT\system32\dllcache\wups.dll
2005-08-23 23:10 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 155,648 2001-07-09 09:50:42 C:\WINNT\system32\bak\NeroCheck.exe
----a-w 155,648 2001-07-09 09:50:42 C:\WINNT\system32\NeroCheck.exe.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [2005-04-05 15:22]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [2005-04-05 15:19]
"POINTER"="point32.exe" []
"NeroFilterCheck"="C:\WINNT\System32\NeroCheck.exe" [2001-07-09 04:50]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 06:32]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-18 20:31]
"Persistence"="C:\WINNT\system32\igfxpers.exe" [2005-04-05 15:23]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-05-10 10:41]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 20:39]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 02:56]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05][HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exeC:\Documents and Settings\Leslie\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.exe [1996-11-17 01:00:00]C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Broadband Networking.lnk - C:\WINNT\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe [2006-12-26 15:13:27][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINNT\pss\Billminder.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINNT\pss\Kodak EasyShare software.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINNT\pss\Quicken Startup.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINNT\pss\Office Startup.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Extended Warranty]
"C:\Program Files\Gateway\GWCares\GWCares.exe"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
"C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINNT\system32\DRIVERS\epusbsto.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-20 03:58:04 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
"2007-10-22 08:00:01 C:\WINNT\Tasks\McAfee.com Scan for Viruses - My Computer (KNOWNAME-Owner).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-10-15 06:06:31 C:\WINNT\Tasks\McDefragTask.job"
"2007-10-04 21:40:47 C:\WINNT\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-26 21:48:34
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0**************************************************************************
.
Completion time: 2007-10-26 21:49:30
C:\ComboFix2.txt ... 2007-10-26 18:47
C:\ComboFix3.txt ... 2007-10-25 21:25
.
--- E O F ---Gateway P4 2.6GHz
DDR PC2 gig RAM
IE 7
0
Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak foldersA text file opens called: files.txt
Click below the line and paste the following list of files to be restored:
"C:\WINNT\system32\bak\NeroCheck.exe"
Next, close and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folderWhen done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Option 3:
Double-click the FindAWF icon once againIf a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak foldersA text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:
C:\WINNT\system32\bakNext, close and click Yes to save the changes.
Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak foldersWhen done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
Next Option 4.
Option 4:
Double-click the FindAWF icon once againIf a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zonesThis removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXITNext,
Launch Notepad, and copy/paste everything between the X"s making "regedit4" the very top line.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.Post a new Combofix log please.
0
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfullyThe current date is: Fri 10/26/2007
The current time is: 23:05:01.92
bak folders found
~~~~~~~~~~~
Directory of C:\WINNT\SYSTEM32\BAK07/09/2001 04:50 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~155648 Jul 9 2001 "C:\WINNT\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINNT\system32\bak\NeroCheck.exe"
end of report
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfullyThe current date is: Fri 10/26/2007
The current time is: 23:06:08.03
bak folders found
~~~~~~~~~~~
Directory of C:\WINNT\SYSTEM32\BAK07/09/2001 04:50 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~155648 Jul 9 2001 "C:\WINNT\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINNT\system32\bak\NeroCheck.exe"
end of reportComboFix 07-10-25.4 - Owner 2007-10-26 23:11:07.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1492 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.2007-10-26 23:05 155,648 --a------ C:\WINNT\system32\NeroCheck.exe
2007-10-25 21:15 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-14 18:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-14 14:02 114,688 --a------ C:\WINNT\system32\igfxpers.exe
2007-10-14 14:02 94,208 --a------ C:\WINNT\system32\igfxtray.exe
2007-10-14 14:02 77,824 --a------ C:\WINNT\system32\hkcmd.exe
2007-10-14 09:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-14 09:44 <DIR> d--h----- C:\WINNT\PIF
2007-10-10 02:39 582,656 --------- C:\WINNT\system32\dllcache\rpcrt4.dll
2007-10-05 12:39 <DIR> d-------- C:\Program Files\iPod
2007-10-04 16:43 143,360 --a------ C:\WINNT\system32\dunzip32.dll
2007-10-04 16:41 171,240 --a------ C:\WINNT\system32\drivers\mfehidk.sys
2007-10-04 16:41 109,608 --a------ C:\WINNT\system32\drivers\Mpfp.sys
2007-10-04 16:41 71,496 --a------ C:\WINNT\system32\drivers\mfeavfk.sys
2007-10-04 16:41 37,480 --a------ C:\WINNT\system32\drivers\mfesmfk.sys
2007-10-04 16:41 34,184 --a------ C:\WINNT\system32\drivers\mfebopk.sys
2007-10-04 16:41 32,008 --a------ C:\WINNT\system32\drivers\mferkdk.sys
2007-10-04 16:40 <DIR> d-------- C:\Program Files\McAfee
2007-10-04 16:37 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-10-04 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-04 13:45 <DIR> d-------- C:\WINNT\McAfee.com
2007-10-02 19:42 <DIR> d-------- C:\WINNT\system32\bak
2007-10-02 12:16 <DIR> d-------- C:\MY_BIG_FAT_GREEK_WEDDING.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 02:35 --------- d-----w C:\Program Files\Java
2007-10-26 23:56 --------- d-----w C:\Program Files\SP2 Connection Patcher
2007-10-26 23:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-26 22:59 --------- d-----w C:\Program Files\iTunes
2007-10-14 21:20 --------- d-----w C:\Program Files\QuickTime
2007-10-05 17:35 --------- d-----w C:\Program Files\Apple Software Update
2007-10-04 21:45 --------- d-----w C:\Program Files\McAfee.com
2007-10-04 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-04 03:47 --------- d-----w C:\Program Files\America's Army
2007-10-04 03:46 --------- d-----w C:\Program Files\America's Army Server Manager
2007-09-28 16:41 4,710 ----a-w C:\Documents and Settings\Leslie\Application Data\wklnhst.dat
2007-08-21 06:15 683,520 ----a-w C:\WINNT\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINNT\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINNT\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINNT\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINNT\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINNT\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINNT\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINNT\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINNT\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINNT\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINNT\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINNT\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINNT\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINNT\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINNT\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINNT\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINNT\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINNT\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINNT\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINNT\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINNT\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ----a-w C:\WINNT\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ----a-w C:\WINNT\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINNT\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINNT\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINNT\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINNT\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINNT\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINNT\system32\dllcache\ieakui.dll
2007-08-13 23:54 413,696 ----a-w C:\WINNT\system32\vbscript.dll
2007-08-13 23:54 413,696 ----a-w C:\WINNT\system32\dllcache\vbscript.dll
2007-08-13 23:54 33,792 ----a-w C:\WINNT\system32\dllcache\custsat.dll
2007-08-13 23:54 191,488 ----a-w C:\WINNT\system32\dllcache\iepeers.dll
2007-08-13 23:54 156,160 ----a-w C:\WINNT\system32\msls31.dll
2007-08-13 23:54 156,160 ----a-w C:\WINNT\system32\dllcache\msls31.dll
2007-08-13 23:45 78,336 ----a-w C:\WINNT\system32\ieencode.dll
2007-08-13 23:45 78,336 ----a-w C:\WINNT\system32\dllcache\ieencode.dll
2007-08-13 23:44 69,120 ----a-w C:\WINNT\system32\dllcache\iedw.exe
2007-08-13 23:44 40,960 ----a-w C:\WINNT\system32\licmgr10.dll
2007-08-13 23:44 40,960 ----a-w C:\WINNT\system32\dllcache\licmgr10.dll
2007-08-13 23:39 92,672 ----a-w C:\WINNT\system32\dllcache\inseng.dll
2007-08-13 23:39 71,680 ----a-w C:\WINNT\system32\dllcache\admparse.dll
2007-08-13 23:39 71,680 ----a-w C:\WINNT\system32\admparse.dll
2007-08-13 23:39 55,296 ----a-w C:\WINNT\system32\iesetup.dll
2007-08-13 23:39 55,296 ----a-w C:\WINNT\system32\dllcache\iesetup.dll
2007-08-13 23:38 491,520 ----a-w C:\WINNT\system32\dllcache\jscript.dll
2007-08-13 23:36 44,544 ----a-w C:\WINNT\system32\dllcache\pngfilt.dll
2007-08-13 23:36 36,352 ----a-w C:\WINNT\system32\imgutil.dll
2007-08-13 23:36 36,352 ----a-w C:\WINNT\system32\dllcache\imgutil.dll
2007-08-13 23:35 346,624 ----a-w C:\WINNT\system32\dllcache\dxtmsft.dll
2007-08-13 23:32 45,568 ----a-w C:\WINNT\system32\mshta.exe
2007-08-13 23:32 45,568 ----a-w C:\WINNT\system32\dllcache\mshta.exe
2007-08-13 23:18 60,416 ----a-w C:\WINNT\system32\dllcache\hmmapi.dll
2007-08-13 23:01 48,128 ----a-w C:\WINNT\system32\mshtmler.dll
2007-08-13 23:01 48,128 ----a-w C:\WINNT\system32\dllcache\mshtmler.dll
2007-08-04 22:12 3,078 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-07-31 00:19 92,504 ----a-w C:\WINNT\system32\dllcache\cdm.dll
2007-07-31 00:19 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-07-31 00:19 549,720 ----a-w C:\WINNT\system32\dllcache\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-07-31 00:19 53,080 ----a-w C:\WINNT\system32\dllcache\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-07-31 00:19 325,976 ----a-w C:\WINNT\system32\dllcache\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINNT\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINNT\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINNT\system32\dllcache\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINNT\system32\wuaueng.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINNT\system32\dllcache\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-07-31 00:18 33,624 ----a-w C:\WINNT\system32\dllcache\wups.dll
2005-08-23 23:10 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 155,648 2001-07-09 09:50:42 C:\WINNT\system32\bak\NeroCheck.exe
----a-w 155,648 2001-07-09 09:50:42 C:\WINNT\system32\NeroCheck.exe.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [2005-04-05 15:22]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [2005-04-05 15:19]
"POINTER"="point32.exe" []
"NeroFilterCheck"="C:\WINNT\System32\NeroCheck.exe" [2001-07-09 04:50]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 06:32]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-18 20:31]
"Persistence"="C:\WINNT\system32\igfxpers.exe" [2005-04-05 15:23]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-05-10 10:41]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 20:39]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 02:56]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05][HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exeC:\Documents and Settings\Leslie\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.exe [1996-11-17 01:00:00]C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Broadband Networking.lnk - C:\WINNT\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe [2006-12-26 15:13:27][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINNT\pss\Billminder.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINNT\pss\Kodak EasyShare software.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINNT\pss\Quicken Startup.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINNT\pss\Office Startup.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Extended Warranty]
"C:\Program Files\Gateway\GWCares\GWCares.exe"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
"C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINNT\system32\DRIVERS\epusbsto.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 03:58:02 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
"2007-10-22 08:00:01 C:\WINNT\Tasks\McAfee.com Scan for Viruses - My Computer (KNOWNAME-Owner).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-10-15 06:06:31 C:\WINNT\Tasks\McDefragTask.job"
"2007-10-04 21:40:47 C:\WINNT\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-26 23:12:18
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0**************************************************************************
.
Completion time: 2007-10-26 23:13:13
C:\ComboFix2.txt ... 2007-10-26 21:49
C:\ComboFix3.txt ... 2007-10-26 18:47
.
--- E O F ---
Gateway P4 2.6GHz
DDR PC2 gig RAM
IE 7
0
Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.
Navigate to and delete this file if found:
C:\WINNT\system32\bak\NeroCheck.exe
Then navigate to and delete this folder if found.
C:\WINNT\system32\bak
If you are unable to delete them boot into safe mode and try to delete them.
To boot into safe mode restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Post a new combofix log.
0
ComboFix 07-10-25.4 - Owner 2007-10-27 8:34:42.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1597 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.2007-10-26 23:05 155,648 --a------ C:\WINNT\system32\NeroCheck.exe
2007-10-25 21:15 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-14 18:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-14 14:02 114,688 --a------ C:\WINNT\system32\igfxpers.exe
2007-10-14 14:02 94,208 --a------ C:\WINNT\system32\igfxtray.exe
2007-10-14 14:02 77,824 --a------ C:\WINNT\system32\hkcmd.exe
2007-10-14 09:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-14 09:44 <DIR> d--h----- C:\WINNT\PIF
2007-10-10 02:39 582,656 --------- C:\WINNT\system32\dllcache\rpcrt4.dll
2007-10-05 12:39 <DIR> d-------- C:\Program Files\iPod
2007-10-04 16:43 143,360 --a------ C:\WINNT\system32\dunzip32.dll
2007-10-04 16:41 171,240 --a------ C:\WINNT\system32\drivers\mfehidk.sys
2007-10-04 16:41 109,608 --a------ C:\WINNT\system32\drivers\Mpfp.sys
2007-10-04 16:41 71,496 --a------ C:\WINNT\system32\drivers\mfeavfk.sys
2007-10-04 16:41 37,480 --a------ C:\WINNT\system32\drivers\mfesmfk.sys
2007-10-04 16:41 34,184 --a------ C:\WINNT\system32\drivers\mfebopk.sys
2007-10-04 16:41 32,008 --a------ C:\WINNT\system32\drivers\mferkdk.sys
2007-10-04 16:40 <DIR> d-------- C:\Program Files\McAfee
2007-10-04 16:37 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-10-04 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-04 13:45 <DIR> d-------- C:\WINNT\McAfee.com
2007-10-02 12:16 <DIR> d-------- C:\MY_BIG_FAT_GREEK_WEDDING.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 13:32 --------- d-----w C:\Program Files\SP2 Connection Patcher
2007-10-27 02:35 --------- d-----w C:\Program Files\Java
2007-10-26 23:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-26 22:59 --------- d-----w C:\Program Files\iTunes
2007-10-14 21:20 --------- d-----w C:\Program Files\QuickTime
2007-10-05 17:35 --------- d-----w C:\Program Files\Apple Software Update
2007-10-04 21:45 --------- d-----w C:\Program Files\McAfee.com
2007-10-04 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-04 03:47 --------- d-----w C:\Program Files\America's Army
2007-10-04 03:46 --------- d-----w C:\Program Files\America's Army Server Manager
2007-09-28 16:41 4,710 ----a-w C:\Documents and Settings\Leslie\Application Data\wklnhst.dat
2007-08-21 06:15 683,520 ----a-w C:\WINNT\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINNT\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINNT\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINNT\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINNT\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINNT\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINNT\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINNT\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINNT\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINNT\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINNT\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINNT\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINNT\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINNT\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINNT\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINNT\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINNT\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINNT\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINNT\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINNT\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINNT\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ----a-w C:\WINNT\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ----a-w C:\WINNT\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINNT\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINNT\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINNT\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINNT\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINNT\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINNT\system32\dllcache\ieakui.dll
2007-08-13 23:54 413,696 ----a-w C:\WINNT\system32\vbscript.dll
2007-08-13 23:54 413,696 ----a-w C:\WINNT\system32\dllcache\vbscript.dll
2007-08-13 23:54 33,792 ----a-w C:\WINNT\system32\dllcache\custsat.dll
2007-08-13 23:54 191,488 ----a-w C:\WINNT\system32\dllcache\iepeers.dll
2007-08-13 23:54 156,160 ----a-w C:\WINNT\system32\msls31.dll
2007-08-13 23:54 156,160 ----a-w C:\WINNT\system32\dllcache\msls31.dll
2007-08-13 23:45 78,336 ----a-w C:\WINNT\system32\ieencode.dll
2007-08-13 23:45 78,336 ----a-w C:\WINNT\system32\dllcache\ieencode.dll
2007-08-13 23:44 69,120 ----a-w C:\WINNT\system32\dllcache\iedw.exe
2007-08-13 23:44 40,960 ----a-w C:\WINNT\system32\licmgr10.dll
2007-08-13 23:44 40,960 ----a-w C:\WINNT\system32\dllcache\licmgr10.dll
2007-08-13 23:39 92,672 ----a-w C:\WINNT\system32\dllcache\inseng.dll
2007-08-13 23:39 71,680 ----a-w C:\WINNT\system32\dllcache\admparse.dll
2007-08-13 23:39 71,680 ----a-w C:\WINNT\system32\admparse.dll
2007-08-13 23:39 55,296 ----a-w C:\WINNT\system32\iesetup.dll
2007-08-13 23:39 55,296 ----a-w C:\WINNT\system32\dllcache\iesetup.dll
2007-08-13 23:38 491,520 ----a-w C:\WINNT\system32\dllcache\jscript.dll
2007-08-13 23:36 44,544 ----a-w C:\WINNT\system32\dllcache\pngfilt.dll
2007-08-13 23:36 36,352 ----a-w C:\WINNT\system32\imgutil.dll
2007-08-13 23:36 36,352 ----a-w C:\WINNT\system32\dllcache\imgutil.dll
2007-08-13 23:35 346,624 ----a-w C:\WINNT\system32\dllcache\dxtmsft.dll
2007-08-13 23:32 45,568 ----a-w C:\WINNT\system32\mshta.exe
2007-08-13 23:32 45,568 ----a-w C:\WINNT\system32\dllcache\mshta.exe
2007-08-13 23:18 60,416 ----a-w C:\WINNT\system32\dllcache\hmmapi.dll
2007-08-13 23:01 48,128 ----a-w C:\WINNT\system32\mshtmler.dll
2007-08-13 23:01 48,128 ----a-w C:\WINNT\system32\dllcache\mshtmler.dll
2007-08-04 22:12 3,078 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-07-31 00:19 92,504 ----a-w C:\WINNT\system32\dllcache\cdm.dll
2007-07-31 00:19 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-07-31 00:19 549,720 ----a-w C:\WINNT\system32\dllcache\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-07-31 00:19 53,080 ----a-w C:\WINNT\system32\dllcache\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-07-31 00:19 325,976 ----a-w C:\WINNT\system32\dllcache\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINNT\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINNT\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINNT\system32\dllcache\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINNT\system32\wuaueng.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINNT\system32\dllcache\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-07-31 00:18 33,624 ----a-w C:\WINNT\system32\dllcache\wups.dll
2005-08-23 23:10 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [2005-04-05 15:22]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [2005-04-05 15:19]
"POINTER"="point32.exe" []
"NeroFilterCheck"="C:\WINNT\System32\NeroCheck.exe" [2001-07-09 04:50]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 06:32]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-18 20:31]
"Persistence"="C:\WINNT\system32\igfxpers.exe" [2005-04-05 15:23]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-05-10 10:41]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 20:39]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 02:56]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05][HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exeC:\Documents and Settings\Leslie\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.exe [1996-11-17 01:00:00]C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Broadband Networking.lnk - C:\WINNT\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe [2006-12-26 15:13:27][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINNT\pss\Billminder.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINNT\pss\Kodak EasyShare software.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINNT\pss\Quicken Startup.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINNT\pss\Office Startup.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Extended Warranty]
"C:\Program Files\Gateway\GWCares\GWCares.exe"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
"C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINNT\system32\DRIVERS\epusbsto.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 03:58:02 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
"2007-10-22 08:00:01 C:\WINNT\Tasks\McAfee.com Scan for Viruses - My Computer (KNOWNAME-Owner).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-10-15 06:06:31 C:\WINNT\Tasks\McDefragTask.job"
"2007-10-04 21:40:47 C:\WINNT\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 08:37:15
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0**************************************************************************
.
Completion time: 2007-10-27 8:38:22
C:\ComboFix2.txt ... 2007-10-26 23:13
C:\ComboFix3.txt ... 2007-10-26 21:49
.
--- E O F ---
Gateway P4 2.6GHz
DDR PC2 gig RAM
IE 7
0
This is a seperate problem than whataboutadog. Go to Start -> Control Panel -> Add/Remove Programs and uninstall the following (if listed):
New.Net
NewDotNetIf it is not listed, follow these instructions:
From a computer that has Internet access, click on the following link:
http://www.new.net/support/uninstall6_90.exe
Download and save uninstall6_90.exe to the desktop.
Go to the desktop and double-click on uninstall6_90.exe
Click on the OK button.
After removal, you may be prompted to reboot. Please reboot even if not prompted.
Go to start> control panel> add/remove programs and uninstall theese programs if found if found:DAEMON Tools WhenU SearchBar
Desktop Toolbar [WhenUSearch]
WhenU CrunchGames Bar
WhenU Save
WhenU SaveNow
WhenUSave
WhenUSearch
WhenUSearch Desktop Toolbar
WhenUSearch Toolbar
WhenUShop
(Anything else with the word "WhenU" in them)Post a new Combofix log.
0
I didnt have any of those things in my add/remove before or after that program was run.
ComboFix 07-10-25.4 - Owner 2007-10-27 18:20:42.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1603 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\Virus removal tools\ComboFix.exe
.((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.2007-10-26 23:05 155,648 --a------ C:\WINNT\system32\NeroCheck.exe
2007-10-25 21:15 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-14 18:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-14 14:02 114,688 --a------ C:\WINNT\system32\igfxpers.exe
2007-10-14 14:02 94,208 --a------ C:\WINNT\system32\igfxtray.exe
2007-10-14 14:02 77,824 --a------ C:\WINNT\system32\hkcmd.exe
2007-10-14 09:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-14 09:44 <DIR> d--h----- C:\WINNT\PIF
2007-10-10 02:39 582,656 --------- C:\WINNT\system32\dllcache\rpcrt4.dll
2007-10-05 12:39 <DIR> d-------- C:\Program Files\iPod
2007-10-04 16:43 143,360 --a------ C:\WINNT\system32\dunzip32.dll
2007-10-04 16:41 171,240 --a------ C:\WINNT\system32\drivers\mfehidk.sys
2007-10-04 16:41 109,608 --a------ C:\WINNT\system32\drivers\Mpfp.sys
2007-10-04 16:41 71,496 --a------ C:\WINNT\system32\drivers\mfeavfk.sys
2007-10-04 16:41 37,480 --a------ C:\WINNT\system32\drivers\mfesmfk.sys
2007-10-04 16:41 34,184 --a------ C:\WINNT\system32\drivers\mfebopk.sys
2007-10-04 16:41 32,008 --a------ C:\WINNT\system32\drivers\mferkdk.sys
2007-10-04 16:40 <DIR> d-------- C:\Program Files\McAfee
2007-10-04 16:37 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-10-04 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-04 13:45 <DIR> d-------- C:\WINNT\McAfee.com.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 23:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-27 23:18 --------- d-----w C:\Program Files\Gateway
2007-10-27 23:14 --------- d-----w C:\Program Files\SP2 Connection Patcher
2007-10-27 02:35 --------- d-----w C:\Program Files\Java
2007-10-26 23:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-26 22:59 --------- d-----w C:\Program Files\iTunes
2007-10-14 21:20 --------- d-----w C:\Program Files\QuickTime
2007-10-05 17:35 --------- d-----w C:\Program Files\Apple Software Update
2007-10-04 21:45 --------- d-----w C:\Program Files\McAfee.com
2007-10-04 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-09-28 16:41 4,710 ----a-w C:\Documents and Settings\Leslie\Application Data\wklnhst.dat
2007-08-21 06:15 683,520 ----a-w C:\WINNT\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINNT\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINNT\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINNT\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINNT\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINNT\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINNT\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINNT\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINNT\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINNT\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINNT\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINNT\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINNT\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINNT\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINNT\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINNT\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINNT\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINNT\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINNT\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINNT\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINNT\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ----a-w C:\WINNT\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ----a-w C:\WINNT\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINNT\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINNT\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINNT\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINNT\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINNT\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINNT\system32\dllcache\ieakui.dll
2007-08-13 23:54 413,696 ----a-w C:\WINNT\system32\vbscript.dll
2007-08-13 23:54 413,696 ----a-w C:\WINNT\system32\dllcache\vbscript.dll
2007-08-13 23:54 33,792 ----a-w C:\WINNT\system32\dllcache\custsat.dll
2007-08-13 23:54 191,488 ----a-w C:\WINNT\system32\dllcache\iepeers.dll
2007-08-13 23:54 156,160 ----a-w C:\WINNT\system32\msls31.dll
2007-08-13 23:54 156,160 ----a-w C:\WINNT\system32\dllcache\msls31.dll
2007-08-13 23:45 78,336 ----a-w C:\WINNT\system32\ieencode.dll
2007-08-13 23:45 78,336 ----a-w C:\WINNT\system32\dllcache\ieencode.dll
2007-08-13 23:44 69,120 ----a-w C:\WINNT\system32\dllcache\iedw.exe
2007-08-13 23:44 40,960 ----a-w C:\WINNT\system32\licmgr10.dll
2007-08-13 23:44 40,960 ----a-w C:\WINNT\system32\dllcache\licmgr10.dll
2007-08-13 23:39 92,672 ----a-w C:\WINNT\system32\dllcache\inseng.dll
2007-08-13 23:39 71,680 ----a-w C:\WINNT\system32\dllcache\admparse.dll
2007-08-13 23:39 71,680 ----a-w C:\WINNT\system32\admparse.dll
2007-08-13 23:39 55,296 ----a-w C:\WINNT\system32\iesetup.dll
2007-08-13 23:39 55,296 ----a-w C:\WINNT\system32\dllcache\iesetup.dll
2007-08-13 23:38 491,520 ----a-w C:\WINNT\system32\dllcache\jscript.dll
2007-08-13 23:36 44,544 ----a-w C:\WINNT\system32\dllcache\pngfilt.dll
2007-08-13 23:36 36,352 ----a-w C:\WINNT\system32\imgutil.dll
2007-08-13 23:36 36,352 ----a-w C:\WINNT\system32\dllcache\imgutil.dll
2007-08-13 23:35 346,624 ----a-w C:\WINNT\system32\dllcache\dxtmsft.dll
2007-08-13 23:32 45,568 ----a-w C:\WINNT\system32\mshta.exe
2007-08-13 23:32 45,568 ----a-w C:\WINNT\system32\dllcache\mshta.exe
2007-08-13 23:18 60,416 ----a-w C:\WINNT\system32\dllcache\hmmapi.dll
2007-08-13 23:01 48,128 ----a-w C:\WINNT\system32\mshtmler.dll
2007-08-13 23:01 48,128 ----a-w C:\WINNT\system32\dllcache\mshtmler.dll
2007-08-04 22:12 3,078 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-07-31 00:19 92,504 ----a-w C:\WINNT\system32\dllcache\cdm.dll
2007-07-31 00:19 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-07-31 00:19 549,720 ----a-w C:\WINNT\system32\dllcache\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-07-31 00:19 53,080 ----a-w C:\WINNT\system32\dllcache\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-07-31 00:19 325,976 ----a-w C:\WINNT\system32\dllcache\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINNT\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINNT\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINNT\system32\dllcache\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINNT\system32\wuaueng.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINNT\system32\dllcache\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-07-31 00:18 33,624 ----a-w C:\WINNT\system32\dllcache\wups.dll
2005-08-23 23:10 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [2005-04-05 15:22]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [2005-04-05 15:19]
"POINTER"="point32.exe" []
"NeroFilterCheck"="C:\WINNT\System32\NeroCheck.exe" [2001-07-09 04:50]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 06:32]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-18 20:31]
"Persistence"="C:\WINNT\system32\igfxpers.exe" [2005-04-05 15:23]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-05-10 10:41]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 20:39]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 02:56]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05][HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exeC:\Documents and Settings\Leslie\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.exe [1996-11-17 01:00:00]C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Broadband Networking.lnk - C:\WINNT\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe [2006-12-26 15:13:27][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINNT\pss\Billminder.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINNT\pss\Kodak EasyShare software.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINNT\pss\Quicken Startup.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINNT\pss\Office Startup.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Extended Warranty]
"C:\Program Files\Gateway\GWCares\GWCares.exe"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
"C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINNT\system32\DRIVERS\epusbsto.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 03:58:02 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
"2007-10-22 08:00:01 C:\WINNT\Tasks\McAfee.com Scan for Viruses - My Computer (KNOWNAME-Owner).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-10-15 06:06:31 C:\WINNT\Tasks\McDefragTask.job"
"2007-10-04 21:40:47 C:\WINNT\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 18:23:07
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0**************************************************************************
.
Completion time: 2007-10-27 18:24:12
C:\ComboFix2.txt ... 2007-10-27 08:38
C:\ComboFix3.txt ... 2007-10-26 23:13
.
--- E O F ---
Gateway P4 2.6GHz
DDR PC2 gig RAM
IE 7
0
Open notepad (Start Menu > Run > Type notepad and press "ok".
Copy and paste everything into notepad between the x's making regedit4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXGo to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it Fix.reg then save it to your desktop.
Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.
Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe modeEmpty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.How is the computer operating now?
0
Well Jabuck,
It seems a lot better then when I first asked for your help. I looked on the task manager, and only see one iexplorer.exe now. And everything seems to be poppin the way it should. I hope this did the trick.
Do you work for computing.net, or are you just one helluva guy? (or gal I guess I dont know)Gateway P4 2.6GHz
DDR PC2 gig RAM
IE 7
0  |
 |
 |
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
