Hi, I have a Dell Inspiron E1705 running Windows XP that has been having a lot of problems recently. To begin, every time I start the computer and open task manager there is a program running called download manager, the only way I can view it is if I right click it in task manager and click maximize, otherwise it's hidden. Next, if I try to access the internet it tells me there is something interrupting the connection (even through a hard line connection). Also, whatever it is continually disables my virus scan's auto protect (Symantec). Finally, I can't shut down my computer because even if I shut down the download manager, iexplore.exe continues to run even when I never went on it in the first place. The computer literally hangs on shutdown (I have left it alone for ~6 hours and it just stays on logging off). I have installed Service Pack 3 and everything else is up to date. I have run Spybot Search and Destroy, Super Anti Spyware, Adware, and Symantec scan. None of which found the root of the problem (Spybot S&D found a couple of trojans but got rid of them). I can get a HiJackThis log off the cpu, but currently I am on another computer because as stated the infected machine is unable to go online. If you would like anything more just let me know and I can get it.
Thanks in advance to anyone that helps. :-)

Try to run the following scans, Malwarebytes and Hijack This. You can download Malwarebytes to a CD then run it on the infected computer.
Then go to Start > Run, type cmd and press Enter or OK.
At the flashing cursor, type
ipconfig /flushdns <-- (The space between g and / is needed)
Then press Enter, type Exit, press Enter again.
Try to get online.
Please download Malwarebytes' Anti-Malware from one of these sites:
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy and paste the entire report in your next reply.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Ok, that ipconfig worked, I am online with said infected computer. Here is the log of HiJackthis as requested:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:20 PM, on 9/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\SYSTEM32\Rpcnet.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\DOCUME~1\Alex\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\AOL\1156110795\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\DOCUME~1\Alex\LOCALS~1\Temp\SSUPDATE.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\program files\common files\aol\1156110795\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.exe
C:\Program Files\Grid Network Systems\PowerGrid\PowerGrid.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\vghd\vghd.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1156110795\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: VirtuaGirl HD.LNK = C:\Program Files\vghd\vghd.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Fantastic Flame Agent.lnk = C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: PowerGrid.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52...
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/s...
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls...
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Recovery ActiveX Control Module) - http://www.lojackforlaptops.com/ctm...
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/am...
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O20 - Winlogon Notify: mljiife - mljiife.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\SYSTEM32\Rpcnet.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 18241 bytes
I ran the malwarebytes as requested, every time it tried to remove things it locked up so I saved the log file before I had it remove everything so at least I had a log file. Here is the log:
Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 3

9/21/2008 2:46:51 PM
mbam-log-2008-09-21 (14-46-49).txt

Scan type: Quick Scan
Objects scanned: 55264
Time elapsed: 1 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\adzgalore.optimizer (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\adzgalore.optimizer.1 (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\quax.kalpol (Adware.Agent) -> No action taken.
HKEY_CLASSES_ROOT\quax.kalpol.1 (Adware.Agent) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\WhoisCL.exe (Adware.BHO) -> No action taken.
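
A triage pass over a HijackThis log like the one posted above, as an added example that is not part of the original thread or of HijackThis itself: it narrows the log to the few entries worth a manual look before anything is fixed. The function names and the four flagging rules are assumptions chosen for illustration; the sample lines are copied from the log in this thread.

```python
import re

# A few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Alex\LOCALS~1\Temp\clclean.0001
C:\DOCUME~1\Alex\LOCALS~1\Temp\SSUPDATE.exe
C:\Program Files\Mozilla Firefox\firefox.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O20 - Winlogon Notify: mljiife - mljiife.dll (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
"""

# "R1 - ...", "O4 - ...", "O23 - ..." style entries: section code, then detail.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# A running-process line is a bare path starting with a drive letter.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
# Any path component named Temp (also matches LOCALS~1\Temp).
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_log(text):
    """Split a HijackThis log into running processes and (code, detail) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            entries.append((match.group(1), match.group(2)))
        elif "running processes:" in line.lower():
            in_processes = True
        elif in_processes and PROCESS_RE.match(line):
            processes.append(line)
    return processes, entries


def triage(text):
    """Return (reason, item) pairs to review by hand; these are prompts, not verdicts."""
    processes, entries = parse_log(text)
    findings = []
    for path in processes:
        if TEMP_RE.search(path):
            findings.append(("process running from a Temp directory", path))
    for code, detail in entries:
        if "(file missing)" in detail:
            findings.append((f"{code}: registered file is missing", detail))
        if code == "O10" and detail.lower().startswith("unknown file"):
            findings.append(("O10: file reported as unknown in Winsock LSP", detail))
        if code == "O23" and " - Unknown owner - " in detail:
            findings.append(("O23: service listed with 'Unknown owner'", detail))
    return findings


if __name__ == "__main__":
    for reason, item in triage(SAMPLE_LOG):
        print(f"[review] {reason}\n         {item}")
```
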

Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
In your case to run Combofix do the following:
1. Go offline, turn off your Norton's antivirus, Script Blocking if Norton's is equipped with it, Windows Defender, Spybot, and any other antispyware that you may have.
Run Malwarebytes as requested being sure to follow the directions in step 6 and save its log.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Malwarebytes log and the Combofix log.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

Ran the scans as requested same problem happened with malware bytes when trying to delete selected, here are the logs:
ComboFix 08-09-20.05 - Alex 2008-09-21 16:43:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1329 [GMT -4:00]
Running from: C:\Documents and Settings\Alex\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\CmdLineExt03.dll
C:\WINDOWS\system32\qrqss.ini
.
((((((((((((((((((((((((( Files Created from 2008-08-21 to 2008-09-21 )))))))))))))))))))))))))))))))
.
2008-09-21 14:38 . 2008-09-21 14:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-21 14:29 . 2008-09-21 14:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-21 14:29 . 2008-09-21 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-21 14:29 . 2008-09-21 14:29 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\Malwarebytes
2008-09-21 14:29 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-21 14:29 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-18 17:08 . 2008-09-18 17:08 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-18 17:08 . 2008-09-18 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-17 03:03 . 2008-09-17 03:03 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-09-17 02:57 . 2008-09-17 02:58 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-17 02:48 . 2008-09-17 03:19 <DIR> d-------- C:\SDFix
2008-09-15 19:51 . 2008-09-15 19:52 <DIR> d-------- C:\Program Files\eFax Messenger 4.3
2008-09-15 19:51 . 2008-09-15 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Setup
2008-09-15 19:51 . 2008-09-15 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output
2008-09-15 16:05 . 2008-09-15 19:52 <DIR> d-------- C:\Program Files\CyberDefender
2008-09-15 15:42 . 2008-09-15 15:42 <DIR> d-------- C:\Program Files\InCode Solutions
2008-08-31 01:50 . 2008-08-31 01:50 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\Move Networks
2008-08-26 09:57 . 2008-08-26 09:57 <DIR> d--hs---- C:\found.000
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-21 20:38 47,104 ----a-w C:\WINDOWS\system32\Rpcnet.dll
2008-09-21 20:38 17,408 ----a-w C:\WINDOWS\system32\Rpcnetp.exe
2008-09-21 20:38 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-21 19:38 --------- d-----w C:\Documents and Settings\Alex\Application Data\McAfee
2008-09-18 21:14 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-09-18 20:39 --------- d-----w C:\Program Files\Dl_cats
2008-09-17 07:11 17,408 ----a-w C:\WINDOWS\system32\rpcnetp.dll
2008-09-17 03:07 --------- d-----w C:\Program Files\LimeWire
2008-09-15 23:57 --------- d-----w C:\Program Files\PokerRoom.com
2008-09-15 23:56 --------- d-----w C:\Documents and Settings\Alex\Application Data\Azureus
2008-09-14 21:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-14 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-09-05 03:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-05 03:02 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-08-23 03:56 --------- d-----w C:\Program Files\IDoser v4
2008-08-22 20:07 --------- d-----w C:\Program Files\EA Games
2008-08-22 11:05 --------- d-----w C:\Documents and Settings\Alex\Application Data\Audacity
2008-08-21 06:11 --------- d-----w C:\Documents and Settings\Alex\Application Data\AdobeUM
2008-08-20 22:12 --------- d-----w C:\Program Files\MagicISO
2008-08-20 05:00 --------- d-----w C:\Documents and Settings\Alex\Application Data\DAEMON Tools
2008-08-20 04:11 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-08-18 01:01 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-08-13 20:35 --------- d-----w C:\Program Files\Apple Software Update
2008-08-13 20:34 --------- d-----w C:\Program Files\iTunes
2008-08-13 20:34 --------- d-----w C:\Program Files\iPod
2008-08-13 20:33 --------- d-----w C:\Program Files\Bonjour
2008-08-13 20:32 --------- d-----w C:\Program Files\QuickTime
2008-08-08 02:21 47,104 ----a-w C:\WINDOWS\system32\rpcnet.exe
2008-08-04 05:09 23 ----a-w C:\Documents and Settings\Alex\jagex_runescape_preferences.dat
2008-07-27 19:51 --------- d-----w C:\Documents and Settings\Alex\Application Data\Thunderbird
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 22:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:24 61,224 ----a-w C:\Documents and Settings\Alex\GoToAssistDownloadHelper.exe
2007-04-30 03:24 28,048 -c--a-w C:\Documents and Settings\Alex\Application Data\GDIPFONTCACHEV1.DAT
2006-09-12 13:11 13,195 -c--a-w C:\Documents and Settings\Alex\zguicfgw.dat
2006-09-07 04:17 40 -c--a-w C:\Documents and Settings\Alex\language.dat
2008-02-24 03:42 88 --sh--r C:\WINDOWS\system32\B24EA90115.sys
2008-02-24 03:42 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-22 01:37 1,372,110 --sh--w C:\WINDOWS\system32\qrqss.bak1
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-23 1506544]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-03-15 1033800]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 C:\WINDOWS\MIDIDEF.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="C:\WINDOWS\UpdReg.exe" [2000-05-11 90112]
"VoiceCenter"="C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" [2006-01-02 1126400]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HostManager"="C:\Program Files\Common Files\AOL\1156110795\ee\AOLSoftware.exe" [2006-09-25 50736]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"razer"="C:\Program Files\Razer\razerhid.exe" [2005-05-17 147456]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 73728]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-24 185896]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 147456]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 221184]
"DMXLauncher"="C:\Program Files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 1116920]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]
"MBMon"="CTMBHA.DLL" [2006-03-03 C:\WINDOWS\system32\CTMBHA.DLL]
C:\Documents and Settings\Alex\Start Menu\Programs\Startup\
VirtuaGirl HD.LNK - C:\Program Files\vghd\vghd.exe [2008-04-30 11773248]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-07 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-01 24576]
eFax 4.3.lnk.disabled [2008-04-11 1665]
Fantastic Flame Agent.lnk - C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe [2006-10-14 25600]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 83360]
PowerGrid.lnk - C:\WINDOWS\Installer\{00002F99-E265-4492-A5E3-770098BCBE1F}\NewShortcut1_C248C566D0EF4982BEADC6129C3D127B.exe [2007-02-07 45056]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.exe [2006-10-10 122880]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-30 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-05-16 07:23 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-20 13:24 10536 C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\America Online 9.0a\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1156110795\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert(tm) II\\RA2\\game.exe"=
"C:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"C:\\Program Files\\Common Files\\AOL\\1156110795\\EE\\aolsoftware.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert(tm) II\\RA2\\mph.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grid Network Systems\\PowerGrid\\PowerGrid.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"48874:TCP"= 48874:TCP:Torrent
"48874:UDP"= 48874:UDP:Torrent1
"1445:UDP"= 1445:UDP:Windows Media Format SDK (firefox.exe)
"1444:UDP"= 1444:UDP:Windows Media Format SDK (firefox.exe)
R1 c2scsi;c2scsi;C:\WINDOWS\system32\drivers\c2scsi.sys [2006-03-04 241664]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-01 28216]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 GoToAssist;GoToAssist;C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe Start=service [ ]
S3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 13225]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85165ca0-3d43-11db-bc9b-00038a000015}]
\Shell\AutoRun\command - F:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dda3545b-d121-11db-bda9-00038a000015}]
\Shell\AutoRun\command - E:\Autorun.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)
Notify-mljiife - mljiife.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\o3j3ft9j.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npgopg.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npplaypg.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 16:47:13
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????scanning hidden files ...
C:\WINDOWS\system32\autochk(3).exe:BAK 22528 bytes executable
C:\WINDOWS\system32\autochk(4).exe:BAK 22528 bytes executable
scan completed successfully
hidden files: 2
**************************************************************************
.
Completion time: 2008-09-21 16:49:07
ComboFix-quarantined-files.txt 2008-09-21 20:48:24
Pre-Run: 4,304,814,080 bytes free
Post-Run: 4,463,595,520 bytes free
249 --- E O F --- 2008-09-21 18:31:35
Malwarebytes:
Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 3
9/21/2008 5:00:01 PM
mbam-log-2008-09-21 (16-59-58).txt
Scan type: Quick Scan
Objects scanned: 53679
Time elapsed: 3 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\quax.kalpol (Adware.Agent) -> No action taken.
HKEY_CLASSES_ROOT\quax.kalpol.1 (Adware.Agent) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\WhoisCL.exe (Adware.BHO) -> No action taken.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\WINDOWS\system32\WhoisCL.exe
C:\WINDOWS\system32\qrqss.bak1
Registry::
[-HKEY_CLASSES_ROOT\quax.kalpol]
[-HKEY_CLASSES_ROOT\quax.kalpol.1]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto start, click "run".
Please go to Virus Total and upload the following file for analysis:
C:\WINDOWS\system32\B24EA90115.sys
Use the browse button at the site to find the file; once you find the file, double click it and it should appear in the empty space to the left of the browse button > click "send file".
Post the results in your reply.
Post a new Combofix log following the directions in response #3.

Ok, did as asked copied and pasted exactly what you said. The file you asked about isn't on my machine, looked everywhere in the System32 folder and found nothing. I don't know where the file went or what it was. Thanks for your help, I still wish I knew what was going on. Here is the log:
ComboFix 08-09-20.05 - Alex 2008-09-21 22:35:53.4 - NTFSx86
Running from: C:\Documents and Settings\Alex\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Alex\Desktop\cfscript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\WhoisCL.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\WhoisCL.exe
.
((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.
2008-09-21 14:38 . 2008-09-21 14:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-21 14:29 . 2008-09-21 14:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-21 14:29 . 2008-09-21 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-21 14:29 . 2008-09-21 14:29 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\Malwarebytes
2008-09-21 14:29 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-21 14:29 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-18 17:08 . 2008-09-18 17:08 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-18 17:08 . 2008-09-18 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-17 03:03 . 2008-09-17 03:03 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-09-17 02:57 . 2008-09-17 02:58 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-17 02:48 . 2008-09-17 03:19 <DIR> d-------- C:\SDFix
2008-09-15 19:51 . 2008-09-15 19:52 <DIR> d-------- C:\Program Files\eFax Messenger 4.3
2008-09-15 19:51 . 2008-09-15 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Setup
2008-09-15 19:51 . 2008-09-15 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output
2008-09-15 16:05 . 2008-09-15 19:52 <DIR> d-------- C:\Program Files\CyberDefender
2008-09-15 15:42 . 2008-09-15 15:42 <DIR> d-------- C:\Program Files\InCode Solutions
2008-08-31 01:50 . 2008-08-31 01:50 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\Move Networks
2008-08-26 09:57 . 2008-08-26 09:57 <DIR> d--hs---- C:\found.000
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 02:46 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-21 19:38 --------- d-----w C:\Documents and Settings\Alex\Application Data\McAfee
2008-09-18 21:14 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-09-18 20:39 --------- d-----w C:\Program Files\Dl_cats
2008-09-17 03:07 --------- d-----w C:\Program Files\LimeWire
2008-09-15 23:57 --------- d-----w C:\Program Files\PokerRoom.com
2008-09-15 23:56 --------- d-----w C:\Documents and Settings\Alex\Application Data\Azureus
2008-09-14 21:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-14 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-09-05 03:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-05 03:02 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-08-23 03:56 --------- d-----w C:\Program Files\IDoser v4
2008-08-22 20:07 --------- d-----w C:\Program Files\EA Games
2008-08-22 11:05 --------- d-----w C:\Documents and Settings\Alex\Application Data\Audacity
2008-08-21 06:11 --------- d-----w C:\Documents and Settings\Alex\Application Data\AdobeUM
2008-08-20 22:12 --------- d-----w C:\Program Files\MagicISO
2008-08-20 05:00 --------- d-----w C:\Documents and Settings\Alex\Application Data\DAEMON Tools
2008-08-20 04:11 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-08-18 01:01 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-08-13 20:35 --------- d-----w C:\Program Files\Apple Software Update
2008-08-13 20:34 --------- d-----w C:\Program Files\iTunes
2008-08-13 20:34 --------- d-----w C:\Program Files\iPod
2008-08-13 20:33 --------- d-----w C:\Program Files\Bonjour
2008-08-13 20:32 --------- d-----w C:\Program Files\QuickTime
2008-08-04 05:09 23 ----a-w C:\Documents and Settings\Alex\jagex_runescape_preferences.dat
2008-07-27 19:51 --------- d-----w C:\Documents and Settings\Alex\Application Data\Thunderbird
2008-06-20 17:24 61,224 ----a-w C:\Documents and Settings\Alex\GoToAssistDownloadHelper.exe
2007-04-30 03:24 28,048 -c--a-w C:\Documents and Settings\Alex\Application Data\GDIPFONTCACHEV1.DAT
2006-09-12 13:11 13,195 -c--a-w C:\Documents and Settings\Alex\zguicfgw.dat
2006-09-07 04:17 40 -c--a-w C:\Documents and Settings\Alex\language.dat
2008-02-24 03:42 88 --sh--r C:\WINDOWS\system32\B24EA90115.sys
2008-02-24 03:42 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2008-09-21_16.48.07.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-21 20:38:13 47,104 ----a-w C:\WINDOWS\system32\Rpcnet.dll
+ 2008-09-22 02:45:38 47,104 ----a-w C:\WINDOWS\system32\Rpcnet.dll
- 2008-09-21 20:38:15 17,408 ----a-w C:\WINDOWS\system32\Rpcnetp.exe
+ 2008-09-22 02:45:41 17,408 ----a-w C:\WINDOWS\system32\Rpcnetp.exe
+ 2008-09-22 02:45:45 16,384 --sha-w C:\WINDOWS\temp\Cookies\index.dat
+ 2008-09-22 02:45:45 16,384 --sha-w C:\WINDOWS\temp\History\History.IE5\index.dat
+ 2008-09-22 02:45:38 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_3d0.dat
+ 2008-09-22 02:45:45 32,768 --sha-w C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-03-15 1033800]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 C:\WINDOWS\MIDIDEF.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="C:\WINDOWS\UpdReg.exe" [2000-05-11 90112]
"VoiceCenter"="C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" [2006-01-02 1126400]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HostManager"="C:\Program Files\Common Files\AOL\1156110795\ee\AOLSoftware.exe" [2006-09-25 50736]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"razer"="C:\Program Files\Razer\razerhid.exe" [2005-05-17 147456]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 73728]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-24 185896]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 147456]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 221184]
"DMXLauncher"="C:\Program Files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 1116920]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]
"MBMon"="CTMBHA.DLL" [2006-03-03 C:\WINDOWS\system32\CTMBHA.DLL]
C:\Documents and Settings\Alex\Start Menu\Programs\Startup\
VirtuaGirl HD.LNK - C:\Program Files\vghd\vghd.exe [2008-04-30 11773248]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-07 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-01 24576]
eFax 4.3.lnk.disabled [2008-04-11 1665]
Fantastic Flame Agent.lnk - C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe [2006-10-14 25600]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 83360]
PowerGrid.lnk - C:\WINDOWS\Installer\{00002F99-E265-4492-A5E3-770098BCBE1F}\NewShortcut1_C248C566D0EF4982BEADC6129C3D127B.exe [2007-02-07 45056]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.exe [2006-10-10 122880]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-30 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-05-16 07:23 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-20 13:24 10536 C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\America Online 9.0a\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1156110795\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert(tm) II\\RA2\\game.exe"=
"C:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"C:\\Program Files\\Common Files\\AOL\\1156110795\\EE\\aolsoftware.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert(tm) II\\RA2\\mph.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grid Network Systems\\PowerGrid\\PowerGrid.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"48874:TCP"= 48874:TCP:Torrent
"48874:UDP"= 48874:UDP:Torrent1
"1445:UDP"= 1445:UDP:Windows Media Format SDK (firefox.exe)
"1444:UDP"= 1444:UDP:Windows Media Format SDK (firefox.exe)
R1 c2scsi;c2scsi;C:\WINDOWS\system32\drivers\c2scsi.sys [2006-03-04 241664]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-01 28216]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 GoToAssist;GoToAssist;C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe Start=service [ ]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-09-10 38528]
S3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 13225]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85165ca0-3d43-11db-bc9b-00038a000015}]
\Shell\AutoRun\command - F:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dda3545b-d121-11db-bda9-00038a000015}]
\Shell\AutoRun\command - E:\Autorun.exe
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 22:46:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\autochk(3).exe:BAK 22528 bytes executable
C:\WINDOWS\system32\autochk(4).exe:BAK 22528 bytes executable
scan completed successfully
hidden files: 2
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTSVCCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dwwin.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Alex\LOCALS~1\temp\clclean.0001
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.exe
C:\Program Files\Grid Network Systems\PowerGrid\PowerGrid.exe
C:\Program Files\Common Files\AOL\1156110795\EE\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-21 22:54:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-22 02:54:28
ComboFix2.txt 2008-09-22 02:30:08
ComboFix3.txt 2008-09-21 20:49:08
Pre-Run: 4,393,041,920 bytes free
Post-Run: 4,363,386,880 bytes free
263 --- E O F --- 2008-09-21 18:31:35
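
A triage pass over a ComboFix log like the one above, as an added example that is not part of the original post and not ComboFix's own code. It flags hidden+system files sitting directly in system32 (which includes B24EA90115.sys, the file the helper asked about), the disabled firewall and Security Center monitoring values, open firewall ports, and the `:BAK` alternate data streams catchme reported. The function names and finding labels are assumptions of this example, and the sample lines are copied from the logs in this thread with one record per line.

```python
import ntpath
import re

# Lines copied from the ComboFix logs in this thread, one record per line.
# Only a slice of the log, chosen so that every check below is exercised.
SAMPLE_LOG = r"""
2008-06-20 17:24 61,224 ----a-w C:\Documents and Settings\Alex\GoToAssistDownloadHelper.exe
2008-02-24 03:42 88 --sh--r C:\WINDOWS\system32\B24EA90115.sys
2008-02-24 03:42 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-08-18 01:01 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"48874:TCP"= 48874:TCP:Torrent
scanning hidden files ...
C:\WINDOWS\system32\autochk(3).exe:BAK 22528 bytes executable
C:\WINDOWS\system32\autochk(4).exe:BAK 22528 bytes executable
"""

# Find3M-style record: date, time, size, 7-character attribute string, path.
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>[\d,]+) "
    r"(?P<attrs>[-a-z]{7}) (?P<path>[A-Za-z]:\\.+)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# catchme hidden-file record: <path>:<stream name> <size> bytes [executable]
ADS_RE = re.compile(
    r"^(?P<file>[A-Za-z]:\\[^:]+):(?P<stream>\S+) \d+ bytes(?: executable)?$")


def reg_int(data):
    """Parse the two integer notations the log uses: dword:00000001 and 0 (0x0)."""
    data = data.strip()
    m = re.match(r"dword:([0-9a-fA-F]{8})$", data)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\b", data)
    return int(m.group(1)) if m else None


def triage(log_text):
    """Return (kind, detail) leads for manual review; a lead is not a verdict."""
    findings = []
    key = ""  # registry key that the current "name"=data lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data, k = m.group("name"), m.group("data"), key.lower()
            if (name == "EnableFirewall" and reg_int(data) == 0
                    and k.endswith(r"firewallpolicy\standardprofile")):
                findings.append(("firewall-disabled", key))
            elif (name == "DisableMonitoring" and reg_int(data) == 1
                    and r"security center\monitoring" in k):
                findings.append(("security-center-monitoring-off",
                                 key.rsplit("\\", 1)[-1]))
            elif k.endswith(r"globallyopenports\list"):
                findings.append(("open-port", name))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            in_system32 = ntpath.dirname(path).lower() == r"c:\windows\system32"
            # Hidden AND system on a file placed directly in system32.
            if "s" in attrs and "h" in attrs and in_system32:
                findings.append(("hidden-system-file", path))
            continue
        m = ADS_RE.match(line)
        if m:
            findings.append(("alternate-data-stream",
                             m.group("file") + ":" + m.group("stream")))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:32} {detail}")
```
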

Set up the computer to view hidden files:
To show hidden files do the following:
Click Start > My Computer
On the Tools menu, click Folder Options.
Click the View tab.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files.
Under the Hidden files folder, locate and check Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply > OK.
Now look again for:
C:\WINDOWS\system32\B24EA90115.sys

Didn't find anything. I have 4 autochk.exe files is that odd? I also have 8 svchost.exe running processes. 5 of which are for system. Just trying to help with some additional oddities that I am discovering.
File B24EA90115.sys received on 09.22.2008 05:16:55 (CET)
Result: 0/36 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.19.2 2008.09.22 -
AntiVir 7.8.1.34 2008.09.21 -
Authentium 5.1.0.4 2008.09.21 -
Avast 4.8.1195.0 2008.09.22 -
AVG 8.0.0.161 2008.09.21 -
BitDefender 7.2 2008.09.22 -
CAT-QuickHeal 9.50 2008.09.20 -
ClamAV 0.93.1 2008.09.22 -
DrWeb 4.44.0.09170 2008.09.21 -
eSafe 7.0.17.0 2008.09.21 -
eTrust-Vet 31.6.6098 2008.09.21 -
Ewido 4.0 2008.09.21 -
F-Prot 4.4.4.56 2008.09.21 -
F-Secure 8.0.14332.0 2008.09.22 -
Fortinet 3.113.0.0 2008.09.21 -
GData 19 2008.09.22 -
Ikarus T3.1.1.34.0 2008.09.22 -
K7AntiVirus 7.10.466 2008.09.20 -
Kaspersky 7.0.0.125 2008.09.22 -
McAfee 5388 2008.09.19 -
Microsoft 1.3903 2008.09.22 -
NOD32v2 3458 2008.09.21 -
Norman 5.80.02 2008.09.19 -
Panda 9.0.0.4 2008.09.21 -
PCTools 4.4.2.0 2008.09.21 -
Prevx1 V2 2008.09.22 -
Rising 20.62.62.00 2008.09.21 -
Sophos 4.33.0 2008.09.22 -
Sunbelt 3.1.1653.1 2008.09.20 -
Symantec 10 2008.09.22 -
TheHacker 6.3.0.9.090 2008.09.20 -
TrendMicro 8.700.0.1004 2008.09.20 -
VBA32 3.12.8.5 2008.09.22 -
ViRobot 2008.9.22.1386 2008.09.22 -
VirusBuster 4.5.11.0 2008.09.21 -
Webwasher-Gateway 6.6.2 2008.09.22 -
Additional information
File size: 88 bytes
MD5...: aeb9ebf704bed30037ec59264ac8451a
SHA1..: 6b2e889f1f07a27b63237c4e93d99c8ae3c1f4c8
SHA256: 4f515a9ee004f377165a3860c4bfc584e58038cc33001ad26ee6d345b60c7619
SHA512: 5cc998961c58fdf0fdb0300419a5fa12669f36b79dc7d2e17eff48e7e7419f5f
b5f8845e9a744261c89c66caff77b479774f18b2d1ee554af329e73116d395fa
PEiD..: -
TrID..: File type identification
MS Flight Simulator Aircraft Performance Info (100.0%)
PEInfo: -

Nothing too odd, let's do some clean-up and see if the online scan finds anything.
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program.
You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: File operation failure]
Apparently whatever I have has screwed with Internet Explorer and all else except Firefox. I did the ipconfig /flushdns and nothing happened. In fact, nothing can update but for some reason I can use firefox no problem. I tried to do a Trend online scan and it found two things but when I tried to get rid of them firefox just hung for 10 minutes. I can scan offline, if you have any free download scans I could run. Normally if I have to update I could do it manually with those.
By the way I think I got rid of the download manager thing, it looks like it was connected to some Virtua girl program no idea what that is. As soon as I got rid of that program the DM went away and I haven't seen it since. Also, my windows media player is acting up I can't play movies on websites and any movies I play that I have already downloaded onto the computer play but the play button is grayed out and if I touch anything windows media player crashes.
Again, just reporting on all oddities and updates I can as soon as possible. (The Windows media player thing was happening since the first post it's not new I just totally forgot about it).

Run the following tool and see if you can use IE or update again.
Download Dial-a-fix to your desktop.
Place a check in these boxes:
1. Empty temp folder
2. Fix windows installer
3. Fix windows update
4. Fix SSL/HTTPS/Cryptsvc
5. All 6 boxes under Registration Center
Press Go.
Wait a few minutes then exit the program.

Kaspersky froze while scanning outlook.psi. I am thinking that blowing away the system is the only option. It's not hardware related because when in safe mode it shuts down without a problem. Any other thoughts?

Let's reset the Domains:
Launch Notepad, and copy/paste everything between the X's making "regedit4" the very top line.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXThen, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.
Next, go to start> control panel> system> general> is the product ID listed (a random number etc. xxxxx-xxx-xxxxxxx-xxxxx or similar)? Do not post the number, just let me know if it exists.
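Merging fixme.reg deletes every per-domain zone assignment, including the Restricted-sites lists that SpywareBlaster, Spybot's Immunize and IE-SpyAd install. As an added example (not part of the original post), this Python script reads a REGEDIT4 export of the ZoneMap keys taken before the merge and lists which zone each domain was mapped to, so unexpected Trusted-sites entries can be reviewed; the sample export and its domain names are constructed, and the zone numbers are the standard Internet Explorer zone IDs.

```python
import re

# Standard Internet Explorer security zone IDs.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
ZONEMAP = r"\Internet Settings\ZoneMap\Domains" + "\\"

# Constructed sample of a REGEDIT4 export taken before merging fixme.reg
# (domain names are placeholders, not values from the thread).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked.example]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unknown.example\www]
"http"=dword:00000002
"https"=dword:00000002
'''

def parse_zonemap(export_text):
    """Return (hive, domain, protocol, zone) tuples from a ZoneMap Domains export."""
    entries, hive, domain = [], None, None
    for line in export_text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(HKEY_[A-Z_]+)\\(.+)\]", line)
        if key:
            hive, path = key.group(1), key.group(2)
            _, sep, rest = path.partition(ZONEMAP)
            # Key layout is Domains\<domain>[\<subdomain>]; rebuild the host name.
            domain = ".".join(reversed(rest.split("\\"))) if sep and rest else None
            continue
        val = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if val and domain:
            entries.append((hive, domain, val.group(1), int(val.group(2), 16)))
    return entries

def trusted_entries(entries):
    """Entries mapped to zone 2; each should be one the user added knowingly."""
    return [e for e in entries if e[3] == 2]

def summarize(entries):
    """Count entries per zone name, to see what the reset will discard."""
    counts = {}
    for *_, zone in entries:
        name = ZONES.get(zone, f"zone {zone}")
        counts[name] = counts.get(name, 0) + 1
    return counts

if __name__ == "__main__":
    print(summarize(parse_zonemap(SAMPLE_EXPORT)))
```
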

Sorry for the delay, I will have the answer up tomorrow morning. I was away from the computer for a while because of work. Just wanted to let you know that I am still here.
