 |  |  |  |  |  |  |  |
win32 cutwail removal
Thread Solved |
•
•
Join Date: Jul 2008
Posts: 3,080
Reputation: 
Solved Threads: 175
You didn't give me time to read the HJT log and give the fixes using it. If you would feel better doing the other, as I said, go ahead. If you look at the MBA-M log it shows that it was removed by MBA-M. The instructions given on the page you linked say do a Quick Scan with MBA-M, we have you do a Full Scan. But that said, if you would feel better then do the steps listed on the page, post back with the logs and then I will give you the clean up steps using a new HJT scan log.
Last edited by jholland1964; Aug 13th, 2009 at 2:55 pm.
•
•
Join Date: Oct 2007
Posts: 1,297
Reputation:
Solved Threads: 68
Right, ok I cannot get SFix to work so what are the options ? MBA-M might have removed it but it certainly is still present in the system so I guess it replicated...
Computers are man's attempt at designing a cat: It does whatever it wants, whenever it wants, and rarely ever at the right time.
•
•
Join Date: Jul 2008
Posts: 3,080
Reputation:
Solved Threads: 175
SDFix must be used in Safe Mode only. This may be one reason why you say it won't work. But if you feel it has replicated then, why?
SDFix wouldn't be the tool to use for that anyway. It is not listed on the items which that SDFix will remove on the SDFix Information page.
Instead you should do the following:
Download ComboFix from Here or Here. Save it to the desktop.
Do NOT run the program yet.
First you must do the following:
# Close all open Windows including this one.
# Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. I
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
Once you double-click on the icon you may see a Windows Prompt.
Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix is now preparing to run and when it has finished you will see the Disclaimer screen you should press the number 1 key and then press the enter key to continue.
ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry.
Once the Windows Registry has finished being backed up, ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program.
ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.
When ComboFix has finished running, you will see a screen stating that it is preparing the log report
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically
You should now post this log here when all is complete.
SDFix wouldn't be the tool to use for that anyway. It is not listed on the items which that SDFix will remove on the SDFix Information page.
Instead you should do the following:
Download ComboFix from Here or Here. Save it to the desktop.
Do NOT run the program yet.
First you must do the following:
# Close all open Windows including this one.
# Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. I
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
Once you double-click on the icon you may see a Windows Prompt.
Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix is now preparing to run and when it has finished you will see the Disclaimer screen you should press the number 1 key and then press the enter key to continue.
ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry.
Once the Windows Registry has finished being backed up, ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program.
ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.
When ComboFix has finished running, you will see a screen stating that it is preparing the log report
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically
You should now post this log here when all is complete.
Last edited by jholland1964; Aug 13th, 2009 at 3:11 pm.
•
•
Join Date: Oct 2007
Posts: 1,297
Reputation:
Solved Threads: 68
Ok, thanks very much for all your help. I tried SDFIx only in safe mode, didn't work. I will try ComboFix and post results later. Thanks again. EDIT: I think it must have replicated itself because after MBA-M removed, rebooted, then another reboot I launched security task manager and Braviax was still listed as a running process.
Last edited by majestic0110; Aug 13th, 2009 at 3:48 pm.
Computers are man's attempt at designing a cat: It does whatever it wants, whenever it wants, and rarely ever at the right time.
•
•
Join Date: Oct 2007
Posts: 1,297
Reputation:
Solved Threads: 68
OK. ComboFix has finished now, rather fast I thought ! Here is the log :
What is the next step ?
•
•
•
•
ComboFix 09-08-10.06 - Phil 13/08/2009 19:47.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1588 [GMT 1:00]
Running from: c:\documents and settings\Phil\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090812-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Phil\Application Data\.#
c:\documents and settings\Phil\Application Data\wiaserva.log
c:\documents and settings\Phil\Start Menu\Programs\Startup\ikowin32.exe
c:\windows\kb913800.exe
c:\windows\system32\1.tmp
c:\windows\system32\braviax.exe
c:\windows\system32\tmp.reg
c:\windows\system32\wisdstr.exe
Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ntfs.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2
((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
.
2009-08-13 17:45 . 2009-08-13 17:45 -------- d-----w- c:\windows\system32\LogFiles
2009-08-12 19:12 . 2009-08-12 19:12 619584 -c--a-w- c:\windows\system32\dllcache\ntfs.sys
2009-08-12 17:59 . 2009-08-12 17:59 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-08-12 14:02 . 2009-08-12 14:02 -------- d-----w- c:\program files\Trend Micro
2009-08-12 11:34 . 2009-08-12 11:34 -------- d-----w- c:\documents and settings\Phil\Application Data\Malwarebytes
2009-08-12 11:34 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-12 11:34 . 2009-08-12 11:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-12 11:34 . 2009-08-12 11:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 11:34 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-12 11:32 . 2009-08-12 11:33 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-12 11:26 . 2009-08-12 11:26 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_BF69C629A0D9405408006C3D4A3A11E8.dll
2009-08-12 11:26 . 2009-08-12 11:26 302 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E5D9D200AB92D6E3B94CD3D7D6CB37C5.dll
2009-08-12 11:26 . 2009-08-12 11:26 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DC3BF90CC0D3D2F398A9A6D1762F70F3.dll
2009-08-12 11:26 . 2009-08-12 11:26 1251 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D20352A90C039D93DBF6126ECE614057.dll
2009-08-12 11:26 . 2009-08-12 11:26 265 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D169751270508A44CB2FE12E4D938EFD.dll
2009-08-12 11:26 . 2009-08-12 11:26 82 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_7A43E36E255EB214E904DFF65C22A7AB.dll
2009-08-12 11:26 . 2009-08-12 11:26 125 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_71008F6089F849C48B8625535896CF23.dll
2009-08-12 11:26 . 2009-08-12 11:26 27 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_4F4A3A23297B6D117AA8000B0D611004.dll
2009-08-12 11:26 . 2009-08-12 11:26 103 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_342C9E3FE221B6D4CA1C1EEF0CF2C61A.dll
2009-08-12 11:26 . 2009-08-12 11:26 3568 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_26DDC2EC4210AC63483DF9D4FCC5B59D.dll
2009-08-12 11:26 . 2009-08-12 11:26 316 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0D756077321A70C3E844C138CE981581.dll
2009-08-12 11:26 . 2009-08-12 11:26 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0DC1503A46F231838AD88BCDDC8E8F7C.dll
2009-08-12 11:14 . 2008-04-13 19:20 182656 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-08-12 10:51 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 14:22 . 2009-08-11 14:22 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\Identities
2009-08-10 19:11 . 2009-08-10 19:11 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\Help
2009-08-08 23:04 . 2009-03-04 09:31 4202496 ----a-w- c:\windows\system32\drivers\NETw5x32.sys
2009-08-08 23:04 . 2008-06-20 09:33 2756608 ----a-w- c:\windows\system32\NETw5r32.dll
2009-08-08 23:04 . 2008-06-20 09:32 663552 ----a-w- c:\windows\system32\NETw5c32.dll
2009-08-08 18:58 . 2009-08-08 18:58 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-05 15:50 . 2009-06-30 16:40 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-05 15:12 . 2009-08-12 19:50 -------- d-----w- c:\documents and settings\Phil\Application Data\vlc
2009-08-05 11:47 . 2009-08-05 11:47 152576 ----a-w- c:\documents and settings\Phil\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-07-29 07:18 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 07:18 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-27 19:44 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2009-07-27 12:54 . 2009-07-27 12:54 -------- d-----w- c:\documents and settings\Phil\.netbeans-derby
2009-07-27 12:29 . 2009-07-27 12:52 -------- d-----w- c:\documents and settings\Phil\.netbeans
2009-07-27 12:29 . 2009-07-27 12:29 -------- d-----w- c:\documents and settings\Phil\.netbeans-registration
2009-07-27 12:29 . 2009-07-27 12:29 -------- d-----w- c:\program files\Apache Software Foundation
2009-07-27 12:28 . 2009-07-27 21:30 -------- d-----w- c:\program files\sges-v3-prelude
2009-07-27 12:26 . 2009-07-27 12:26 -------- d-----w- C:\Sun
2009-07-27 12:21 . 2009-07-30 16:49 -------- d-----w- c:\program files\NetBeans 6.7
2009-07-25 23:01 . 2009-07-27 12:32 -------- d-----w- c:\documents and settings\Phil\.nbi
2009-07-24 16:59 . 2009-07-24 16:59 -------- d-----w- c:\program files\Firaxis Games
2009-07-23 19:50 . 2009-07-23 19:54 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\Eraser
2009-07-23 17:00 . 2009-07-23 17:00 -------- d-----w- c:\program files\Recuva
2009-07-23 12:56 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-07-23 12:56 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-07-22 16:14 . 2009-07-22 16:14 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\Apple
2009-07-21 15:17 . 2009-07-21 15:17 -------- d-----w- c:\documents and settings\Phil\bluej
2009-07-21 15:15 . 2009-07-21 15:15 -------- d-----w- c:\program files\Sun
2009-07-21 14:56 . 2009-07-21 15:10 -------- d-----w- c:\documents and settings\Phil\.SunDownloadManager
2009-07-21 14:55 . 2009-07-21 14:55 -------- d-----w- C:\BlueJ
2009-07-17 19:01 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2009-07-16 15:07 . 2009-07-16 15:07 -------- d-----w- c:\program files\CCleaner
2009-07-16 13:37 . 2009-07-16 13:37 -------- d-----w- c:\program files\Sophos
2009-07-15 17:26 . 2009-07-15 17:26 -------- d-----w- C:\Restoration
2009-07-15 15:56 . 2009-07-15 15:56 -------- d-----w- c:\program files\LSoft Technologies
2009-07-15 15:18 . 2009-08-13 12:18 -------- d-----w- c:\program files\iStar
2009-07-14 20:39 . 2009-07-26 14:52 -------- d-----w- c:\documents and settings\Phil\.fontconfig
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 18:54 . 2009-07-11 14:29 -------- d-----w- c:\program files\PeerGuardian2
2009-08-13 18:04 . 2009-05-03 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-13 14:16 . 2009-05-09 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-08-12 13:31 . 2009-05-04 21:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-12 12:18 . 2009-06-30 18:36 -------- d-----w- c:\program files\Security Task Manager
2009-08-12 00:29 . 2009-05-14 15:00 1 ----a-w- c:\documents and settings\Phil\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-08-11 23:17 . 2009-07-12 16:35 -------- d-----w- c:\program files\Diablo II
2009-08-05 11:47 . 2006-03-17 10:58 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2006-03-17 09:20 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:15 . 2009-05-07 07:56 6388 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-01 11:15 . 2009-05-15 19:40 -------- d-----w- c:\documents and settings\Phil\Application Data\gtk-2.0
2009-07-29 20:46 . 2009-05-03 18:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-27 19:45 . 2009-07-27 19:45 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-27 19:44 . 2009-07-27 19:44 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-25 11:38 . 2006-03-17 12:26 38576 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-25 04:23 . 2009-05-15 12:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 17:18 . 2006-03-17 11:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-21 15:10 . 2009-05-12 12:58 -------- d-----w- c:\program files\Doom Builder
2009-07-20 12:03 . 2009-05-31 01:04 -------- d-----w- c:\program files\LaunchTool
2009-07-17 19:01 . 2006-03-17 09:19 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 21:16 . 2009-05-13 14:14 -------- d-----w- c:\program files\Project64 1.6
2009-07-13 14:40 . 2009-07-13 14:27 1004 ----a-w- c:\windows\eReg.dat
2009-07-13 14:34 . 2009-07-13 14:17 -------- d-----w- c:\program files\EA Games
2009-07-13 09:08 . 2006-03-17 09:20 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 22:34 . 2009-07-12 16:45 35165 ----a-w- c:\windows\DIIUnin.dat
2009-07-12 16:45 . 2009-07-12 16:45 2829 ----a-w- c:\windows\DIIUnin.pif
2009-07-12 16:45 . 2009-07-12 16:45 94208 ----a-w- c:\windows\DIIUnin.exe
2009-07-11 23:05 . 2009-07-11 21:44 -------- d-----w- c:\documents and settings\Phil\Application Data\dvdcss
2009-07-03 17:09 . 2006-03-17 09:20 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-02 23:29 . 2009-07-02 23:29 -------- d-----w- c:\documents and settings\Phil\Application Data\InterVideo
2009-07-01 17:12 . 2009-07-01 17:12 -------- d-----w- c:\program files\Alwil Software
2009-07-01 13:43 . 2009-07-01 13:43 -------- dc----w- c:\documents and settings\All Users\Application Data\{8AE45C14-3559-45A6-AF34-03CE304FA276}
2009-07-01 13:20 . 2009-07-01 13:20 -------- d-----w- c:\program files\MSBuild
2009-07-01 13:20 . 2009-07-01 13:20 -------- d-----w- c:\program files\Reference Assemblies
2009-07-01 13:08 . 2009-07-01 13:08 -------- d-----w- c:\documents and settings\Phil\Application Data\Uniblue
2009-07-01 13:06 . 2009-07-01 13:06 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-07-01 13:06 . 2009-07-01 13:06 -------- d-----w- c:\program files\Uniblue
2009-06-30 18:36 . 2009-06-30 18:36 295 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_C9D2F2ED2E35EE04289047AD36BC60E0.dll
2009-06-30 18:36 . 2009-06-30 18:36 26 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D139E7FE48CDB174D86B8A3385904547.dll
2009-06-30 18:36 . 2009-06-30 18:36 133 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8C585A7BE4EC0514486C1AC3C31B73F9.dll
2009-06-30 18:36 . 2009-06-30 18:36 258 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0558D69260BC4E84A9B85E30F46B7451.dll
2009-06-28 20:45 . 2009-06-28 20:45 -------- d-----w- c:\program files\Bullfrog
2009-06-28 18:10 . 2009-05-12 17:16 -------- d-----w- c:\program files\id Software
2009-06-28 15:40 . 2009-06-28 15:40 -------- d-----w- c:\documents and settings\Phil\Application Data\Stellarium
2009-06-25 10:11 . 2009-06-25 10:11 -------- d-----w- c:\documents and settings\Phil\Application Data\Echo Software
2009-06-25 10:10 . 2009-06-25 10:10 -------- d-----w- c:\program files\Programmers Notepad
2009-06-25 09:52 . 2009-06-25 09:52 98304 ----a-r- c:\documents and settings\Phil\Application Data\Microsoft\Installer\{DE2F2D9C-53E2-40EE-8209-74DA63CB060E}\python_icon.exe
2009-06-16 14:36 . 2006-03-17 09:20 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-03-17 09:19 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 09:01 . 2009-06-16 09:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-06-15 20:24 . 2009-06-15 20:24 -------- d-----w- c:\program files\CDisplay
2009-06-15 18:47 . 2009-06-15 18:47 2989 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-06-15 18:46 . 2009-06-15 18:46 -------- d-----w- c:\documents and settings\Phil\Application Data\AccurateRip
2009-06-15 18:46 . 2009-06-15 18:46 -------- d-----w- c:\program files\Illustrate
2009-06-15 18:44 . 2009-06-15 18:46 515760 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-06-15 16:58 . 2009-06-15 16:58 -------- d-----w- c:\documents and settings\Phil\Application Data\Red Alert 3
2009-06-15 16:58 . 2009-06-15 16:58 -------- d--h--r- c:\documents and settings\Phil\Application Data\SecuROM
2009-06-15 16:58 . 2009-06-15 16:58 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-15 16:57 . 2009-06-15 16:30 -------- d-----w- c:\program files\Electronic Arts
2009-06-15 16:57 . 2009-06-15 16:57 3624 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-06-15 15:38 . 2009-06-15 15:38 3710 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F6CAE87C37A7E2541843BD2B61C5A586.dll
2009-06-15 15:38 . 2009-06-15 15:38 2429 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_556106D545D648345BC271CE3558BFDB.dll
2009-06-15 15:38 . 2009-06-15 15:38 1260 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_079F5538D106D2447AB9D1D74B2FC4DA.dll
2009-06-14 21:42 . 2009-06-14 21:42 -------- d-----w- c:\program files\Common Files\DirectX
2009-06-12 12:31 . 2006-03-17 09:20 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2006-03-17 09:20 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-11 14:49 . 2009-06-11 14:49 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-10 14:13 . 2006-03-17 09:19 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 09:08 . 2009-06-10 09:08 152576 ----a-w- c:\documents and settings\Phil\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-10 08:19 . 2006-03-17 10:31 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2006-03-17 09:20 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 10:42 . 2009-05-03 20:41 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 10:42 . 2009-05-03 18:05 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:09 . 2006-03-17 09:20 1291264 ----a-w- c:\windows\system32\quartz.dll
.
------- Sigcheck -------
[7] 2004-08-10 13:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\dllcache\beep.sys
c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-16 7557120]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-03-15 1769472]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-02-16 1519616]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-17 61952]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\DOOM Collector's Edition\\prboom-2.5.0-win32\\prboom-2.5.0-win32\\prboom_server.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"c:\\Program Files\\Diablo II\\Diablo II.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_14\\jre\\bin\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_14\\bin\\java.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [01/07/2009 18:12 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [01/07/2009 18:12 20560]
R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [17/03/2006 13:04 7040]
S4 SecureLockWare_EncryptFilterDriver;SecureLockWare Encryption Filter driver;c:\windows\system32\DRIVERS\ENCRFIL.SYS --> c:\windows\system32\DRIVERS\ENCRFIL.SYS [?]
S4 SecureLockWare_EncryptFilterDriver2;SecureLockWare Encryption Filter driver Ver.2;c:\windows\system32\DRIVERS\SLWFIL.SYS --> c:\windows\system32\DRIVERS\SLWFIL.SYS [?]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\nhirqmwn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-13 19:52
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-736535237-3451093729-2193730098-1005\Software\SecuROM\License information*]
"datasecu"=hex:78,6d,b1,42,29,9e,a5,fe,2f,6b,f2,6a,bc,0e,e3,2d,58,c7,dd,9c,b8,
da,93,35,2c,33,f3,bd,8a,17,d8,72,d1,ae,95,50,f0,c4,b8,a8,ed,59,ce,79,60,48,\
"rkeysecu"=hex:7a,3b,2b,b7,2b,f5,d7,62,5e,01,02,2f,46,97,95,b7
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1188)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSENG.DLL
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\COMMON~1\X10\Common\X10nets.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-13 19:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-13 18:57
Pre-Run: 26,369,249,280 bytes free
Post-Run: 26,243,436,544 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
351 --- E O F --- 2009-08-12 16:48
Last edited by majestic0110; Aug 13th, 2009 at 4:09 pm.
Computers are man's attempt at designing a cat: It does whatever it wants, whenever it wants, and rarely ever at the right time.
•
•
Join Date: Jul 2008
Posts: 3,080
Reputation:
Solved Threads: 175
Run a new HJT scan and post the log.
•
•
Join Date: Oct 2007
Posts: 1,297
Reputation:
Solved Threads: 68
HJT log :
•
•
•
•
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:13:53, on 13/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase1140.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
--
End of file - 6905 bytes
Last edited by majestic0110; Aug 13th, 2009 at 4:15 pm.
Computers are man's attempt at designing a cat: It does whatever it wants, whenever it wants, and rarely ever at the right time.
•
•
Join Date: Jul 2008
Posts: 3,080
Reputation:
Solved Threads: 175
Update MBA-M and give us one more Full Scan with it.
•
•
Join Date: Oct 2007
Posts: 1,297
Reputation:
Solved Threads: 68
OK will do, I might have to post the results over the weekend though as I have to go out now. I really do appreciate your help, you're the best! It looks a lot cleaner to me now after ComboFix actually. But I might be wrong...
Computers are man's attempt at designing a cat: It does whatever it wants, whenever it wants, and rarely ever at the right time.
•
•
Join Date: Jul 2008
Posts: 3,080
Reputation:
Solved Threads: 175
Don't use the computer then until everything is deemed fully clean. Be sure it is not on or connected to the internet until you have completed the steps. We want to be sure all is gone.
Last edited by jholland1964; Aug 13th, 2009 at 5:03 pm.
 |
Similar Threads
- w32\alemod.e.dll removal - help! (Viruses, Spyware and other Nasties)
- About:blank problem (Viruses, Spyware and other Nasties)
- Cool Web Search hijack (Viruses, Spyware and other Nasties)
- |imp| Need help with cleaning all these crawling trojans and wormies... (Viruses, Spyware and other Nasties)
- Aurora / Norton Renewal Date (Viruses, Spyware and other Nasties)
- My HJT log. Ready for help!! (Viruses, Spyware and other Nasties)
- isrvs..please help (Viruses, Spyware and other Nasties)
- hijacked computer (Viruses, Spyware and other Nasties)
- edmond.exe & ceres.dll and other nasty stuff (Viruses, Spyware and other Nasties)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Please have a look at this HijackThis Log
- Next Thread: Browser redirect issue
Views: 4255 | Replies: 36
| Thread Tools | Search this Thread |
Latest Viruses, Spyware and other Nasties Posts
Related Forum Features
Tag cloud for Viruses, Spyware and other Nasties
adobe adware anti-malware anti-virussitesaccessissue antivirus apple attack audio avg backtoschoolspeech bar blackhat botnet botnets china combofix commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia email europe exam facebook fake fancheckvirus gaming gumblar hijack internet iphone kaspersky legal logfiles mail malware mcafee mega-d messagelabs microsoft mobile msn news norton obama panel parents pc phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem redirect redirecting reliability report research risk rogueantivirus rootkit scareware school search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen threat trojan unabletoaccessanti-virussites unwanted update usa virus viruses vista volume vulnerability warning windows worm zero-day
