Trouble with a virus? Have hijackthis log.

class6 | #11 | Jan 6th, 2009
Yes, that is what I am doing. When I get all of the AVG processes out of there, I run Combofix. When it starts running, it comes up with a warning saying that AVG is running. I go back into task manager, and the processes for AVG are back. I'm confused.

jholland1964 (Moderator) | #12 | Jan 6th, 2009
These are the processes you should be stopping:
MsMpEng.exe
avgrsx.exe
avgemc.exe
avgtray.exe
When combofix gives this warning are you then stopping it or does it stop itself?

class6 | #13 | Jan 6th, 2009
I end those processes, but they keep popping back up. Not sure what I am doing wrong. When Combofix gives the warning, I just exit out of it since AVG is still somehow running. I close the box where it will run, and then the box with the warning.

jholland1964 (Moderator) | #14 | Jan 7th, 2009
Are you stopping and then rebooting or stopping and then running combofix? You shouldn't reboot but go straight to combofix.

class6 | #15 | Jan 7th, 2009
OK. I finally got it to work. Here is the log.

ComboFix 09-01-05.05 - Cass Mortenson 2009-01-06 23:24:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.224 [GMT -6:00]
Running from: c:\documents and settings\Cass Mortenson\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\bszip.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-06 23:00 . 2004-08-04 00:56 116,224 --a------ c:\windows\SYSTEM32\DLLCACHE\xrxwiadr.dll
2009-01-06 23:00 . 2001-08-17 22:37 99,865 --a------ c:\windows\SYSTEM32\DLLCACHE\xlog.exe
2009-01-06 23:00 . 2004-08-04 04:00 28,288 --a------ c:\windows\SYSTEM32\DLLCACHE\xjis.nls
2009-01-06 23:00 . 2001-08-17 22:37 27,648 --a------ c:\windows\SYSTEM32\DLLCACHE\xrxftplt.exe
2009-01-06 23:00 . 2001-08-17 22:36 23,040 --a------ c:\windows\SYSTEM32\DLLCACHE\xrxwbtmp.dll
2009-01-06 23:00 . 2001-08-17 22:36 17,408 --a------ c:\windows\SYSTEM32\DLLCACHE\xrxscnui.dll
2009-01-06 23:00 . 2001-08-17 22:37 4,608 --a------ c:\windows\SYSTEM32\DLLCACHE\xrxflnch.exe
2009-01-06 22:58 . 2001-08-17 13:28 765,884 --a------ c:\windows\SYSTEM32\DLLCACHE\usrti.sys
2009-01-06 22:57 . 2001-08-17 13:28 794,654 --a------ c:\windows\SYSTEM32\DLLCACHE\usr1801.sys
2009-01-06 22:56 . 2004-08-04 04:00 571,392 --a------ c:\windows\SYSTEM32\DLLCACHE\tintlgnt.ime
2009-01-06 22:55 . 2001-08-17 14:56 172,768 --a------ c:\windows\SYSTEM32\DLLCACHE\t2r4disp.dll
2009-01-06 22:54 . 2004-08-04 04:00 456,704 --a------ c:\windows\SYSTEM32\DLLCACHE\smtpsvc.dll
2009-01-06 22:53 . 2004-08-03 22:41 404,990 --a------ c:\windows\SYSTEM32\DLLCACHE\slntamr.sys
2009-01-06 22:52 . 2001-08-17 22:36 386,560 --a------ c:\windows\SYSTEM32\DLLCACHE\sgiul50.dll
2009-01-06 22:51 . 2001-08-17 22:36 495,616 --a------ c:\windows\SYSTEM32\DLLCACHE\sblfx.dll
2009-01-06 22:50 . 2001-08-17 13:28 899,146 --a------ c:\windows\SYSTEM32\DLLCACHE\r2mdkxga.sys
2009-01-06 22:49 . 2004-08-04 04:00 482,304 --a------ c:\windows\SYSTEM32\DLLCACHE\pintlgnt.ime
2009-01-06 22:48 . 2001-08-17 14:05 351,616 --a------ c:\windows\SYSTEM32\DLLCACHE\ovcodek2.sys
2009-01-06 22:47 . 2008-08-14 03:22 2,015,744 --a------ c:\windows\SYSTEM32\DLLCACHE\OLD4AE.tmp
2009-01-06 22:46 . 2004-08-04 04:00 1,875,968 --a------ c:\windows\SYSTEM32\DLLCACHE\msir3jp.lex
2009-01-06 22:45 . 2001-08-17 12:50 320,384 --a------ c:\windows\SYSTEM32\DLLCACHE\mgaum.sys
2009-01-06 22:44 . 2004-08-04 04:00 1,158,818 --a------ c:\windows\SYSTEM32\DLLCACHE\korwbrkr.lex
2009-01-06 22:43 . 2004-08-04 04:00 811,064 --a------ c:\windows\SYSTEM32\DLLCACHE\imjp81k.dll
2009-01-06 22:42 . 2004-08-04 04:00 13,463,552 --a------ c:\windows\SYSTEM32\DLLCACHE\hwxjpn.dll
2009-01-06 22:41 . 2001-08-17 13:28 542,879 --a------ c:\windows\SYSTEM32\DLLCACHE\hsf_msft.sys
2009-01-06 22:40 . 2001-08-17 14:56 1,733,120 --a------ c:\windows\SYSTEM32\DLLCACHE\g400d.dll
2009-01-06 22:39 . 2001-08-17 12:17 629,952 --a------ c:\windows\SYSTEM32\DLLCACHE\eqn.sys
2009-01-06 22:38 . 2001-08-17 12:14 952,007 --a------ c:\windows\SYSTEM32\DLLCACHE\diwan.sys
2009-01-06 22:37 . 2001-08-17 22:36 419,357 --a------ c:\windows\SYSTEM32\DLLCACHE\dgconfig.dll
2009-01-06 22:36 . 2004-08-04 04:00 1,677,824 --a------ c:\windows\SYSTEM32\DLLCACHE\chsbrkr.dll
2009-01-06 22:35 . 2004-08-04 00:56 1,888,992 --a------ c:\windows\SYSTEM32\DLLCACHE\ati3duag.dll
2009-01-06 22:34 . 2009-01-06 22:47 <DIR> d-------- c:\windows\LastGood
2009-01-06 13:14 . 2009-01-06 13:15 <DIR> d-------- c:\windows\ERUNT
2009-01-06 13:03 . 2009-01-06 13:42 <DIR> d-------- C:\SDFix
2009-01-06 07:10 . 2009-01-06 07:10 <DIR> d-------- c:\program files\Trend Micro
2009-01-06 00:49 . 2009-01-04 18:38 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-06 00:48 . 2009-01-06 00:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 00:48 . 2009-01-04 18:38 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-06 00:26 . 2009-01-06 00:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-06 00:25 . 2009-01-06 00:56 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-06 00:25 . 2009-01-06 00:56 <DIR> d-------- c:\documents and settings\Cass Mortenson\Application Data\SUPERAntiSpyware.com
2009-01-05 20:47 . 2009-01-06 00:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-04 20:55 . 2009-01-04 21:19 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-04 20:51 . 2005-08-25 19:18 118,784 --a------ c:\windows\SYSTEM32\MSSTDFMT.DLL
2009-01-04 19:29 . 2005-09-20 09:31 135,168 --a------ c:\windows\SYSTEM32\igfxres.dll
2009-01-04 19:13 . 2009-01-04 19:13 <DIR> d-------- c:\windows\ie8updates
2009-01-04 18:50 . 2009-01-04 18:50 <DIR> d-------- c:\program files\Windows Defender
2009-01-04 15:10 . 2009-01-04 17:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-04 12:03 . 2009-01-04 12:03 <DIR> d--hs---- c:\documents and settings\Cass Mortenson\PrivacIE
2009-01-04 10:54 . 2009-01-04 10:57 <DIR> d--h-c--- c:\windows\ie8
2009-01-04 09:20 . 2009-01-06 06:18 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-01-04 08:11 . 2009-01-04 08:11 <DIR> d-------- c:\documents and settings\Cass Mortenson\Application Data\Malwarebytes
2009-01-04 08:11 . 2009-01-04 08:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-04 08:06 . 2008-10-16 14:09 31,768 --a------ c:\windows\SYSTEM32\wucltui.dll.mui
2009-01-04 08:06 . 2008-10-16 14:07 23,576 --a------ c:\windows\SYSTEM32\wuaucpl.cpl.mui
2009-01-04 08:06 . 2008-10-16 14:07 23,576 --a------ c:\windows\SYSTEM32\wuapi.dll.mui
2009-01-04 08:06 . 2008-10-16 14:07 18,456 --a------ c:\windows\SYSTEM32\wuaueng.dll.mui
2009-01-04 07:56 . 2009-01-04 07:56 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-04 07:34 . 2008-08-14 03:58 2,136,064 --a------ c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2009-01-04 07:34 . 2008-08-14 03:22 2,015,744 --a------ c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2009-01-04 07:34 . 2008-06-13 07:10 272,128 --------- c:\windows\SYSTEM32\DRIVERS\bthport.sys
2009-01-04 07:34 . 2008-06-13 07:10 272,128 --a------ c:\windows\SYSTEM32\DLLCACHE\bthport.sys
2009-01-04 00:05 . 2009-01-04 00:05 133,632 --a------ c:\windows\otesufol.dll
2009-01-03 21:22 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DRIVERS\mouhid.sys
2009-01-03 21:22 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DLLCACHE\mouhid.sys
2009-01-03 09:02 . 2009-01-06 00:09 <DIR> d-------- c:\documents and settings\Cass Mortenson\.housecall6.6
2009-01-02 19:23 . 2009-01-04 15:15 <DIR> d-------- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 05:14 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-06 18:45 8,098 ----a-w C:\bt.bat
2009-01-06 18:45 208 ----a-w C:\testfile.bat
2009-01-04 03:30 --------- d-----w c:\program files\Common Files\Apple
2009-01-03 02:11 --------- d-----w c:\program files\Free Offers from Freeze.com
2008-12-14 13:59 5,699,584 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-11-22 07:45 1,536 ----a-w C:\run.exe
2008-11-21 04:52 --------- d-----w c:\documents and settings\Cass Mortenson\Application Data\ZoomBrowser EX
2008-11-21 04:52 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-11-16 10:04 27,904 ----a-w c:\windows\system32\drivers\ndisprot.sys
2008-11-12 09:13 --------- d-----w c:\documents and settings\Cass Mortenson\Application Data\Viewpoint
2008-11-12 08:26 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-10 05:07 --------- d-----w c:\program files\Windows Media Connect 2
2008-11-10 04:55 --------- d-----w c:\program files\Microsoft DirectX SDK (August 2008)
2008-11-10 04:44 120,328 ----a-w c:\windows\dxsdkuninst.exe
2008-11-10 03:53 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-09 10:15 --------- d-----w c:\program files\iTunes
2008-11-09 10:15 --------- d-----w c:\program files\iPod
2008-11-09 10:15 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-09 10:10 --------- d-----w c:\program files\QuickTime
2008-11-09 10:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-09 10:07 --------- d-----w c:\program files\Apple Software Update
2008-11-09 10:07 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-11-09 01:23 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-11-09 01:23 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-11-09 01:23 10,520 ----a-w c:\windows\SYSTEM32\avgrsstx.dll
2008-11-09 01:23 --------- d-----w c:\program files\AVG
2008-10-24 11:10 453,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\SYSTEM32\gdi32.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\SYSTEM32\DLLCACHE\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-15 16:57 332,800 ----a-w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-04 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 06:51 306688 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 00:05 127035 c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-10-12 15:54 57344 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 09:32 77824 c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 09:35 94208 c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 19:12 221184 c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-03-12 06:25 11776 c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-04-22 23:22 26112 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 13:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-03-04 02:36 36975 c:\program files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 00:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2008-11-08 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-08 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-08 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2008-11-08 76040]
S0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys --> c:\windows\system32\drivers\spssys.sys [?]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\ndisprot.sys [2008-11-16 27904]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f:
\Shell\Open\command - f:\resycled\boot.com f:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43d795e5-9e55-11dd-916c-00038a000015}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f:
\Shell\Open\command - f:\resycled\boot.com f:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5872058a-aeb0-11db-9117-00038a000015}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a85de87-d9a6-11dd-918b-00038a000015}]
\Shell\AutoRun\command - F:\CDGO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bcd8c5f5-4a84-11da-90f0-00038a000015}]
\Shell\AutoRun\command - F:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-c:\windows\system32\kdplu.exe - c:\windows\system32\kdplu.exe
SharedTaskScheduler-IPC Configuration Utility - (no file)
MSConfigStartUp-LKdtbFUQ - c:\windows\dfgeymvf.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\McAfee.com\Agent\McAgent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\McAfee.com\Agent\McUpdate.exe
MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MPSExe - c:\program files\McAfee.com\MPS\mscifapp.exe
MSConfigStartUp-New - c:\progra~1\NEWDOT~1\NEWDOT~2.DLL
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-Send To Phone (myPhoneFiles - c:\program files\SiGi - MyPhoneFiles.com
MSConfigStartUp-SurfAccuracy - c:\program files\SurfAccuracy\SAcc.exe
MSConfigStartUp-TosGbWatcher - c:\program files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe
MSConfigStartUp-vgt75712 - c:\windows\system32\vgt75712.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Send to phone (myPhoneFiles.com) - c:\program files\SiGi - MyPhoneFiles.com Desktop Extension\mpfexe.htm
Trusted Zone: online.musicmatch.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 23:27:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4107866487-2833784691-940513215-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*NULL*]
.
Completion time: 2009-01-06 23:29:08
ComboFix-quarantined-files.txt 2009-01-07 05:29:02

Pre-Run: 99,394,420,736 bytes free
Post-Run: 99,387,195,392 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

308 --- E O F --- 2009-01-05 19:08:57

class6 | #16 | Jan 7th, 2009
And also, not too long after Combofix was done, AVG popped up with the Trojan horse Clicker.VMS again and the firewall shut down.
Thank you for helping. I don't know if I should just try a different firewall or not.

jholland1964 (Moderator) | #17 | Jan 7th, 2009
Exactly what firewall are you using?
There are several programs you need to uninstall, as shown in your combofix log.
Free Offers from Freeze.com
Viewpoint Media Player.
Look for those first in Add/Remove.
If you don't find them there then look here:
c:\program files\Free Offers from Freeze.com
c:\documents and settings\Cass Mortenson\Application Data\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint
Reboot the computer. Update MBA-M and then run a full system scan and have it remove everything found.
Reboot the computer and run a new HJT scan and post back with both logs.

class6 | #18 | Jan 7th, 2009
I am using the Windows firewall. I ran MBA-M and HJT again. Here they are.

Malwarebytes' Anti-Malware 1.32
Database version: 1629
Windows 5.1.2600 Service Pack 2

1/7/2009 3:45:06 PM
mbam-log-2009-01-07 (15-45-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 116159
Time elapsed: 1 hour(s), 4 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msn (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msnhost (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msnload (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msnconvert (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msnmessendger (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
___________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:48:10 PM, on 1/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - _{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Send to phone (myPhoneFiles.com) - C:\Program Files\SiGi - MyPhoneFiles.com Desktop Extension\mpfexe.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 6096 bytes
Join Date: Jul 2008
Posts: 3,078
Reputation: jholland1964 is a name known to all
Solved Threads: 174
Moderator
Featured Poster
jholland1964
Posting Sensei

Re: Trouble with a virus? Have hijackthis log.

 
0
  #19
Jan 7th, 2009
Ok, things look much better. Do you feel things are fixed or are you still having difficulties?
Judy
Join Date: Jan 2009
Posts: 11
Reputation: class6 is an unknown quantity at this point 
Solved Threads: 0
class6
Newbie Poster

Re: Trouble with a virus? Have hijackthis log.

 
0
  #20
Jan 7th, 2009
Thank you, thank you, thank you!!!!! Well, the firewall hasn't turned off for about 7 or so hours. I think that is a great sign. Thanks for all your help. I hope I didn't frustrate you too much. If you have time, I would just like to ask you a couple of questions. If you don't have time to answer, no need to worry. I was just wondering how you know what you are looking for, what is good and what is bad in these logs. It is very interesting. I am on my second year of school for programming and networking, but I haven't seen this stuff. Just curious how you do learn. By the way, on all the forums I've used, I have NEVER seen someone do so much to help, AND, how fast you reply to all of these. I really do appreciate it, and I can't thank you enough Judy. (I hope you get paid a lot of money!!!)
©2003 - 2009 DaniWeb® LLC