Tech Support Forum - View Single Post

herring · 05-06-2007, 10:05 PM

I will hold off on any installs of my own until we are sure the light at the end of the tunnel isn't a train.

Here is ComboFix.log from tonight:

"123" - 2007-05-06 20:58:32 Service Pack 2
ComboFix 07-05.05.4.V - Running from: "C:\Documents and Settings\123\Desktop\"

((((((((((((((((((((((((((((((( Files Created from 2007-04-06 to 2007-05-06 ))))))))))))))))))))))))))))))))))

2007-05-06 07:44 <DIR> d-------- C:\WINDOWS\LastGood
2007-05-06 07:42 21,895 --------- C:\WINDOWS\system32\comext.dll
2007-05-06 01:34 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-05-05 13:22 <DIR> d-------- C:\DOCUME~1\123\APPLIC~1\Talkback
2007-05-05 13:21 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-04 12:13 60 --a------ C:\fix.bat
2007-05-04 11:56 <DIR> d-------- C:\Deckard
2007-05-04 11:18 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-03 14:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-05-02 22:48 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-05-02 22:48 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-27 22:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-27 22:31 <DIR> d-------- C:\DOCUME~1\123\APPLIC~1\Lavasoft
2007-04-27 22:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-07 01:47:40 -------- d-----w C:\Program Files\ltmoh
2007-05-05 20:22:23 -------- d-----w C:\DOCUME~1\123\APPLIC~1.\Talkback
2007-04-28 05:31:17 -------- d-----w C:\DOCUME~1\123\APPLIC~1.\Lavasoft
2007-03-23 16:17:14 -------- d-----w C:\Program Files\Messenger

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{aa971e4f-e1bf-491e-9d4d-a933c161e48f}"="C:\WINDOWS\system32\comext.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{e57ce738-33e8-4c51-8354-bb4de9d215d1}"="C:\WINDOWS\system32\upnpui.dll"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\comext

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /installquiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TFNF5"
"hkey"="HKLM"
"command"="TFNF5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TosHKCW"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TouchED"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-06 20:59:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 2007-05-06 20:59:13
C:\ComboFix-quarantined-files.txt ... 2007-05-06 20:59
C:\ComboFix2.txt ... 2007-05-05 09:48
C:\ComboFix3.txt ... 2007-05-04 21:38

05-06-2007, 10:05 PM	#42 (permalink)
herring Registered User Join Date: May 2007 Posts: 25 OS: XP	Re: cp1041.nls removal help I will hold off on any installs of my own until we are sure the light at the end of the tunnel isn't a train. Here is ComboFix.log from tonight: "123" - 2007-05-06 20:58:32 Service Pack 2 ComboFix 07-05.05.4.V - Running from: "C:\Documents and Settings\123\Desktop\" ((((((((((((((((((((((((((((((( Files Created from 2007-04-06 to 2007-05-06 )))))))))))))))))))))))))))))))))) 2007-05-06 07:44 <DIR> d-------- C:\WINDOWS\LastGood 2007-05-06 07:42 21,895 --------- C:\WINDOWS\system32\comext.dll 2007-05-06 01:34 <DIR> d-------- C:\WINDOWS\BDOSCAN8 2007-05-05 13:22 <DIR> d-------- C:\DOCUME~1\123\APPLIC~1\Talkback 2007-05-05 13:21 0 --a------ C:\WINDOWS\nsreg.dat 2007-05-04 12:13 60 --a------ C:\fix.bat 2007-05-04 11:56 <DIR> d-------- C:\Deckard 2007-05-04 11:18 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-05-03 14:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee 2007-05-02 22:48 18,200 --a------ C:\WINDOWS\system32\wups2.dll 2007-05-02 22:48 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution 2007-04-27 22:31 <DIR> d-------- C:\Program Files\Lavasoft 2007-04-27 22:31 <DIR> d-------- C:\DOCUME~1\123\APPLIC~1\Lavasoft 2007-04-27 22:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-07 01:47:40 -------- d-----w C:\Program Files\ltmoh 2007-05-05 20:22:23 -------- d-----w C:\DOCUME~1\123\APPLIC~1.\Talkback 2007-04-28 05:31:17 -------- d-----w C:\DOCUME~1\123\APPLIC~1.\Lavasoft 2007-03-23 16:17:14 -------- d-----w C:\Program Files\Messenger (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] "{aa971e4f-e1bf-491e-9d4d-a933c161e48f}"="C:\WINDOWS\system32\comext.dll" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe" "NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "{e57ce738-33e8-4c51-8354-bb4de9d215d1}"="C:\WINDOWS\system32\upnpui.dll" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\comext HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages msv1_0\0\0 Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages scecli\0\0 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="nwiz" "hkey"="HKLM" "command"="nwiz.exe /installquiet" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SynTPEnh" "hkey"="HKLM" "command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SynTPLpr" "hkey"="HKLM" "command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="TFNF5" "hkey"="HKLM" "command"="TFNF5.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="TosHKCW" "hkey"="HKLM" "command"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="TouchED" "hkey"="HKLM" "command"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter HTTPFilter\0\0 LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService DnsCache\0\0 DcomLaunch DcomLaunch\0TermService\0\0 rpcss RpcSs\0\0 imgsvc StiSvc\0\0 termsvcs TermService\0\0 ****************************************************************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-06 20:59:12 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ****************************************************************** Completion time: 2007-05-06 20:59:13 C:\ComboFix-quarantined-files.txt ... 2007-05-06 20:59 C:\ComboFix2.txt ... 2007-05-05 09:48 C:\ComboFix3.txt ... 2007-05-04 21:38 Last edited by herring; 05-06-2007 at 10:14 PM.