|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help. |
 |
|
|
Thread Tools |
06-09-2008, 05:12 PM
|
#1 (permalink) |
|
Registered User
Join Date: Jun 2008
Posts: 10
OS: XP SP2
|
Clogged Computer
Helping a friend whose PC is clogged with malware. He's running XP (SP2) and symptoms are very sluggish, lots of popups, buffer overflow msgs, and attempt to install McAfee recently appeared to work, but program doesn't operate properly.
DSS main.txt is below. Extra.txt and Panda scans are attached. Your help is greatly appreciated. Dwight main.txt*************** Deckard's System Scanner v20071014.68 Run by fam on 2008-06-09 18:56:03 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 5 Restore Point(s) -- 108: 2008-06-09 23:56:21 UTC - RP299 - Deckard's System Scanner Restore Point 107: 2008-06-09 21:07:51 UTC - RP298 - System Checkpoint 106: 2008-06-08 20:43:22 UTC - RP297 - System Checkpoint 105: 2008-06-07 20:13:45 UTC - RP296 - System Checkpoint 104: 2008-06-05 17:51:29 UTC - RP295 - System Checkpoint -- First Restore Point -- 1: 2008-05-15 20:16:41 UTC - RP192 - System Checkpoint Backed up registry hives. Performed disk cleanup. Total Physical Memory: 384 MiB (512 MiB recommended). -- HijackThis (run as fam.exe) ------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:59:16 PM, on 6/9/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\program files\common files\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\Program Files\McAfee\VirusScan\McShield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\Program Files\SiteAdvisor\6261\SAService.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe C:\Program Files\SiteAdvisor\6261\SiteAdv.exe C:\WINDOWS\system32\devldr32.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\PROGRA~1\mcafee\msc\mcuimgr.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\fam\Desktop\dss.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\fam.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll O2 - BHO: {89759dcd-19e4-4779-3184-eec3fa8b2382} - {2832b8af-3cee-4813-9774-4e91dcd95798} - C:\WINDOWS\system32\hmbgeuij.dll O2 - BHO: (no name) - {4855CC91-9912-46CF-8DCE-270EE2069FF6} - C:\WINDOWS\system32\iiffEXqP.dll (file missing) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\mlJAqnMF.dll O2 - BHO: DbarBHO - {CC11617C-259E-429c-9063-7D70B8355EBD} - C:\Program Files\dbar\Deskbar.dll (file missing) O2 - BHO: (no name) - {D7953349-2B19-4654-BE43-26629652213A} - C:\WINDOWS\system32\efcBtUOi.dll O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Tracy.TURBO\Application Data\Deskbar_{EE464417-8E32-47dd-8DF5-0EE50BAA86D3}\starter.exe O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Glen\Local Settings\Temporary Internet Files\Content.IE5\VRDQ5B90\setup_sbd_en[1].exe O4 - HKLM\..\Run: [BM97b6fe8d] Rundll32.exe "C:\WINDOWS\system32\aowfnnvc.dll",s O4 - HKLM\..\Run: [9485cd11] rundll32.exe "C:\WINDOWS\system32\svpbtxcb.dll",b O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633 O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab O20 - Winlogon Notify: mlJAqnMF - C:\WINDOWS\SYSTEM32\mlJAqnMF.dll O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe -- End of file - 7447 bytes -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R1 aecc - c:\windows\system32\drivers\aecc.sys R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell> S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller> S3 mr7910 (Photo Viewer) - c:\windows\system32\drivers\mr7910.sys <Not Verified; Mars Semiconductor Corp.; PhotoViewer> -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- S3 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe (file missing) -- Device Manager: Disabled ---------------------------------------------------- No disabled devices found. -- Scheduled Tasks ------------------------------------------------------------- 2008-05-15 16:28:42 348 --a------ C:\WINDOWS\Tasks\McDefragTask.job 2008-05-15 16:28:41 350 --a------ C:\WINDOWS\Tasks\McQcTask.job -- Files created between 2008-05-09 and 2008-06-09 ----------------------------- 2008-06-09 18:58:39 0 d-------- C:\Program Files\Trend Micro 2008-06-09 18:39:12 0 d-------- C:\ie-spyad_zo 2008-06-09 18:20:40 0 d-------- C:\Program Files\SpywareBlaster 2008-06-09 10:46:36 0 d-------- C:\Program Files\Panda Security 2008-06-09 10:46:34 0 d-------- C:\WINDOWS\LastGood 2008-06-09 10:38:37 111616 --a------ C:\WINDOWS\system32\hmbgeuij.dll 2008-06-09 10:35:30 96256 --a------ C:\WINDOWS\system32\svpbtxcb.dll 2008-06-09 10:33:45 108544 --a------ C:\WINDOWS\system32\aowfnnvc.dll 2008-06-08 22:00:56 113664 --a------ C:\WINDOWS\system32\qfsydpjd.dll 2008-06-08 21:58:46 101376 -----n--- C:\WINDOWS\system32\pxtccvdu.dll 2008-06-08 21:58:15 105472 --a------ C:\WINDOWS\system32\utotswpf.dll 2008-06-08 13:31:54 0 d-------- C:\WINDOWS\pss 2008-06-08 12:50:50 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe 2008-06-08 12:48:35 0 d-------- C:\Documents and Settings\Administrator\Favorites 2008-06-08 12:48:35 0 d-------- C:\Documents and Settings\Administrator\Desktop 2008-06-08 12:48:35 0 d--hs---- C:\Documents and Settings\Administrator\Cookies 2008-06-08 12:48:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data 2008-06-08 12:48:35 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft 2008-06-08 12:48:34 0 d--h----- C:\Documents and Settings\Administrator\Templates 2008-06-08 12:48:34 0 dr------- C:\Documents and Settings\Administrator\Start Menu 2008-06-08 12:48:34 0 dr-h----- C:\Documents and Settings\Administrator\SendTo 2008-06-08 12:48:34 0 d--h----- C:\Documents and Settings\Administrator\Recent 2008-06-08 12:48:34 0 d--h----- C:\Documents and Settings\Administrator\PrintHood 2008-06-08 12:48:34 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT 2008-06-08 12:48:34 0 d--h----- C:\Documents and Settings\Administrator\NetHood 2008-06-08 12:48:34 0 d-------- C:\Documents and Settings\Administrator\My Documents 2008-06-08 12:48:34 0 d--h----- C:\Documents and Settings\Administrator\Local Settings 2008-06-07 21:59:51 111616 --a------ C:\WINDOWS\system32\xsnrcuwd.dll 2008-06-07 21:59:33 101376 --a------ C:\WINDOWS\system32\gnmxbfpr.dll 2008-06-06 21:58:04 93184 --a------ C:\WINDOWS\system32\avwurjdd.dll 2008-06-06 21:57:53 108544 --a------ C:\WINDOWS\system32\ttbeidvu.dll 2008-06-06 21:57:38 107520 --a------ C:\WINDOWS\system32\jrdcefaw.dll 2008-06-06 21:56:17 107520 --a------ C:\WINDOWS\system32\bcohiwfg.dll 2008-06-05 15:00:36 0 d-------- C:\Documents and Settings\Guest\Application Data\Move Networks 2008-06-04 21:11:15 97280 -----n--- C:\WINDOWS\system32\oqxhdbsp.dll 2008-06-04 21:11:06 104448 --a------ C:\WINDOWS\system32\fcaibryo.dll 2008-06-04 21:10:49 106496 --a------ C:\WINDOWS\system32\mpylqmro.dll 2008-06-03 14:37:01 114688 --a------ C:\WINDOWS\system32\twakmbgs.dll 2008-06-02 13:07:47 114688 --a------ C:\WINDOWS\system32\utbgrkss.dll 2008-06-01 13:03:00 108544 --a------ C:\WINDOWS\system32\ugnexgrj.dll 2008-06-01 12:59:54 104448 --a------ C:\WINDOWS\system32\pnaejahk.dll 2008-05-31 13:01:20 108544 --a------ C:\WINDOWS\system32\xkkwjtul.dll 2008-05-31 12:59:27 95232 -----n--- C:\WINDOWS\system32\mwsjykyc.dll 2008-05-31 12:59:13 104448 --a------ C:\WINDOWS\system32\slxquroj.dll 2008-05-31 12:46:55 0 d-------- C:\Documents and Settings\fam\Application Data\Leadertech 2008-05-30 13  39 104448 --a------ C:\WINDOWS\system32\yhtjapgi.dll2008-05-30 12:58:31 109568 --a------ C:\WINDOWS\system32\mxlkyirm.dll 2008-05-29 22:33:01 0 d-------- C:\Documents and Settings\fam\Application Data\Yahoo! 2008-05-29 22:33:01 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion 2008-05-29 11:58:56 101376 -----n--- C:\WINDOWS\system32\igtutjtt.dll 2008-05-29 11:58:48 111616 --a------ C:\WINDOWS\system32\qdkqpskn.dll 2008-05-29 11:58:33 106496 --a------ C:\WINDOWS\system32\sujvscyg.dll 2008-05-29 11:57:50 106496 --a------ C:\WINDOWS\system32\klkevmfd.dll 2008-05-28 10:50:43 97280 -----n--- C:\WINDOWS\system32\vgfyhbui.dll 2008-05-28 10:50:28 104448 --a------ C:\WINDOWS\system32\wnaaimsu.dll 2008-05-26 02:20:29 94208 -----n--- C:\WINDOWS\system32\qxgxrkeq.dll 2008-05-26 02:16:15 117760 --a------ C:\WINDOWS\system32\ukjesyso.dll 2008-05-26 02:14:26 109056 --a------ C:\WINDOWS\system32\pgtkyrfv.dll 2008-05-24 23:35:13 117760 --a------ C:\WINDOWS\system32\dsmasgyr.dll 2008-05-24 23:30:43 108544 --a------ C:\WINDOWS\system32\iennvokw.dll 2008-05-23 22:45:51 118272 --a------ C:\WINDOWS\system32\ntgmnjuq.dll 2008-05-23 22:39:52 110080 --a------ C:\WINDOWS\system32\ypqidihb.dll 2008-05-22 22:44:09 93184 --a------ C:\WINDOWS\system32\twnkoujp.dll 2008-05-22 22:40:42 117760 --a------ C:\WINDOWS\system32\hykswuei.dll 2008-05-22 22:38:50 109568 --a------ C:\WINDOWS\system32\vfjhucyu.dll 2008-05-22 12:03:44 0 d-------- C:\Documents and Settings\fam\Application Data\MSNInstaller 2008-05-21 22:56:08 117760 --a------ C:\WINDOWS\system32\uomkmmru.dll 2008-05-21 20:58:06 109056 --a------ C:\WINDOWS\system32\glijdlhy.dll 2008-05-21 12:51:26 93696 -----n--- C:\WINDOWS\system32\sraxkwar.dll 2008-05-20 21:00:06 118272 --a------ C:\WINDOWS\system32\fyoylbyk.dll 2008-05-20 20:57:03 109056 --a------ C:\WINDOWS\system32\nlhdbrnc.dll 2008-05-19 21:04:00 117760 --a------ C:\WINDOWS\system32\qkadwfvb.dll 2008-05-19 21:01:05 94208 --a------ C:\WINDOWS\system32\canxkbrb.dll 2008-05-19 20:55:01 109056 --a------ C:\WINDOWS\system32\tmmhfael.dll 2008-05-19 13:08:43 0 d-------- C:\Documents and Settings\fam\Application Data\Macromedia 2008-05-19 13:07:45 0 d-------- C:\Documents and Settings\fam\Application Data\Adobe 2008-05-19 13:07:09 0 d-------- C:\Documents and Settings\fam\Application Data\SiteAdvisor 2008-05-19 13 27 0 d-------- C:\Documents and Settings\fam\Application Data\Identities2008-05-19 13:05:58 0 d--h----- C:\Documents and Settings\fam\Templates 2008-05-19 13:05:58 0 dr------- C:\Documents and Settings\fam\Start Menu 2008-05-19 13:05:58 0 dr-h----- C:\Documents and Settings\fam\SendTo 2008-05-19 13:05:58 0 dr-h----- C:\Documents and Settings\fam\Recent 2008-05-19 13:05:58 0 d--h----- C:\Documents and Settings\fam\PrintHood 2008-05-19 13:05:58 0 d--h----- C:\Documents and Settings\fam\NetHood 2008-05-19 13:05:58 0 dr------- C:\Documents and Settings\fam\My Documents 2008-05-19 13:05:58 0 d--h----- C:\Documents and Settings\fam\Local Settings 2008-05-19 13:05:58 0 dr------- C:\Documents and Settings\fam\Favorites 2008-05-19 13:05:58 0 d-------- C:\Documents and Settings\fam\Desktop 2008-05-19 13:05:58 0 d--hs---- C:\Documents and Settings\fam\Cookies 2008-05-19 13:05:58 0 dr-h----- C:\Documents and Settings\fam\Application Data 2008-05-19 13:05:57 3670016 --ah----- C:\Documents and Settings\fam\NTUSER.DAT 2008-05-18 21:21:50 0 d-------- C:\Documents and Settings\Guest\Application Data\SiteAdvisor 2008-05-18 20:59:02 95232 --a------ C:\WINDOWS\system32\narytiqq.dll 2008-05-18 20:53:00 737556 --ahs---- C:\WINDOWS\system32\iOUtBcfe.ini2 2008-05-18 20:52:54 375808 --a------ C:\WINDOWS\system32\efcBtUOi.dll 2008-05-17 15:20:59 109568 --a------ C:\WINDOWS\system32\idmixyju.dll 2008-05-17 10:34:39 83664 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT 2008-05-17 10:24:25 95232 --a------ C:\WINDOWS\system32\slwhbhfy.dll 2008-05-16 16:22:39 0 d-------- C:\Program Files\Svconr 2008-05-16 16:22:38 0 d-------- C:\Program Files\Temporary 2008-05-16 15:29:16 93696 -----n--- C:\WINDOWS\system32\udnlixhq.dll 2008-05-16 15:20:15 108544 --a------ C:\WINDOWS\system32\ifmgfjmk.dll 2008-05-16 14:30:34 93696 --a------ C:\WINDOWS\system32\yaxgkmlg.dll 2008-05-16 14:28:53 108544 --a------ C:\WINDOWS\system32\shwbhrlq.dll 2008-05-16 14:27:32 1342214 --ahs---- C:\WINDOWS\system32\gQYGOXbc.ini2 2008-05-16 12:44:15 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy 2008-05-15 21:45:45 0 d-------- C:\Program Files\AntiSpywareMaster 2008-05-15 17:25:39 0 d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY\Desktop 2008-05-15 17:25:39 0 d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\SiteAdvisor 2008-05-15 16:32:21 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Desktop 2008-05-15 16:32:21 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\SiteAdvisor 2008-05-15 16:32:05 0 d-------- C:\Program Files\SiteAdvisor 2008-05-15 16:32:04 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SiteAdvisor 2008-05-15 16:27:58 0 d-------- C:\Program Files\McAfee.com 2008-05-15 16:27:34 0 d-------- C:\Program Files\Common Files\McAfee 2008-05-15 16:27:22 0 d-------- C:\Program Files\McAfee 2008-05-15 16:22:03 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee 2008-05-15 15:22:31 116224 --a------ C:\WINDOWS\system32\prhykopg.dll 2008-05-15 15:19:19 0 d-------- C:\Temp 2008-05-15 15:18:56 0 d-------- C:\Program Files\dbar 2008-05-15 15:17:50 108544 --a------ C:\WINDOWS\system32\jlpjqfst.dll 2008-05-15 14:04:29 0 d-------- C:\Program Files\Common Files\Scanner 2008-05-15 14:04:28 0 d-------- C:\Program Files\PCPitstop 2008-05-15 14:02:31 0 dr------- C:\Documents and Settings\LocalService.NT AUTHORITY\Favorites 2008-05-14 16:46:33 1345106 --ahs---- C:\WINDOWS\system32\PqXEffii.ini2 2008-05-14 16:45:07 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ> 2008-05-14 16:42:25 861 --a------ C:\WINDOWS\system32\winpfz33.sys 2008-05-14 16:41:48 298311 --a------ C:\WINDOWS\system32\gside.exe 2008-05-14 16:41:41 0 d--hs---- C:\WINDOWS\Z2xlbiBydXRoZXJmb3Jk 2008-05-14 16:41:39 49159 --a------ C:\WINDOWS\system32\rwwnw64d.exe <Not Verified; ; Browser Driver> 2008-05-14 16:41:30 86144 -----n--- C:\WINDOWS\system32\drivers\aecc.sys 2008-05-14 16:41:29 0 d-------- C:\Program Files\winvi 2008-05-14 16:41:26 0 d-------- C:\WINDOWS\system32\polX 2008-05-14 16:41:26 0 d-------- C:\WINDOWS\system32\GUI2 2008-05-14 16:41:26 0 d-------- C:\WINDOWS\system32\binR 2008-05-14 16:41:26 0 d-------- C:\WINDOWS\system32\3036a 2008-05-14 16:41:22 0 d-------- C:\WINDOWS\system32\dFrnx18 2008-05-14 16:41:16 28672 -----n--- C:\WINDOWS\system32\mlJAqnMF.dll 2008-05-14 15:15:45 0 d-------- C:\Program Files\Microsoft Works 2008-05-14 15:07:58 0 d-------- C:\WINDOWS\SHELLNEW 2008-05-13 15:01:40 0 d-------- C:\Program Files\Microsoft Small Business 2008-05-13 14:57:45 0 d-------- C:\Program Files\Microsoft.NET 2008-05-13 14:55:00 0 d-------- C:\Program Files\Microsoft SQL Server 2008-05-12 08:43:38 68096 --a------ C:\WINDOWS\b155.exe -- Find3M Report --------------------------------------------------------------- 2008-05-29 22:28:33 0 d-------- C:\Program Files\Yahoo! 2008-05-22 12:02:41 0 d--h----- C:\Program Files\InstallShield Installation Information 2008-05-22 12:00:15 0 d-------- C:\Program Files\Common Files 2008-05-18 01:13:18 0 d-------- C:\Program Files\Hunting Unlimited 2008-05-15 15:21:45 0 d-------- C:\Program Files\LimeWire 2008-05-15 15:21:30 0 d-------- C:\Program Files\Google -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2832b8af-3cee-4813-9774-4e91dcd95798}] 06/09/2008 10:38 AM 111616 --a------ C:\WINDOWS\system32\hmbgeuij.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4855CC91-9912-46CF-8DCE-270EE2069FF6}] C:\WINDOWS\system32\iiffEXqP.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}] 05/14/2008 04:41 PM 28672 --------- C:\WINDOWS\system32\mlJAqnMF.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC11617C-259E-429c-9063-7D70B8355EBD}] C:\Program Files\dbar\Deskbar.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7953349-2B19-4654-BE43-26629652213A}] 05/18/2008 08:52 PM 375808 --a------ C:\WINDOWS\system32\efcBtUOi.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [02/04/2002 10:32 PM] "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM] "Host Process"="C:\WINDOWS\Fonts\svchost.exe" [] "dbar_starter"="C:\Documents and Settings\Tracy.TURBO\Application Data\Deskbar_{EE464417-8E32-47dd-8DF5-0EE50BAA86D3}\starter.exe" [] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [06/21/2007 03:06 PM] "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM] "SBI"="C:\Documents and Settings\Glen\Local Settings\Temporary Internet Files\Content.IE5\VRDQ5B90\setup_sbd_en[1].exe" [05/15/2008 11:29 PM] "BM97b6fe8d"="C:\WINDOWS\system32\aowfnnvc.dll" [06/09/2008 10:33 AM] "9485cd11"="C:\WINDOWS\system32\svpbtxcb.dll" [06/09/2008 10:35 AM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}"= C:\WINDOWS\system32\mlJAqnMF.dll [05/14/2008 04:41 PM 28672] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJAqnMF] mlJAqnMF.dll 05/14/2008 04:41 PM 28672 C:\WINDOWS\system32\mlJAqnMF.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Authentication Packages"= msv1_0 C:\WINDOWS\system32\efcBtUOi [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" *Newly Created Service* - RKPAVPROC -- Hosts ----------------------------------------------------------------------- 127.0.0.1 www.007guard.com 127.0.0.1 007guard.com 127.0.0.1 008i.com 127.0.0.1 www.008k.com 127.0.0.1 008k.com 127.0.0.1 www.00hq.com 127.0.0.1 00hq.com 127.0.0.1 010402.com 127.0.0.1 www.032439.com 127.0.0.1 032439.com 8382 more entries in hosts file. -- End of Deckard's System Scanner: finished at 2008-06-09 19:01:15 ------------ |
|
     
|
|
06-12-2008, 07:39 PM
|
#3 (permalink) | |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 25,561
OS: 2000 Pro; XP Pro; XP Home
|
Re: Clogged Computer
If your system seems sluggish, it could be due to low RAM, as well as the infections present.
Quote:
Please visit Crucial where you can either input your model number or download a small application that will tell you exactly the type of RAM you need. Address this as needed after the cleaning is complete. =================================== Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return. Once the Recovery Console is installed using ComboFix, you should see a message that says: The Recovery Console was successfully installed.  Please continue as follows: Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Click Yes to allow ComboFix to continue scanning for malware. When the tool is finished, it will produce a report for you. Post the log from ComboFix when you've accomplished that, along with a new HijackThis log. If you have any questions along the way, STOP and ask them before proceeding.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you.  Our help is voluntary, but this site needs donations to operate.
Please consider Donating to the Forum. Please do not ask for help via Private Message. Ask in the forums, so all may gain from the experience. |
|
|
|
|
|
06-13-2008, 09:34 AM
|
#4 (permalink) |
|
Registered User
Join Date: Jun 2008
Posts: 10
OS: XP SP2
|
Re: Clogged Computer
3 logs attached: 2x combofix and 1x hijackthis. Had trouble finding how to turn off all resident parts of McAfee, but thought we'd finally done it. Also, the recovery console install did not appear to work as expected. First combofix log (combofix_1.txt) identified both problems: AV still running and recoveryconsole not installed. So uninstalled McAfee. Recovery console install worked 2nd time. Second combofix log (combofix_2.txt) went much more quickly. Finally, ran hijackthis--log pasted below.
Roger the RAM problem. Have some DIMMs that should work. Thanks for your time and expertise. Dwight ComboFix 08-06-11.7 - fam 2008-06-13 11:11:19.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.170 [GMT -5:00] Running from: C:\Documents and Settings\fam\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\fam\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Glen\Start Menu\Programs\Startup\Deewoo.lnk C:\Documents and Settings\Glen\Start Menu\Programs\Startup\DW_Start.lnk C:\temp\tn3 C:\WINDOWS\b155.exe C:\WINDOWS\system32\drivers\aecc.sys C:\WINDOWS\system32\drivers\core.cache(2).dsk C:\WINDOWS\system32\drivers\core.cache(3).dsk C:\WINDOWS\system32\drivers\core.cache(4).dsk C:\WINDOWS\system32\drivers\core.cache.dsk . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_AECC -------\Service_aecc ((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 ))))))))))))))))))))))))))))))) . 2008-06-11 01:34 . 2008-06-11 01:35 <DIR> d-------- C:\Documents and Settings\fam\Application Data\Move Networks 2008-06-09 18:58 . 2008-06-09 18:58 <DIR> d-------- C:\Program Files\Trend Micro 2008-06-09 18:55 . 2008-06-09 18:55 <DIR> d-------- C:\Deckard 2008-06-09 18:39 . 2008-06-09 18:42 <DIR> d-------- C:\ie-spyad_zo 2008-06-09 18:20 . 2008-06-09 18:20 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-06-09 10:46 . 2008-06-09 10:50 <DIR> d-------- C:\Program Files\Panda Security 2008-06-08 12:48 . 2008-06-08 12:48 <DIR> d-------- C:\Documents and Settings\Administrator 2008-06-05 15:00 . 2008-06-05 15:05 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Move Networks 2008-05-31 12:46 . 2008-05-31 12:46 <DIR> d-------- C:\Documents and Settings\fam\Application Data\Leadertech 2008-05-29 22:33 . 2008-05-29 22:33 <DIR> d-------- C:\Documents and Settings\fam\Application Data\Yahoo! 2008-05-22 12:03 . 2008-05-22 12:03 <DIR> d-------- C:\Documents and Settings\fam\Application Data\MSNInstaller 2008-05-19 13:05 . 2008-06-08 12:40 <DIR> d-------- C:\Documents and Settings\fam 2008-05-17 10:34 . 2008-05-17 10:34 83,664 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT 2008-05-16 15:57 . 2008-06-02 15:01 637 --a------ C:\WINDOWS\wininit.ini 2008-05-16 12:44 . 2008-05-16 12:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy 2008-05-16 12:44 . 2008-05-16 19:24 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy 2008-05-15 16:32 . 2008-06-13 11:07 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SiteAdvisor 2008-05-15 16:22 . 2008-06-13 11:09 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee 2008-05-15 15:19 . 2008-06-13 11:14 <DIR> d-------- C:\Temp 2008-05-15 14:04 . 2008-05-15 14:04 <DIR> d-------- C:\Program Files\PCPitstop 2008-05-15 14:04 . 2008-05-15 15:14 <DIR> d-------- C:\Program Files\Common Files\Scanner 2008-05-14 16:45 . 2008-05-14 16:45 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll 2008-05-14 16:41 . 2008-05-15 17:24 <DIR> d--hs---- C:\WINDOWS\Z2xlbiBydXRoZXJmb3Jk 2008-05-14 16:41 . 2008-05-14 16:41 <DIR> d-------- C:\WINDOWS\system32\polX 2008-05-14 16:41 . 2008-06-09 18:08 <DIR> d-------- C:\WINDOWS\system32\GUI2 2008-05-14 16:41 . 2008-05-15 17:19 <DIR> d-------- C:\WINDOWS\system32\dFrnx18 2008-05-14 16:41 . 2008-05-14 16:41 <DIR> d-------- C:\WINDOWS\system32\binR 2008-05-14 16:41 . 2008-05-14 16:41 <DIR> d-------- C:\WINDOWS\system32\3036a 2008-05-14 15:15 . 2008-05-14 15:15 <DIR> d-------- C:\Program Files\Microsoft Works 2008-05-14 15:07 . 2008-05-14 15:21 <DIR> d-------- C:\WINDOWS\SHELLNEW 2008-05-13 15:18 . 2008-05-13 15:18 422 --a------ C:\WINDOWS\system32\mapisvc.inf 2008-05-13 15:01 . 2008-05-22 11:57 <DIR> d-------- C:\Program Files\Microsoft Small Business 2008-05-13 14:57 . 2008-05-22 11:58 <DIR> d-------- C:\Program Files\Microsoft.NET 2008-05-13 14:55 . 2008-05-13 15:00 <DIR> d-------- C:\Program Files\Microsoft SQL Server . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-13 15:51 --------- d-----w C:\Program Files\Yahoo! 2008-06-13 15:35 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP 2008-05-22 17:06 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help 2008-05-22 17:02 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-05-18 06:13 --------- d-----w C:\Program Files\Hunting Unlimited 2008-05-15 22:19 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! 2008-05-15 20:21 --------- d-----w C:\Program Files\LimeWire 2008-05-15 20:21 --------- d-----w C:\Program Files\Google 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2005-08-02 21:58 293,888 --sha-r C:\WINDOWS\Z2xlbiBydXRoZXJmb3Jk\command.exe 2005-07-29 21:24 472 --sha-r C:\WINDOWS\Z2xlbiBydXRoZXJmb3Jk\tZU5v21VxrlCtrLAvaL4.vbs . ((((((((((((((((((((((((((((( snapshot@2008-06-13_10.55.44.79 ))))))))))))))))))))))))))))))))))))))))) . + 2008-01-23 04:56:21 554,008 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\dao360.dll + 2007-12-10 12:41:11 518,944 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexch40.dll + 2007-12-10 12:41:11 326,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexcl40.dll + 2007-12-10 12:41:11 1,516,568 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjet40.dll + 2007-12-10 12:41:11 355,112 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjetol1.dll + 2008-03-27 07:39:13 151,583 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjint40.dll + 2007-12-10 12:41:12 60,192 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll + 2007-12-10 12:41:12 248,608 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjtes40.dll + 2007-12-10 12:41:12 219,936 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msltus40.dll + 2007-12-10 12:41:12 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mspbde40.dll + 2007-12-10 12:41:13 432,928 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd2x40.dll + 2007-12-10 12:41:13 322,336 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd3x40.dll + 2007-12-10 12:41:13 559,904 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrepl40.dll + 2007-12-10 12:41:13 264,992 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mstext40.dll + 2007-12-10 12:41:13 838,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswdat10.dll + 2007-12-10 12:41:14 621,344 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswstr10.dll + 2007-12-10 12:41:14 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msxbde40.dll + 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spmsg.dll + 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spuninst.exe + 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\spcustom.dll + 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\update.exe + 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\updspapi.dll - 2008-06-13 15:52:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-13 16:15:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-13 16:13:51 2,046 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{DF1E336C-AFD1-455D-9051-B66A5BE80B41}.bin - 2004-08-04 10:00:00 561,179 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll + 2008-03-25 04:50:25 554,008 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll - 2004-08-04 10:00:00 512,029 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll + 2008-03-25 04:50:28 518,944 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll - 2004-08-04 10:00:00 319,517 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll + 2008-03-25 04:50:30 326,432 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll - 2004-08-04 10:00:00 1,507,356 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll + 2008-03-25 04:50:34 1,516,568 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll - 2004-08-04 10:00:00 358,976 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll + 2008-03-25 04:50:40 355,112 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll - 2004-08-04 10:00:00 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll + 2008-03-27 08:12:54 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll - 2004-08-04 10:00:00 53,279 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll + 2008-03-25 04:50:42 60,192 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll - 2004-08-04 10:00:00 241,693 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll + 2008-03-25 04:50:42 248,608 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll - 2004-08-04 10:00:00 213,023 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll + 2008-03-25 04:50:44 219,936 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll - 2004-08-04 10:00:00 348,189 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll + 2008-03-25 04:50:45 355,104 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll - 2004-08-04 10:00:00 421,919 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll + 2008-03-25 04:50:47 432,928 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll - 2004-08-04 10:00:00 315,423 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll + 2008-03-25 04:50:49 322,336 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll - 2004-08-04 10:00:00 552,989 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll + 2008-03-25 04:50:52 559,904 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll - 2004-08-04 10:00:00 258,077 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll + 2008-03-25 04:50:55 264,992 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll - 2004-08-04 10:00:00 831,519 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll + 2008-03-25 04:50:57 838,432 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll - 2004-08-04 10:00:00 614,429 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll + 2008-03-25 04:50:58 621,344 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll - 2004-08-04 10:00:00 348,189 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll + 2008-03-25 04:50:58 355,104 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll - 2004-08-04 10:00:00 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll + 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll - 2004-08-04 10:00:00 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll + 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll - 2004-08-04 10:00:00 1,507,356 ----a-w C:\WINDOWS\system32\msjet40.dll + 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\msjet40.dll - 2004-08-04 10:00:00 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll + 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll - 2004-08-04 10:00:00 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll + 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll - 2004-08-04 10:00:00 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll + 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll - 2004-08-04 10:00:00 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll + 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll - 2004-08-04 10:00:00 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll + 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll - 2004-08-04 10:00:00 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll + 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll - 2004-08-04 10:00:00 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll + 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll - 2004-08-04 10:00:00 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll + 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll - 2004-08-04 10:00:00 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll + 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll - 2004-08-04 10:00:00 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll + 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll - 2004-08-04 10:00:00 614,429 ----a-w C:\WINDOWS\system32\mswstr10.dll + 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll - 2004-08-04 10:00:00 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll + 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13AC25C6-947A-4CF0-8EC3-8285EC3B5EE3}] C:\WINDOWS\system32\efcBtUOi.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4855CC91-9912-46CF-8DCE-270EE2069FF6}] C:\WINDOWS\system32\iiffEXqP.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}] C:\WINDOWS\system32\mlJAqnMF.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC11617C-259E-429c-9063-7D70B8355EBD}] C:\Program Files\dbar\Deskbar.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248] "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}"= C:\WINDOWS\system32\mlJAqnMF.dll [ ] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJAqnMF] mlJAqnMF.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux"= ctwdm32.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [] R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 17:29] . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-13 11:16:04 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\devldr32.exe . ************************************************************************** . Completion time: 2008-06-13 11:18:52 - machine was rebooted ComboFix-quarantined-files.txt 2008-06-13 16:18:48 ComboFix2.txt 2008-06-13 15:56:47 Pre-Run: 139,409,104,896 bytes free Post-Run: 139,319,607,296 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons 233 --- E O F --- 2008-06-13 16:12:51 HIJACKTHIS Log*************** Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:23:38 AM, on 6/13/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe C:\WINDOWS\system32\ctfmon.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\devldr32.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com O2 - BHO: (no name) - {13AC25C6-947A-4CF0-8EC3-8285EC3B5EE3} - C:\WINDOWS\system32\efcBtUOi.dll (file missing) O2 - BHO: (no name) - {4855CC91-9912-46CF-8DCE-270EE2069FF6} - C:\WINDOWS\system32\iiffEXqP.dll (file missing) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\mlJAqnMF.dll (file missing) O2 - BHO: DbarBHO - {CC11617C-259E-429c-9063-7D70B8355EBD} - C:\Program Files\dbar\Deskbar.dll (file missing) O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633 O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab O20 - Winlogon Notify: mlJAqnMF - mlJAqnMF.dll (file missing) O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) -- End of file - 4536 bytes Last edited by tetonbob : 06-13-2008 at 10:44 AM. |
|
|
|
|
06-13-2008, 10:51 AM
|
#5 (permalink) | |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 25,561
OS: 2000 Pro; XP Pro; XP Home
|
Re: Clogged Computer
Wow, uninstalling McAfee seems drastic. Now there's no protection on the machine. Perhaps you'd like to take this opportunity to install something else? I can give you links an excellent freeware AntiVirus. Let me know in this next reply, or reinstall McAfee after running ComboFix, but before the new HijackThis log.
====================================== Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Our help is voluntary, but this site needs donations to operate.
Please consider Donating to the Forum. Please do not ask for help via Private Message. Ask in the forums, so all may gain from the experience. |
|
|
|
|
|
06-13-2008, 07:31 PM
|
#6 (permalink) |
|
Registered User
Join Date: Jun 2008
Posts: 10
OS: XP SP2
|
Re: Clogged Computer
Ran script you provided. ComboFix log is attached. Reinstalled McAfee. My friend has a year subscription so will install freeware before that runs out. Which one do you recommend? HijackThis log is pasted below. There are also weird symbols on the boot screen when first starting the computer. Any ideas about that? Was already planning to check for BIOS updates once the viruses were gone. And add the RAM. Greatly appreciate your help with all of this. Dwight *************** ComboFix 08-06-11.7 - fam 2008-06-13 21:03:09.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.194 [GMT -5:00] Running from: C:\Documents and Settings\fam\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\fam\Desktop\CFScript.txt * Created a new restore point FILE :: C:\WINDOWS\system32\vbzip10.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\3036a C:\WINDOWS\system32\3036a\dBparsdll.exe C:\WINDOWS\system32\binR C:\WINDOWS\system32\binR\Wvram13.exe C:\WINDOWS\system32\dFrnx18 C:\WINDOWS\system32\GUI2 C:\WINDOWS\system32\polX C:\WINDOWS\system32\polX\roEbdll2.exe C:\WINDOWS\system32\vbzip10.dll C:\WINDOWS\Z2xlbiBydXRoZXJmb3Jk C:\WINDOWS\Z2xlbiBydXRoZXJmb3Jk\command.exe C:\WINDOWS\Z2xlbiBydXRoZXJmb3Jk\tZU5v21VxrlCtrLAvaL4.vbs . ((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 ))))))))))))))))))))))))))))))) . 2008-06-13 20:44 . 2008-06-13 20:44 <DIR> d-------- C:\WINDOWS\LastGood 2008-06-13 12:43 . 2008-06-13 12:43 <DIR> d--h----- C:\BJPrinter 2008-06-13 12:43 . 2002-09-05 14:00 87,552 --a------ C:\WINDOWS\system32\CNMLM3m.DLL 2008-06-13 12:43 . 2002-07-30 02:59 73,728 --a------ C:\WINDOWS\system32\CNMCP3m.exe 2008-06-13 12:43 . 2002-09-05 14:00 5,632 --a------ C:\WINDOWS\system32\CNMVS3m.DLL 2008-06-11 01:34 . 2008-06-11 01:35 <DIR> d-------- C:\Documents and Settings\fam\Application Data\Move Networks 2008-06-09 18:58 . 2008-06-09 18:58 <DIR> d-------- C:\Program Files\Trend Micro 2008-06-09 18:55 . 2008-06-09 18:55 <DIR> d-------- C:\Deckard 2008-06-09 18:39 . 2008-06-09 18:42 <DIR> d-------- C:\ie-spyad_zo 2008-06-09 18:20 . 2008-06-09 18:20 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-06-09 10:46 . 2008-06-09 10:50 <DIR> d-------- C:\Program Files\Panda Security 2008-06-08 12:48 . 2008-06-08 12:48 <DIR> d-------- C:\Documents and Settings\Administrator 2008-06-05 15:00 . 2008-06-05 15:05 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Move Networks 2008-05-31 12:46 . 2008-05-31 12:46 <DIR> d-------- C:\Documents and Settings\fam\Application Data\Leadertech 2008-05-29 22:33 . 2008-05-29 22:33 <DIR> d-------- C:\Documents and Settings\fam\Application Data\Yahoo! 2008-05-22 12:03 . 2008-05-22 12:03 <DIR> d-------- C:\Documents and Settings\fam\Application Data\MSNInstaller 2008-05-19 13:05 . 2008-06-08 12:40 <DIR> d-------- C:\Documents and Settings\fam 2008-05-17 10:34 . 2008-05-17 10:34 83,664 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT 2008-05-16 15:57 . 2008-06-02 15:01 637 --a------ C:\WINDOWS\wininit.ini 2008-05-16 12:44 . 2008-05-16 12:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy 2008-05-16 12:44 . 2008-05-16 19:24 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy 2008-05-15 16:32 . 2008-06-13 11:07 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SiteAdvisor 2008-05-15 16:22 . 2008-06-13 11:09 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee 2008-05-15 15:19 . 2008-06-13 11:14 <DIR> d-------- C:\Temp 2008-05-15 14:04 . 2008-05-15 14:04 <DIR> d-------- C:\Program Files\PCPitstop 2008-05-15 14:04 . 2008-05-15 15:14 <DIR> d-------- C:\Program Files\Common Files\Scanner 2008-05-14 15:15 . 2008-05-14 15:15 <DIR> d-------- C:\Program Files\Microsoft Works 2008-05-14 15:07 . 2008-05-14 15:21 <DIR> d-------- C:\WINDOWS\SHELLNEW . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-13 16:43 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP 2008-06-13 15:51 --------- d-----w C:\Program Files\Yahoo! 2008-05-22 17:06 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help 2008-05-22 17:02 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-05-22 16:58 --------- d-----w C:\Program Files\Microsoft.NET 2008-05-22 16:57 --------- d-----w C:\Program Files\Microsoft Small Business 2008-05-18 06:13 --------- d-----w C:\Program Files\Hunting Unlimited 2008-05-15 22:19 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! 2008-05-15 20:21 --------- d-----w C:\Program Files\LimeWire 2008-05-15 20:21 --------- d-----w C:\Program Files\Google 2008-05-13 20:00 --------- d-----w C:\Program Files\Microsoft SQL Server 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys . ((((((((((((((((((((((((((((( snapshot_2008-06-13_11.18.29.68 ))))))))))))))))))))))))))))))))))))))))) . - 2008-06-13 16:15:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-14 01:42:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat - 2004-08-04 10:00:00 2,804,224 ----a-w C:\WINDOWS\system32\dllcache\msi.dll + 2005-05-04 19:45:32 2,890,240 -c--a-w C:\WINDOWS\system32\dllcache\msi.dll - 2004-08-04 10:00:00 77,312 ----a-w C:\WINDOWS\system32\dllcache\msiexec.exe + 2005-05-04 19:45:36 78,848 -c--a-w C:\WINDOWS\system32\dllcache\msiexec.exe - 2004-08-04 10:00:00 331,264 ----a-w C:\WINDOWS\system32\dllcache\msihnd.dll + 2005-05-04 19:45:36 271,360 -c--a-w C:\WINDOWS\system32\dllcache\msihnd.dll - 2004-08-04 10:00:00 884,736 ----a-w C:\WINDOWS\system32\dllcache\msimsg.dll + 2005-05-04 19:45:36 884,736 -c--a-w C:\WINDOWS\system32\dllcache\msimsg.dll - 2004-08-04 10:00:00 44,032 ----a-w C:\WINDOWS\system32\dllcache\msisip.dll + 2005-05-04 19:45:36 15,360 -c--a-w C:\WINDOWS\system32\dllcache\msisip.dll - 2004-08-04 10:00:00 2,804,224 ----a-w C:\WINDOWS\system32\msi.dll + 2005-05-04 19:45:32 2,890,240 ----a-w C:\WINDOWS\system32\msi.dll - 2004-08-04 10:00:00 77,312 ----a-w C:\WINDOWS\system32\msiexec.exe + 2005-05-04 19:45:36 78,848 ----a-w C:\WINDOWS\system32\msiexec.exe - 2004-08-04 10:00:00 331,264 ----a-w C:\WINDOWS\system32\msihnd.dll + 2005-05-04 19:45:36 271,360 ----a-w C:\WINDOWS\system32\msihnd.dll - 2004-08-04 10:00:00 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll + 2005-05-04 19:45:36 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll - 2004-08-04 10:00:00 44,032 ----a-w C:\WINDOWS\system32\msisip.dll + 2005-05-04 19:45:36 15,360 ----a-w C:\WINDOWS\system32\msisip.dll + 2002-09-05 19:00:00 51,200 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNBMC130.DLL + 2002-09-05 19:00:00 50,176 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMCP3m.DLL + 2002-09-05 19:00:00 208,384 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMD43m.DLL + 2002-09-05 19:00:00 400,384 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMDR3m.DLL + 2002-09-05 19:00:00 17,920 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMFU3m.DLL + 2002-09-05 19:00:00 13,312 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMOP3m.DLL + 2002-09-05 19:00:00 23,280 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP03m.DAT + 2002-09-05 19:00:00 27,140 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP13m.DAT + 2002-09-05 19:00:00 30,320 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP23m.DAT + 2002-09-05 19:00:00 6,144 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMPI3m.DLL + 2002-09-05 19:00:00 57,856 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMPV3m.EXE + 2002-09-05 19:00:00 876,544 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSB3m.DLL + 2002-09-05 19:00:00 9,216 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSD3m.EXE + 2002-09-05 19:00:00 109,568 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSM3m.EXE + 2002-09-05 19:00:00 6,144 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSQ3m.EXE + 2002-09-05 19:00:00 47,104 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSR3m.DLL + 2002-09-05 19:00:00 110,080 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUB3m.DLL + 2002-09-05 19:00:00 1,406,976 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUI3m.DLL + 2002-09-05 19:00:00 146,944 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUR3m.DLL + 2002-09-05 19:00:00 13,824 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD3m.DLL + 2002-09-05 19:00:00 46,080 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP3m.DLL . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248] "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux"= ctwdm32.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [] R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 17:29] *Newly Created Service* - CATCHME . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-13 21:05:31 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-06-13 21 31ComboFix-quarantined-files.txt 2008-06-14 02 28ComboFix2.txt 2008-06-13 16:18:53 ComboFix3.txt 2008-06-13 15:56:47 Pre-Run: 139,098,345,472 bytes free Post-Run: 139,164,205,056 bytes free 159 --- E O F --- 2008-06-13 22:54:43 \Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:22:37 PM, on 6/13/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\devldr32.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Program Files\SiteAdvisor\6172\SAService.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-1006.bak\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?') O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-1006.bak\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?') O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-1006.bak\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?') O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-1006.bak\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?') O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-1006.bak\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User '?') O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-1007.bak\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?') O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator') O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-501\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Guest') O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-501\..\Run: [9485cd11] rundll32.exe "C:\WINDOWS\system32\avwurjdd.dll",b (User 'Guest') O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-501\..\Run: [BM97b6fe8d] Rundll32.exe "C:\WINDOWS\system32\jrdcefaw.dll",s (User 'Guest') O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag. |
