#1 - 05-06-2008, 01:43 PM - robertpwns (Registered User; Join Date: May 2008; Posts: 8; OS: XP Service Pack 2)


2020 search / 180 solutions / 123 messenger

Also, I'd like to add: my Task Manager does not open. It says it was disabled by the admin. I am the admin! lolz xD

Here's my Deckard's System Scanner log:

Deckard's System Scanner v20071014.68
Run by Robert on 2008-05-06 16:15:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
54: 2008-05-06 20:15:49 UTC - RP54 - Deckard's System Scanner Restore Point
53: 2008-05-06 19:23:38 UTC - RP53 - Software Distribution Service 3.0
52: 2008-05-06 14:41:08 UTC - RP52 - System Checkpoint
51: 2008-05-05 14:17:54 UTC - RP51 - System Checkpoint
50: 2008-05-04 13:29:55 UTC - RP50 - System Checkpoint


-- First Restore Point --
1: 2008-04-05 05:26:03 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-06 16:17:32
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\RTHDCPL.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Robert.WILEYRPROMO\Local Settings\Temporary Internet Files\Content.IE5\GD3RASI1\dss[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\ROBERT~1.WIL\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [WiseStubReboot] MSIEXEC /I "C:\Program Files\Common Files\Wise Installation Wizard\WIS3BE826F35FE54D71BCD806C1B95773C1_1_0_6_26619.MSI" WISE_SETUP_EXE_PATH="C:\Documents and Settings\Robert.WILEYRPROMO\Local Settings\Temporary Internet Files\Content.IE5\MT81CBJF\LegalSetup[1].exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1207375747171
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_05) - http://javadl.sun.com/webapps/downlo...BundleId=19588
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


--
End of file - 8919 bytes

-- File Associations -----------------------------------------------------------

.ini - inifile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.reg - regfile - shell\open\command - "regedit.exe" "%1"
.scr - scrfile - shell\open\command - "%1" %*
.txt - txtfile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 igfx - c:\windows\system32\drivers\igdkmd32.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows Vista(R)>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S? MsSecurity1.209.4 -


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-06 15:27:42 574 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Robert.job
2008-05-06 15:19:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-06 and 2008-05-06 -----------------------------

2008-05-06 16:07:33 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-05-06 16:07:32 0 d-------- C:\Program Files\SpywareBlaster
2008-05-06 15:02:54 0 d-------- C:\Program Files\Panda Security
2008-05-06 03:19:36 0 d-------- C:\WINDOWS\LastGood
2008-05-06 03:18:18 0 d-------- C:\Program Files\VstPlugins
2008-05-06 03:18:17 0 d-------- C:\Program Files\Image-Line
2008-05-06 03:18:02 1777664 --a------ C:\WINDOWS\system32\gdiplus.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-06 01:45:31 0 d-------- C:\Documents and Settings\Robert.WILEYRPROMO\Application Data\Malwarebytes
2008-05-06 01:45:17 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-05-06 01:45:16 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 01:15:39 0 d-------- C:\!KillBox
2008-05-05 22:43:16 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-05-05 20:56:01 0 d-------- C:\Program Files\Spyware Doctor
2008-05-05 20:56:01 0 d-------- C:\Documents and Settings\Robert.WILEYRPROMO\Application Data\PC Tools
2008-05-05 20:31:48 0 d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-05-05 18:15:59 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Macromedia
2008-05-05 18:15:59 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Adobe
2008-05-05 18:15:56 0 dr------- C:\Documents and Settings\LocalService.NT AUTHORITY\Favorites
2008-04-26 10:35:34 0 d-------- C:\Logs
2008-04-26 03:53:56 0 d-------- C:\Program Files\World of Warcraft
2008-04-25 23:40:31 517 --a------ C:\WINDOWS\AIMData.dat
2008-04-25 21:54:05 0 d-------- C:\Program Files\xyr0x security
2008-04-25 00:20:12 225280 --a------ C:\WINDOWS\system32\rewire.dll <Not Verified; Propellerhead Software AB; ReWire>
2008-04-20 14:29:16 0 d-------- C:\Program Files\Symantec
2008-04-20 14:11:14 0 d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
2008-04-19 17:31:08 0 d-------- C:\Program Files\Codemasters
2008-04-17 22:48:06 0 d-------- C:\b3a791f6ef0cfd8d9f591f50
2008-04-17 20:20:50 0 d-------- C:\ce576f3bf27c8ad45569cd18c5b05f
2008-04-16 16:13:11 0 d-------- C:\Documents and Settings\Robert.WILEYRPROMO\Application Data\MySpace
2008-04-16 16:13:08 0 d-------- C:\Program Files\MySpace
2008-04-15 20:12:12 0 d-------- C:\Program Files\FriendBlasterPro
2008-04-12 20:00:30 5536 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-12 19:54:13 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-04-11 18:49:06 101888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-04-11 17:36:56 0 d-------- C:\Documents and Settings\Robert.WILEYRPROMO\Shared
2008-04-11 17:36:55 0 d-------- C:\Documents and Settings\Robert.WILEYRPROMO\Incomplete
2008-04-11 17:36:44 0 d-------- C:\Documents and Settings\Robert.WILEYRPROMO\Application Data\LimeWire
2008-04-11 17:36:36 0 d-------- C:\Program Files\LimeWire
2008-04-06 13:46:56 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-05-06 14:56:13 0 d-------- C:\Program Files\Viewpoint
2008-05-05 20:23:58 13308 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-05-05 18:48:28 218624 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-26 10:35:47 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-20 14:37:43 0 d-------- C:\Program Files\Common Files
2008-04-20 14:33:52 0 d-------- C:\Program Files\Norton AntiVirus
2008-04-17 19:42:37 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-17 19:21:46 0 d-------- C:\Documents and Settings\Robert.WILEYRPROMO\Application Data\Adobe
2008-04-05 20:05:11 0 d-------- C:\Program Files\Realtek
2008-04-05 20:03:21 0 d-------- C:\Documents and Settings\Robert.WILEYRPROMO\Application Data\Apple Computer
2008-04-05 20:03:10 0 d-------- C:\Program Files\Safari
2008-04-05 20:02:40 0 d-------- C:\Program Files\Bonjour
2008-04-05 20:02:32 0 d-------- C:\Program Files\Apple Software Update
2008-04-05 14:58:44 0 d-------- C:\Documents and Settings\Robert.WILEYRPROMO\Application Data\WinRAR
2008-04-05 03:30:24 0 d-------- C:\Documents and Settings\Robert.WILEYRPROMO\Application Data\acccore
2008-04-05 03:30:03 0 d-------- C:\Program Files\AIM6
2008-04-05 02:56:28 0 d-------- C:\Program Files\BitLord
2008-04-05 02:44:29 0 d-------- C:\Program Files\Messenger
2008-04-05 02:14:03 0 d-------- C:\Documents and Settings\Robert.WILEYRPROMO\Application Data\Macromedia
2008-04-05 02:12:45 0 d-------- C:\Documents and Settings\Robert.WILEYRPROMO\Application Data\Sun
2008-04-05 02:12:25 0 d-------- C:\Program Files\Java
2008-04-05 0228 0 d-------- C:\Program Files\Intel
2008-04-05 02:05:13 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-04-05 02:01:52 0 d-------- C:\Program Files\Digital Line Detect
2008-04-05 02:01:43 0 d-------- C:\Documents and Settings\Robert.WILEYRPROMO\Application Data\InstallShield
2008-04-05 01:25:48 0 d-------- C:\Documents and Settings\Robert.WILEYRPROMO\Application Data\Identities
2008-04-05 01:18:00 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-04 20:09:08 62 --ahs---- C:\Documents and Settings\Robert.WILEYRPROMO\Application Data\desktop.ini
2008-03-31 15:19:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 15:17:27 0 d-------- C:\Program Files\MSXML 6.0
2008-03-24 04:25:49 0 d-------- C:\Program Files\QuickTime
2008-03-24 04:25:03 0 d-------- C:\Program Files\Common Files\Apple
2008-03-23 22:43:07 0 d-------- C:\Program Files\Windows Media Connect 2
2008-03-23 21:03:28 0 d-------- C:\Program Files\Windows Live
2008-03-23 21:02:38 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-23 20:58:01 0 d-------- C:\Program Files\Common Files\Java
2008-03-23 20:25:08 0 d-------- C:\Program Files\Common Files\AOL
2008-03-23 19:16:59 0 d-------- C:\Program Files\Modem Diagnostic Tool
2008-03-23 1936 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-23 03:25:24 0 d-------- C:\Program Files\Broadcom
2008-03-23 03:24:09 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-23 03:20:35 0 d-------- C:\Program Files\Dell
2008-03-22 19:07:28 0 d-------- C:\Program Files\microsoft frontpage
2008-03-22 19:07:03 0 -rahs---- C:\MSDOS.SYS
2008-03-22 19:07:03 0 -rahs---- C:\IO.SYS
2008-03-22 19:07:03 0 --a------ C:\CONFIG.SYS
2008-03-22 19:07:03 0 --a------ C:\AUTOEXEC.BAT
2008-03-22 19:05:54 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-22 19:05:03 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-22 19:04:56 0 d-------- C:\Program Files\Movie Maker
2008-03-22 19:03:49 0 d-------- C:\Program Files\Online Services
2008-03-22 19:03:41 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-22 19:03:33 0 d-------- C:\Program Files\Windows NT
2008-03-22 12:47:54 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-22 12:47:52 0 d-------- C:\Program Files\Common Files\SpeechEngines


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UIUCU"="C:\DOCUME~1\ROBERT~1.WIL\LOCALS~1\Temp\UIUCU.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"RTHDCPL"="RTHDCPL.EXE" [04/26/2007 02:27 PM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 06:43 PM C:\WINDOWS\Alcmtr.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [03/17/2008 08:05 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [03/17/2008 08:05 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [03/17/2008 08:05 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/04/2007 10:05 PM]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [06/26/2007 01:00 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/25/2008 04:21 PM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [02/01/2008 04:32 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"WiseStubReboot"=MSIEXEC /I "C:\Program Files\Common Files\Wise Installation Wizard\WIS3BE826F35FE54D71BCD806C1B95773C1_1_0_6_26619.MSI" WISE_SETUP_EXE_PATH="C:\Documents and Settings\Robert.WILEYRPROMO\Local Settings\Temporary Internet Files\Content.IE5\MT81CBJF\LegalSetup[1].exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [3/23/2008 7:00:49 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

*Newly Created Service* - RKPAVPROC



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8300 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-06 16:18:14 ------------
Attached file: extra.txt (12.5 KB)
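The Task Manager symptom described in the post above is visible in the log itself: the two O7 lines set DisableTaskMgr=1 under both the HKCU and HKLM Policies\System keys, the O4 list contains an autorun launched from a Temp directory (UIUCU.EXE), and a user IM client is registered to run under the SYSTEM and Default User profiles. The script below is an added example, not part of the original thread and not code from HijackThis, Deckard's System Scanner or ComboFix: it parses HijackThis-style lines (the sample lines are copied from the log above), flags those patterns with a simple heuristic, and builds reg.exe commands that remove the restrictive policy values. The severity labels, the Finding type and the list of suspicious path fragments are my own assumptions for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis section of the log posted
# above, with a few benign lines kept so the checks have something to skip.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\ROBERT~1.WIL\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O4 - HKLM\..\Run: [name] path" -> the section tag and the rest of the line.
HJT_LINE = re.compile(r"^(?P<sec>[ORF]\d+) - (?P<body>.*)$")

# Lower-cased path fragments that a legitimate autorun should not normally use.
# This list is an assumption made for the example, not something HijackThis defines.
TEMP_FRAGMENTS = ("\\temp\\", "\\temporary internet files\\")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low" (labels chosen for this example)
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per HijackThis line that matches a hijack heuristic."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header, blank or non-HijackThis line
        sec, body = m.group("sec"), m.group("body")
        low = body.lower()
        if sec == "O4":
            if any(frag in low for frag in TEMP_FRAGMENTS):
                findings.append(Finding("high", "autorun launched from a temporary directory", line))
            elif "(user 'system')" in low or "(user 'default user')" in low:
                findings.append(Finding("medium", "user application set to run under the SYSTEM or Default profile", line))
        elif sec == "O7":
            policy = re.search(r"(Disable\w+)=1", body)
            if policy:
                findings.append(Finding("high", f"restrictive policy {policy.group(1)} is set", line))
        elif sec == "O2" and ("(no file)" in low or "(file missing)" in low):
            findings.append(Finding("low", "BHO registered but its DLL is missing", line))
        elif sec == "O23" and "unknown owner" in low:
            findings.append(Finding("low", "service binary has no verified vendor", line))
    return findings


def policy_fix_commands(findings: list[Finding]) -> list[str]:
    """Build reg.exe commands that delete the O7 policy values that were flagged."""
    cmds: list[str] = []
    for f in findings:
        if not f.line.startswith("O7 - "):
            continue
        # body looks like: HKCU\...\Policies\System, DisableTaskMgr=1
        key, _, value = f.line[len("O7 - "):].partition(", ")
        name = value.partition("=")[0]
        cmds.append(f'reg delete "{key}" /v {name} /f')
    return cmds


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print("\nSuggested policy cleanup (run from an elevated prompt on the affected machine):")
    for cmd in policy_fix_commands(results):
        print("  " + cmd)
```

The flags are leads, not verdicts: an autorun in a Temp directory can be an installer's own cleanup stub, and a missing-DLL BHO is usually leftover from an uninstall. The reg delete lines should only be run after confirming that no real administrator or Group Policy set the value, since a domain policy would simply reapply it at the next refresh.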
#2 - 05-09-2008, 10:28 AM - Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 19,091; OS: WinXP and Vista)


Re: 2020 search / 180 solutions / 123 messenger

Hello robertpwns and welcome,

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider donating.

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
#3 - 05-16-2008, 02:49 PM - robertpwns (Registered User; Join Date: May 2008; Posts: 8; OS: XP Service Pack 2)


Re: 2020 search / 180 solutions / 123 messenger

Umm... a few things. ComboFix doesn't work for me.
I saved it to my desktop and tried to drag the Windows XP SP2 onto it,
and I got a blue window that said "please wait, ComboFix is trying to run..."
2 seconds later I get a pop-up:

grep.cfexe has encountered a problem and needs to close. We are sorry for the inconvenience.

And I get another error:

You cannot rename ComboFix as ComboFix. Please use another name,
preferably made up of alphanumeric characters.

Then a pop-up:

DISCLAIMER OF WARRANTY ON SOFTWARE
A guide on proper ComboFix usage may be found at:
http://www.bleepingcomputer.com/comb...o-use-combofix

Typing the rest of that window will take forever, haha. Down a little further it says: "If you do not agree to the terms, please click No and exit."

I'd click Yes and continue, but I didn't see this window on the page I downloaded ComboFix from. Just wanted to be safe and ask first.
#4 - 05-16-2008, 05:37 PM - Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 19,091; OS: WinXP and Vista)


Re: 2020 search / 180 solutions / 123 messenger

Hi robertpwns,

You did the right thing in asking first.

Change of tactics...

Delete your existing ComboFix.exe.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

1. Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% -(Drive that contains the Windows Directory, typically C:\SDFix). Do not run it yet.


2. Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

Link 1
Link 2


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
--------------------------------------------------------------------

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished.
  • Press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt. I'll need that in your next reply.

--------------------------------------------------------------------

From Normal Mode...


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

When the tool is finished, it will produce a report for you at C:\ComboFix.txt which I will need in your next reply.


--------------------------------------------------------------------

Run a new scan with HijackThis.exe (not dss.exe) and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\SDFix\Report.txt
C:\ComboFix.txt
New HijackThis log
#5 - 06-12-2008, 07:25 PM - robertpwns (Registered User; Join Date: May 2008; Posts: 8; OS: XP Service Pack 2)


Re: 2020 search / 180 solutions / 123 messenger

Sorry it's been a while; I haven't been home a lot lately.
But anyway, I booted in Safe Mode and tried SDFix, and when I typed Y and pressed Enter in the command prompt, all it did was say "The File path Selected Cannot Be Specified" like 20 times. ?
I did A and pressed Enter and it just exited the prompt window,
but now I have A LOT of folders and notepads on my desktop that weren't there before?

What do I do now?
Just skip it?
And proceed to the next step with ComboFix?
#6 - 06-15-2008, 06:41 PM - Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 19,091; OS: WinXP and Vista)


Re: 2020 search / 180 solutions / 123 messenger

A month is a very long time between posts. I typically only remain subscribed to a thread for 4 days since so many people need assistance. If we're going to clean this, time truly is of the essence.

Delete your existing ComboFix.exe and download the latest version from here.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named, next to ComboFix.exe.

--------------------------------------------------------------------
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider, donating

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-16-2008, 01:05 PM   #7 (permalink)
Registered User
 
Join Date: May 2008
Posts: 8
OS: xp service pack 2


Re: 2020 search / 180 solutions / 123 messenger

I would have attached both text files, but it wouldn't let me attach the HijackThis log for some reason; it said it was invalid.
I had no problems this time; it all worked out =]
The ComboFix log is attached.


ComboFix 08-06-15.4 - Robert 2008-06-16 15:48:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1161 [GMT -4:00]
Running from: C:\Documents and Settings\Robert.WILEYRPROMO\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Robert.WILEYRPROMO\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4


((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-12 21:58 . 2008-06-11 02:08 <DIR> d-------- C:\SDFix
2008-06-12 02:26 . 2008-06-14 00:25 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-06-12 02:26 . 2008-06-12 02:26 6,656 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-06-12 02:04 . 2008-06-12 02:21 <DIR> d-------- C:\Fraps
2008-06-11 03:33 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 03:33 . 2008-04-14 07:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-24 01:29 . 2008-05-24 01:29 <DIR> d-------- C:\Documents and Settings\Robert.WILEYRPROMO\Application Data\Acreon
2008-05-20 18:29 . 2008-05-20 18:29 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-05-20 18:29 . 2008-05-20 18:33 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-20 18:29 . 2008-05-20 18:33 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-20 18:29 . 2008-05-20 18:33 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-20 18:29 . 2008-05-20 18:33 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-20 18:12 . 2008-05-20 18:12 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Symantec Temporary Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 22:18 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-06-12 06:26 --------- d-----w C:\Program Files\LimeWire
2008-06-11 20:34 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 20:33 --------- d-----w C:\Program Files\Spyware Doctor
2008-06-11 20:30 --------- d-----w C:\Program Files\SpywareBlaster
2008-06-11 18:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-10 23:02 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-10 23:02 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-08 15:01 --------- d-----w C:\Program Files\World of Warcraft
2008-05-24 03:30 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-20 22:50 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2008-05-20 22:35 --------- d-----w C:\Program Files\Norton AntiVirus
2008-05-20 22:33 --------- d-----w C:\Program Files\Symantec
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-06 19:03 --------- d-----w C:\Program Files\Panda Security
2008-05-06 18:56 --------- d-----w C:\Program Files\Viewpoint
2008-05-06 18:56 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
2008-05-06 07:19 --------- d-----w C:\Program Files\Image-Line
2008-05-06 07:18 --------- d-----w C:\Program Files\VstPlugins
2008-05-06 05:45 --------- d-----w C:\Documents and Settings\Robert.WILEYRPROMO\Application Data\Malwarebytes
2008-05-06 05:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-05-06 03:19 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-05-06 02:43 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-06 00:56 --------- d-----w C:\Documents and Settings\Robert.WILEYRPROMO\Application Data\PC Tools
2008-05-05 22:48 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-05-05 22:15 --------- d-----w C:\Program Files\FriendBlasterPro
2008-04-26 14:16 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-04-26 01:54 --------- d-----w C:\Program Files\xyr0x security
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-19 21:31 --------- d-----w C:\Program Files\Codemasters
2008-04-17 23:42 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-16 20:13 --------- d-----w C:\Program Files\MySpace
2008-04-16 20:13 --------- d-----w C:\Documents and Settings\Robert.WILEYRPROMO\Application Data\MySpace
2008-04-05 06:05 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 20:16 920,088 ----a-w C:\WINDOWS\system32\igxpun.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 12:57 147,456 ----a-w C:\WINDOWS\system32\igfxCoIn_v4935.dll
2008-03-17 12:46 2,207,168 ----a-w C:\WINDOWS\system32\igxpdv32.dll
2008-03-17 12:45 57,344 ----a-w C:\WINDOWS\system32\igxprd32.dll
2008-03-17 12:45 3,174,912 ----a-w C:\WINDOWS\system32\igxpdx32.dll
2008-03-17 12:45 151,552 ----a-w C:\WINDOWS\system32\igxpgd32.dll
2008-03-17 12:34 294,912 ----a-w C:\WINDOWS\system32\igldev32.dll
2008-03-17 12:34 2,334,720 ----a-w C:\WINDOWS\system32\iglicd32.dll
2008-03-17 12:06 532,480 ----a-w C:\WINDOWS\system32\igfxcfg.exe
2008-03-17 12:05 24,576 ----a-w C:\WINDOWS\system32\igfxexps.dll
2008-03-17 12:05 204,800 ----a-w C:\WINDOWS\system32\igfxpph.dll
2008-03-17 12:05 163,840 ----a-w C:\WINDOWS\system32\igfxext.exe
2008-03-17 12:05 159,744 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-03-17 12:05 135,168 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-03-17 12:05 135,168 ----a-w C:\WINDOWS\system32\igfxdo.dll
2008-03-17 12:05 131,072 ----a-w C:\WINDOWS\system32\igfxpers.exe
2008-03-17 12:04 48,128 ----a-w C:\WINDOWS\system32\igfxsrvc.dll
2008-03-17 12:04 3,293,184 ----a-w C:\WINDOWS\system32\igfxress.dll
2008-03-17 12:04 249,856 ----a-w C:\WINDOWS\system32\igfxsrvc.exe
2008-03-17 12:04 208,896 ----a-w C:\WINDOWS\system32\igfxdev.dll
2008-03-17 12:04 163,840 ----a-w C:\WINDOWS\system32\igfxzoom.exe
2008-03-17 12:04 106,496 ----a-w C:\WINDOWS\system32\hccutils.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-05-20 18:34 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 16:21 50528]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WiseStubReboot"="MSIEXEC /I C:\Program Files\Common Files\Wise Installation Wizard\WIS3BE826F35FE54D71BCD806C1B95773C1_1_0_6_26619.MSI WISE_SETUP_EXE_PATH=C:\Documents and Settings\Robert.WILEYRPROMO\Local Settings\Temporary Internet Files\Content.IE5\MT81CBJF\LegalSetup[1].exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 14:27 16132608 C:\WINDOWS\RTHDCPL.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-03-17 08:05 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-03-17 08:05 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-03-17 08:05 131072]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 21:47 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2008-02-07 02:49 718704]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 18:43 69632 C:\WINDOWS\Alcmtr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-03-23 19:00:49 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 igfx;igfx;C:\WINDOWS\system32\DRIVERS\igdkmd32.sys [2007-08-24 20:39]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-06-10 19:02]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-10 19:19:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-16 18:57:46 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Robert.job"
- C:\Program Files\Norton AntiVirus\Navw32.exep/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 15:53:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-06-16 15:58:31 - machine was rebooted [Robert]
ComboFix-quarantined-files.txt 2008-06-16 19:58:11

Pre-Run: 26,898,423,808 bytes free
Post-Run: 28,019,605,504 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

184 --- E O F --- 2008-06-12 07:02:46



HijackThis Log
_________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:49 PM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Robert.WILEYRPROMO\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [WiseStubReboot] MSIEXEC /I "C:\Program Files\Common Files\Wise Installation Wizard\WIS3BE826F35FE54D71BCD806C1B95773C1_1_0_6_26619.MSI" WISE_SETUP_EXE_PATH="C:\Documents and Settings\Robert.WILEYRPROMO\Local Settings\Temporary Internet Files\Content.IE5\MT81CBJF\LegalSetup[1].exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1207375747171
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=19588
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7229 bytes

Last edited by Ried : 06-16-2008 at 07:49 PM.
robertpwns is offline  
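Added example, not part of the thread and not code from ComboFix or HijackThis: a small Python triage script that reads the "Reg Loading Points" section of a ComboFix log and flags the entries in the log above that a responder would want explained before calling the machine clean. It flags the Windows Firewall being off for the standard profile (EnableFirewall = 0), the Security Center top-level DisableMonitoring flag (a security suite may set this for itself, so the finding is "confirm who set it", not "malware"), a RunOnce value that launches an installer out of the Internet Explorer cache (Temporary Internet Files), and a Run value under HKEY_USERS\.DEFAULT (the entry HijackThis shows as both 'Default user' and 'SYSTEM'). The embedded sample is a constructed excerpt modelled on the posted log; the rule names, the list of "temp" path markers and the function names are the example's own.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; not ComboFix, HijackThis or forum code.
It flags autostart and policy entries a responder would question before
declaring a machine clean.
"""
import re
from typing import Dict, List

# Constructed excerpt modelled on the log posted above (not the full file).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WiseStubReboot"="MSIEXEC /I C:\Program Files\Common Files\Wise Installation Wizard\WIS3BE826F35FE54D71BCD806C1B95773C1_1_0_6_26619.MSI WISE_SETUP_EXE_PATH=C:\Documents and Settings\Robert.WILEYRPROMO\Local Settings\Temporary Internet Files\Content.IE5\MT81CBJF\LegalSetup[1].exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# Locations nothing should autostart from: browser cache and temp folders
# (the marker list is this example's assumption, extend as needed).
TEMP_MARKERS = (
    "\\temporary internet files\\",
    "\\content.ie5\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)


def _is_run_key(key: str) -> bool:
    k = key.lower()
    return k.endswith("\\run") or k.endswith("\\runonce")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious value: rule, registry key, value name."""
    findings: List[Dict[str, str]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if not value_match or not current_key:
            continue
        name, value = value_match.group(1), value_match.group(2)
        key_l, name_l, value_l = current_key.lower(), name.lower(), value.lower()

        # Windows Firewall off for the standard (non-domain) profile.
        if key_l.endswith("firewallpolicy\\standardprofile") and name_l == "enablefirewall":
            if value.strip().startswith("0"):
                findings.append({"rule": "firewall_disabled", "key": current_key, "name": name})
        # Security Center monitoring switched off at the top level. Suites set
        # per-product subkeys for themselves, so only the parent key is flagged;
        # confirm which product set it rather than assuming malware.
        elif key_l.endswith("security center\\monitoring") and name_l == "disablemonitoring":
            if value_l.endswith("00000001"):
                findings.append({"rule": "security_center_monitoring_disabled",
                                 "key": current_key, "name": name})
        elif _is_run_key(current_key):
            # Installers or loaders launched out of the IE cache / Temp folders.
            if any(marker in value_l for marker in TEMP_MARKERS):
                findings.append({"rule": "autostart_from_temp_path",
                                 "key": current_key, "name": name})
            # Per-user software registered under .DEFAULT or SYSTEM (S-1-5-18).
            if key_l.startswith("hkey_users\\.default") or "s-1-5-18" in key_l:
                findings.append({"rule": "run_under_default_or_system_profile",
                                 "key": current_key, "name": name})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['rule']:40} {finding['name']}  <- {finding['key']}")
```

Run against the excerpt it reports exactly four entries (WiseStubReboot, MySpaceIM under .DEFAULT, the top-level DisableMonitoring and EnableFirewall) and stays quiet on the ordinary HKCU Run values, which is the separation a reviewer is doing by eye when reading a log like this one.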
Old 06-16-2008, 07:57 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 19,091
OS: WinXP and Vista


Re: 2020 search / 180 solutions / 123 messenger

Looking much better.

It's important to run an online scan to search for any remnants that may be lurking. Please go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure to set the options as follows:
  • Remove found threats is unticked,
  • Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
Ried is offline  
Old 06-17-2008, 12:14 PM   #9 (permalink)