#1
Registered User
Join Date: Oct 2007
Posts: 33
OS: XP Pro with SP2
Need help with Virus.
Looking for some help to make sure I have cleaned my computer of a virus that downloaded last week. The major problem I have is that RoadRunner has blocked my access to the internet from my home computer until I get rid of this virus. I have run CA Security and found several viruses under the name WIN32/Cotmonger. I have cleaned these and deleted the .exe files.
Can someone review my HJT files to see if there is anything else I need to clean. Thanks! Mike

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:57:44 PM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\web\aolspy.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\twc\medicsp2\bin\sprtcmd.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAPPActiveProtection.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\CA\CA Internet Security Suite\casecuritycenter.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\caav.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\caavGUIScan.exe
C:\WINDOWS\system32\taskmgr.exe
G:\Windows-KB890830-V1.34.exe
d:\c4fb4ba76d0d5b4af673cf9fd1\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [mtthmar] C:\WINDOWS\system32\mtthmar.exe
O4 - HKLM\..\Run: [vhwbvgeoi] C:\WINDOWS\system32\vhwbvgeoi.exe
O4 - HKLM\..\Run: [as] C:\WINDOWS\system32\as.exe
O4 - HKLM\..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [daoumzbdda] C:\WINDOWS\system32\daoumzbdda.exe
O4 - HKLM\..\Run: [uoowcp] C:\WINDOWS\system32\uoowcp.exe
O4 - HKLM\..\Run: [ipkgn] C:\WINDOWS\system32\ipkgn.exe
O4 - HKLM\..\Run: [sxrozsy] C:\WINDOWS\system32\sxrozsy.exe
O4 - HKLM\..\Run: [bndhxvofiku] C:\WINDOWS\system32\bndhxvofiku.exe
O4 - HKLM\..\Run: [bbaocrweww] C:\WINDOWS\system32\bbaocrweww.exe
O4 - HKLM\..\Run: [oytslgp] C:\WINDOWS\system32\oytslgp.exe
O4 - HKLM\..\Run: [qpfaylntz] C:\WINDOWS\system32\qpfaylntz.exe
O4 - HKLM\..\Run: [ggfhrp] C:\WINDOWS\system32\ggfhrp.exe
O4 - HKLM\..\Run: [qzi] C:\WINDOWS\system32\qzi.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe /scan /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-2000478354-562591055-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Mike Whitby')
O4 - HKUS\S-1-5-21-2000478354-562591055-839522115-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Mike Whitby')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O23 - Service: AOL Anti-Spyware Service (AOL_SpywareServ) - Unknown owner - C:\WINDOWS\web\aolspy.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: Print Spooler Service (ut6kum8u6u2rdh) - Unknown owner - C:\WINDOWS\system32\qzi.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://www.nreds.com/siteimages/tour.../aRedGloss.jpg

--
End of file - 12304 bytes
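The O4 and O23 entries in a log like the one above are what a forum helper scans by eye: random-named executables in system32 (mtthmar.exe, vhwbvgeoi.exe, qzi.exe and friends), a service whose target is reported "(file missing)", and a service with a Windows-sounding display name but an unknown owner. As an added example, not code from this thread or from HijackThis, here is a small Python triage script that parses those two entry types and flags exactly those patterns. The sample lines are excerpted from the posted log; the allowlist of legitimate system32 binaries and the random-name heuristic are assumptions of this example, not HijackThis rules.

```python
"""Triage of HijackThis-style autostart entries.

Added example for this thread; it is not part of HijackThis or of the posted logs.
The allowlist and the random-name heuristic are assumptions of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: autostart lines excerpted from the HijackThis log posted above,
# mixing legitimate entries with the ones a helper would single out.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [mtthmar] C:\WINDOWS\system32\mtthmar.exe
O4 - HKLM\..\Run: [vhwbvgeoi] C:\WINDOWS\system32\vhwbvgeoi.exe
O4 - HKLM\..\Run: [as] C:\WINDOWS\system32\as.exe
O4 - HKLM\..\Run: [qzi] C:\WINDOWS\system32\qzi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Print Spooler Service (ut6kum8u6u2rdh) - Unknown owner - C:\WINDOWS\system32\qzi.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
MISSING = " (file missing)"

# Assumed allowlist: binaries that legitimately live in system32 on this box and
# would otherwise trip the name heuristic (ctfmon and nvsvc32 have almost no vowels).
KNOWN_SYSTEM32 = {"ctfmon", "nvsvc32", "rundll32", "nwiz", "ezsp_px", "taskmgr"}
VOWELS = set("aeiou")


@dataclass
class Entry:
    kind: str              # "O4" (Run key) or "O23" (service)
    name: str              # Run value name, or service short name
    exe: str               # executable path as logged
    owner: str = ""        # O23 only: vendor string, e.g. "Unknown owner"
    missing: bool = False  # O23 only: HijackThis reported "(file missing)"


def stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\qzi.exe' -> 'qzi'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def looks_random(name: str) -> bool:
    """Crude entropy proxy: few vowels or a long consonant run, as in 'vhwbvgeoi'."""
    letters = "".join(c for c in name.lower() if c.isalpha())
    if len(letters) < 4:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 4


def parse_entries(text: str) -> list[Entry]:
    entries: list[Entry] = []
    for line in text.splitlines():
        if m := O4_RE.match(line):
            # Take the executable out of a possibly quoted command line with arguments.
            exe = re.match(r'"?(?P<exe>[^"]+?\.exe)', m["cmd"], re.IGNORECASE)
            entries.append(Entry("O4", m["name"], exe["exe"] if exe else m["cmd"]))
        elif m := O23_RE.match(line):
            path, missing = m["path"], False
            if path.endswith(MISSING):
                path, missing = path[: -len(MISSING)], True
            entries.append(Entry("O23", m["short"] or m["display"], path, m["owner"], missing))
    return entries


def reasons_for(e: Entry) -> list[str]:
    reasons = []
    s = stem(e.exe)
    unknown_sys32 = in_system32(e.exe) and s not in KNOWN_SYSTEM32
    if unknown_sys32 and looks_random(s):
        reasons.append("random-looking file name in system32")
    elif unknown_sys32:
        reasons.append("unrecognised binary in system32")
    if e.kind == "O23" and e.missing:
        reasons.append("service target file is missing")
    if e.kind == "O23" and e.owner == "Unknown owner" and unknown_sys32:
        reasons.append("service with no vendor information")
    return reasons


def triage(text: str) -> dict[str, list[str]]:
    """Map 'kind name' -> reasons, for entries worth a second look."""
    return {f"{e.kind} {e.name}": r for e in parse_entries(text) if (r := reasons_for(e))}


if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_LOG).items():
        print(f"{key}: {'; '.join(reasons)}")
```

Run as-is it reports the five system32 Run entries, the fake "Print Spooler Service" (three reasons: unrecognised system32 binary, missing target, unknown owner) and the McAfee remnant (missing target only), while jusched, ctfmon and nvsvc32 pass. The heuristics are deliberately conservative: a name with few vowels is only suspicious when it also sits in system32 and is not on the allowlist, which is how a human reviewer reads these logs too.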
#2
Registered User
Join Date: Oct 2007
Posts: 33
OS: XP Pro with SP2
Re: Need help with Virus.
Ok, I downloaded and installed SpywareBlaster and installed ComboFix and ran it as well. The ComboFix report is listed below along with a newer version of HJT.
Hopefully I am getting close. Mike

ComboFix 07-10-10.1 - Lauren Whitby 2007-10-10 11:35:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.296 [GMT -5:00]
Running from: C:\Documents and Settings\Lauren Whitby\Desktop\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\winbl32.dll
.
((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))
.
2007-10-10 12:01 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-10 11:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-09 16:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-09 10:43 <DIR> d-------- C:\WINDOWS\ShellNew
2007-10-09 10:42 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-09 10:42 <DIR> d-------- C:\Program Files\Common Files\L&H
2007-09-19 21:36 4,057 --a------ C:\WINDOWS\prx.exe
2007-09-16 19:21 49,411 --a------ C:\prx.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-10 16:49 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-10-10 16:47 99,748 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-10-10 16:47 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-10-10 16:47 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-10-10 16:47 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-10-10 16:47 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-10-10 16:47 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-10-10 16:47 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-10-10 16:47 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-10-06 19:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-06 19:07 --------- d-----w C:\Program Files\Sony
2007-10-05 22:42 --------- d-----w C:\Program Files\pspvideo9
2007-10-05 22:41 --------- d--h--w C:\Program Files\Zero G Registry
2007-09-18 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-08-20 20:37 --------- d-----w C:\Program Files\AIM Toolbar
2007-08-13 16:42 --------- d-----w C:\Program Files\MySpace
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-30 22:52 25,328 -c----w C:\Documents and Settings\Lauren Whitby\Application Data\GDIPFONTCACHEV1.DAT
2007-04-30 22:52 25,328 -c----w C:\Documents and Settings\Lauren Whitby\Application Data\GDIPFONTCACHEV1.DAT
2007-04-30 22:52 25,328 -c----w C:\Documents and Settings\Lauren Whitby\Application Data\GDIPFONTCACHEV1.DAT
2007-05-28 17:48:38 83,968 --sh--r C:\WINDOWS\Web\aolspy.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77701e16-9bfe-4b63-a5b4-7bd156758a37}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C62 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.exe" [2002-04-10 03:00]
"RCScheduleCheck"="C:\Program Files\VCOM\Recovery Commander\RCSCHED.exe" [2003-10-21 12:20]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 17:50]
"nwiz"="nwiz.exe" [2004-10-29 17:50 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 17:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 11:29]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 15:35]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"QuickTime Task"="C:\qttask.exe" [2006-12-23 18:41]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-06-12 12:32]
"mtthmar"="C:\WINDOWS\system32\mtthmar.exe" []
"vhwbvgeoi"="C:\WINDOWS\system32\vhwbvgeoi.exe" []
"as"="C:\WINDOWS\system32\as.exe" []
"medicsp2"="C:\Program Files\twc\medicsp2\bin\sprtcmd.exe" [2007-03-07 11:53]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-09-18 17:25]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-09-18 17:25]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-09-18 17:25]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-09-18 17:25]
"daoumzbdda"="C:\WINDOWS\system32\daoumzbdda.exe" []
"uoowcp"="C:\WINDOWS\system32\uoowcp.exe" []
"ipkgn"="C:\WINDOWS\system32\ipkgn.exe" []
"sxrozsy"="C:\WINDOWS\system32\sxrozsy.exe" []
"bndhxvofiku"="C:\WINDOWS\system32\bndhxvofiku.exe" []
"bbaocrweww"="C:\WINDOWS\system32\bbaocrweww.exe" []
"oytslgp"="C:\WINDOWS\system32\oytslgp.exe" []
"qpfaylntz"="C:\WINDOWS\system32\qpfaylntz.exe" []
"ggfhrp"="C:\WINDOWS\system32\ggfhrp.exe" []
"qzi"="C:\WINDOWS\system32\qzi.exe" []
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-09-18 17:25]
"CaPPcl"="C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe" [2007-09-18 17:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-02-01 10:55]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 14:43]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 08:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= C:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL [2003-07-08 09:53 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R1 prodrv04;Star Force copy protection driver v4;C:\WINDOWS\system32\drivers\prodrv04.sys
R2 AOL_SpywareServ;AOL Anti-Spyware Service;"C:\WINDOWS\web\aolspy.exe"
R2 DPPSUSB;DPPSUSB.Sys Sony DPP-SV55/77/88 USB Digital Photo Printer Driver;C:\WINDOWS\system32\Drivers\DPPSUSB.sys
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);C:\Program Files\twc\medicsp2\bin\sprtsvc.exe /service /p medicsp2
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe"
R3 SONYWBMS;Sony Memory Stick controller(WB);C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS
R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\system32\drivers\yacxgc.sys
S2 MZTFUXIY;MZTFUXIY;\??\C:\WINDOWS\System32\mztfuxiy.gew
S2 ut6kum8u6u2rdh;Print Spooler Service;C:\WINDOWS\system32\qzi.exe /service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53dbe4a9-2cda-11db-ab4d-00e018b959ee}]
AutoRun\command - I:\JDSecure\Windows\JDSecure30.exe

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-10 13:16:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-10 13:28:42 - machine was rebooted
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:40 PM, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\web\aolspy.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [mtthmar] C:\WINDOWS\system32\mtthmar.exe
O4 - HKLM\..\Run: [vhwbvgeoi] C:\WINDOWS\system32\vhwbvgeoi.exe
O4 - HKLM\..\Run: [as] C:\WINDOWS\system32\as.exe
O4 - HKLM\..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [daoumzbdda] C:\WINDOWS\system32\daoumzbdda.exe
O4 - HKLM\..\Run: [uoowcp] C:\WINDOWS\system32\uoowcp.exe
O4 - HKLM\..\Run: [ipkgn] C:\WINDOWS\system32\ipkgn.exe
O4 - HKLM\..\Run: [sxrozsy] C:\WINDOWS\system32\sxrozsy.exe
O4 - HKLM\..\Run: [bndhxvofiku] C:\WINDOWS\system32\bndhxvofiku.exe
O4 - HKLM\..\Run: [bbaocrweww] C:\WINDOWS\system32\bbaocrweww.exe
O4 - HKLM\..\Run: [oytslgp] C:\WINDOWS\system32\oytslgp.exe
O4 - HKLM\..\Run: [qpfaylntz] C:\WINDOWS\system32\qpfaylntz.exe
O4 - HKLM\..\Run: [ggfhrp] C:\WINDOWS\system32\ggfhrp.exe
O4 - HKLM\..\Run: [qzi] C:\WINDOWS\system32\qzi.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe /scan /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-2000478354-562591055-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Mike Whitby')
O4 - HKUS\S-1-5-21-2000478354-562591055-839522115-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Mike Whitby')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O23 - Service: AOL Anti-Spyware Service (AOL_SpywareServ) - Unknown owner - C:\WINDOWS\web\aolspy.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: Print Spooler Service (ut6kum8u6u2rdh) - Unknown owner - C:\WINDOWS\system32\qzi.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://www.nreds.com/siteimages/tour.../aRedGloss.jpg

--
End of file - 10827 bytes
#3
Registered User
Join Date: Oct 2007
Posts: 33
OS: XP Pro with SP2
Re: Need help with Virus.
Also wanted to include the DSS reports as well.
Deckard's System Scanner v20070905.67
Run by Mike Whitby on 2007-10-10 15:49:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 3 Restore Point(s) --
3: 2007-10-10 20:49:44 UTC - RP1242 - Deckard's System Scanner Restore Point
2: 2007-10-10 16:34:02 UTC - RP1241 - ComboFix created restore point
1: 2007-10-10 16:33:48 UTC - RP1240 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Mike Whitby.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:06 PM, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\web\aolspy.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\twc\medicsp2\bin\sprtcmd.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAPPActiveProtection.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Mike Whitby\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mike Whitby.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [mtthmar] C:\WINDOWS\system32\mtthmar.exe
O4 - HKLM\..\Run: [vhwbvgeoi] C:\WINDOWS\system32\vhwbvgeoi.exe
O4 - HKLM\..\Run: [as] C:\WINDOWS\system32\as.exe
O4 - HKLM\..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [daoumzbdda] C:\WINDOWS\system32\daoumzbdda.exe
O4 - HKLM\..\Run: [uoowcp] C:\WINDOWS\system32\uoowcp.exe
O4 - HKLM\..\Run: [sxrozsy] C:\WINDOWS\system32\sxrozsy.exe
O4 - HKLM\..\Run: [bndhxvofiku] C:\WINDOWS\system32\bndhxvofiku.exe
O4 - HKLM\..\Run: [bbaocrweww] C:\WINDOWS\system32\bbaocrweww.exe
O4 - HKLM\..\Run: [oytslgp] C:\WINDOWS\system32\oytslgp.exe
O4 - HKLM\..\Run: [qpfaylntz] C:\WINDOWS\system32\qpfaylntz.exe
O4 - HKLM\..\Run: [ggfhrp] C:\WINDOWS\system32\ggfhrp.exe
O4 - HKLM\..\Run: [qzi] C:\WINDOWS\system32\qzi.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe /scan /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O23 - Service: AOL Anti-Spyware Service (AOL_SpywareServ) - Unknown owner - C:\WINDOWS\web\aolspy.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: Print Spooler Service (ut6kum8u6u2rdh) - Unknown owner - C:\WINDOWS\system32\qzi.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

-- End of file - 10555 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071010-140044-836 O4 - HKLM\..\Run: [ipkgn] C:\WINDOWS\system32\ipkgn.exe

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 prodrv04 (Star Force copy protection driver v4) - c:\windows\system32\drivers\prodrv04.sys <Not Verified; Protection Technology Co.; Star Force copy protection>
R2 DPPSUSB (DPPSUSB.Sys Sony DPP-SV55/77/88 USB Digital Photo Printer Driver) - c:\windows\system32\drivers\dppsusb.sys <Not Verified; HMSA; DPP - SV55/77/88 USB Driver for Windows 95/98/2000>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S1 DMICall (Sony DMI Call service) - c:\windows\system32\drivers\dmicall.sys (file missing)
S2 MZTFUXIY - c:\windows\system32\mztfuxiy.gew (file missing)
S3 catchme - c:\docume~1\lauren~1\locals~1\temp\catchme.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys (file missing)
S3 w810bus (Sony Ericsson W810 Driver driver (WDM)) - c:\windows\system32\drivers\w810bus.sys <Not Verified; MCCI; Sony Ericsson W810 Driver>
S3 w810mdfl (Sony Ericsson W810 USB WMC Modem Filter) - c:\windows\system32\drivers\w810mdfl.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC Modem Filter Driver>
S3 w810mdm (Sony Ericsson W810 USB WMC Modem Driver) - c:\windows\system32\drivers\w810mdm.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC Data Modem>
S3 w810mgmt (Sony Ericsson W810 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\w810mgmt.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC Device Management>
S3 w810obex (Sony Ericsson W810 USB WMC OBEX Interface) - c:\windows\system32\drivers\w810obex.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC OBEX Interface>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AOL_SpywareServ (AOL Anti-Spyware Service) - "c:\windows\web\aolspy.exe"
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 McNASvc (McAfee Network Agent) - "c:\program files\common files\mcafee\mna\mcnasvc.exe" (file missing)
S2 ut6kum8u6u2rdh (Print Spooler Service) - c:\windows\system32\qzi.exe /service (file missing)

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_1039&DEV_7013&SUBSYS_8128104D&REV_A0\3&61AAA01&0&16
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_1039&DEV_7013&SUBSYS_8128104D&REV_A0\3&61AAA01&0&16
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Video Controller
Device ID: PCI\VEN_104D&DEV_8087&SUBSYS_80ED104D&REV_01\3&61AAA01&0&78
Manufacturer:
Name: Multimedia Video Controller
PNP Device ID: PCI\VEN_104D&DEV_8087&SUBSYS_80ED104D&REV_01\3&61AAA01&0&78
Service:

-- Scheduled Tasks -------------------------------------------------------------

2007-10-09 14:26:44 436 --a------ C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Lauren Whitby at 2 25 PM.job
2007-10-08 22:29:25 328 --a------ C:\WINDOWS\Tasks\Scheduled Checkpoint.job

-- Files created between 2007-09-10 and 2007-10-10 -----------------------------

2007-10-10 12:01:56 0 d-------- C:\Program Files\SpywareBlaster
2007-10-10 12:01:03 0 d-------- C:\Documents and Settings\Mike Whitby\Application Data\Adobe
2007-10-09 16:56:24 0 d-------- C:\Program Files\Trend Micro
2007-10-09 14:26:19 0 --a------ C:\Documents and Settings\Mike Whitby\core
2007-10-09 14:26:18 0 --a------ C:\Documents and Settings\Lauren Whitby\core
2007-10-09 10:43:01 0 d-------- C:\WINDOWS\ShellNew
2007-10-09 10:42:52 0 d-------- C:\Program Files\Common Files\L&H
2007-10-09 10:42:51 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-10-04 12:23:35 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-10-04 12:23:35 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-10-04 12:23:35 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-10-04 12:23:35 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-10-04 12:23:35 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-10-04 12:23:35 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-10-04 12:23:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-10-04 12:23:35 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-10-04 12:23:34 786432 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
2007-09-19 21:36:16 4057 --a------ C:\WINDOWS\prx.exe
2007-09-16 19:21:54 49411 --a------ C:\prx.exe

-- Find3M Report ---------------------------------------------------------------

2007-10-10 15:47:42 0 d-------- C:\Program Files\Microsoft AntiSpyware
2007-10-09 10:42:52 0 d-------- C:\Program Files\Common Files
2007-10-06 14:08:48 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-06 14:07:56 0 d-------- C:\Program Files\Sony
2007-10-05 17:42:50 0 d-------- C:\Program Files\pspvideo9
2007-10-05 17:41:48 0 d--h----- C:\Program Files\Zero G Registry
2007-08-20 15:37:53 0 d-------- C:\Program Files\AIM Toolbar
2007-08-18 21:55:17 0 d-------- C:\Program Files\Java
2007-08-13 11:42:46 0 d-------- C:\Program Files\MySpace

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77701e16-9bfe-4b63-a5b4-7bd156758a37}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C62 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.exe" [04/10/2002 03:00 AM]
"RCScheduleCheck"="C:\Program Files\VCOM\Recovery Commander\RCSCHED.exe" [10/21/2003 12:20 PM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [10/29/2004 05:50 PM]
"nwiz"="nwiz.exe" [10/29/2004 05:50 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [10/29/2004 05:50 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [08/20/2002 11:29 AM]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [07/12/2005 03:35 PM]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [02/01/2005 10:00 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/07/2005 12:46 AM]
"QuickTime Task"="C:\qttask.exe" [12/23/2006 06:41 PM]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [06/12/2007 12:32 PM]
"mtthmar"="C:\WINDOWS\system32\mtthmar.exe" []
"vhwbvgeoi"="C:\WINDOWS\system32\vhwbvgeoi.exe" []
"as"="C:\WINDOWS\system32\as.exe" []
"medicsp2"="C:\Program Files\twc\medicsp2\bin\sprtcmd.exe" [03/07/2007 11:53 AM]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [09/18/2007 05:25 PM]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [09/18/2007 05:25 PM]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [09/18/2007 05:25 PM]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [09/18/2007 05:25 PM]
"daoumzbdda"="C:\WINDOWS\system32\daoumzbdda.exe" []
"uoowcp"="C:\WINDOWS\system32\uoowcp.exe" []
"sxrozsy"="C:\WINDOWS\system32\sxrozsy.exe" []
"bndhxvofiku"="C:\WINDOWS\system32\bndhxvofiku.exe" []
"bbaocrweww"="C:\WINDOWS\system32\bbaocrweww.exe" []
"oytslgp"="C:\WINDOWS\system32\oytslgp.exe" []
"qpfaylntz"="C:\WINDOWS\system32\qpfaylntz.exe" []
"ggfhrp"="C:\WINDOWS\system32\ggfhrp.exe" []
"qzi"="C:\WINDOWS\system32\qzi.exe" []
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [09/18/2007 05:25 PM]
"CaPPcl"="C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe" [09/18/2007 05:25 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/16/2007 08:28 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= C:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL [07/08/2003 09:53 AM 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 05/18/2007 02:30 PM 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

-- End of Deckard's System Scanner: finished at 2007-10-10 15:52:39 ------------
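A small triage pass over entries like those in the DSS and HijackThis output above, added here as an example; it is not part of HijackThis, DSS or ComboFix, the heuristics and the sample lines are constructed by me, and any hit is only a lead to verify (file timestamp, signer, hash), not a verdict.

```python
"""Triage of HijackThis / DSS autostart entries (added example, not a tool from the thread).

The heuristics encode what the analysts look for in the logs above:
  * O4 Run entries whose unquoted target sits directly in system32 and is
    named after the Run value itself (the mtthmar / qzi pattern);
  * targets that were absent at scan time: "(no file)", "(file missing)",
    or the empty "[]" timestamp the DSS registry dump prints for them;
  * O23 services with "Unknown owner" or an internal name that is a
    random-looking alphanumeric token unrelated to the display name
    (ut6kum8u6u2rdh registered as a "Print Spooler Service").
Every hit is a lead for manual verification, not a verdict.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample modelled on lines in this thread's logs; it mixes
# legitimate entries with the suspicious ones so the filters can be checked.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [mtthmar] C:\WINDOWS\system32\mtthmar.exe
O4 - HKLM\..\Run: [qzi] C:\WINDOWS\system32\qzi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Print Spooler Service (ut6kum8u6u2rdh) - Unknown owner - C:\WINDOWS\system32\qzi.exe (file missing)
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [06/12/2007 12:32 PM]
"daoumzbdda"="C:\WINDOWS\system32\daoumzbdda.exe" []
"""

RUN_RE = re.compile(r'^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
SERVICE_RE = re.compile(
    r'^O23 - Service: (?P<display>.+?)(?: \((?P<internal>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$')
# DSS registry dump form: "value"="path" [timestamp]; the brackets are empty when the file is gone.
REGDUMP_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<stamp>[^\]]*)\]$')
# Unquoted .exe living directly in system32 (no subdirectory, no arguments).
SYS32_EXE_RE = re.compile(r'^C:\\WINDOWS\\system32\\(?P<base>[A-Za-z0-9_]+)\.exe$', re.IGNORECASE)
# Ten or more lowercase letters/digits with at least one of each: a machine-generated token.
BLOB_RE = re.compile(r'^(?=.*\d)(?=.*[a-z])[a-z0-9]{10,}$')
ABSENT_MARKERS = ('(file missing)', '(no file)')


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def _named_after_value(name: str, path: str) -> bool:
    """True when PATH is an unquoted system32 .exe whose base name equals NAME (heuristic)."""
    m = SYS32_EXE_RE.match(path)
    return bool(m) and m.group('base').lower() == name.lower()


def triage(log_text: str) -> List[Finding]:
    """Return every log line that matches one or more heuristics, with the reasons."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: List[str] = []
        if line.endswith(ABSENT_MARKERS):
            reasons.append('target absent at scan time')
        m = RUN_RE.match(line)
        if m and _named_after_value(m['name'], m['cmd']):
            reasons.append('unquoted system32 exe named after its Run value')
        m = SERVICE_RE.match(line)
        if m:
            if m['owner'] == 'Unknown owner':
                reasons.append('service has no owner/vendor information')
            internal = m['internal'] or ''
            if BLOB_RE.match(internal) and internal.lower() not in m['display'].lower():
                reasons.append('service internal name is a random-looking token')
        m = REGDUMP_RE.match(line)
        if m:
            if m['stamp'] == '':
                reasons.append('no file timestamp in registry dump (file absent)')
            if _named_after_value(m['name'], m['path']):
                reasons.append('unquoted system32 exe named after its Run value')
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print('    ->', r)
```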
#5
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,596
OS: WinXP and Vista
Re: Need help with Virus.
Hello MikeW,
I'd like to draw your attention to our Bumping Rules. They can be found in Step 5 of our sticky topic (Updated!) IMPORTANT - Read This Before Posting A Log
As you can see, we are quite busy in this forum. One of the Analysts will get to your log as soon as possible and we would appreciate your patience.
#6
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,596
OS: WinXP and Vista
Re: Need help with Virus.
Hello Mike,
Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below.
***************************************************
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
---------------------------------------------------------------------
Open notepad and copy/paste the text in the quotebox below into it:
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall
--------------------------------------------------------------------
Also please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:
Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400
Answer Yes, when prompted to install an ActiveX component.
Please include the following in your next reply:
C:\ComboFix.txt
Kaspersky results
Update on system behavior
#7
Registered User
Join Date: Oct 2007
Posts: 33
OS: XP Pro with SP2
Re: Need help with Virus.
Hi Ried,
Thanks for the help first of all! I am running the ComboFix program now and the computer rebooted and is giving me an error message:
rget.cfexe Application failed to initialize properly (0xc0000005)
Anything to worry about or keep going???? Thanks, Mike
I will post the reports when finished.
#9
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,596
OS: WinXP and Vista
Re: Need help with Virus.
Hi Mike,
Try running from Safe Mode. If it still gives the find.exe message, end task on find.exe in your Task Manager. If you still cannot get ComboFix to complete, please run dss.exe again and post the main.txt
#10
Registered User
Join Date: Oct 2007
Posts: 33
OS: XP Pro with SP2
Re: Need help with Virus.
Finally produced a report but I received 2 other error messages:
Application failed: tree.com regedit.exe
I will need to contact Road Runner and have them unblock me so I can run the Kaspersky download. That could take a while. I will update in a couple of hours when complete. Thanks again!
#11
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,596
OS: WinXP and Vista
Re: Need help with Virus.
Don't perform the online scan yet.
Try running the CFScript from Safe Mode. If it still produces errors, I need to see a new dss.exe main.txt, and we'll take it from there.
#12
Registered User
Join Date: Oct 2007
Posts: 33
OS: XP Pro with SP2
Re: Need help with Virus.
Here is the ComboFix report:
ComboFix 07-10-10.1 - Lauren Whitby 2007-10-12 11:33:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.569 [GMT -5:00]
Running from: C:\Documents and Settings\Lauren Whitby\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lauren Whitby\Desktop\CFScript.txt
 * Created a new restore point

FILE::
C:\prx.exe
C:\WINDOWS\prx.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\prx.exe
C:\WINDOWS\prx.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_UT6KUM8U6U2RDH
-------\ut6kum8u6u2rdh

((((((((((((((((((((((((( Files Created from 2007-09-12 to 2007-10-12 )))))))))))))))))))))))))))))))
.

2007-10-10 15:49 <DIR> d-------- C:\Deckard
2007-10-10 12:01 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-10 11:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-09 16:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-09 10:43 <DIR> d-------- C:\WINDOWS\ShellNew
2007-10-09 10:42 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-09 10:42 <DIR> d-------- C:\Program Files\Common Files\L&H

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-12 16:50 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-10-12 16:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-10-12 16:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-10-12 16:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-10-12 16:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-10-12 16:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-10-12 16:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-10-12 16:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-10-12 16:39 102,788 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-10-06 19:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-06 19:07 --------- d-----w C:\Program Files\Sony
2007-10-05 22:42 --------- d-----w C:\Program Files\pspvideo9
2007-10-05 22:41 --------- d--h--w C:\Program Files\Zero G Registry
2007-09-18 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-08-20 20:37 --------- d-----w C:\Program Files\AIM Toolbar
2007-08-13 16:42 --------- d-----w C:\Program Files\MySpace
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-30 22:52 25,328 -c----w C:\Documents and Settings\Lauren Whitby\Application Data\GDIPFONTCACHEV1.DAT
2007-05-28 17:48:38 83,968 --sh--r C:\WINDOWS\Web\aolspy.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77701e16-9bfe-4b63-a5b4-7bd156758a37}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C62 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.exe" [2002-04-10 03:00]
"RCScheduleCheck"="C:\Program Files\VCOM\Recovery Commander\RCSCHED.exe" [2003-10-21 12:20]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 17:50]
"nwiz"="nwiz.exe" [2004-10-29 17:50 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 17:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 11:29]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 15:35]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"QuickTime Task"="C:\qttask.exe" [2006-12-23 18:41]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-06-12 12:32]
"medicsp2"="C:\Program Files\twc\medicsp2\bin\sprtcmd.exe" [2007-03-07 11:53]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-09-18 17:25]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-09-18 17:25]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-09-18 17:25]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-09-18 17:25]
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-09-18 17:25]
"CaPPcl"="C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe" [2007-09-18 17:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-02-01 10:55]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 14:43]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 08:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= C:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL [2003-07-08 09:53 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R1 prodrv04;Star Force copy protection driver v4;C:\WINDOWS\system32\drivers\prodrv04.sys
R2 AOL_SpywareServ;AOL Anti-Spyware Service;"C:\WINDOWS\web\aolspy.exe"
R2 DPPSUSB;DPPSUSB.Sys Sony DPP-SV55/77/88 USB Digital Photo Printer Driver;C:\WINDOWS\system32\Drivers\DPPSUSB.sys
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);C:\Program Files\twc\medicsp2\bin\sprtsvc.exe /service /p medicsp2
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe"
R3 SONYWBMS;Sony Memory Stick controller(WB);C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS
R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\system32\drivers\yacxgc.sys
S2 MZTFUXIY;MZTFUXIY;\??\C:\WINDOWS\System32\mztfuxiy.gew

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53dbe4a9-2cda-11db-ab4d-00e018b959ee}]
AutoRun\command - I:\JDSecure\Windows\JDSecure30.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-09 19:26:44 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Lauren Whitby at 2 25 PM.job" - C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe
"2007-10-09 03:29:25 C:\WINDOWS\Tasks\Scheduled Checkpoint.job" - C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-12 11:50:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-12 12 06 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-10 13:28
.
--- E O F ---
#14
Registered User
Join Date: Oct 2007
Posts: 33
OS: XP Pro with SP2
Re: Need help with Virus.
Here is the copy of the Kaspersky file. It took a while to run it and it found several more viruses. I went ahead and turned off the computer just in case it tries to send more spam.
Let me know if you need any other reports and I will start up the computer and load them up. Thanks, Mike
#15
Registered User
Join Date: Oct 2007
Posts: 33
OS: XP Pro with SP2
Re: Need help with Virus.
Forgot the DSS Report.
Deckard's System Scanner v20070905.67
Run by Mike Whitby on 2007-10-12 20:10:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------


-- HijackThis (run as Mike Whitby.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:31 PM, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\twc\medicsp2\bin\sprtcmd.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\web\aolspy.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAPPActiveProtection.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\zqnunj.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Mike Whitby\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MIKEWH~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe /scan /startup
O4 - HKLM\..\Run: [hrr] C:\WINDOWS\system32\hrr.exe
O4 - HKLM\..\Run: [zqnunj] C:\WINDOWS\system32\zqnunj.exe
O4 - HKLM\..\RunServices: [hrr] C:\WINDOWS\system32\hrr.exe
O4 - HKLM\..\RunServices: [zqnunj] C:\WINDOWS\system32\zqnunj.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O23 - Service: AOL Anti-Spyware Service (AOL_SpywareServ) - Unknown owner - C:\WINDOWS\web\aolspy.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Print Spooler Service (ouhpyeuaoeweuy9k) - Unknown owner - C:\WINDOWS\system32\hrr.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10252 bytes


-- Files created between 2007-09-12 and 2007-10-12 -----------------------------

2007-10-12 20:08:41 224655 --a------ C:\WINDOWS\system32\zqnunj.exe
2007-10-12 15:01:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-12 15:01:08 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-12 14:58:18 0 d---s---- C:\Documents and Settings\Mike Whitby\UserData
2007-10-12 14:51:33 224655 --a------ C:\WINDOWS\system32\hrr.exe
2007-10-10 12:01:56 0 d-------- C:\Program Files\SpywareBlaster
2007-10-10 12:01:03 0 d-------- C:\Documents and Settings\Mike Whitby\Application Data\Adobe
2007-10-09 16:56:24 0 d-------- C:\Program Files\Trend Micro
2007-10-09 14:26:19 0 --a------ C:\Documents and Settings\Mike Whitby\core
2007-10-09 14:26:18 0 --a------ C:\Documents and Settings\Lauren Whitby\core
2007-10-09 10:43:01 0 d-------- C:\WINDOWS\ShellNew
2007-10-09 10:42:52 0 d-------- C:\Program Files\Common Files\L&H
2007-10-09 10:42:51 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-10-04 12:23:35 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-10-04 12:23:35 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-10-04 12:23:35 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-10-04 12:23:35 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-10-04 12:23:35 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-10-04 12:23:35 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-10-04 12:23:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-10-04 12:23:35 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-10-04 12:23:34 786432 --ah----- C:\Documents and Settings\Administrator\ntuser.dat


-- Find3M Report ---------------------------------------------------------------

2007-10-12 20:09:18 0 d-------- C:\Program Files\Microsoft AntiSpyware
2007-10-09 10:42:52 0 d-------- C:\Program Files\Common Files
2007-10-06 14:08:48 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-06 14:07:56 0 d-------- C:\Program Files\Sony
2007-10-05 17:42:50 0 d-------- C:\Program Files\pspvideo9
2007-10-05 17:41:48 0 d--h----- C:\Program Files\Zero G Registry
2007-08-20 15:37:53 0 d-------- C:\Program Files\AIM Toolbar
2007-08-18 21:55:17 0 d-------- C:\Program Files\Java
2007-08-13 11:42:46 0 d-------- C:\Program Files\MySpace


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77701e16-9bfe-4b63-a5b4-7bd156758a37}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C62 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.exe" [04/10/2002 03:00 AM]
"RCScheduleCheck"="C:\Program Files\VCOM\Recovery Commander\RCSCHED.exe" [10/21/2003 12:20 PM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [10/29/2004 05:50 PM]
"nwiz"="nwiz.exe" [10/29/2004 05:50 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [10/29/2004 05:50 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [08/20/2002 11:29 AM]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [07/12/2005 03:35 PM]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [02/01/2005 10:00 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/07/2005 12:46 AM]
"QuickTime Task"="C:\qttask.exe" [12/23/2006 06:41 PM]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [06/12/2007 12:32 PM]
"medicsp2"="C:\Program Files\twc\medicsp2\bin\sprtcmd.exe" [03/07/2007 11:53 AM]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [09/18/2007 05:25 PM]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [09/18/2007 05:25 PM]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [09/18/2007 05:25 PM]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [09/18/2007 05:25 PM]
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [09/18/2007 05:25 PM]
"CaPPcl"="C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe" [09/18/2007 05:25 PM]
"hrr"="C:\WINDOWS\system32\hrr.exe" [10/12/2007 02:51 PM]
"zqnunj"="C:\WINDOWS\system32\zqnunj.exe" [10/12/2007 08:08 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/16/2007 08:28 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"hrr"=C:\WINDOWS\system32\hrr.exe
"zqnunj"=C:\WINDOWS\system32\zqnunj.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= C:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL [07/08/2003 09:53 AM 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 05/18/2007 02:30 PM 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - OUHPYEUAOEWEUY9K

-- End of Deckard's System Scanner: finished at 2007-10-12 20:12:00 ------------
#16
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,596
OS: WinXP and Vista
Re: Need help with Virus.
Hi Mike,
Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

--------------------------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account.

Make sure to close any open browsers.

--------------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------------

Empty the following Quarantine folders:
Norton AntiVirus
Trend Micro Internet Security

--------------------------------------------------------------------

Please include the following in your next reply:
C:\SDFix\Report.txt
C:\ComboFix.txt
#17
Registered User
Join Date: Oct 2007
Posts: 33
OS: XP Pro with SP2
Re: Need help with Virus.
Sorry for the delay - kids' sports all weekend....
Here is the ComboFix Report and I attached the SDFix Report as well. Thanks!

ComboFix 07-10-10.1 - Lauren Whitby 2007-10-14 17:09:00.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.578 [GMT -5:00]
Running from: C:\Documents and Settings\Lauren Whitby\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lauren Whitby\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\hrr.exe
C:\WINDOWS\system32\zqnunj.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hrr.exe
C:\WINDOWS\system32\zqnunj.exe
D:\Drive C\Program Files\Common Files\midaddle
D:\Drive C\Program Files\Common Files\midaddle\uninst.exe
D:\Drive C\Program Files\Common Files\midaddle\Uninstaller.exe
D:\Drive C\Program Files\Common Files\midaddle\Updater.exe
D:\Drive C\Program Files\Lycos
D:\Drive C\Program Files\Lycos\IEagent\control.dat
D:\Drive C\Program Files\Lycos\IEagent\CSBIINST.DLL
D:\Drive C\Program Files\Lycos\IEagent\csie_dictionary.dat
D:\Drive C\Program Files\Lycos\IEagent\csie_edomains.dat
D:\Drive C\Program Files\Lycos\IEagent\csie_idomainsd.dat
D:\Drive C\Program Files\Lycos\IEagent\csie_patterns.dat
D:\Drive C\Program Files\Lycos\IEagent\csie_ron_sbday.dat
D:\Drive C\Program Files\Lycos\IEagent\csie_ron_sbhour.dat
D:\Drive C\Program Files\Lycos\IEagent\csie_rules.dat
D:\Drive C\Program Files\Lycos\IEagent\csie_srchrule.dat
D:\Drive C\Program Files\Lycos\IEagent\csie_ss_edomains.dat
D:\Drive C\Program Files\Lycos\IEagent\csie_ss_idomainsd.dat
D:\Drive C\Program Files\Lycos\IEagent\csie_usb_sbday.dat
D:\Drive C\Program Files\Lycos\IEagent\csie_usb_sbhour.dat
D:\Drive C\Program Files\Lycos\IEagent\CSSOINST.DLL
D:\Drive C\Program Files\Lycos\IEagent\CSTMINST.DLL

.
((((((((((((((((((((((((( Files Created from 2007-09-14 to 2007-10-14 )))))))))))))))))))))))))))))))
.

2007-10-14 16:35 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-14 16:33 225,509 --a------ C:\WINDOWS\sptawl.exe
2007-10-14 16:31 225,509 --a------ C:\WINDOWS\system32\juunrlpiqtz.exe
2007-10-14 16:24 225,509 --a------ C:\WINDOWS\system32\hx.exe
2007-10-12 15:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-12 15:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-12 14:58 <DIR> d---s---- C:\Documents and Settings\Mike Whitby\UserData
2007-10-10 15:49 <DIR> d-------- C:\Deckard
2007-10-10 12:01 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-10 11:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-09 16:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-09 10:43 <DIR> d-------- C:\WINDOWS\ShellNew
2007-10-09 10:42 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-09 10:42 <DIR> d-------- C:\Program Files\Common Files\L&H

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-14 22:15 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-10-14 22:12 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-10-14 22:12 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-10-14 22:12 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-10-14 22:12 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-10-14 22:12 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-10-14 22:12 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-10-14 22:12 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-10-14 22:12 107,348 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-10-06 19:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-06 19:07 --------- d-----w C:\Program Files\Sony
2007-10-05 22:42 --------- d-----w C:\Program Files\pspvideo9
2007-10-05 22:41 --------- d--h--w C:\Program Files\Zero G Registry
2007-09-18 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-08-20 20:37 --------- d-----w C:\Program Files\AIM Toolbar
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-30 22:52 25,328 -c----w C:\Documents and Settings\Lauren Whitby\Application Data\GDIPFONTCACHEV1.DAT

.
((((((((((((((((((((((((((((( snapshot@2007-10-10_13.21.06.40 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-10-14 11:14:42 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 544,768 2007-10-14 21:36:09 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
----a-w 8,192 2007-10-14 21:36:09 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 163,328 2007-10-14 11:14:42 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 544,768 2007-10-14 21:35:59 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
----a-w 8,192 2007-10-14 21:35:59 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
----a-w 213,048 2005-05-24 17:27:16 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
----a-w 94,208 2007-08-29 20:47:20 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
----a-w 950,272 2007-08-29 20:49:54 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C62 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.exe" [2002-04-10 03:00]
"RCScheduleCheck"="C:\Program Files\VCOM\Recovery Commander\RCSCHED.exe" [2003-10-21 12:20]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 17:50]
"nwiz"="nwiz.exe" [2004-10-29 17:50 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 17:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 11:29]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 15:35]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"QuickTime Task"="C:\qttask.exe" [2006-12-23 18:41]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-06-12 12:32]
"medicsp2"="C:\Program Files\twc\medicsp2\bin\sprtcmd.exe" [2007-03-07 11:53]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-09-18 17:25]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-09-18 17:25]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-09-18 17:25]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-09-18 17:25]
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-09-18 17:25]
"CaPPcl"="C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe" [2007-09-18 17:25]
"juunrlpiqtz"="C:\WINDOWS\system32\juunrlpiqtz.exe" [2007-10-14 16:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-02-01 10:55]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 14:43]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 08:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"juunrlpiqtz"=C:\WINDOWS\system32\juunrlpiqtz.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= C:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL [2003-07-08 09:53 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R1 prodrv04;Star Force copy protection driver v4;C:\WINDOWS\system32\drivers\prodrv04.sys
R2 DPPSUSB;DPPSUSB.Sys Sony DPP-SV55/77/88 USB Digital Photo Printer Driver;C:\WINDOWS\system32\Drivers\DPPSUSB.sys
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);C:\Program Files\twc\medicsp2\bin\sprtsvc.exe /service /p medicsp2
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe"
R3 SONYWBMS;Sony Memory Stick controller(WB);C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS
R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\system32\drivers\yacxgc.sys
S2 MZTFUXIY;MZTFUXIY;\??\C:\WINDOWS\System32\mztfuxiy.gew
S2 ouhpyeuaoeweuy9k;Print Spooler Service;C:\WINDOWS\system32\juunrlpiqtz.exe /service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53dbe4a9-2cda-11db-ab4d-00e018b959ee}]
AutoRun\command - I:\JDSecure\Windows\JDSecure30.exe

*Newly Created Service* - OUHPYEUAOEWEUY9K
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-14 17:18:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-14 17:30:39 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-12 12:06
C:\ComboFix3.txt ... 2007-10-10 13:28
.
--- E O F ---
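Two entries in the ComboFix log above stand out without any signature knowledge: a service with a random-looking name whose display name is "Print Spooler Service" but whose image is C:\WINDOWS\system32\juunrlpiqtz.exe (the real spooler, spoolsv.exe, is already in the process list), and a driver-style service MZTFUXIY whose image is a .gew file registered through an NT \??\ path. The same log also lists a MountPoints2 AutoRun handler on drive I: and marks OUHPYEUAOEWEUY9K as a newly created service. The script below is an added example, not part of this thread and not ComboFix or HijackThis code: it parses those line formats and applies exactly those structural checks. The sample lines are copied from the log above; the lookup table of built-in service display names and the choice of heuristics are this example's own assumptions.

```python
"""Triage ComboFix "Drivers/Services" and MountPoints2 lines.

Added example, not part of the original post and not ComboFix or HijackThis
code. Heuristics (assumptions of this example): a display name that mimics a
built-in Windows service but is backed by another binary, an image that is not
an .exe/.sys/.dll, a \\??\\ driver registration without a .sys image, an AutoRun
handler on a non-system volume, and a service ComboFix marks as newly created.
"""
import os
import re
from typing import Dict, List, Optional

# ComboFix prints one service per line:  <start type> <name>;<display name>;<image path>
SERVICE_RE = re.compile(r"^(R[0-3]|S[0-4])\s+([^;]+);([^;]*);(.+)$")
# Explorer MountPoints2 entries:  AutoRun\command - <command line>
AUTORUN_RE = re.compile(r"^AutoRun\\command\s*-\s*(.+)$", re.IGNORECASE)
# ComboFix's marker for services absent from its previous snapshot
NEW_SERVICE_RE = re.compile(r"^\*Newly Created Service\*\s*-\s*(\S+)$")

# Built-in Windows service display names and the binary that legitimately backs
# them (lower-cased). Assumption: a deliberately small table for this example.
KNOWN_DISPLAY_NAMES: Dict[str, str] = {
    "print spooler": "spoolsv.exe",
    "windows management instrumentation": "svchost.exe",
}
BINARY_EXTENSIONS = {".exe", ".sys", ".dll"}


def image_basename(image: str) -> str:
    """Lower-cased file name of a service image, tolerating quoted paths,
    unquoted paths with spaces followed by switches, and NT \\??\\ prefixes."""
    image = image.strip()
    if image.startswith('"'):
        path = image[1:].split('"', 1)[0]
    else:
        # Unquoted: cut at the first " /switch" or " -switch" argument.
        path = re.split(r"\s+[/-]", image, maxsplit=1)[0]
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.rsplit("\\", 1)[-1].lower()


def triage_service(line: str) -> Optional[dict]:
    """Return a finding for a service line (reasons may be empty), else None."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    start, name, display, image = m.groups()
    exe = image_basename(image)
    ext = os.path.splitext(exe)[1]
    reasons: List[str] = []
    for known, expected in KNOWN_DISPLAY_NAMES.items():
        if known in display.lower() and exe != expected:
            reasons.append(f"display name mimics '{known}' but image is {exe}, expected {expected}")
    if ext not in BINARY_EXTENSIONS:
        reasons.append(f"image extension '{ext}' is not .exe/.sys/.dll")
    if image.strip().lstrip('"').startswith("\\??\\") and ext != ".sys":
        reasons.append("registered with an NT \\??\\ path but the image is not a .sys driver")
    return {"kind": "service", "start": start, "name": name, "display": display,
            "image": exe, "reasons": reasons}


def triage_autorun(line: str) -> Optional[dict]:
    """Flag MountPoints2 AutoRun handlers that point at a volume other than C:."""
    m = AUTORUN_RE.match(line)
    if not m:
        return None
    command = m.group(1).strip()
    drive = command[:2].upper() if len(command) > 1 and command[1] == ":" else ""
    reasons: List[str] = []
    if drive and drive != "C:":
        reasons.append(f"AutoRun handler on non-system volume {drive}: {command}")
    return {"kind": "autorun", "name": "AutoRun", "image": command, "reasons": reasons}


def triage(log_text: str) -> List[dict]:
    """Parse a log fragment and return only entries with at least one reason."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    new_names = set()
    for ln in lines:
        m = NEW_SERVICE_RE.match(ln)
        if m:
            new_names.add(m.group(1).lower())
    findings: List[dict] = []
    for ln in lines:
        f = triage_service(ln) or triage_autorun(ln)
        if f is None:
            continue
        if f["kind"] == "service" and f["name"].lower() in new_names:
            f["reasons"].append("listed by ComboFix as a newly created service")
        if f["reasons"]:
            findings.append(f)
    return findings


# Lines copied from the ComboFix log in this thread: legitimate CA, StarForce,
# SupportSoft and Sony entries mixed with the two suspect services and the
# MountPoints2 AutoRun entry.
SAMPLE_LOG = r"""
R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 prodrv04;Star Force copy protection driver v4;C:\WINDOWS\system32\drivers\prodrv04.sys
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);C:\Program Files\twc\medicsp2\bin\sprtsvc.exe /service /p medicsp2
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R3 SONYWBMS;Sony Memory Stick controller(WB);C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS
S2 MZTFUXIY;MZTFUXIY;\??\C:\WINDOWS\System32\mztfuxiy.gew
S2 ouhpyeuaoeweuy9k;Print Spooler Service;C:\WINDOWS\system32\juunrlpiqtz.exe /service
AutoRun\command - I:\JDSecure\Windows\JDSecure30.exe
*Newly Created Service* - OUHPYEUAOEWEUY9K
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['name']} ({f['image']})")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run on the sample, only MZTFUXIY, ouhpyeuaoeweuy9k and the I: AutoRun entry are reported; the CA, StarForce, SupportSoft and Sony lines pass because their display names, extensions and paths are consistent. These checks are structural, so they say nothing about a file whose name and extension look ordinary; they are a first pass for deciding which entries deserve a hash lookup or a second scanner, not a verdict.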
#18
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,596
OS: WinXP and Vista
Re: Need help with Virus.
Hello Mike,
Please copy this page to Notepad and save it to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open Notepad and copy/paste the text in the quote box below into it:

Quote:

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------------

Run another online scan at Kaspersky and save the results.

--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:
C:\ComboFix.txt
Kaspersky results
New HijackThis log

**Please do not attach the reports unless requested; simply copy/paste them in the reply box.
#19
Registered User
Join Date: Oct 2007
Posts: 33
OS: XP Pro with SP2
Re: Need help with Virus.
Here are the requested reports. The local profiles for Windows settings were lost during the last update. Is that supposed to happen or did I do something incorrectly?

Thanks!

ComboFix 07-10-10.1 - Lauren Whitby 2007-10-14 20:08:14.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.584 [GMT -5:00]
Running from: C:\Documents and Settings\Lauren Whitby\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lauren Whitby\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\sptawl.exe
C:\WINDOWS\system32\hx.exe
C:\WINDOWS\system32\juunrlpiqtz.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\sptawl.exe
C:\WINDOWS\system32\hx.exe
C:\WINDOWS\system32\juunrlpiqtz.exe
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_OUHPYEUAOEWEUY9K
-------\ouhpyeuaoeweuy9k

((((((((((((((((((((((((( Files Created from 2007-09-15 to 2007-10-15 )))))))))))))))))))))))))))))))
.

2007-10-14 16:35 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-12 15:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-12 15:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-12 14:58 <DIR> d---s---- C:\Documents and Settings\Mike Whitby\UserData
2007-10-10 15:49 <DIR> d-------- C:\Deckard
2007-10-10 12:01 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-10 11:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-09 16:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-09 10:43 <DIR> d-------- C:\WINDOWS\ShellNew
2007-10-09 10:42 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-09 10:42 <DIR> d-------- C:\Program Files\Common Files\L&H
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-15 01:16 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-10-15 01:12 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-10-15 01:12 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-10-15 01:12 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-10-15 01:12 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-10-15 01:12 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-10-15 01:12 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-10-15 01:12 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-10-15 01:12 242,484 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-10-06 19:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-06 19:07 --------- d-----w C:\Program Files\Sony
2007-10-05 22:42 --------- d-----w C:\Program Files\pspvideo9
2007-10-05 22:41 --------- d--h--w C:\Program Files\Zero G Registry
2007-09-18 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-08-20 20:37 --------- d-----w C:\Program Files\AIM Toolbar
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-30 22:52 25,328 -c----w C:\Documents and Settings\Lauren Whitby\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2007-10-10_13.21.06.40 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-10-14 11:14:42 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 544,768 2007-10-14 21:36:09 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
----a-w 8,192 2007-10-14 21:36:09 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 163,328 2007-10-14 11:14:42 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 544,768 2007-10-14 21:35:59 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
----a-w 8,192 2007-10-14 21:35:59 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
----a-w 213,048 2005-05-24 17:27:16 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
----a-w 94,208 2007-08-29 20:47:20 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
----a-w 950,272 2007-08-29 20:49:54 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C62 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.exe" [2002-04-10 03:00]
"RCScheduleCheck"="C:\Program Files\VCOM\Recovery Commander\RCSCHED.exe" [2003-10-21 12:20]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 17:50]
"nwiz"="nwiz.exe" [2004-10-29 17:50 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 17:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 11:29]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 15:35]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"QuickTime Task"="C:\qttask.exe" [2006-12-23 18:41]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-06-12 12:32]
"medicsp2"="C:\Program Files\twc\medicsp2\bin\sprtcmd.exe" [2007-03-07 11:53]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-09-18 17:25]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-09-18 17:25]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-09-18 17:25]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-09-18 17:25]
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-09-18 17:25]
"CaPPcl"="C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe" [2007-09-18 17:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= C:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL [2003-07-08 09:53 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R1 prodrv04;Star Force copy protection driver v4;C:\WINDOWS\system32\drivers\prodrv04.sys
R2 DPPSUSB;DPPSUSB.Sys Sony DPP-SV55/77/88 USB Digital Photo Printer Driver;C:\WINDOWS\system32\Drivers\DPPSUSB.sys
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);C:\Program Files\twc\medicsp2\bin\sprtsvc.exe /service /p medicsp2
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe"
R3 SONYWBMS;Sony Memory Stick controller(WB);C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS
R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\system32\drivers\yacxgc.sys
S2 MZTFUXIY;MZTFUXIY;\??\C:\WINDOWS\System32\mztfuxiy.gew
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-14 20:18:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-14 20:31:03 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-14 17:30
C:\ComboFix3.txt ... 2007-10-12 12:06
.
--- E O F ---

Deckard's System Scanner v20070905.67
Run by Mike Whitby on 2007-10-15 09:20:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Mike Whitby.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:07 AM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\twc\medicsp2\bin\sprtcmd.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAPPActiveProtection.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Mike Whitby\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MIKEWH~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe /scan /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

-- End of file - 9673 bytes

-- Files created between 2007-09-15 and 2007-10-15 -----------------------------

2007-10-14 16:35:49 0 d-------- C:\WINDOWS\ERUNT
2007-10-12 15:01:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-12 15:01:08 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-12 14:58:18 0 d---s---- C:\Documents and Settings\Mike Whitby\UserData
2007-10-10 12:01:56 0 d-------- C:\Program Files\SpywareBlaster
2007-10-10 12:01:03 0 d-------- C:\Documents and Settings\Mike Whitby\Application Data\Adobe
2007-10-09 16:56:24 0 d-------- C:\Program Files\Trend Micro
2007-10-09 14:26:19 0 --a------ C:\Documents and Settings\Mike Whitby\core
2007-10-09 14:26:18 0 --a------ C:\Documents and Settings\Lauren Whitby\core
2007-10-09 10:43:01 0 d-------- C:\WINDOWS\ShellNew
2007-10-09 10:42:52 0 d-------- C:\Program Files\Common Files\L&H
2007-10-09 10:42:51 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-10-04 12:23:35 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-10-04 12:23:35 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-10-04 12:23:35 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-10-04 12:23:35 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-10-04 12:23:35 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-10-04 12:23:35 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-10-04 12:23:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-10-04 12:23:35 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-10-04 12:23:34 786432 --ah----- C:\Documents and Settings\Administrator\ntuser.dat

-- Find3M Report ---------------------------------------------------------------

2007-10-15 09:19:52 0 d-------- C:\Program Files\Microsoft AntiSpyware
2007-10-09 10:42:52 0 d-------- C:\Program Files\Common Files
2007-10-06 14:08:48 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-06 14:07:56 0 d-------- C:\Program Files\Sony
2007-10-05 17:42:50 0 d-------- C:\Program Files\pspvideo9
2007-10-05 17:41:48 0 d--h----- C:\Program Files\Zero G Registry
2007-08-20 15:37:53 0 d-------- C:\Program Files\AIM Toolbar
2007-08-18 21:55:17 0 d-------- C:\Program Files\Java

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C62 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.exe" [04/10/2002 03:00 AM]
"RCScheduleCheck"="C:\Program Files\VCOM\Recovery Commander\RCSCHED.exe" [10/21/2003 12:20 PM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [10/29/2004 05:50 PM]
"nwiz"="nwiz.exe" [10/29/2004 05:50 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [10/29/2004 05:50 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [08/20/2002 11:29 AM]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [07/12/2005 03:35 PM]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [02/01/2005 10:00 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/07/2005 12:46 AM]
"QuickTime Task"="C:\qttask.exe" [12/23/2006 06:41 PM]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [06/12/2007 12:32 PM]
"medicsp2"="C:\Program Files\twc\medicsp2\bin\sprtcmd.exe" [03/07/2007 11:53 AM]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [09/18/2007 05:25 PM]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [09/18/2007 05:25 PM]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [09/18/2007 05:25 PM]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [09/18/2007 05:25 PM]
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [09/18/2007 05:25 PM]
"CaPPcl"="C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe" [09/18/2007 05:25 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/16/2007 08:28 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= C:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL [07/08/2003 09:53 AM 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 05/18/2007 02:30 PM 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

-- End of Deckard's System Scanner: finished at 2007-10-15 09:22:15 ------------
#20
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,596
OS: WinXP and Vista
Re: Need help with Virus.
Mike, can you please clarify this statement:

Quote:

We've done nothing that should affect those. Please navigate to C:\Qoobox\ComboFix-quarantined-files.txt and post the contents here.