#1
Registered User
Join Date: Mar 2008
Posts: 9
OS: XP
Multiple Instances of iexplore.exe run on startup
Hi! When I restart Windows, I notice in Task Manager that there will be several instances of iexplore.exe running, even though there are no open windows. In some cases I can hear a radio program or something in the background, and this only goes away when I use Ctrl-Alt-Delete to end the iexplore process. I have tried countless spyware programs but I cannot eliminate this issue. Please help. I have attached the log file below:
Deckard's System Scanner v20071014.68
Run by Mike on 2008-03-24 20:10:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
56: 2008-03-25 00:12:17 UTC - RP914 - Deckard's System Scanner Restore Point
55: 2008-03-24 04:00:00 UTC - RP913 - System Checkpoint
54: 2008-03-21 16:56:35 UTC - RP912 - Software Distribution Service 3.0
53: 2008-03-14 01:17:33 UTC - RP911 - Removed Babylon Toolbar
52: 2008-03-14 00:38:57 UTC - RP910 - Removed Windows Live Mail

-- First Restore Point --
1: 2008-01-21 12:31:11 UTC - RP859 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 256 MiB (512 MiB recommended).

-- HijackThis (run as Mike.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:50 PM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\EzButton\CplBCL50.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Mike\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Mike\MYDOCU~1\Mike.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theweathernetwork.com/weather/CAON0696
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_061230.dll start
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CplBCL50] C:\Program Files\EzButton\CplBCL50.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [xydzyh] C:\WINDOWS\system32\xydzyh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103w.bay103.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136898693750
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://bain.webex.com/client/T25L/webex/ieatgpc.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - C:\WINDOWS\system\svchest.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)

--
End of file - 7342 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\Mike\MYDOCU~1\backups\) ---------------

backup-20080303-203819-151 O2 - BHO: (no name) - {8FC234D4-D636-8EB4-1E82-FC5A103841C7} - C:\WINDOWS\system32\vcjeipw.dll (file missing)
backup-20080303-203819-371 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080303-203819-423 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
backup-20080303-203819-454 R3 - URLSearchHook: (no name) - {8FC234D4-D636-8EB4-1E82-FC5A103841C7} - C:\WINDOWS\system32\vcjeipw.dll (file missing)
backup-20080303-203819-609 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080303-203820-196 O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
backup-20080303-203820-202 O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
backup-20080303-203820-409 O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
backup-20080303-203820-520 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
backup-20080303-203820-584 O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe",2

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes AG; CDRTools>
S3 NAL (Nal Service ) - c:\windows\system32\drivers\iqvw32.sys <Not Verified; Intel Corporation; Intel(R) iQVW32.SYS>
S3 NPF (Netgroup Packet Filter) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
S3 vaxscsi - c:\windows\system32\drivers\vaxscsi.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S2 Indexingbox (Indexing Helps) - c:\windows\system\svchest.exe
S2 Office Source Engine Help (OESH) - c:\program files\netmeeting\msmsgs

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter
Device ID: PCI\VEN_8086&DEV_1043&SUBSYS_25278086&REV_04\4&16793A72&0&10F0
Manufacturer: Intel(R) Corporation
Name: Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter
PNP Device ID: PCI\VEN_8086&DEV_1043&SUBSYS_25278086&REV_04\4&16793A72&0&10F0
Service: w70n51

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\WEC0518\4&32D50C2&0
Manufacturer:
Name:
PNP Device ID: ACPI\WEC0518\4&32D50C2&0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_001214C0&REV_03\3&61AAA01&0&FE
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_001214C0&REV_03\3&61AAA01&0&FE
Service:

-- Scheduled Tasks -------------------------------------------------------------

2008-03-24 03:39:33 420 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{2116249E-EEC9-4D08-8C48-5C5BAC6D027B}.job
2008-03-21 19:22:09 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-02-24 and 2008-03-24 -----------------------------

2008-03-24 18:33:09 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-24 18:33:03 0 d-------- C:\WINDOWS\LastGood
2008-03-24 18:21:29 0 d-------- C:\WINDOWS\pss
2008-03-23 21:26:24 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-13 20:53:25 0 d---s---- C:\WINDOWS\system32\%SystemDrive%
2008-03-13 19:54:32 2566 --a------ C:\WINDOWS\system\svchest.reg
2008-03-13 19:54:32 123889 --a------ C:\WINDOWS\system\svchest.exe
2008-03-13 19:46:56 79872 -----n--- C:\WINDOWS\system32\winsys32_061230.dll
2008-03-13 19:41:21 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-13 19:40:04 0 d-------- C:\Program Files\Windows Live
2008-03-13 19:38:33 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-13 17:52:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-12 23:18:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-03 23:32:19 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-03 23:31:03 0 d-------- C:\Program Files\Spyware Doctor
2008-03-03 19:08:30 0 d-------- C:\Documents and Settings\Mike\.housecall6.6
2008-03-02 23:58:27 691545 --a------ C:\WINDOWS\unins000.exe
2008-03-02 23:58:23 2536 --a------ C:\WINDOWS\unins000.dat
2008-03-02 23:37:11 63488 ---hs---- C:\WINDOWS\system32\xydzyh.exe
2008-03-02 20:45:40 30720 -r-hs---- C:\WINDOWS\system32\winsys16_061230.dll
2008-03-02 20:45:40 30720 -r-hs---- C:\WINDOWS\system32\scrsys16_061230.scr
2008-03-02 20:45:38 175616 -r-hs---- C:\WINDOWS\system32\scrsys061230.scr
2008-03-02 20:45:37 175616 -r-hs---- C:\WINDOWS\system32\AlxRes061230.exe

-- Find3M Report ---------------------------------------------------------------

2008-03-24 19:24:13 0 d-------- C:\Program Files\iTunes
2008-03-24 19:22:54 0 d-------- C:\Program Files\Google
2008-03-24 19:22:18 0 d-------- C:\Program Files\EzButton
2008-03-24 19:22:06 0 d-------- C:\Program Files\Easy CD-DA Extractor 9
2008-03-24 19:18:23 0 d-------- C:\Program Files\Apoint2K
2008-03-24 08:03:08 0 d-------- C:\Documents and Settings\Mike\Application Data\uTorrent
2008-03-23 21:26:24 0 d-------- C:\Program Files\Common Files
2008-03-23 21:26:09 0 d-------- C:\Program Files\Common Files\Real
2008-03-13 19:46:42 0 d-------- C:\Program Files\MSN Messenger
2008-02-22 20:50:30 0 d-------- C:\Program Files\iPod
2008-02-19 00:49:33 0 d-------- C:\Documents and Settings\Mike\Application Data\vlc
2008-02-18 23:53:49 0 d-------- C:\Program Files\VideoLAN
2008-02-15 20:39:08 0 d-------- C:\Program Files\QuickTime
2008-02-13 00:56:03 0 d-------- C:\Program Files\LimeWire
2008-02-11 09:07:03 0 d-------- C:\Documents and Settings\Mike\Application Data\Adobe
2008-02-06 23:43:01 0 d-------- C:\Documents and Settings\Mike\Application Data\webex
2008-02-06 23:41:17 202827 --a------ C:\WINDOWS\system32\atasnt40.dll <Not Verified; WebEx Communications, Inc; WebEx Application Sharing>
2008-01-29 19:51:55 0 d-------- C:\Program Files\Gabest
2008-01-29 09:36:53 0 d-------- C:\Program Files\DirectVobSub

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [11/19/2002 09:01 AM C:\WINDOWS\SOUNDMAN.EXE]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [12/18/2002 05:20 PM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"ATIModeChange"="Ati2mdxx.exe" [09/04/2001 03:24 AM C:\WINDOWS\system32\Ati2mdxx.exe]
"CplBCL50"="C:\Program Files\EzButton\CplBCL50.EXE" [01/29/2003 03:19 AM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [10/20/2001 12:46 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM]
"NWEReboot"="" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [10/12/2002 09:00 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [10/10/2007 01:28 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [02/01/2008 12:13 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 02:10 PM]
"xydzyh"="C:\WINDOWS\system32\xydzyh.exe" [02/13/2008 10:18 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [05/19/2005 08:38 PM]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [03/13/2008 09:08 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_061230.dll start"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f340303-7b49-11db-92b0-00023fb8d11b}]
AutoRun\command- G:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edfc12d2-e933-11da-925d-00023fb8d11b}]
AutoRun\command- F:\RunGame.exe

*Newly Created Service* - RKPAVPROC

-- End of Deckard's System Scanner: finished at 2008-03-24 20:19:04 ------------
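Three entries in the log above carry the infection and explain the hidden iexplore.exe instances: the F2 line (Winlogon's Userinit value has an extra "rundll32.exe C:\WINDOWS\system32\winsys16_061230.dll start" appended, so the DLL is loaded at every logon), the O4 Run entry for the hidden system file xydzyh.exe, and the O23 service "Indexing Helps" whose binary, svchest.exe, is one letter away from svchost.exe and lives in C:\WINDOWS\system rather than system32. The script below is an added example, not part of the thread and not something HijackThis ships; it applies exactly those three checks (Userinit deviation, look-alike names of core Windows binaries, vowel-less random-looking Run names) to a constructed subset of the posted log. The expected Userinit value, the list of known system binaries and the similarity threshold are assumptions chosen for this example.

```python
"""Triage heuristics for a HijackThis (HJT) log.

Added example; not from the thread or from HijackThis. The sample lines are
copied from the posted log; the constants below are assumptions for this example.
"""
import re
from difflib import SequenceMatcher

# Assumed clean Userinit value on Windows XP (one command, trailing comma is normal).
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

# Assumed short list of core binaries whose names malware likes to imitate.
KNOWN_SYSTEM_BINARIES = [
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
    "csrss.exe", "smss.exe", "spoolsv.exe", "explorer.exe", "userinit.exe",
]

# Constructed sample: a subset of the HJT log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_061230.dll start
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [xydzyh] C:\WINDOWS\system32\xydzyh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - C:\WINDOWS\system\svchest.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
"""


def parse_entries(log_text):
    """Yield (section, body) pairs such as ("O4", "HKLM\\..\\Run: [x] y")."""
    for line in log_text.splitlines():
        m = re.match(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$", line.strip())
        if m:
            yield m.group(1), m.group(2)


def command_path(cmd):
    """Extract the executable path from an autorun command line (quoted or not)."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.(?:exe|dll|scr|cpl|bat))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def basename(path):
    return path.replace("(file missing)", "").strip().split("\\")[-1].strip('" ')


def lookalike(name, known=KNOWN_SYSTEM_BINARIES, threshold=0.85):
    """Return the known binary this file name imitates (svchest.exe -> svchost.exe), else None."""
    name = name.lower()
    for k in known:
        if name != k and SequenceMatcher(None, name, k).ratio() >= threshold:
            return k
    return None


def triage(log_text):
    """Return (severity, section, reason, detail) findings for the suspicious entries."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "F2" and re.search(r"userinit=", body, re.I):
            value = re.split(r"userinit=", body, maxsplit=1, flags=re.I)[1].strip()
            if value.lower() != EXPECTED_USERINIT.lower():
                findings.append(("high", section, "Userinit runs an extra command at logon", value))
        elif section == "O23":
            parts = body.split(" - ")            # "Service: name - owner - path"
            owner, path = parts[-2].strip(), parts[-1].strip()
            name = basename(path)
            mimic = lookalike(name)
            if mimic:
                findings.append(("high", section, f"{name} imitates {mimic}", path))
            elif owner == "Unknown owner" and "(file missing)" in path:
                findings.append(("medium", section, "unowned service, binary missing", path))
        elif section == "O4":
            path = command_path(body.split("] ", 1)[-1])
            name = basename(path)
            stem = name.lower().rsplit(".", 1)[0]
            mimic = lookalike(name)
            if mimic:
                findings.append(("high", section, f"{name} imitates {mimic}", path))
            elif re.fullmatch(r"[a-z]{5,8}", stem) and not any(v in stem for v in "aeiou"):
                # Heuristic: short, vowel-less Run names are typical of generated droppers.
                findings.append(("medium", section, "random-looking Run entry name", path))
    return findings


if __name__ == "__main__":
    for sev, sec, why, what in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {sec:3} {why}: {what}")
```

Run against the sample it reports the Userinit hijack and svchest.exe as high, and xydzyh.exe plus the orphaned OESH service as medium; everything else (SoundMan, ctfmon, the Apple service) passes. The look-alike test is a similarity ratio rather than an exact blocklist, so it also catches variants such as scvhost.exe that a fixed list would miss.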
#3
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,886
OS: WinXP and Vista
Re: Multiple Instances of iexplore.exe run on startup
Hello evilmike and welcome to TSF,
This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate. We'll begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware.
#4
Registered User
Join Date: Mar 2008
Posts: 9
OS: XP
Re: Multiple Instances of iexplore.exe run on startup
Great, thanks for the help. Here is the ComboFix log:
ComboFix 08-03-27.1 - Mike 2008-03-28 18:09:03.1 - NTFSx86 Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Mike\Application Data\CURITY~1 C:\Documents and Settings\Mike\Application Data\YMANTE~1 C:\mydelm.bat C:\Program Files\Common Files\crosof~1.net C:\Program Files\Common Files\ymante~1 C:\Program Files\ystem3~1 C:\WINDOWS\Downloaded Program Files\Quarantine C:\WINDOWS\mywinsys.ini C:\WINDOWS\system\svchest.exe C:\WINDOWS\system\svchest.reg C:\WINDOWS\system32\AlxRes061230.exe C:\WINDOWS\system32\asks~1 C:\WINDOWS\system32\drivers\npf.sys C:\WINDOWS\system32\mywebhit.ini C:\WINDOWS\system32\mywebhit.ini.tmp C:\WINDOWS\system32\Packet.dll C:\WINDOWS\system32\pthreadVC.dll C:\WINDOWS\system32\scrsys061230.scr C:\WINDOWS\system32\scrsys16_061230.scr C:\WINDOWS\system32\WanPacket.dll C:\WINDOWS\system32\winsys16_061230.dll C:\WINDOWS\system32\winsys32_061230.dll C:\WINDOWS\system32\wpcap.dll C:\WINDOWS\system32\xydzyh.exe C:\WINDOWS\system32\ystem3~1 C:\WINDOWS\ymbols~1 . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_NPF -------\Service_Indexingbox -------\Service_NPF ((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 ))))))))))))))))))))))))))))))) . 2008-03-26 21:50 . 2008-03-26 22:21 <DIR> d-------- C:\Program Files\RegVac Registry Cleaner 2008-03-26 21:07 . 2008-03-26 21:07 <DIR> d-------- C:\Program Files\Common Files\xing shared 2008-03-24 18:37 . 2008-03-24 18:37 <DIR> d-------- C:\Deckard 2008-03-24 18:33 . 2008-03-26 21:02 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2008-03-24 18:33 . 2008-03-24 18:33 30,590 --a------ C:\WINDOWS\system32\pavas.ico 2008-03-24 18:33 . 2008-03-24 18:33 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico 2008-03-24 18:33 . 
2008-03-24 18:33 1,406 --a------ C:\WINDOWS\system32\Help.ico 2008-03-13 20:53 . 2008-03-13 20:53 <DIR> d---s---- C:\WINDOWS\system32\%SystemDrive% 2008-03-13 19:41 . 2008-03-26 21:05 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller 2008-03-13 19:40 . 2008-03-26 21:05 <DIR> d-------- C:\Program Files\Windows Live 2008-03-13 19:38 . 2008-03-13 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller 2008-03-13 17:52 . 2008-03-13 17:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft 2008-03-13 08:25 . 2008-03-26 22:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-03-13 08:25 . 2008-03-13 08:25 1,409 --a------ C:\WINDOWS\QTFont.for 2008-03-12 23:18 . 2008-03-12 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2008-03-03 23:32 . 2008-03-03 23:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-03-03 23:31 . 2008-03-04 00:14 <DIR> d-------- C:\Program Files\Spyware Doctor 2008-03-03 19:08 . 2008-03-04 00:03 <DIR> d-------- C:\Documents and Settings\Mike\.housecall6.6 2008-03-02 23:58 . 2008-03-02 23:53 691,545 --a------ C:\WINDOWS\unins000.exe 2008-03-02 23:58 . 2008-03-02 23:58 2,536 --a------ C:\WINDOWS\unins000.dat . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-03-28 21:49 --------- d-----w C:\Documents and Settings\Mike\Application Data\uTorrent 2008-03-27 01:07 --------- d-----w C:\Program Files\Common Files\Real 2008-03-27 01:06 --------- d-----w C:\Program Files\MSN Messenger 2008-03-27 01:06 --------- d-----w C:\Program Files\Google 2008-03-24 23:24 --------- d-----w C:\Program Files\iTunes 2008-03-24 23:22 --------- d-----w C:\Program Files\EzButton 2008-03-24 23:22 --------- d-----w C:\Program Files\Easy CD-DA Extractor 9 2008-03-24 23:18 --------- d-----w C:\Program Files\Apoint2K 2008-03-03 13:28 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-03-03 13:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-02-23 00:50 --------- d-----w C:\Program Files\iPod 2008-02-19 04:49 --------- d-----w C:\Documents and Settings\Mike\Application Data\vlc 2008-02-19 03:53 --------- d-----w C:\Program Files\VideoLAN 2008-02-16 19:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink 2008-02-16 00:39 --------- d-----w C:\Program Files\QuickTime 2008-02-13 04:56 --------- d-----w C:\Program Files\LimeWire 2008-02-07 03:43 --------- d-----w C:\Documents and Settings\Mike\Application Data\webex 2008-02-07 03:41 51,304 ----a-w C:\WINDOWS\system32\drivers\atnt40k.sys 2008-01-29 23:51 --------- d-----w C:\Program Files\Gabest 2008-01-29 13:36 --------- d-----w C:\Program Files\DirectVobSub . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-13 21:08 68856] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMan"="SOUNDMAN.EXE" [2002-11-19 09:01 46592 C:\WINDOWS\SOUNDMAN.EXE] "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-12-18 17:20 86016] "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ] "ATIModeChange"="Ati2mdxx.exe" [2001-09-04 03:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe] "CplBCL50"="C:\Program Files\EzButton\CplBCL50.EXE" [2003-01-29 03:19 163840] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2001-10-20 00:46 118784] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496] "NWEReboot"="" [] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-10-12 21:00 294912] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent] C:\Program Files\BitTorrent\bittorrent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ] --------- 2005-05-19 20:38 1957888 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] --a------ 2007-10-10 01:28 36352 C:\Program Files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\utorrent\\utorrent.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "17872:TCP"= 17872:TCP:BitComet 17872 TCP "17872:UDP"= 17872:UDP:BitComet 17872 UDP S2 Office Source Engine Help;OESH;C:\Program Files\NetMeeting\msmsgs [2008-03-13 19:53] S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-11-22 22:01] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f340303-7b49-11db-92b0-00023fb8d11b}] \Shell\AutoRun\command - G:\AUTORUN.EXE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edfc12d2-e933-11da-925d-00023fb8d11b}] \Shell\AutoRun\command - F:\RunGame.exe . Contents of the 'Scheduled Tasks' folder "2008-03-21 23:22:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-28 18:16:59 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Office Source Engine Help] "ImagePath"="C:\Program Files\NetMeeting\msmsgs" . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Windows Media Player\WMPNetwk.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Apoint2K\Apntex.exe . ************************************************************************** . Completion time: 2008-03-28 18:23:26 - machine was rebooted ComboFix-quarantined-files.txt 2008-03-28 22:23:21 Pre-Run: 25,221,124,096 bytes free Post-Run: 25,161,547,776 bytes free . 2008-03-27 02:14:07 --- E O F --- AND HERE IS THE NEW DSS HIJACK THIS LOG: Deckard's System Scanner v20071014.68 Run by Mike on 2008-03-28 18:25:48 Computer is in Normal Mode. -------------------------------------------------------------------------------- Percentage of Memory in Use: 85% (more than 75%). Total Physical Memory: 256 MiB (512 MiB recommended). 
-- HijackThis (run as Mike.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:25:59 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\EzButton\CplBCL50.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Mike\Desktop\dss.exe
C:\DOCUME~1\Mike\MYDOCU~1\Mike.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theweathernetwork.com/weather/CAON0696
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CplBCL50] C:\Program Files\EzButton\CplBCL50.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103w.bay103.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136898693750
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://bain.webex.com/client/T25L/webex/ieatgpc.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)

--
End of file - 6643 bytes

-- Files created between 2008-02-28 and 2008-03-28 -----------------------------

2008-03-28 18:04:24 0 d-------- C:\cmdcons
2008-03-28 18:02:17 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-28 18:02:17 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-28 18:02:17 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-28 18:02:17 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-26 21:50:36 0 d-------- C:\Program Files\RegVac Registry Cleaner
2008-03-26 21:07:30 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-24 18:33:09 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-24 18:21:29 0 d-------- C:\WINDOWS\pss
2008-03-13 20:53:25 0 d---s---- C:\WINDOWS\system32\%SystemDrive%
2008-03-13 19:41:21 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-13 19:40:04 0 d-------- C:\Program Files\Windows Live
2008-03-13 19:38:33 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-13 17:52:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-12 23:18:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-03 23:32:19 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-03 23:31:03 0 d-------- C:\Program Files\Spyware Doctor
2008-03-03 19:08:30 0 d-------- C:\Documents and Settings\Mike\.housecall6.6
2008-03-02 23:58:27 691545 --a------ C:\WINDOWS\unins000.exe
2008-03-02 23:58:23 2536 --a------ C:\WINDOWS\unins000.dat

-- Find3M Report ---------------------------------------------------------------

2008-03-28 18:09:36 0 d-------- C:\Program Files\Common Files
2008-03-28 17:49:37 0 d-------- C:\Documents and Settings\Mike\Application Data\uTorrent
2008-03-26 21:07:20 0 d-------- C:\Program Files\Common Files\Real
2008-03-26 21 28 0 d-------- C:\Program Files\Google
2008-03-26 21 14 0 d-------- C:\Program Files\MSN Messenger
2008-03-24 19:24:13 0 d-------- C:\Program Files\iTunes
2008-03-24 19:22:18 0 d-------- C:\Program Files\EzButton
2008-03-24 19:22:06 0 d-------- C:\Program Files\Easy CD-DA Extractor 9
2008-03-24 19:18:23 0 d-------- C:\Program Files\Apoint2K
2008-02-22 20:50:30 0 d-------- C:\Program Files\iPod
2008-02-19 00:49:33 0 d-------- C:\Documents and Settings\Mike\Application Data\vlc
2008-02-18 23:53:49 0 d-------- C:\Program Files\VideoLAN
2008-02-15 20:39:08 0 d-------- C:\Program Files\QuickTime
2008-02-13 00:56:03 0 d-------- C:\Program Files\LimeWire
2008-02-11 09:07:03 0 d-------- C:\Documents and Settings\Mike\Application Data\Adobe
2008-02-06 23:43:01 0 d-------- C:\Documents and Settings\Mike\Application Data\webex
2008-02-06 23:41:17 202827 --a------ C:\WINDOWS\system32\atasnt40.dll <Not Verified; WebEx Communications, Inc; WebEx Application Sharing>
2008-01-29 19:51:55 0 d-------- C:\Program Files\Gabest
2008-01-29 09:36:53 0 d-------- C:\Program Files\DirectVobSub

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [11/19/2002 09:01 AM C:\WINDOWS\SOUNDMAN.EXE]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [12/18/2002 05:20 PM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"ATIModeChange"="Ati2mdxx.exe" [09/04/2001 03:24 AM C:\WINDOWS\system32\Ati2mdxx.exe]
"CplBCL50"="C:\Program Files\EzButton\CplBCL50.EXE" [01/29/2003 03:19 AM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [10/20/2001 12:46 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"NWEReboot"="" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [10/12/2002 09:00 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [03/13/2008 09:08 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 09:05 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\winampa.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f340303-7b49-11db-92b0-00023fb8d11b}]
AutoRun\command- G:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edfc12d2-e933-11da-925d-00023fb8d11b}]
AutoRun\command- F:\RunGame.exe

-- End of Deckard's System Scanner: finished at 2008-03-28 18:26:22 ------------
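The one entry in the log above that deserves a second look is the OESH service: ComboFix's registry excerpt shows its ImagePath as `C:\Program Files\NetMeeting\msmsgs` (unquoted, no extension), while HijackThis renders the same service as `C:\Program.exe (file missing)`. The mismatch is a parsing artefact of an unquoted path with spaces, and it is exactly the kind of thing a triage script should surface rather than hide. The script below is an added example written for this thread, not code from HijackThis, ComboFix or the forum; the sample ImagePath values are constructed from the log, the clean Apple and ATI entries are assumed counterparts, and the `KNOWN_NAMES` lookalike table is an assumption (Microsoft's real Office Source Engine service runs as `ose.exe`).

```python
"""Added example for this thread (not HijackThis, ComboFix or forum code):
reproduce why the OESH service shows up in the HijackThis log as
'C:\\Program.exe (file missing)' even though its registry ImagePath is
'C:\\Program Files\\NetMeeting\\msmsgs', and flag the other oddities of that
entry so a triage script catches them without a human eyeballing the log."""
import ntpath

# Constructed sample input shaped like the ComboFix registry excerpt above.
# The OESH value is the one from the log; the other two are assumed clean
# counterparts built from the O23 lines in the same log.
SAMPLE_IMAGEPATHS = {
    "Apple Mobile Device": r'"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"',
    "Ati HotKey Poller": r"C:\WINDOWS\system32\Ati2evxx.exe",
    "Office Source Engine Help": r"C:\Program Files\NetMeeting\msmsgs",
}

EXEC_EXT = {".exe", ".sys"}
# Assumed lookalike table: a display-name fragment and the binary that product
# really runs as (Microsoft's Office Source Engine is ose.exe).
KNOWN_NAMES = {"office source engine": "ose.exe"}


def naive_split(imagepath):
    """Split an ImagePath the way a first-space parser does.
    Quoted values are honoured; unquoted values are cut at the first space,
    which turns 'C:\\Program Files\\...' into 'C:\\Program'. Returns (exe, args)."""
    s = imagepath.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    head, _, rest = s.partition(" ")
    return head, rest


def check_imagepath(name, imagepath):
    """Return a list of human-readable findings for one service entry."""
    findings = []
    raw = imagepath.strip()
    exe, _args = naive_split(raw)
    if not raw.startswith('"') and " " in raw:
        # The truncated token, plus an appended .exe, is how the log ends up
        # with 'C:\Program.exe (file missing)'.
        findings.append(f"unquoted ImagePath with spaces; a first-space parser resolves it to {exe}")
    full = raw.strip('"')
    base = ntpath.basename(full)
    if ntpath.splitext(base)[1].lower() not in EXEC_EXT:
        findings.append(f"{base} has no executable extension")
    for fragment, real_binary in KNOWN_NAMES.items():
        if fragment in name.lower() and base.lower() != real_binary:
            findings.append(f"name mimics '{fragment}' but runs {base}, not {real_binary}")
    return findings


def triage(imagepaths):
    """Map service name -> findings, keeping only services with at least one."""
    report = {}
    for name, path in imagepaths.items():
        findings = check_imagepath(name, path)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_IMAGEPATHS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a live XP box the same dictionary can be filled from `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ImagePath`; the point of the three checks is that a legitimate Microsoft service would be quoted or in `system32`, would end in `.exe` or `.sys`, and would not borrow a well-known product name for a binary with a different name.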
#5
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,886
OS: WinXP and Vista
Re: Multiple Instances of iexplore.exe run on startup
Mike, please navigate to the following folder and tell me what it contains:
C:\WINDOWS\system32\%SystemDrive%
#6
Registered User
Join Date: Mar 2008
Posts: 9
OS: XP
Re: Multiple Instances of iexplore.exe run on startup
it contains the following:
...%SystemDrive%\Documents and Settings\Mike\Application Data\Microsoft ...... and then there are two files: CryptnetUrlCache and SystemCertificates

CryptnetUrlCache\content & CryptnetUrlCache\metadata
both of these folders contain 2 system files each with file names containing a long string of letters and numbers

and Systemcertificates\My\ ... and 3 folders: Certificates, CRLs, and CTLs (these three folders are empty)
#7
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,886
OS: WinXP and Vista
Re: Multiple Instances of iexplore.exe run on startup
Thanks, Mike.
While I'm looking into that, please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html
Answer Yes, when prompted to install an ActiveX component.
#8
Registered User
Join Date: Mar 2008
Posts: 9
OS: XP
Re: Multiple Instances of iexplore.exe run on startup
Here is the Kaspersky scan report ... thanks again.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 29, 2008 10:14:03 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/03/2008
Kaspersky Anti-Virus database records: 670608
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 296499
Number of viruses found: 6
Number of infected objects: 70
Number of suspicious objects: 0
Duration of the scan process: 02 56

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0F7B61AB.tcf Infected: Trojan-Downloader.Win32.PurityScan.bj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\458C0C57.htm Infected: Trojan-Downloader.JS.IstBar.j skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike\.housecall6.6\Quarantine\svchest.exe.bac_a03520/data.rar/svchests.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\Documents and Settings\Mike\.housecall6.6\Quarantine\svchest.exe.bac_a03520/data.rar Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\Documents and Settings\Mike\.housecall6.6\Quarantine\svchest.exe.bac_a03520 RarSFX: infected - 2 skipped
C:\Documents and Settings\Mike\.housecall6.6\Quarantine\svchest.exe.bac_a03520 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\Mike\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Messenger\mikkeburton@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Messenger\mikkeburton@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Messenger\mikkeburton@hotmail.com\SharingMetadata\Working\database_32B8_FCD8_B8FC_9B93\dfsr.db Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Messenger\mikkeburton@hotmail.com\SharingMetadata\Working\database_32B8_FCD8_B8FC_9B93\fsr.log Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Messenger\mikkeburton@hotmail.com\SharingMetadata\Working\database_32B8_FCD8_B8FC_9B93\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Messenger\mikkeburton@hotmail.com\SharingMetadata\Working\database_32B8_FCD8_B8FC_9B93\tmp.edb Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows Live Contacts\mikkeburton@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows Live Contacts\mikkeburton@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\History\History.IE5\MSHist012008032920080330\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\temp\~DF1C5B.tmp Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\temp\~DF1D65.tmp Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\temp\~DF6C38.tmp Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\temp\~DF6F4B.tmp Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\temp\~DFA05A.tmp Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\temp\~DFA09D.tmp Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mike\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\temp\Perflib_Perfdata_558.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\NetMeeting\msmsgs Infected: Backdoor.Win32.Hupigon.bhet skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\AlxRes061230.exe.vir Infected: Trojan.Win32.Vaklik.us skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\scrsys061230.scr.vir Infected: Trojan.Win32.Vaklik.us skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\scrsys16_061230.scr.vir Infected: Virus.Win32.AutoRun.aij skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winsys16_061230.dll.vir Infected: Virus.Win32.AutoRun.aij skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winsys32_061230.dll.vir Infected: Virus.Win32.AutoRun.aij skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xydzyh.exe.vir Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP898\A0128084.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP898\A0128131.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP898\A0129131.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP898\A0129140.exe/data.rar/svchest.exe/data.rar/svchests.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP898\A0129140.exe/data.rar/svchest.exe/data.rar Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP898\A0129140.exe/data.rar/svchest.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP898\A0129140.exe/data.rar Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP898\A0129140.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP898\A0129148.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP898\A0129173.exe/data.rar/svchests.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP898\A0129173.exe/data.rar Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP898\A0129173.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP907\A0130785.dll Infected: Virus.Win32.AutoRun.aij skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP910\A0130955.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP910\A0130967.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP911\A0131050.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP911\A0132079.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP911\A0133082.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP911\A0133113.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP912\A0133509.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP914\A0133543.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP914\A0133566.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP914\A0133578.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP914\A0133591.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP914\A0133605.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP915\A0133615.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP915\A0134257.dll Infected: Virus.Win32.AutoRun.aij skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP915\A0134357.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP916\A0134363.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP916\A0135007.dll Infected: Virus.Win32.AutoRun.aij skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP916\A0135107.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP917\A0135113.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP917\A0135757.dll Infected: Virus.Win32.AutoRun.aij skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP917\A0135857.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP918\A0135865.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP918\A0136508.dll Infected: Virus.Win32.AutoRun.aij skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP918\A0136608.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP919\A0136615.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP919\A0136666.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP920\A0136677.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP920\A0137293.dll Infected: Virus.Win32.AutoRun.aij skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP920\A0137392.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP921\A0137414.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP921\A0138026.dll Infected: Virus.Win32.AutoRun.aij skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP921\A0138125.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP921\A0138350.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP922\A0138389.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP923\A0138544.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP923\A0138574.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP923\A0138587.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP923\A0139586.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP925\A0139706.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP925\A0139711.exe Infected: Trojan.Win32.Vaklik.us skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP925\A0139712.scr Infected: Trojan.Win32.Vaklik.us skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP925\A0139713.scr Infected: Virus.Win32.AutoRun.aij skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP925\A0139714.dll Infected: Virus.Win32.AutoRun.aij skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP925\A0139715.dll Infected: Virus.Win32.AutoRun.aij skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP926\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
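Reading the Kaspersky report above takes a practised eye: 70 "infected objects" sounds alarming, but almost all of them sit in Norton's, HouseCall's and ComboFix's quarantine folders or inside System Restore points, where they are inert until someone restores them, and the long tail of "Object is locked skipped" lines is just open system files. The only detection on a live path is `C:\Program Files\NetMeeting\msmsgs` (Backdoor.Win32.Hupigon.bhet), the same binary the OESH service points at. The script below is an added example written for this thread, not Kaspersky's or the forum's code; it parses the three line shapes the report uses and buckets each hit by location. The sample input is a handful of lines constructed in the shape of the report, and the location markers (`\quarantine\`, `\system volume information\_restore`) are assumptions that happen to cover every quarantine directory seen in this thread.

```python
"""Added example for this thread (not Kaspersky's or the forum's code): sort a
Kaspersky Online Scanner report into what actually needs action. Hits in
quarantine folders or System Restore points are inert until restored; only
detections on live paths are findings about the running system."""
import re

# Constructed sample: a handful of lines copied in shape from the report above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0F7B61AB.tcf Infected: Trojan-Downloader.Win32.PurityScan.bj skipped
C:\Documents and Settings\Mike\.housecall6.6\Quarantine\svchest.exe.bac_a03520/data.rar/svchests.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\Program Files\NetMeeting\msmsgs Infected: Backdoor.Win32.Hupigon.bhet skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xydzyh.exe.vir Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP898\A0128084.exe Infected: Trojan-Downloader.Win32.Murlo.jv skipped
C:\System Volume Information\_restore{93DDA4B0-43DB-423B-894A-6B109A6E72CF}\RP898\A0129140.exe RarSFX: infected - 4 skipped
"""

# The three line shapes the report uses: a named detection, a container
# summary ("RarSFX: infected - 4") and a file the scanner could not open.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<kind>[\w.]+): infected - (?P<n>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

# Assumed location markers. Norton, HouseCall and ComboFix's QooBox all keep
# their quarantines in a folder literally named "Quarantine".
RESTORE_MARKER = "\\system volume information\\_restore"
QUARANTINE_MARKER = "\\quarantine\\"


def classify_path(path):
    """Bucket a detected object by where it lives."""
    p = path.lower()
    if RESTORE_MARKER in p:
        return "restore_point"
    if QUARANTINE_MARKER in p:
        return "quarantine"
    return "live"


def parse_report(text):
    """Parse report lines into per-location detection lists plus counters."""
    result = {"live": [], "quarantine": [], "restore_point": [],
              "locked": 0, "archives": 0, "unparsed": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            result[classify_path(m["path"])].append((m["path"], m["name"]))
            continue
        if ARCHIVE_RE.match(line):
            result["archives"] += 1  # container already counted via its members
            continue
        if LOCKED_RE.match(line):
            result["locked"] += 1
            continue
        result["unparsed"].append(line)  # anything unexpected is surfaced, not dropped
    return result


def action_items(result):
    """Paths that need removal on the running system; everything else is inert."""
    return sorted({path for path, _ in result["live"]})


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    for bucket in ("live", "quarantine", "restore_point"):
        print(f"{bucket}: {len(r[bucket])}")
    print("locked:", r["locked"], "archive summaries:", r["archives"])
    print("act on:", action_items(r))
```

Unparsed lines are kept rather than silently ignored so that a report in a format the script has not seen fails loudly. Restore-point hits are cleared by flushing System Restore after the live infection is dealt with, not by editing files under `System Volume Information` by hand.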
#9
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,886
OS: WinXP and Vista
Re: Multiple Instances of iexplore.exe run on startup
Hi Mike,
My apologies for the delay. Please delete your existing ComboFix.exe and download the latest version from any of the links below:
Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you are unsure how to do this, please see this link http://www.bleepingcomputer.com/forums/topic114351.html
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts.
#10
Registered User
Join Date: Mar 2008
Posts: 9
OS: XP
Re: Multiple Instances of iexplore.exe run on startup
No problem, I appreciate the help! Here is the updated combofix.txt log:
And here is the new HijackThis report:
#11
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,886
OS: WinXP and Vista
Re: Multiple Instances of iexplore.exe run on startup
Thanks Mike,
One last round. Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).
--------------------------------------------------------------------
Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account.
Make sure to close any open browsers.
--------------------------------------------------------------------
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Run a new scan with dss.exe
--------------------------------------------------------------------
Please include the following in your next reply:
C:\SDFix\Report.txt
main.txt
Update on system behavior
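The symptom this thread is chasing is iexplore.exe instances present at startup without any browser window open. As an added example, not part of this thread and not code from ComboFix, SDFix or DSS, here is the triage rule an analyst could apply to a process snapshot: an iexplore.exe running under a service account, with no visible window, or started by anything other than explorer.exe deserves a closer look. The snapshot, the `Proc` record and the account/parent lists below are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Accounts under which a browser the user opened should never be running.
# (Constructed list for this example; extend for a real environment.)
SERVICE_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Parents from which iexplore.exe is normally started: the user's shell, or
# another iexplore.exe (IE 7 spawns helper processes of its own).
EXPECTED_PARENTS = {"explorer.exe", "iexplore.exe"}


@dataclass(frozen=True)
class Proc:
    """One row of a process snapshot: the fields Task Manager exposes.
    (Hypothetical record type defined for this example.)"""
    pid: int
    ppid: int
    name: str
    user: str
    has_window: bool  # owns at least one visible top-level window


def find_suspicious_iexplore(procs: List[Proc]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every iexplore.exe that looks like the
    hidden-startup symptom rather than a browser the user opened."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    findings: List[Tuple[int, List[str]]] = []
    for p in procs:
        if p.name.lower() != "iexplore.exe":
            continue
        reasons: List[str] = []
        if p.user.upper() in SERVICE_ACCOUNTS:
            reasons.append("runs under a service account, not the logged-on user")
        if not p.has_window:
            reasons.append("has no visible window")
        parent = by_pid.get(p.ppid)
        if parent is None:
            # A launcher that exits right after spawning the browser leaves
            # an orphan; a user-opened browser keeps explorer.exe as parent.
            reasons.append("parent process has already exited")
        elif parent.name.lower() not in EXPECTED_PARENTS:
            reasons.append(f"started by {parent.name} (pid {parent.pid})")
        if reasons:
            findings.append((p.pid, reasons))
    return findings


# Constructed snapshot (not taken from the thread's logs): one browser the
# user opened, one headless SYSTEM instance, one orphaned headless instance.
SAMPLE_SNAPSHOT = [
    Proc(4, 0, "System", "SYSTEM", False),
    Proc(1020, 700, "svchost.exe", "SYSTEM", False),
    Proc(1200, 900, "explorer.exe", "MIKE", True),
    Proc(1500, 1200, "iexplore.exe", "MIKE", True),     # normal: user opened IE
    Proc(1720, 1020, "iexplore.exe", "SYSTEM", False),  # the symptom
    Proc(1800, 1640, "iexplore.exe", "MIKE", False),    # orphaned and headless
]


def triage_snapshot(procs: List[Proc] = SAMPLE_SNAPSHOT) -> List[Tuple[int, List[str]]]:
    """Run the rule over a snapshot (defaults to the constructed sample)."""
    return find_suspicious_iexplore(procs)


if __name__ == "__main__":
    for pid, reasons in triage_snapshot():
        print(f"iexplore.exe pid {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```

On a live machine the same fields come from `tasklist /V` (user name, window title) or Process Explorer; the rule produces candidates to investigate, not a verdict.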
#12
Registered User
Join Date: Mar 2008
Posts: 9
OS: XP
Re: Multiple Instances of iexplore.exe run on startup
When I restarted the computer, an iexplore.exe was running (it was a SYSTEM process rather than a process under the user name MIKE). I used Ctrl-Alt-Delete to end it, but maybe this is normal? There were no other instances of iexplore running. Usually there would be a few of these running, but there weren't this time. Here is the Report.txt. And I greatly appreciate the help!
And here is the new DSS report:
17:52:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft 2008-03-12 23:18:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2008-03-03 23:32:19 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-03-03 23:31:03 0 d-------- C:\Program Files\Spyware Doctor 2008-03-03 19:08:30 0 d-------- C:\Documents and Settings\Mike\.housecall6.6 2008-03-02 23:58:27 691545 --a------ C:\WINDOWS\unins000.exe 2008-03-02 23:58:23 2536 --a------ C:\WINDOWS\unins000.dat -- Find3M Report --------------------------------------------------------------- 2008-04-01 08:07:33 0 d-------- C:\Documents and Settings\Mike\Application Data\uTorrent 2008-03-28 18:09:36 0 d-------- C:\Program Files\Common Files 2008-03-26 21:07:20 0 d-------- C:\Program Files\Common Files\Real 2008-03-26 21 28 0 d-------- C:\Program Files\Google2008-03-26 21 14 0 d-------- C:\Program Files\MSN Messenger2008-03-24 19:24:13 0 d-------- C:\Program Files\iTunes 2008-03-24 19:22:18 0 d-------- C:\Program Files\EzButton 2008-03-24 19:22:06 0 d-------- C:\Program Files\Easy CD-DA Extractor 9 2008-03-24 19:18:23 0 d-------- C:\Program Files\Apoint2K 2008-02-22 20:50:30 0 d-------- C:\Program Files\iPod 2008-02-19 00:49:33 0 d-------- C:\Documents and Settings\Mike\Application Data\vlc 2008-02-18 23:53:49 0 d-------- C:\Program Files\VideoLAN 2008-02-15 20:39:08 0 d-------- C:\Program Files\QuickTime 2008-02-13 00:56:03 0 d-------- C:\Program Files\LimeWire 2008-02-11 09:07:03 0 d-------- C:\Documents and Settings\Mike\Application Data\Adobe 2008-02-06 23:43:01 0 d-------- C:\Documents and Settings\Mike\Application Data\webex 2008-02-06 23:41:17 202827 --a------ C:\WINDOWS\system32\atasnt40.dll <Not Verified; WebEx Communications, Inc; WebEx Application Sharing> -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMan"="SOUNDMAN.EXE" [11/19/2002 09:01 AM C:\WINDOWS\SOUNDMAN.EXE] "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [12/18/2002 05:20 PM] "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [] "ATIModeChange"="Ati2mdxx.exe" [09/04/2001 03:24 AM C:\WINDOWS\system32\Ati2mdxx.exe] "CplBCL50"="C:\Program Files\EzButton\CplBCL50.EXE" [01/29/2003 03:19 AM] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [10/20/2001 12:46 AM] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM] "NWEReboot"="" [] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [10/12/2002 09:00 PM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [03/13/2008 09:08 PM] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 09:05 PM] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=1 (0x1) "HideStartupScripts"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=1 (0x1) "HideStartupScripts"=0 (0x0) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}] @="Volume shadow copy" [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] "C:\Program Files\Winamp\winampa.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f340303-7b49-11db-92b0-00023fb8d11b}] AutoRun\command- G:\AUTORUN.EXE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edfc12d2-e933-11da-925d-00023fb8d11b}] AutoRun\command- F:\RunGame.exe -- End of Deckard's System Scanner: finished at 2008-04-01 08:43:39 ------------ |
#13
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,886
OS: WinXP and Vista
Re: Multiple Instances of iexplore.exe run on startup
Hi Mike,
Open notepad and copy/paste the text in the code box below into it:

Code:
Driver::
Office Source Engine Help

Registry::
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A675860E-9437-2D37-A317-B26952F7E2C7}]

Save it as CFScript.txt in the same location as ComboFix.exe. Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt. Please post that here.

How is the system behaving now?
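The service the CFScript above removes appears in Mike's HijackThis log as an O23 entry with "Unknown owner" and "(file missing)". The script below is an added example, not code from this thread, HijackThis or ComboFix: it parses O4 and O23 lines from such a log and scores them so that an entry of that kind stands out; the weights and the KNOWN_DIRS list are my own assumptions, and the sample lines are quoted from the log posted above.

```python
"""Triage of HijackThis O4 (autorun) and O23 (service) lines.
Constructed example, not code from this thread, HijackThis or ComboFix; the
weights and KNOWN_DIRS are my assumptions, tuned to surface the kind of entry
removed in this thread (unknown owner, image file missing), nothing more."""
import re
from dataclasses import dataclass, field

# Where properly installed services and autoruns normally live (lower-case,
# trailing backslash so that "c:\program.exe" does not pass as Program Files).
KNOWN_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\",
              "%systemroot%\\", "%windir%\\")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

@dataclass
class Finding:
    kind: str        # "O4" or "O23"
    name: str        # Run value name or service display name
    path: str        # executable path as recorded in the log
    score: int = 0
    reasons: list = field(default_factory=list)

def _exe_path(cmd):
    """Strip quotes, switches and HijackThis annotations, keep the executable."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"^(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def _score_location(f):
    p = f.path.lower()
    if "\\" not in p:
        f.score += 1
        f.reasons.append("bare file name, resolved via the search path")
    elif not p.startswith(KNOWN_DIRS):
        f.score += 2
        f.reasons.append("outside Windows and Program Files")

def parse_o23(line):
    # O23 - Service: <display name> - <owner> - <image path>[ (file missing)]
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    parts = line[len(prefix):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, image = parts
    f = Finding("O23", name, _exe_path(image))
    if image.endswith("(file missing)"):
        f.score += 3
        f.reasons.append("image file missing")
    if owner == "Unknown owner":
        f.score += 1
        f.reasons.append("no vendor recorded")
    _score_location(f)
    return f

def parse_o4(line):
    m = O4_RE.match(line)
    if not m:
        return None
    f = Finding("O4", m.group("name"), _exe_path(m.group("cmd")))
    _score_location(f)
    return f

def triage(lines, threshold=3):
    """Return the entries worth a second look, highest score first."""
    found = [f for f in (parse_o23(l) or parse_o4(l) for l in lines)
             if f is not None and f.score >= threshold]
    return sorted(found, key=lambda f: f.score, reverse=True)

# Lines quoted from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u",
    r"O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe",
    r"O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe",
    r"O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} {f.name!r} -> {f.path} (score {f.score}): {'; '.join(f.reasons)}")
```

Run against the sample lines, only the OESH service clears the threshold; the Ati service (unknown owner but a system32 path) and the bare SOUNDMAN.EXE autorun each score 1 and are left alone.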
#14
Registered User
Join Date: Mar 2008
Posts: 9
OS: XP
Re: Multiple Instances of iexplore.exe run on startup
OK, I don't see any more instances of iexplore running when I reboot! The SYSTEM process iexplore.exe is no longer there either. The problem appears to be gone. I have attached the ComboFix log below. Please let me know if there is anything else that I should do.
Thanks! Mike

ComboFix 08-03-30.4 - Mike 2008-04-01 17:56:21.3 - NTFSx86
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike\Desktop\CFScript.txt
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_OFFICE_SOURCE_ENGINE_HELP
-------\Service_Office Source Engine Help

((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.
2008-04-01 08:16 . 2008-04-01 08:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-01 08:15 . 2008-04-01 08:41 <DIR> d-------- C:\SDFix
2008-03-29 00:32 . 2008-03-29 00:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-29 00:32 . 2008-03-29 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-26 21:50 . 2008-03-26 22:21 <DIR> d-------- C:\Program Files\RegVac Registry Cleaner
2008-03-26 21:07 . 2008-03-26 21:07 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-24 18:37 . 2008-03-24 18:37 <DIR> d-------- C:\Deckard
2008-03-24 18:33 . 2008-03-26 21:02 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-24 18:33 . 2008-03-24 18:33 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-24 18:33 . 2008-03-24 18:33 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-24 18:33 . 2008-03-24 18:33 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-13 20:53 . 2008-03-13 20:53 <DIR> d---s---- C:\WINDOWS\system32\%SystemDrive%
2008-03-13 19:41 . 2008-03-26 21:05 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-13 19:40 . 2008-03-26 21:05 <DIR> d-------- C:\Program Files\Windows Live
2008-03-13 19:38 . 2008-03-13 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-13 17:52 . 2008-03-13 17:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-13 08:25 . 2008-03-31 18:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-13 08:25 . 2008-03-13 08:25 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-12 23:18 . 2008-03-12 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-03 23:32 . 2008-03-03 23:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-03 23:31 . 2008-03-04 00:14 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-03 19:08 . 2008-03-04 00:03 <DIR> d-------- C:\Documents and Settings\Mike\.housecall6.6
2008-03-02 23:58 . 2008-03-02 23:53 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-02 23:58 . 2008-03-02 23:58 2,536 --a------ C:\WINDOWS\unins000.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 12:07 --------- d-----w C:\Documents and Settings\Mike\Application Data\uTorrent
2008-03-27 01:07 --------- d-----w C:\Program Files\Common Files\Real
2008-03-27 01:06 --------- d-----w C:\Program Files\MSN Messenger
2008-03-27 01:06 --------- d-----w C:\Program Files\Google
2008-03-24 23:24 --------- d-----w C:\Program Files\iTunes
2008-03-24 23:22 --------- d-----w C:\Program Files\EzButton
2008-03-24 23:22 --------- d-----w C:\Program Files\Easy CD-DA Extractor 9
2008-03-24 23:18 --------- d-----w C:\Program Files\Apoint2K
2008-03-03 13:28 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-03 13:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-23 00:50 --------- d-----w C:\Program Files\iPod
2008-02-19 04:49 --------- d-----w C:\Documents and Settings\Mike\Application Data\vlc
2008-02-19 03:53 --------- d-----w C:\Program Files\VideoLAN
2008-02-16 19:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-16 00:39 --------- d-----w C:\Program Files\QuickTime
2008-02-13 04:56 --------- d-----w C:\Program Files\LimeWire
2008-02-07 03:43 --------- d-----w C:\Documents and Settings\Mike\Application Data\webex
2008-02-07 03:41 51,304 ----a-w C:\WINDOWS\system32\drivers\atnt40k.sys
.
((((((((((((((((((((((((((((( snapshot@2008-03-28_18.22.57.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-01 14:56:58 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-01 12:17:12 7,913,472 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-01 12:17:13 487,424 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-01 14:56:58 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-01 12:16:56 7,913,472 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-04-01 12:16:57 487,424 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-03-06 01:22:34 22,752 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spcustom.dll
+ 2007-03-06 01:22:36 14,048 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst.exe
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-03-06 01:22:59 716,000 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\update.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\updspapi.dll
+ 2007-08-13 22:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
- 2007-08-13 22:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-13 21:08 68856]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-11-19 09:01 46592 C:\WINDOWS\SOUNDMAN.EXE]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-12-18 17:20 86016]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 03:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"CplBCL50"="C:\Program Files\EzButton\CplBCL50.EXE" [2003-01-29 03:19 163840]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2001-10-20 00:46 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NWEReboot"="" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-10-12 21:00 294912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-05-19 20:38 1957888 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-10 01:28 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17872:TCP"= 17872:TCP:BitComet 17872 TCP
"17872:UDP"= 17872:UDP:BitComet 17872 UDP

S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-11-22 22:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f340303-7b49-11db-92b0-00023fb8d11b}]
\Shell\AutoRun\command - G:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edfc12d2-e933-11da-925d-00023fb8d11b}]
\Shell\AutoRun\command - F:\RunGame.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-28 23:22:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 18:04:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-04-01 18:11:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-01 22:11:01
ComboFix2.txt 2008-03-31 22:05:42
ComboFix3.txt 2008-03-28 22:23:27
Pre-Run: 25,394,339,840 bytes free
Post-Run: 25,384,804,352 bytes free
.
2008-03-28 22:31:57 --- E O F ---
#15
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,886
OS: WinXP and Vista
Re: Multiple Instances of iexplore.exe run on startup
Glad to hear it, Mike.
One more folder to delete, and my apologies on that--I forgot about this guy.

Using 'My Computer', navigate to and delete the following folder:

C:\Program Files\NetMeeting

**If the folder resists deletion, boot into Safe Mode to delete it by doing the following:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account.

--------------------------------------------------------------------

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will clear out ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.

Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
#16
Registered User
Join Date: Mar 2008
Posts: 9
OS: XP
Re: Multiple Instances of iexplore.exe run on startup
I was able to delete the NetMeeting folder in Safe Mode. Everything is still running well and I'd like to thank you again! I believe my problem has been resolved.
Mike