Tech Support Forum, Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads (resolved spyware and popup issues)

10-31-2008, 10:08 PM   #1
Registered User
Join Date: Oct 2008
Posts: 10
OS: XP Home

Need help getting started

I've been getting a pop-up message that states 'your computer is infected...' and my anti-virus does pick up various trojans. It doesn't seem to matter if I quarantine the trojans or delete them; they either come back or never are properly taken care of to begin with. I have downloaded the RSIT file and tried to download the GMER Rootkit Scanner, but the GMER won't open or do anything once I've downloaded it. Since the 'New Instructions' has the GMER scan as the first item, I'm hesitant to skip it and go on to the RSIT scan without prior approval that that is ok to do. I will hold off on doing anything until I get the proper advice about how to proceed safely (or as safe as possible). Thank you very much for your time & help.
vinnie1543
11-03-2008, 09:28 AM   #2
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home

Re: Need help getting started

Hi -

As I mentioned in your other topic:

Quote:
If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006
Microsoft MVP - Consumer Security 2009
tetonbob
11-03-2008, 07:29 PM   #3
Registered User
Join Date: Oct 2008
Posts: 10
OS: XP Home

Re: Need help getting started

Sorry I missed that in the other post about skipping steps and moving on... Anyway, the results of the RSIT scan are as follows:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Owner at 2008-11-03 21:18:41
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 52 GB (68%) free of 76 GB
Total RAM: 1278 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:58 PM, on 11/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\my documents\QTTask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [DXM6Patch_9904] C:\WINDOWS\p_9904.exe /Q:A
O4 - HKLM\..\Run: [QuickTime Task] "C:\my documents\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'Default user')
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZJfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61506D51-A6D7-44C1-9A35-FE1EAC198B34}: NameServer = 85.255.112.102;85.255.112.168
O20 - AppInit_DLLs: karna.dat
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6768 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar4.dll [2007-01-19 2403392]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 440384]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2005-06-21 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2005-06-21 126976]
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe [2001-10-05 24576]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2006-10-30 256576]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe [2007-03-14 83608]
"AdaptecDirectCD"=C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe [2008-02-13 684032]
"avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-07-19 266497]
"DXM6Patch_9904"=C:\WINDOWS\p_9904.exe [1999-07-27 946448]
"QuickTime Task"=C:\my documents\QTTask.exe [2008-05-27 413696]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-10-06 68856]
"Aim6"= []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
RollerCoaster Tycoon 3 Registration.lnk.disabled - C:\Documents and Settings\Owner\Local Settings\Temp\{12B0A868-7006-4AAE-90A0-1D3F480BA253}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="karna.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-06-21 348160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispScrSavPage"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"ForceClassicControlPanel"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Sierra On-Line\SIGSPat.exe"="C:\Program Files\Sierra On-Line\SIGSPat.exe:*:Enabled:SIGSPat"
"C:\Program Files\Yahoo! Games\Magic Ball\MagicBall.exe"="C:\Program Files\Yahoo! Games\Magic Ball\MagicBall.exe:*:Enabled:MagicBall"
"C:\Program Files\Comcast Rhapsody\rhapsody.exe"="C:\Program Files\Comcast Rhapsody\rhapsody.exe:*:Enabled:Rhapsody Media Player"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire"
"C:\Program Files\Steam\SteamApps\logan67835\counter-strike source\hl2.exe"="C:\Program Files\Steam\SteamApps\logan67835\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\SteamApps\logan67835\day of defeat source\hl2.exe"="C:\Program Files\Steam\SteamApps\logan67835\day of defeat source\hl2.exe:*:Disabled:hl2"
"C:\Program Files\Atari\RollerCoaster Tycoon 3 Platinum\RCT3plus.exe"="C:\Program Files\Atari\RollerCoaster Tycoon 3 Platinum\RCT3plus.exe:*:Enabled:RollerCoaster Tycoon 3 Platinum"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Owner\My Documents\calebs cheats and games\tombraider\LimeWire\LimeWire.exe"="C:\Documents and Settings\Owner\My Documents\calebs cheats and games\tombraider\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Documents and Settings\Owner\My Documents\data\BitDownload\BitDownload.exe"="C:\Documents and Settings\Owner\My Documents\data\BitDownload\BitDownload.exe:*:Enabled:Warez3"
"C:\Program Files\MySpace\IM\MySpaceIM.exe"="C:\Program Files\MySpace\IM\MySpaceIM.exe:*:Enabled:MySpace Instant Messenger"
"C:\Documents and Settings\Owner\My Documents\calebs cheats and games\cheats\stuff\LimeWire\LimeWire.exe"="C:\Documents and Settings\Owner\My Documents\calebs cheats and games\cheats\stuff\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\WINDOWS\system32\dxdiag.exe"="C:\WINDOWS\system32\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"C:\WINDOWS\system32\dpnsvr.exe"="C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\Program Files\Red Storm Entertainment\Rogue Spear\UrbanOperations.exe"="C:\Program Files\Red Storm Entertainment\Rogue Spear\UrbanOperations.exe:*:Enabled:UrbanOperations"
"C:\Program Files\WarCommander\WarCommander.exe"="C:\Program Files\WarCommander\WarCommander.exe:*:Enabled:WarCommander"
"C:\Program Files\Red Storm Entertainment\Force 21\Force21.exe"="C:\Program Files\Red Storm Entertainment\Force 21\Force21.exe:*:Enabled:Force21"
"C:\Program Files\Sierra\Empire Earth II\EE2.exe"="C:\Program Files\Sierra\Empire Earth II\EE2.exe:*:Enabled:Empire Earth II"
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe"="C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\Nexon\Combat Arms\CombatArms.exe"="C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\Nexon\Combat Arms\Engine.exe"="C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe"
"C:\Program Files\GameSpy Arcade\Aphex.exe"="C:\Program Files\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\Program Files\Red Storm Entertainment\Rogue Spear\RogueSpear.exe"="C:\Program Files\Red Storm Entertainment\Rogue Spear\RogueSpear.exe:*:Enabled:RogueSpear"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\ZyXEL\ZyXEL G-220 v2 Wireless Adapter Utility\ZyXEL G-220 v2.exe"="C:\Program Files\ZyXEL\ZyXEL G-220 v2 Wireless Adapter Utility\ZyXEL G-220 v2.exe:*:Enabled:ZyXEL G-220 v2 Wireless Adapter Utility"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Owner\My Documents\atcp2log\atcp2log.exe"="C:\Documents and Settings\Owner\My Documents\atcp2log\atcp2log.exe:*:Enabled:TCP protocol monitoring tool"
"C:\Documents and Settings\Other People\My Documents\My Pictures\Empire Earth II\ABLogs\GamePace\playback\savegame_MP\headquaters\LimeWire\LimeWire.exe"="C:\Documents and Settings\Other People\My Documents\My Pictures\Empire Earth II\ABLogs\GamePace\playback\savegame_MP\headquaters\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Documents and Settings\Owner\My Documents\Misc\Downloads,files,installs\LimeWire\LimeWire.exe"="C:\Documents and Settings\Owner\My Documents\Misc\Downloads,files,installs\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Documents and Settings\Other People\My Documents\LimeWire\LimeWire.exe"="C:\Documents and Settings\Other People\My Documents\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Documents and Settings\Other People\My Documents\My Music\iTunes\Album Artwork\Local\My Pictures\Empire Earth II\ABLogs\GamePace\playback\savegame_MP\headquaters\LimeWire\LimeWire.exe"="C:\Documents and Settings\Other People\My Documents\My Music\iTunes\Album Artwork\Local\My Pictures\Empire Earth II\ABLogs\GamePace\playback\savegame_MP\headquaters\LimeWire\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Nexon\Combat Arms\CombatArms.exe"="C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\Nexon\Combat Arms\Engine.exe"="C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73722e53-03de-11dd-82cb-0008a11ee0ee}]
shell\AutoRun\command - E:\RCAMemoryMgr.exe
shell\Manage your videos\command - E:\RCAMemoryMgr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8bf62ac2-20ef-11db-81ad-806d6172696f}]
shell\AutoRun\command - D:\AutoRun.EXE


======List of files/folders created in the last 1 months======

2008-11-03 21:18:42 ----D---- C:\Program Files\trend micro
2008-11-03 21:18:41 ----D---- C:\rsit
2008-10-29 16:13:15 ----A---- C:\WINDOWS\brastk.exe
2008-10-29 16:11:13 ----A---- C:\WINDOWS\system32\delself.bat
2008-10-29 16:11:13 ----A---- C:\WINDOWS\system32\brastk.exe
2008-10-26 18:09:02 ----A---- C:\WINDOWS\ymym.bat
2008-10-26 18:09:02 ----A---- C:\WINDOWS\system32\dywumap.com
2008-10-26 18:09:01 ----A---- C:\WINDOWS\codutaruq.vbs
2008-10-26 18:09:01 ----A---- C:\WINDOWS\akifonuh.com
2008-10-26 18:09:01 ----A---- C:\Program Files\Common Files\pesykacu.exe
2008-10-26 18:08:25 ----D---- C:\Program Files\AntiSpywareXP2009
2008-10-26 13:43:46 ----D---- C:\Program Files\Enigma Software Group
2008-10-26 08:16:57 ----D---- C:\Program Files\Common Files\Download Manager
2008-10-25 11:15:17 ----D---- C:\Program Files\SDHelper (Spybot - Search & Destroy)
2008-10-25 10:53:03 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-25 10:52:57 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-25 10:32:05 ----RSHD---- C:\resycled
2008-10-24 21:35:09 ----D---- C:\Program Files\filehippo.com
2008-10-24 16:27:06 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-24 16:08:03 ----A---- C:\WINDOWS\system32\SET1E.tmp
2008-10-23 06:45:21 ----A---- C:\WINDOWS\system32\wini108015.exe
2008-10-15 02:04:40 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-15 02:04:32 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-15 02:04:23 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-15 02:03:41 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-15 02:03:01 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-10-08 22:54:28 ----D---- C:\Documents and Settings\Owner\Application Data\Viewpoint

======List of files/folders modified in the last 1 months======

2008-11-03 21:18:42 ----AD---- C:\Program Files
2008-11-03 21:08:02 ----D---- C:\WINDOWS\Prefetch
2008-11-03 2156 ----D---- C:\WINDOWS\Temp
2008-11-03 20:03:26 ----D---- C:\Program Files\Mozilla Firefox
2008-11-03 17:36:19 ----D---- C:\WINDOWS
2008-11-03 17:33:45 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-03 17:33:42 ----D---- C:\WINDOWS\system32\drivers
2008-11-03 17:33:17 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-03 17:32:23 ----D---- C:\WINDOWS\system32
2008-11-02 14:19:03 ----D---- C:\WINDOWS\Drivers
2008-10-30 14:22:11 ----D---- C:\Documents and Settings\Owner\Application Data\spam drive copy
2008-10-29 20:10:33 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-29 18:56:46 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-29 16:11:46 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-26 18:09:01 ----D---- C:\Program Files\Common Files
2008-10-26 08:37:02 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-25 20:46:37 ----SHD---- C:\RECYCLER
2008-10-25 12:31:09 ----A---- C:\WINDOWS\wininit.ini
2008-10-25 10:58:39 ----HD---- C:\WINDOWS\inf
2008-10-25 10:58:36 ----D---- C:\WINDOWS\system32\CatRoot
2008-10-24 16:26:19 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-23 15:21:01 ----A---- C:\WINDOWS\photoimpression.ini
2008-10-23 15:13:05 ----HD---- C:\Program Files\InstallShield Installation Information
2008-10-23 15:13:05 ----D---- C:\Program Files\Philips
2008-10-23 1526 ----D---- C:\Nexon
2008-10-23 1501 ----D---- C:\Program Files\Atari
2008-10-23 15:03:22 ----D---- C:\Program Files\Red Storm Entertainment
2008-10-23 15:03:00 ----D---- C:\Program Files\GameSpy Arcade
2008-10-23 15:01:24 ----SHD---- C:\WINDOWS\Installer
2008-10-23 15:01:15 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-10-23 15:01:07 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-10-23 14:56:06 ----D---- C:\Program Files\Sierra
2008-10-23 13:26:42 ----D---- C:\Program Files\eMachineShop
2008-10-17 22:58:21 ----SD---- C:\Documents and Settings\Owner\Application Data\Microsoft
2008-10-15 15:04:20 ----D---- C:\WINDOWS\Debug
2008-10-15 11:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll
2008-10-15 02:04:09 ----D---- C:\Program Files\Internet Explorer
2008-10-07 14:19:40 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-07-19 75072]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2008-07-23 9336]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2008-07-23 9464]
R1 cdudf_xp;cdudf_xp; C:\WINDOWS\system32\drivers\cdudf_xp.sys [2008-02-13 241280]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-05-14 10368]
R1 pwd_2k;pwd_2k; C:\WINDOWS\system32\drivers\pwd_2k.sys [2008-02-13 144250]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2008-06-20 225856]
R1 UdfReadr_xp;UdfReadr_xp; C:\WINDOWS\system32\drivers\UdfReadr_xp.sys [2008-02-13 206464]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2006-10-18 8552]
R2 Fallback;Fallback; C:\WINDOWS\System32\DRIVERS\fallback.sys [2001-11-05 310899]
R2 Fsks;Fsks; C:\WINDOWS\System32\DRIVERS\fsksnt.sys [2001-11-05 127405]
R2 K56;K56; C:\WINDOWS\System32\DRIVERS\k56nt.sys [2001-11-05 426783]
R2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [2007-12-17 8413]
R2 SoftFax;SoftFax; C:\WINDOWS\System32\DRIVERS\faxnt.sys [2001-11-05 217019]
R2 Tones;Tones; C:\WINDOWS\System32\DRIVERS\tonesnt.sys [2001-11-05 56607]
R2 V124;V124; C:\WINDOWS\System32\DRIVERS\v124nt.sys [2001-11-05 534125]
R2 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\ZDCNDIS5.sys []
R3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
R3 basic2;basic2; C:\WINDOWS\System32\DRIVERS\basic2.sys [2001-11-05 77426]
R3 DM9102;DAVICOM 9102(A) PCI Fast Ethernet Based NT Driver; C:\WINDOWS\System32\DRIVERS\DM9PCI5.SYS [2001-08-17 29696]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-06-21 807998]
R3 mmc_2K;mmc_2K; C:\WINDOWS\system32\drivers\mmc_2K.sys [2008-02-13 30662]
R3 Rksample;Rksample; C:\WINDOWS\System32\DRIVERS\rksample.sys [2001-11-05 67654]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2001-08-18 5888]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2002-04-04 459944]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2008-04-13 12288]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB Root Hub (usbport); C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2001-11-05 584336]
S1 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2002-04-24 88320]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2002-04-24 69472]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\BRGSp50.sys [2006-08-17 20608]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 dvd_2K;dvd_2K; C:\WINDOWS\system32\drivers\dvd_2K.sys [2008-02-13 25930]
S3 EagleNT;EagleNT; \??\C:\WINDOWS\system32\drivers\EagleNT.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 hsf_msft;hsf_msft; C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys [2001-08-17 542879]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 Ndisprot;ArcNet NDIS Protocol Driver; \??\C:\WINDOWS\system32\drivers\Ndisprot.sys []
S3 QCDonner;Logitech QuickCam Express; C:\WINDOWS\system32\DRIVERS\OVCD.sys [2001-08-17 28032]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S3 ZDPSp50;ZDPSp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\ZDPSp50.sys [2006-08-17 17664]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-24 68865]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-24 151297]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2006-10-30 492608]
S2 MyWebSearchService;My Web Search Service; C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-06 138168]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------
Attached Files
File Type: txt info.txt (12.6 KB)
vinnie1543
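The log above carries several entries an analyst would pull out before touching the machine: Run keys registered under the SYSTEM and Default User hives (O4, brastk.exe), a per-adapter NameServer value pointing at public resolvers the user never set (O17), a non-empty AppInit_DLLs value that is not even a .dll (O20, karna.dat), a service with no owner whose file is missing (O23), and a cluster of freshly written executables directly under C:\WINDOWS, system32 and Common Files. The following is an added example, not a tool from the thread or from the forum's helpers: a small Python triage pass that encodes those checks and runs them over constructed sample lines shaped like the posted log. The KNOWN_GOOD_RESOLVERS set is an assumption standing in for the router's or ISP's addresses; the rule names are invented for this example.

```python
"""Triage pass over a HijackThis/RSIT log (added example, not a tool from the thread)."""
import ipaddress
import re

# Constructed sample in the shape of the log posted above: the entries an
# analyst would pull out of it, plus benign lines for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{61506D51-A6D7-44C1-9A35-FE1EAC198B34}: NameServer = 85.255.112.102;85.255.112.168
O20 - AppInit_DLLs: karna.dat
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
2008-10-29 16:13:15 ----A---- C:\WINDOWS\brastk.exe
2008-10-29 16:11:13 ----A---- C:\WINDOWS\system32\delself.bat
2008-10-26 18:09:01 ----A---- C:\Program Files\Common Files\pesykacu.exe
2008-10-26 18:08:25 ----D---- C:\Program Files\AntiSpywareXP2009
2008-10-07 14:19:40 ----A---- C:\WINDOWS\system32\MRT.exe
"""

# Assumption: the resolvers this machine is supposed to use (the router's or
# the ISP's). Anything else hard-coded per adapter is a finding.
KNOWN_GOOD_RESOLVERS = frozenset({"192.168.1.1"})

LINE_RE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+-+([A-Z]*)-+\s+(.+)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*([\d.;,\s]+)")
SYSTEM_HIVES = ("HKUS\\S-1-5-18\\", "HKUS\\.DEFAULT\\")
WATCHED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\program files\common files"}
EXEC_EXT = (".exe", ".com", ".bat", ".vbs", ".dll", ".sys")


def _foreign_resolvers(body, known_good):
    """IPs from a NameServer= value that are neither private nor expected."""
    m = NAMESERVER_RE.search(body)
    if not m:
        return []
    out = []
    for ip in re.split(r"[;,\s]+", m.group(1).strip()):
        if not ip or ip in known_good:
            continue
        try:
            if not ipaddress.ip_address(ip).is_private:
                out.append(ip)
        except ValueError:  # mangled value: still worth a look
            out.append(ip)
    return out


def _hjt_rule(section, body, known_good):
    """Return the rule name an HJT entry trips, or None."""
    if section == "O4" and body.startswith(SYSTEM_HIVES):
        # Run keys in the SYSTEM and Default User hives fire for every logon;
        # legitimate software almost never registers there.
        return "run-key-in-system-hive"
    if section == "O17" and _foreign_resolvers(body, known_good):
        # A per-adapter NameServer aimed at a public resolver the user never
        # configured is the signature of a DNS-changing trojan.
        return "foreign-dns-resolver"
    if section == "O20" and "AppInit_DLLs:" in body:
        # AppInit_DLLs is loaded into every process that maps user32.dll; any
        # value here, let alone one not even named *.dll, is an injection point.
        if body.split("AppInit_DLLs:", 1)[1].strip():
            return "appinit-dll"
    if section == "O23" and ("Unknown owner" in body or "(file missing)" in body):
        return "service-unknown-owner-or-missing"
    return None


def _new_executable(attrs, path):
    """A file (not a directory) with an executable extension written directly into a system directory."""
    if "D" in attrs:
        return False
    parent, _, name = path.lower().rpartition("\\")
    return parent in WATCHED_DIRS and name.endswith(EXEC_EXT)


def triage(log_text, known_good=KNOWN_GOOD_RESOLVERS):
    """Return (rule, line) pairs for every entry that needs analyst attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            rule = _hjt_rule(m.group(1), m.group(2), known_good)
            if rule:
                findings.append((rule, line))
            continue
        f = FILE_RE.match(line)
        if f and _new_executable(f.group(1), f.group(2)):
            findings.append(("new-executable-in-system-dir", line))
    return findings


def summary(log_text, known_good=KNOWN_GOOD_RESOLVERS):
    """Findings per rule; a quick first look at a long log."""
    counts = {}
    for rule, _ in triage(log_text, known_good):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

Findings are review items, not verdicts: the file rule deliberately surfaces MRT.exe (the monthly Malicious Software Removal Tool drop in system32) alongside brastk.exe and delself.bat, because a recently written executable in a system directory earns a signature check either way. Once the ISP's resolvers are passed in as known_good, the O17 line stops being a finding; on this log they would have to be the 85.255.112.x pair, which is exactly the point of comparing the value against what the user actually configured.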
11-03-2008, 08:16 PM   #4
tetonbob, Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home

Re: Need help getting started

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  3. Double click on combo-fix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

  8. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 11-07-2008, 09:53 AM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home


Re: Need help getting started

Still with me, vinnie1543?

I generally unsubscribe from threads after 7 days of inactivity. If I don't receive a reply from you within 3 days of this post, this topic will be closed.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 11-09-2008, 04:24 PM   #6 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 10
OS: XP Home


Re: Need help getting started

Yes, I'm still here. I was sicker than a dog for a couple of days and had a death in the family to deal with. I was just looking at what I needed to post back as far as scans and stuff, but if you need to close this I understand and will try to pick back up in a few days; otherwise I will get the results posted very shortly. Thanks again.
vinnie1543 is offline  
Old 11-09-2008, 04:54 PM   #7 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 10
OS: XP Home


Re: Need help getting started

When I first went to run ComboFix it got to the point where it said it was generating a report and then hung up there. I'm not sure what exactly happened, but I re-ran it and here are the results (I'll put the latest HijackThis results in a different post):

ComboFix 08-11-04.02 - Owner 2008-11-04 21:10:47.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.916 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Other People\Cookies\butodix.inf
c:\documents and settings\Other People\Cookies\yhymojur.vbs
c:\documents and settings\Other People\Start Menu\Programs\AntiSpywareXP2009
c:\documents and settings\Other People\Start Menu\Programs\AntiSpywareXP2009\AntiSpywareXP2009.lnk
c:\documents and settings\Other People\Start Menu\Programs\AntiSpywareXP2009\Uninstall.lnk
c:\documents and settings\Owner\Cookies\fycuhuh.inf
c:\program files\AntiSpywareXP2009
c:\program files\AntiSpywareXP2009\AntiSpywareXP2009.cfg
c:\program files\AntiSpywareXP2009\AntiSpywareXP2009.exe
c:\program files\AntiSpywareXP2009\data\daily.cvd
c:\program files\AntiSpywareXP2009\htmlayout.dll
c:\program files\AntiSpywareXP2009\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntiSpywareXP2009\pthreadVC2.dll
c:\program files\AntiSpywareXP2009\Uninstall.exe
c:\program files\Internet Explorer\msimg32.dll
C:\resycled
c:\windows\brastk.exe
c:\windows\system32\_desktop.ini
c:\windows\system32\brastk.exe
c:\windows\system32\cpmsky-uninst.exe
c:\windows\system32\DelSelf.bat
c:\windows\system32\drivers\_desktop.ini
c:\windows\system32\drivers\TDSSifqw.sys
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\TDSSarjc.dll
c:\windows\system32\TDSSghim.dll
c:\windows\system32\TDSSklfy.dll
c:\windows\system32\TDSSlonv.dat
c:\windows\system32\TDSSlxhc.dll
c:\windows\system32\TDSSnjpt.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSntbr.log
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSoiwg.dll
c:\windows\system32\TDSSvubg.log
c:\windows\system32\TDSSwrln.dll
c:\windows\system32\wini108015.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Service_TDSSSERV.SYS)
-------\Legacy_TDSSSERV.SYS)
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.

2008-11-03 21:18 . 2008-11-03 21:41 <DIR> d-------- C:\rsit
2008-11-03 21:18 . 2008-11-03 21:18 <DIR> d-------- c:\program files\trend micro
2008-10-26 18:09 . 2008-10-26 18:09 19,380 --a------ c:\windows\fugenit.reg
2008-10-26 18:09 . 2008-10-26 18:09 19,349 --a------ c:\documents and settings\All Users\Application Data\isoluwav.bin
2008-10-26 18:09 . 2008-10-26 18:09 18,904 --a------ c:\windows\enys.bin
2008-10-26 18:09 . 2008-10-26 18:09 18,887 --a------ c:\program files\Common Files\ififezoxo.sys
2008-10-26 18:09 . 2008-10-26 18:09 18,203 --a------ c:\windows\kulybiqi.pif
2008-10-26 18:09 . 2008-10-26 18:09 17,625 --a------ c:\program files\Common Files\pesykacu.exe
2008-10-26 18:09 . 2008-10-26 18:09 17,110 --a------ c:\windows\ymym.bat
2008-10-26 18:09 . 2008-10-26 18:09 16,138 --a------ c:\windows\kozizoha._dl
2008-10-26 18:09 . 2008-10-26 18:09 15,369 --a------ c:\windows\system32\dywumap.com
2008-10-26 18:09 . 2008-10-26 18:09 14,491 --a------ c:\windows\system32\nolukywoje.pif
2008-10-26 18:09 . 2008-10-26 18:09 14,388 --a------ c:\windows\system32\muribud.scr
2008-10-26 18:09 . 2008-10-26 18:09 14,254 --a------ c:\windows\akifonuh.com
2008-10-26 18:09 . 2008-10-26 18:09 14,014 --a------ c:\windows\codutaruq.vbs
2008-10-26 18:09 . 2008-10-26 18:09 10,138 --a------ c:\windows\ytegico.scr
2008-10-26 13:43 . 2008-10-26 20:25 <DIR> d-------- c:\program files\Enigma Software Group
2008-10-26 08:16 . 2008-10-26 08:16 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-10-25 20:57 . 2008-11-03 20:46 <DIR> d-------- c:\documents and settings\Other People\Incomplete
2008-10-25 11:15 . 2008-10-25 11:15 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-10-25 10:53 . 2008-10-25 10:53 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-25 10:52 . 2008-10-25 11:23 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-10-25 10:32 . 2008-10-25 10:32 27,904 --a------ c:\windows\system32\drivers\ndisprot.sys
2008-10-24 21:35 . 2008-10-24 21:35 <DIR> d-------- c:\program files\filehippo.com
2008-10-24 16:08 . 2008-10-15 11:34 337,408 --a------ c:\windows\system32\SET1E.tmp
2008-10-24 16:08 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-24 16:06 . 2008-10-24 16:06 19,968 --a------ c:\windows\system32\nalymi.lib
2008-10-24 16:06 . 2008-10-24 16:06 18,479 --a------ c:\documents and settings\All Users\Application Data\ramyxy.bin
2008-10-24 16:06 . 2008-10-24 16:06 17,853 --a------ c:\windows\qidybylo.bin
2008-10-24 16:06 . 2008-10-24 16:06 17,190 --a------ c:\windows\system32\fivacevo.lib
2008-10-24 16:06 . 2008-10-24 16:06 15,624 --a------ c:\windows\agaloxyl.reg
2008-10-24 16:06 . 2008-10-24 16:06 14,784 --a------ c:\program files\Common Files\cylulimy.bin
2008-10-24 16:06 . 2008-10-24 16:06 14,364 --a------ c:\windows\vipyxewubi._sy
2008-10-24 16:06 . 2008-10-24 16:06 12,899 --a------ c:\windows\izegip.bin
2008-10-24 16:06 . 2008-10-24 16:06 11,954 --a------ c:\windows\ziveqy.bin
2008-10-14 15:26 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-14 15:26 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-14 15:25 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-14 15:25 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-14 15:25 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-14 15:25 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-11 13:46 . 2008-10-11 13:48 587 --a------ c:\windows\system32\runrefog.lnk
2008-10-08 22:54 . 2008-10-08 22:54 <DIR> d-------- c:\documents and settings\Owner\Application Data\Viewpoint
2008-10-07 05:12 . 2006-07-05 06:56 113,065 --a------ c:\windows\system32\msjava32.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 02:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-03 21:57 --------- d-----w c:\documents and settings\Other People\Application Data\Apple Computer
2008-10-30 19:22 --------- d-----w c:\documents and settings\Owner\Application Data\spam drive copy
2008-10-26 23:09 18,841 ----a-w c:\program files\Common Files\gyfijydo.db
2008-10-26 13:37 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-24 21:06 11,028 ----a-w c:\program files\Common Files\cadimi._sy
2008-10-23 20:13 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-23 20:13 --------- d-----w c:\program files\Philips
2008-10-23 20:06 --------- d-----w c:\program files\Atari
2008-10-23 20:03 --------- d-----w c:\program files\Red Storm Entertainment
2008-10-23 20:03 --------- d-----w c:\program files\GameSpy Arcade
2008-10-23 19:56 --------- d-----w c:\program files\Sierra
2008-10-23 18:26 --------- d-----w c:\program files\eMachineShop
2008-10-20 20:37 30 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat
2008-09-24 23:43 --------- d-----w c:\program files\Acoustic Labs Audio Editor (Demo)
2008-09-23 22:20 --------- d-----w c:\program files\MSECache
2008-09-23 21:22 --------- d-----w c:\program files\Ascentive
2008-09-23 21:20 --------- d-----w c:\documents and settings\All Users\Application Data\SKL
2008-09-23 21:17 --------- d-----w c:\program files\Common Files\Sony Shared
2008-09-23 07:00 --------- d-----w c:\program files\MSXML 4.0
2008-09-22 14:36 --------- d-----w c:\program files\HP PhotoSmart Printers
2008-09-22 00:59 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2008-09-22 00:58 --------- d-----w c:\documents and settings\Owner\Application Data\acccore
2008-09-22 00:57 --------- d-----w c:\program files\Viewpoint
2008-09-22 00:57 --------- d-----w c:\program files\AIM6
2008-09-22 00:57 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-09-22 00:57 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-09-22 00:56 --------- d-----w c:\program files\Common Files\AOL
2008-09-22 00:56 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-08-26 17:57 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-06-11 16:37 374 ----a-w c:\documents and settings\Owner\Application Data\internaldb6334.dat
2007-06-10 23:24 538 ----a-w c:\documents and settings\Owner\Application Data\internaldb8467.dat
2007-06-10 23:24 18,432 ----a-w c:\documents and settings\Owner\Application Data\internaldb41.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-06 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-05 24576]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-02-13 684032]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-19 266497]
"DXM6Patch_9904"="c:\windows\p_9904.exe" [1999-07-27 946448]
"QuickTime Task"="c:\my documents\QTTask.exe" [2008-05-27 413696]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
RollerCoaster Tycoon 3 Registration.lnk.disabled [2008-03-08 1478]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"c:\\Program Files\\Comcast Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Atari\\RollerCoaster Tycoon 3 Platinum\\RCT3plus.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\WarCommander\\WarCommander.exe"=
"c:\\Program Files\\Red Storm Entertainment\\Force 21\\Force21.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\system32\ZDCNDIS5.sys [2006-08-17 19072]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BRGSp50.sys [2006-08-17 20608]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\Ndisprot.sys [2008-10-25 27904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73722e53-03de-11dd-82cb-0008a11ee0ee}]
\Shell\AutoRun\command - E:\RCAMemoryMgr.exe
\Shell\Manage your videos\command - E:\RCAMemoryMgr.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKU-Default-Run-brastk - c:\windows\system32\brastk.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3ou6t0z9.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.verizon.net/central/vzc.portal
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 21:12:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-04 21:14:21
ComboFix-quarantined-files.txt 2008-11-05 02:14:15

Pre-Run: 53,382,979,584 bytes free
Post-Run: 53,370,261,504 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

244 --- E O F --- 2008-10-15 07:04:43
vinnie1543 is offline  
Old 11-09-2008, 05:05 PM   #8 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 10
OS: XP Home


Re: Need help getting started

Here's the HijackThis result as an attachment, since it said it was too long to post in this reply. Thanks for all your help.


Logfile of random's system information tool 1.04 (written by random/random)
Run by Owner at 2002-07-25 21:05:04
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 51 GB (67%) free of 76 GB
Total RAM: 1278 MB (67% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:09 PM, on 7/25/2002
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [DXM6Patch_9904] C:\WINDOWS\p_9904.exe /Q:A
O4 - HKLM\..\Run: [QuickTime Task] "C:\my documents\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZJfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6256 bytes
Attached Files
File Type: txt hijackthis.txt (268.2 KB, 1 views)

Last edited by tetonbob; 11-09-2008 at 06:46 PM.
vinnie1543 is offline  
Old 11-09-2008, 06:57 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home


Re: Need help getting started

Hi vinnie1543 -

I'm sorry for your loss, and hope you're feeling better. I should think the machine is starting to. We have more work to do.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/hijackthis-log-help/308310-need-help-getting-started-post1794792.html#post1794792

    File::
    c:\windows\fugenit.reg
    c:\documents and settings\All Users\Application Data\isoluwav.bin
    c:\windows\enys.bin
    c:\Program Files\Common Files\ififezoxo.sys
    c:\windows\kulybiqi.pif
    c:\Program Files\Common Files\pesykacu.exe
    c:\windows\ymym.bat
    c:\windows\kozizoha._dl
    c:\windows\system32\dywumap.com
    c:\windows\system32\nolukywoje.pif
    c:\windows\system32\muribud.scr
    c:\windows\akifonuh.com
    c:\windows\codutaruq.vbs
    c:\windows\ytegico.scr
    c:\windows\system32\nalymi.lib
    c:\documents and settings\All Users\Application Data\ramyxy.bin
    c:\windows\qidybylo.bin
    c:\windows\system32\fivacevo.lib
    c:\windows\agaloxyl.reg
    c:\Program Files\Common Files\cylulimy.bin
    c:\windows\vipyxewubi._sy
    c:\windows\izegip.bin
    c:\windows\ziveqy.bin
    c:\windows\system32\runrefog.lnk
    c:\Program Files\Common Files\gyfijydo.db
    c:\Program Files\Common Files\cadimi._sy

    Folder::
    c:\documents and settings\Owner\Application Data\spam drive copy

    Registry::
    O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} -
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -

    Suspect::[28]
    c:\windows\system32\msjava32.dat

    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

    ---------------------------------------------------------------------------------------------
  6. Open HijackThis (NOT RSIT, please use C:\Program Files\trend micro\HijackThis.exe) and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
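Most of the File:: entries in the CFScript above are the randomly named files the ComboFix report in post #7 shows being written in two same-minute bursts (2008-10-26 18:09 and 2008-10-24 16:06) into Windows and Common Files locations. As an added example, not ComboFix's or tetonbob's own tooling, the following Python script parses lines in that report's "Files Created" layout, flags such bursts, renders them as a File:: block, and separately picks out the Security Center and firewall values that the log's Reg Loading Points section shows switched off; the name pattern, extension set, location list and burst threshold are assumptions drawn from this thread's log.

```python
# Added triage example (not ComboFix's or the helper's tooling): parse lines in the
# layout of the ComboFix "Files Created" section, flag same-minute bursts of
# random-named files dropped into Windows locations, and render them as the
# File:: block a CFScript.txt uses. Thresholds, name pattern and extension set
# are assumptions taken from what this thread's log shows.
import re
from collections import defaultdict

# Constructed excerpt in the report's layout; the odd names come from the log
# above, the system entries are kept so the filter has something to skip.
SAMPLE_REPORT = r"""
2008-11-03 21:18 . 2008-11-03 21:18 <DIR> d-------- c:\program files\trend micro
2008-10-26 18:09 . 2008-10-26 18:09 19,380 --a------ c:\windows\fugenit.reg
2008-10-26 18:09 . 2008-10-26 18:09 18,887 --a------ c:\program files\Common Files\ififezoxo.sys
2008-10-26 18:09 . 2008-10-26 18:09 18,203 --a------ c:\windows\kulybiqi.pif
2008-10-26 18:09 . 2008-10-26 18:09 15,369 --a------ c:\windows\system32\dywumap.com
2008-10-25 10:32 . 2008-10-25 10:32 27,904 --a------ c:\windows\system32\drivers\ndisprot.sys
2008-10-24 16:08 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-24 16:06 . 2008-10-24 16:06 19,968 --a------ c:\windows\system32\nalymi.lib
2008-10-24 16:06 . 2008-10-24 16:06 17,853 --a------ c:\windows\qidybylo.bin
2008-10-24 16:06 . 2008-10-24 16:06 14,364 --a------ c:\windows\vipyxewubi._sy
2008-10-14 15:26 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+?)\s*$"
)

def parse_report(text):
    """Return one dict per line that matches the layout; size is None for <DIR>."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # headers, lone dots and blank lines do not match
            e = m.groupdict()
            e["size"] = None if e["size"] == "<DIR>" else int(e["size"].replace(",", ""))
            entries.append(e)
    return entries

# Locations the dropped files in this log landed in (assumed list).
SYSTEM_DIRS = (r"c:\windows", r"c:\program files\common files",
               r"c:\documents and settings\all users\application data")
# Extensions seen on the dropped files in this log (assumed list).
ODD_EXTS = {".pif", ".scr", ".com", ".bat", ".vbs", ".reg", ".lib", ".bin",
            ".db", ".sys", "._dl", "._sy", ".lnk"}

def looks_dropped(entry):
    """Regular file, written (not copied) into a system location, with a
    short all-lowercase stem and one of the odd extensions."""
    path = entry["path"].lower()
    stem, dot, ext = path.rsplit("\\", 1)[-1].rpartition(".")
    return (entry["size"] is not None
            and entry["created"] == entry["modified"]
            and path.startswith(SYSTEM_DIRS)
            and not path.startswith(r"c:\windows\system32\dllcache")
            and bool(dot) and re.fullmatch(r"[a-z]{4,12}", stem) is not None
            and "." + ext in ODD_EXTS)

def find_bursts(entries, min_files=3):
    """Group candidate files by creation minute; keep minutes with >= min_files."""
    by_minute = defaultdict(list)
    for e in entries:
        if looks_dropped(e):
            by_minute[e["created"]].append(e["path"])
    return {t: paths for t, paths in by_minute.items() if len(paths) >= min_files}

def cfscript_file_section(bursts):
    """Render burst members as the File:: block used in CFScript.txt."""
    paths = [p for t in sorted(bursts, reverse=True) for p in bursts[t]]
    return "File::\n" + "\n".join(paths) + "\n"

# Constructed excerpt of the log's "Reg Loading Points" section: values that
# silence Security Center and switch the XP firewall off.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""
WEAK_VALUES = {"AntiVirusDisableNotify": "1", "UpdatesDisableNotify": "1",
               "EnableFirewall": "0"}

def weak_settings(reg_text):
    """Return the value names whose setting matches the weak value in WEAK_VALUES."""
    found = []
    for m in re.finditer(r'^"(\w+)"\s*=\s*(?:dword:)?0*(\d)', reg_text, re.M):
        if WEAK_VALUES.get(m[1]) == m[2]:
            found.append(m[1])
    return found

if __name__ == "__main__":
    bursts = find_bursts(parse_report(SAMPLE_REPORT))
    for minute, paths in sorted(bursts.items(), reverse=True):
        print(f"{minute}: {len(paths)} dropped files")
    print(cfscript_file_section(bursts))
    print("weak settings:", weak_settings(SAMPLE_REG))
```

A burst is only a triage hint; a legitimate installer can also write several files to Common Files within a minute, so each flagged path still needs a look at its name and extension before it goes into a CFScript.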
Old 11-12-2008, 02:59 AM   #10 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 10
OS: XP Home


Re: Need help getting started

Thanks for the nice thoughts and for your time and help (I don't think I can say thanks enough). ComboFix said it was successfully submitted for analysis.

ComboFix 08-11-11.01 - Owner 2008-11-12 4:41:23.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.886 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\isoluwav.bin
c:\documents and settings\All Users\Application Data\ramyxy.bin
c:\Program Files\Common Files\cadimi._sy
c:\Program Files\Common Files\cylulimy.bin
c:\Program Files\Common Files\gyfijydo.db
c:\Program Files\Common Files\ififezoxo.sys
c:\Program Files\Common Files\pesykacu.exe
c:\windows\agaloxyl.reg
c:\windows\akifonuh.com
c:\windows\codutaruq.vbs
c:\windows\enys.bin
c:\windows\fugenit.reg
c:\windows\izegip.bin
c:\windows\kozizoha._dl
c:\windows\kulybiqi.pif
c:\windows\qidybylo.bin
c:\windows\system32\dywumap.com
c:\windows\system32\fivacevo.lib
c:\windows\system32\muribud.scr
c:\windows\system32\nalymi.lib
c:\windows\system32\nolukywoje.pif
c:\windows\system32\runrefog.lnk
c:\windows\vipyxewubi._sy
c:\windows\ymym.bat
c:\windows\ytegico.scr
c:\windows\ziveqy.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\isoluwav.bin
c:\documents and settings\All Users\Application Data\ramyxy.bin
c:\documents and settings\Owner\Application Data\spam drive copy
c:\Program Files\Common Files\cadimi._sy
c:\Program Files\Common Files\cylulimy.bin
c:\Program Files\Common Files\gyfijydo.db
c:\Program Files\Common Files\ififezoxo.sys
c:\Program Files\Common Files\pesykacu.exe
c:\windows\agaloxyl.reg
c:\windows\akifonuh.com
c:\windows\codutaruq.vbs
c:\windows\enys.bin
c:\windows\fugenit.reg
c:\windows\izegip.bin
c:\windows\kozizoha._dl
c:\windows\kulybiqi.pif
c:\windows\qidybylo.bin
c:\windows\system32\dywumap.com
c:\windows\system32\fivacevo.lib
c:\windows\system32\muribud.scr
c:\windows\system32\nalymi.lib
c:\windows\system32\nolukywoje.pif
c:\windows\system32\runrefog.lnk
c:\windows\vipyxewubi._sy
c:\windows\ymym.bat
c:\windows\ytegico.scr
c:\windows\ziveqy.bin

.
((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
.

2008-11-03 21:18 . 2008-11-03 21:41 <DIR> d-------- C:\rsit
2008-11-03 21:18 . 2002-07-25 20:05 <DIR> d-------- C:\Program Files\trend micro
2008-10-26 13:43 . 2008-10-26 20:25 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-10-26 08:16 . 2008-10-26 08:16 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-10-25 20:57 . 2008-11-03 20:46 <DIR> d-------- C:\Documents and Settings\Other People\Incomplete
2008-10-25 11:15 . 2008-10-25 11:15 <DIR> d-------- C:\Program Files\SDHelper (Spybot - Search & Destroy)
2008-10-25 10:53 . 2008-10-25 10:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-25 10:52 . 2008-10-25 11:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-25 10:32 . 2008-10-25 10:32 27,904 --a------ C:\WINDOWS\system32\drivers\ndisprot.sys
2008-10-24 21:35 . 2008-10-24 21:35 <DIR> d-------- C:\Program Files\filehippo.com
2008-10-24 16:08 . 2008-10-15 11:34 337,408 --a------ C:\WINDOWS\system32\SET1E.tmp
2008-10-24 16:08 . 2008-10-15 11:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-14 15:26 . 2008-09-15 07:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-14 15:26 . 2008-09-08 05:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-14 15:25 . 2008-08-14 05:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-14 15:25 . 2008-08-14 05:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-14 15:25 . 2008-08-14 04:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-14 15:25 . 2008-08-14 04:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 02:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-11-03 21:57 --------- d-----w C:\Documents and Settings\Other People\Application Data\Apple Computer
2008-10-26 13:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-23 20:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-23 20:13 --------- d-----w C:\Program Files\Philips
2008-10-23 20:06 --------- d-----w C:\Program Files\Atari
2008-10-23 20:03 --------- d-----w C:\Program Files\Red Storm Entertainment
2008-10-23 20:03 --------- d-----w C:\Program Files\GameSpy Arcade
2008-10-23 19:56 --------- d-----w C:\Program Files\Sierra
2008-10-23 18:26 --------- d-----w C:\Program Files\eMachineShop
2008-10-16 18:13 202,776 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-10-16 18:13 1,809,944 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-10-16 18:12 561,688 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-10-16 18:12 323,608 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-10-16 18:09 92,696 ----a-w C:\WINDOWS\system32\cdm.dll
2008-10-16 18:09 51,224 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-10-16 18:09 43,544 ----a-w C:\WINDOWS\system32\wups2.dll
2008-10-16 18:08 34,328 ----a-w C:\WINDOWS\system32\wups.dll
2008-10-16 18:06 268,648 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-10-16 18:06 208,744 ----a-w C:\WINDOWS\system32\muweb.dll
2008-10-09 03:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\Viewpoint
2008-09-24 23:43 --------- d-----w C:\Program Files\Acoustic Labs Audio Editor (Demo)
2008-09-23 22:20 --------- d-----w C:\Program Files\MSECache
2008-09-23 21:22 --------- d-----w C:\Program Files\Ascentive
2008-09-23 21:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\SKL
2008-09-23 21:17 --------- d-----w C:\Program Files\Common Files\Sony Shared
2008-09-23 07:00 --------- d-----w C:\Program Files\MSXML 4.0
2008-09-22 14:36 --------- d-----w C:\Program Files\HP PhotoSmart Printers
2008-09-22 00:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-09-22 00:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\acccore
2008-09-22 00:57 --------- d-----w C:\Program Files\Viewpoint
2008-09-22 00:57 --------- d-----w C:\Program Files\AIM6
2008-09-22 00:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-22 00:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\acccore
2008-09-22 00:56 --------- d-----w C:\Program Files\Common Files\AOL
2008-09-22 00:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-08-26 17:57 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2007-06-11 16:37 374 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
2007-06-10 23:24 538 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb8467.dat
2007-06-10 23:24 18,432 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb41.dat
2002-07-25 23:10 30 ----a-w C:\Documents and Settings\Owner\jagex_runescape_preferences.dat
.

((((((((((((((((((((((((((((( snapshot@2008-11-04_21.13.48.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-20 20:36:51 315,392 ----a-w C:\WINDOWS\.file_store_32\runescape\jogl.dll
+ 2002-07-25 23:09:44 315,392 ----a-w C:\WINDOWS\.file_store_32\runescape\jogl.dll
- 2008-10-20 20:36:51 20,480 ----a-w C:\WINDOWS\.file_store_32\runescape\jogl_awt.dll
+ 2002-07-25 23:09:44 20,480 ----a-w C:\WINDOWS\.file_store_32\runescape\jogl_awt.dll
+ 2008-11-28 23:11:51 11,346 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{F4E1D174-05F4-4DDF-99D1-68E431AD60D4}.bin
- 2008-07-19 02:10:48 94,920 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2008-10-16 18:09:44 92,696 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
- 2008-07-19 02:09:44 563,912 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
+ 2008-10-16 18:12:20 561,688 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
- 2008-07-19 02:10:42 53,448 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
+ 2008-10-16 18:09:44 51,224 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
- 2008-07-19 02:09:42 1,811,656 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2008-10-16 18:13:40 1,809,944 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
- 2008-07-19 02:09:46 325,832 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
+ 2008-10-16 18:12:22 323,608 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
- 2008-07-19 02:10:20 36,552 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2008-10-16 18:08:58 34,328 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
- 2008-07-19 02:09:44 205,000 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2008-10-16 18:13:40 202,776 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
- 2008-11-05 02:08:04 59,780 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2002-07-25 0554 59,780 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-11-05 02:08:04 397,560 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2002-07-25 0554 397,560 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-16 18:08:58 34,328 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 18:09:44 43,544 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 19:12 1695232]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-06 22:55 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 15:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 15:44 126976]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2001-10-05 19:34 24576]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43 83608]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-02-13 22:25 684032]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-19 11:24 266497]
"DXM6Patch_9904"="C:\WINDOWS\p_9904.exe" [1999-07-27 16:42 946448]
"QuickTime Task"="C:\my documents\QTTask.exe" [2008-05-27 09:50 413696]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
RollerCoaster Tycoon 3 Registration.lnk.disabled [2008-03-08 20:26:47 1478]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"C:\\Program Files\\Comcast Rhapsody\\rhapsody.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Atari\\RollerCoaster Tycoon 3 Platinum\\RCT3plus.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\WarCommander\\WarCommander.exe"=
"C:\\Program Files\\Red Storm Entertainment\\Force 21\\Force21.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 16:38 24652]
R2 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\ZDCNDIS5.sys [2006-08-17 10:03 19072]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\BRGSp50.sys [2006-08-17 10:03 20608]
S3 Ndisprot;ArcNet NDIS Protocol Driver;C:\WINDOWS\system32\drivers\Ndisprot.sys [2008-10-25 10:32 27904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73722e53-03de-11dd-82cb-0008a11ee0ee}]
\Shell\AutoRun\command - E:\RCAMemoryMgr.exe
\Shell\Manage your videos\command - E:\RCAMemoryMgr.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-11-03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Microsoft Works Update Detection - C:\Program Files\Microsoft Works\WkDetect.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-12 04:43:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-12 4:45:33
ComboFix-quarantined-files.txt 2008-11-12 09:45:30
ComboFix2.txt 2008-11-05 02:14:22

Pre-Run: 53,718,937,600 bytes free
Post-Run: 53,706,039,296 bytes free

245 --- E O F --- 2008-10-15 07:04:43


And here is the latest HijackThis scan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:54:13 AM, on 11/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\trend micro\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [DXM6Patch_9904] C:\WINDOWS\p_9904.exe /Q:A
O4 - HKLM\..\Run: [QuickTime Task] "C:\my documents\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZJfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5632 bytes

Last edited by tetonbob; 11-12-2008 at 07:59 AM.
vinnie1543 is offline  
Old 11-12-2008, 08:02 AM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home


Re: Need help getting started

Thanks for uploading the file.


Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Viewpoint Manager <<< this is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". Read this article: http://www.clickz.com/news/article.php/3561546

Additional info: http://vil.nai.com/vil/content/v_137262.htm

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 10. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

Also post a new HijackThis log.
tetonbob is offline  
Old 11-16-2008, 06:56 AM   #12 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 10
OS: XP Home


Re: Need help getting started

Okay, sorry for the lag in response time again, but I've been struggling the past day and a half with IE. I would go to the ESET site but it wouldn't let me scan. I don't use IE all that often (mostly it's Firefox), so I thought it may be something with the settings. I was just about to post on here and let you know it wouldn't work, and I tried one last time and it worked. Also, I had disabled my anti-virus, but in the midst of the IE problems I rebooted my computer and forgot to disable it again, so when I scanned with ESET it was active. Thanks again. Here are the results:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3615 (20081115)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=d5a068465bfbc34888b546f25a7cf4ef
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-11-16 01:44:32
# local_time=2008-11-16 08:44:32 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=175746
# found=4
# scan_time=5565
C:\Qoobox\Quarantine\C\Program Files\AntiSpywareXP2009\AntiSpywareXP2009.exe.vir a variant of Win32/Adware.XPSecurityCenter application 1BA8C7FB3A29695E8AB4C364D103D469
C:\Qoobox\Quarantine\C\Program Files\AntiSpywareXP2009\Uninstall.exe.vir Win32/Adware.XPAntiSpyware.AA application F4E71CC4B735455F1515563F5C4443E1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSklfy.dll.vir Win32/Agent.ODG trojan 09C625013B8D1693626EDCB13CBC4D83
C:\Qoobox\Quarantine\C\WINDOWS\system32\wini108015.exe.vir Win32/Adware.XPAntiSpyware.AA application F4E71CC4B735455F1515563F5C4443E1





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:39 AM, on 11/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\trend micro\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.verizon.net/central/vzc.portal
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [DXM6Patch_9904] C:\WINDOWS\p_9904.exe /Q:A
O4 - HKLM\..\Run: [QuickTime Task] "C:\my documents\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZJfox000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6003 bytes
vinnie1543 is offline  
Old 11-16-2008, 07:48 AM   #13 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 10
OS: XP Home


Re: Need help getting started

I also meant to add that the computer is working much better. No more pop-up message about spyware. Everything seems pretty good, although toward the end of the ESET scan my antivirus did show an alert for a trojan. One quick change-of-subject question - where would I go/post to find out more info (if this is even a realistic possibility) about how to become certified/trained/educated to help out here? I'd love to be able to donate large sums of money to help keep sites like this going, but that's not an option at this time; if I could help solve problems others are having, I'd love to find out more about how to go about it. Thanks for all your help.
vinnie1543 is offline  
Old 11-16-2008, 08:56 AM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home


Re: Need help getting started

Hi again -

Good job of persistence. Eset has found only items in ComboFix quarantine, which will be removed by uninstalling ComboFix as instructed below.

Quote:
toward the end of the ESET scan my antivirus did show an alert for a trojan.
Because Avira was active during the Eset scan, Avira may have alerted to one of the files Eset was probing, causing a parallel identification. Once we uninstall ComboFix, I would not expect such alerts. After ComboFix is installed might be a good time for an update of Avira's definitions and a full system scan.

There are several malware removal training facilities at forums. We have one here; space is limited. See:

http://www.techsupportforum.com/secu...n-academy.html

===========================================

Your logs appear clean. You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • FIREWALL
    Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.

    Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting, and this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
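The HOSTS-file advice above works because a name mapped to 127.0.0.1 (or 0.0.0.0) never leaves the machine. The same file is also a favourite target of the trojans this thread is about: malware that rewrites HOSTS can point update or antivirus-vendor names at an attacker's address, or at loopback so the victim can no longer update. The following is an added example, not code from the forum post or from MVPS, that parses a HOSTS file in the MVPS layout and separates harmless blackhole entries from entries that look like a hijack. The "protected" domain list and the sample file are constructed for the example; the real MVPS file is not reproduced.

```python
"""Audit a Windows HOSTS file in the MVPS style.

Harmless MVPS-style entries map ad/malware hosts to a blackhole address
(127.0.0.1 or 0.0.0.0). Anything that maps a sensitive name (Windows Update,
security vendors) anywhere, or maps any name to a non-loopback address, is
reported so a helper can look at it.
"""
import ipaddress
from dataclasses import dataclass, field

BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Assumption for this example: names a consumer HOSTS file should never
# override. Extend to taste; the forum post does not specify such a list.
PROTECTED_SUFFIXES = (
    "windowsupdate.com", "update.microsoft.com", "microsoft.com",
    "avira.com", "eset.com", "mcafee.com", "secunia.com",
)


@dataclass
class Finding:
    line_no: int
    kind: str   # "hijack", "update_blocked", "redirect" or "malformed"
    ip: str
    host: str


@dataclass
class Report:
    blackhole: int = 0                 # count of harmless blocking entries
    findings: list = field(default_factory=list)

    def by_kind(self, kind: str) -> list:
        return [f for f in self.findings if f.kind == kind]


def is_protected(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in PROTECTED_SUFFIXES)


def parse_hosts(text: str) -> Report:
    """Classify every host mapping in a HOSTS file (one IP, then names)."""
    report = Report()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        tokens = line.split()
        try:
            ip = str(ipaddress.ip_address(tokens[0]))
        except ValueError:
            report.findings.append(Finding(n, "malformed", tokens[0], ""))
            continue
        if len(tokens) == 1:                      # an IP with no names
            report.findings.append(Finding(n, "malformed", ip, ""))
            continue
        for host in tokens[1:]:
            if host.lower() in LOCAL_NAMES:       # "127.0.0.1 localhost"
                continue
            if ip in BLACKHOLE:
                if is_protected(host):            # blocks updates/AV: bad
                    report.findings.append(Finding(n, "update_blocked", ip, host))
                else:                             # MVPS-style ad block: fine
                    report.blackhole += 1
            else:
                # A real address for a name: a hijack if the name is sensitive,
                # otherwise still unusual for a blocklist-style HOSTS file.
                kind = "hijack" if is_protected(host) else "redirect"
                report.findings.append(Finding(n, kind, ip, host))
    return report


def audit_file(path: str) -> Report:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_hosts(fh.read())


# Constructed sample, not the real MVPS file.
SAMPLE_HOSTS = """\
# Constructed sample for this example
127.0.0.1 localhost
::1 localhost
0.0.0.0 ad.doubleclick.net
127.0.0.1 adserver.example      # MVPS-style block: harmless
127.0.0.1 download.windowsupdate.com
198.51.100.7 www.avira.com
garbage line here
"""

if __name__ == "__main__":
    r = parse_hosts(SAMPLE_HOSTS)
    print(f"{r.blackhole} blackhole entries")
    for f in r.findings:
        print(f"line {f.line_no}: {f.kind} {f.ip} {f.host}")
```

On a real machine run `audit_file(r"C:\WINDOWS\system32\drivers\etc\hosts")`; a clean MVPS install reports thousands of blackhole entries and no findings, while any "hijack" or "update_blocked" line deserves the same attention as an HJT O1 entry.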
Old 11-21-2008, 07:31 PM   #15 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 10
OS: XP Home


Re: Need help getting started

Thank you again for all your tremendous help. I've already recommended this site to a couple of friends and will continue to do so. I also will do anything I can to help sustain the positive aspect of owning a computer that you guys (and gals) provide for all of us that come here for help, whether it be financially or by other means. Thanks again, and you all deserve some well earned thanks and kudos...
vinnie1543 is offline  
Old 11-21-2008, 07:43 PM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home


Re: Need help getting started

Glad to have helped, vinnie1543.

One of the best ways to help is to teach others how to protect their own machines. Prevention is always better than cure. Show them the links I've provided, and make sure they stay away from dodgy sites, don't open suspect emails, keep current AntiVirus protection on their machines, and keep Windows Updates current.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.
tetonbob is offline  
Copyright 2001 - 2009, Tech Support Forum