

Spyguard 2008 and Fake window security window

This is a discussion on Spyguard 2008 and Fake window security window within the Inactive Malware Help Topics forums, part of the Tech Support Forum category.


 
 
Old 12-26-2008, 11:05 AM   #1
Guest
 
Join Date: Dec 2008
Posts: 11
OS:



I have Windows XP running Service Pack 2. I am having a problem with Spyguard 2008, which starts from the Windows Security window. Also, I use Firefox, and when I use Google the hits for my search are redirects to some other site.

Here is my HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:52 AM, on 12/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\digi96.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\winscenter.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,[email protected]
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [RMETray] digi96.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBDFCF07-C0B2-432F-A775-4B1726B31B25}: NameServer = 68.87.85.98,68.87.69.146
O21 - SSODL: ieModule - {637457F7-FE9A-41CD-B29A-B4CEBC34769A} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll (file missing)
O21 - SSODL: InternetConnection - {379454B2-AC08-44A5-8F24-1C70BAC28550} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\frumhqzqsc.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 7596 bytes

Can anyone help me?
Thanks!
Old 12-27-2008, 04:51 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

If you're not receiving help elsewhere and still require assistance for this issue, please follow the process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

After running through all the steps, you shall have a proper set of logs. Please post/attach as instructed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your next reply.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 12-28-2008, 04:21 AM   #3
Guest
 



Thanks Chemist for the reply.

I will read the instructions today and run through them.

Thank you.

Patrick
Old 12-28-2008, 07:15 AM   #4
Guest
 



My problem is I have the Spyware Guard 2008 virus, which looks like it is launched from a fake Windows Security Center. Also, when I use Google search, all the links are redirects to some other page than the URL listed below the link in Google search. I do not use IE and only use Mozilla Firefox.

Problems:
Spyware Guard 2008
Fake Windows Security Center
Google links redirect to another page than the one that came up in Google search.

gmer.exe would not run. I tried renaming it and putting it in a different directory, and still couldn't run it. My attached file does not contain the output from gmer.exe.

Thank you!!!!

----------------------------------------------------------------


DDS (Version 1.1.0) - NTFSx86
Run by Owner at 5:45:44.27 on Sun 12/28/2008
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.270 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\digi96.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\WINDOWS\system32\winscenter.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.emachines.com/
uSearch Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CHotkey] zHotkey.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,[email protected]
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [RMETray] digi96.exe
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AlcFDMonitor] c:\windows\ALCFDRTM.EXE
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Mixersel] c:\program files\realtek\installshield\mixersel.exe
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
TCP: {DBDFCF07-C0B2-432F-A775-4B1726B31B25} = 68.87.85.98,68.87.69.146
Notify: igfxcui - igfxsrvc.dll
SSODL: ieModule - {637457F7-FE9A-41CD-B29A-B4CEBC34769A} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\ieModule.dll
SSODL: InternetConnection - {379454B2-AC08-44A5-8F24-1C70BAC28550} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\frumhqzqsc.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\or8vwshm.default\
FF - prefs.js: browser.startup.homepage - hxxp://by106w.bay106.mail.live.com/mail/TodayLight.aspx?&n=900505035&gs=true
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\or8vwshm.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R1 Asapi;Asapi;c:\windows\system32\drivers\Asapi.sys [2008-11-6 11264]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-8-18 58464]
R2 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" [2007-7-20 557056]
R2 digi96;digi96;c:\windows\system32\drivers\digi96.sys [2008-11-6 47360]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe /ServiceStart [2006-8-18 102463]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\mcdetect.exe [2008-1-9 126976]
R2 McShield;Network Associates McShield;"c:\program files\network associates\virusscan\Mcshield.exe" [2004-9-22 221191]
R2 McTaskManager;Network Associates Task Manager;"c:\program files\network associates\virusscan\VsTskMgr.exe" [2004-9-22 28672]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2008-1-9 122368]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-8-18 108480]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-8-24 245760]

=============== Created Last 30 ================

2008-12-27 04:58 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2008-12-27 04:51 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-27 04:51 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 04:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 04:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-27 04:12 2,539,168 a------- C:\mbam-setup.exe
2008-12-27 04:03 1,660,532 a------- C:\SmitfraudFix.exe
2008-12-27 03:52 384,000 a------- c:\windows\system32\winscenter.exe
2008-12-26 06:40 <DIR> --d----- c:\program files\Trend Micro
2008-12-26 05:53 146,432 ac------ c:\windows\system32\dllcache\regedit.exe
2008-12-26 05:53 146,432 a------- c:\windows\regedit.exe
2008-12-25 05:04 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2008-12-25 05:03 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2008-12-25 05:03 18,944 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2008-12-25 05:03 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2008-12-25 05:03 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2008-12-25 05:03 99,865 ac------ c:\windows\system32\dllcache\xlog.exe
2008-12-25 05:03 28,288 ac------ c:\windows\system32\dllcache\xjis.nls
2008-12-25 05:03 16,970 ac------ c:\windows\system32\dllcache\xem336n5.sys
2008-12-25 05:03 19,455 ac------ c:\windows\system32\dllcache\wvchntxx.sys
2008-12-25 05:03 19,200 ac------ c:\windows\system32\dllcache\wstcodec.sys
2008-12-25 05:03 12,063 ac------ c:\windows\system32\dllcache\wsiintxx.sys
2008-12-25 05:03 8,192 ac------ c:\windows\system32\dllcache\wshirda.dll
2008-12-25 05:01 64,605 ac------ c:\windows\system32\dllcache\vvoice.sys
2008-12-25 05:00 69,632 ac------ c:\windows\system32\dllcache\umaxu12.dll
2008-12-25 04:59 230,912 ac------ c:\windows\system32\dllcache\tosdvd03.sys
2008-12-25 04:58 41,472 ac------ c:\windows\system32\dllcache\sw_effct.dll
2008-12-25 04:57 147,200 ac------ c:\windows\system32\dllcache\smidispb.dll
2008-12-25 04:56 101,760 ac------ c:\windows\system32\dllcache\sis300ip.sys
2008-12-25 04:55 198,400 ac------ c:\windows\system32\dllcache\s3sav4.dll
2008-12-25 04:54 714,762 ac------ c:\windows\system32\dllcache\r2mdmkxx.sys
2008-12-25 04:53 105,984 ac------ c:\windows\system32\dllcache\phdsext.ax
2008-12-25 04:52 43,689 ac------ c:\windows\system32\dllcache\otceth5.sys
2008-12-25 04:51 27,936 ac------ c:\windows\system32\dllcache\n9i3d.sys
2008-12-25 04:50 16,128 ac------ c:\windows\system32\dllcache\modemcsa.sys
2008-12-25 04:49 34,688 ac------ c:\windows\system32\dllcache\lbrtfdc.sys
2008-12-25 04:48 19,456 ac------ c:\windows\system32\dllcache\iiscrmap.dll
2008-12-25 04:47 391,199 ac------ c:\windows\system32\dllcache\hsf_k56k.sys
2008-12-25 04:46 17,408 ac------ c:\windows\system32\dllcache\gpr400.sys
2008-12-25 04:45 63,360 ac------ c:\windows\system32\dllcache\ess.sys
2008-12-25 04:44 28,062 ac------ c:\windows\system32\dllcache\dp83820.sys
2008-12-25 04:43 72,832 ac------ c:\windows\system32\dllcache\cwbwdm.sys
2008-12-25 04:42 195,618 ac------ c:\windows\system32\dllcache\c_10002.nls
2008-12-25 04:41 7,168 ac------ c:\windows\system32\dllcache\wamregps.dll
2008-12-25 04:41 66,048 ac------ c:\windows\system32\dllcache\s3legacy.dll
2008-12-25 04:41 19,968 ac------ c:\windows\system32\dllcache\inetsloc.dll
2008-12-25 04:41 7,680 ac------ c:\windows\system32\dllcache\inetmgr.exe
2008-12-25 04:41 169,984 ac------ c:\windows\system32\dllcache\iisui.dll
2008-12-25 04:41 5,632 ac------ c:\windows\system32\dllcache\iisrstap.dll
2008-12-25 04:41 14,336 ac------ c:\windows\system32\dllcache\iisreset.exe
2008-12-25 04:41 6,144 ac------ c:\windows\system32\dllcache\ftpsapi2.dll
2008-12-25 04:41 94,720 ac------ c:\windows\system32\dllcache\certmap.ocx
2008-12-19 07:31 29,701 a------- c:\docume~1\alluse~1\applic~1\svhost.exe
2008-12-18 05:18 <DIR> --d----- C:\quarantine
2008-12-02 06:15 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-02 06:15 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2008-12-16 18:37 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-11-07 11:46 27,724 a------- c:\windows\unins000.dat
2008-11-07 11:46 678,746 a------- c:\windows\unins000.exe
2008-11-07 11:30 6,475,776 a------- c:\windows\system32\PSP VintageWarmer2.dll
2008-10-23 05:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-15 18:00 666,112 a------- c:\windows\system32\wininet.dll
2008-10-03 03:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-02-11 04:42 458 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2006-04-05 18:53 860,160 a------- c:\program files\md5summer.exe
2008-02-04 14:55 88 ---shr-- c:\windows\system32\D3D3892426.sys

============= FINISH: 5:46:34.93 ===============
Attached Files
File Type: zip Attach.zip (4.8 KB, 18 views)
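The HijackThis log in post #1 and the DDS report in post #4 are read by eye, but the patterns a helper scans for can be scripted. The following is an added example, not a tool from this thread or from the HijackThis/DDS authors: it scores log lines for the signs visible in the logs above, an SSODL entry pointing into All Users\Application Data, an entry marked "(file missing)", a random-looking DLL name, a file one typo away from a core Windows binary, and a recently created executable in system32 or in a user profile. The sample lines are constructed to match the shape of the posted logs; the thresholds, the list of system binary names and the list of user-writable path fragments are assumptions.

```python
"""Heuristic triage of HijackThis / DDS log lines.

Added example for this thread; it is not a tool from the original posts
or from the HijackThis/DDS authors. It flags the patterns a helper scans
for by eye: autostart entries living in user-writable folders, entries
whose file is missing, random-looking file names, names one typo away
from a core Windows binary, and recently created executables in
system32 or in a user profile. Thresholds and name lists are assumptions.
"""
import re

# Core Windows process names that malware imitates (assumed list).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}

# Path fragments an ordinary user can write to (XP layout, 8.3 forms included).
USER_WRITABLE = ("\\application data\\", "\\applic~1\\", "\\docume~1\\",
                 "\\documents and settings\\", "\\local settings\\", "\\temp\\")

# A drive-letter path up to the first .exe/.dll/.sys (paths may contain spaces).
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|sys)\b", re.I)
# DDS "Created Last 30" / "Find3M" line: date time size attributes path.
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+(\S+)\s+\S")

# Constructed sample in the shape of the logs posted in this thread.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O21 - SSODL: ieModule - {637457F7-FE9A-41CD-B29A-B4CEBC34769A} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll (file missing)
O21 - SSODL: InternetConnection - {379454B2-AC08-44A5-8F24-1C70BAC28550} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\frumhqzqsc.dll
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
2008-12-27 03:52 384,000 a------- c:\windows\system32\winscenter.exe
2008-12-26 05:53 146,432 ac------ c:\windows\system32\dllcache\regedit.exe
2008-12-19 07:31 29,701 a------- c:\docume~1\alluse~1\applic~1\svhost.exe
"""


def edit_distance(a, b):
    """Levenshtein distance; catches one-typo lookalikes such as svhost/svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem):
    """Keyboard-mash test: 8+ letters with under 20% vowels or a 6-consonant run."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in "aeiouy" else run + 1
        longest = max(longest, run)
    return vowels / len(letters) < 0.2 or longest >= 6


def triage_line(line):
    """Return (lowercase file name, set of heuristic names) for one log line."""
    m = PATH_RE.search(line)
    if not m:
        return None, set()
    low = m.group(0).lower()
    base = low.rsplit("\\", 1)[-1]
    hits = set()
    if "(file missing)" in line.lower():
        hits.add("file_missing")
    if looks_random(base.rsplit(".", 1)[0]):
        hits.add("random_name")
    for name in SYSTEM_NAMES:
        d = edit_distance(base, name)
        if d == 1:
            hits.add("lookalike_system_binary")
        elif d == 0 and "\\windows\\" not in low:
            hits.add("system_binary_outside_windows")
    in_user_dir = any(frag in low for frag in USER_WRITABLE)
    created = CREATED_RE.match(line.strip())
    if created:
        # A 'c' in the attribute column marks a dllcache copy staged by a
        # service-pack install; the logs above list hundreds of those.
        if "c" not in created.group(1) and (in_user_dir or "\\system32\\" in low):
            hits.add("recent_executable_in_sensitive_dir")
    elif in_user_dir:
        hits.add("autostart_in_user_writable_dir")
    return base, hits


def triage(log_text):
    """Map file name -> sorted heuristic hits for every line that fired."""
    report = {}
    for line in log_text.splitlines():
        base, hits = triage_line(line)
        if hits:
            report.setdefault(base, set()).update(hits)
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(f"{name:20} {', '.join(hits)}")
```

On the sample this lists frumhqzqsc.dll, ieModule.dll, svhost.exe and winscenter.exe, which are exactly the items ComboFix later removes, plus lxcgcoms.exe, Lexmark's legitimate printer service, which the vowel-ratio rule flags as random (OEM abbreviations such as ALCFDRTM.EXE in the log trip it the same way). The script ranks, it does not convict: every hit still needs the file's publisher, signature and creation date checked, and the dllcache entries it skips are the SP3 staging copies, not something to chase.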
Old 12-28-2008, 07:51 AM   #5
Security Team



Hello padrick.

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

https://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
Old 12-28-2008, 01:09 PM   #6
Guest
 



Thanks Chemist.

I downloaded ComboFix. I installed the Microsoft Windows Recovery Console. During installation it could not connect to MS for updates. I think this is being blocked by the virus. The Microsoft Windows Recovery Console installed correctly and I rebooted the PC. I selected the "Microsoft Windows Recovery Console" option at reboot, and a black screen came up with a blinking white underscore on the left side of the first line.

Do I go to MS and download another set of MS Setup disks?
Not sure how to find out what service pack I have.
Would it be the Microsoft Windows XP Professional Service Pack 2 download?

Thanks again.


Padrick
Old 12-28-2008, 01:19 PM   #7
Security Team



Quote:
4. ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.
Please follow the instructions exactly. Reboot your computer and continue with the instructions:

Quote:
We are almost ready to start ComboFix, ...
Old 12-28-2008, 01:54 PM   #8
Guest
 



Sorry chemist, struggling with this.

I ran sysdm.cpl and I have MS Media Center with Service Pack 3.

I went to MS and downloaded the "If you are using Windows XP Media Center, then you should select the Windows XP Pro Service Pack 2 download."

I dragged the "WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe" on top of ComboFix.exe and it did not start the Microsoft Windows Recovery Console.

I tried to follow the directions exactly. Not sure if I did something wrong.

Thanks!
Old 12-28-2008, 02:04 PM   #9
Security Team



Haven't you already installed the Recovery Console?

Quote:
The Microsoft Windows Recovery Console installed correctly and I rebooted the PC. I selected the " Microsoft Windows Recovery Console" option at reboot
Close any browsers. Disable your antivirus real-time protection.

Double-click ComboFix.exe and follow the prompts.
Old 12-28-2008, 02:20 PM   #10
Guest
 



Hi chemist, Sorry that I am struggling.

I rebooted the PC, then selected normal Windows. Turned off McAfee and the firewall.

I closed all windows. When I double-click on ComboFix.exe it does not start. It was on the desktop, so I moved it to C:\ and tried to run it, and it didn't run. Then I renamed it and tried to run it, and it won't run.

Thanks!

Padrick
Old 12-28-2008, 02:26 PM   #11
Guest
 



Chemist, I tried running Spybot and it won't run. It seems certain .exe files are disabled on my PC. Not sure if this is the spyware.
Old 12-28-2008, 02:46 PM   #12
Security Team



Move ComboFix.exe back to your desktop. Try renaming ComboFix.exe to ComboFix.com and double-click it.
Old 12-28-2008, 02:48 PM   #13
Guest
 



Quote:
Originally Posted by chemist View Post
Move ComboFix.exe back to your desktop. Try renaming ComboFix.exe to ComboFix.com and double-click it.
I moved it back to the desktop and renamed it to ComboFix.com. When I double-click, nothing happens. Bummer!

Thanks!

-P
Old 12-28-2008, 03:12 PM   #14
Security Team



Go to Start > Run and copy/paste the following single-line command into the Run box (including the quotation marks):

"%userprofile%\Desktop\ComboFix.com" /killall

If that doesn't work, try double-clicking ComboFix.com in Safe Mode.
Old 12-28-2008, 04:15 PM   #15
Guest
 



I copied and pasted "%userprofile%\Desktop\ComboFix.com" /killall into Run and it would not launch the application.

Rebooted in Safe Mode and double-clicked ComboFix.com, and it will not launch the application.

Checked properties for ComboFix, and it was downloaded today, is listed as an application, and the file size seems right.

Thanks!
Old 12-28-2008, 04:58 PM   #16
Security Team



Delete ComboFix.com from your desktop.

Download Combo-Fix.exe and save it to your desktop.

Double-click Combo-Fix.exe to run it. Follow the prompts.
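Posts #10 through #16 show the classic symptom of a tool-blocking infection: ComboFix, Spybot and gmer will not start, renaming to .com does not help, yet a differently named Combo-Fix.exe runs. The thread never says which mechanism was responsible. The script below is an added example, not a tool from this thread, from ComboFix or from its author: it parses a .reg export and checks three registry mechanisms a helper rules out first, Image File Execution Options "Debugger" entries, the exefile/comfile open command, and the .exe extension class. The sample export, the blocker_example.exe path, the list of known debuggers and the list of tool names are all constructed for the example.

```python
"""Audit a .reg export for registry settings that block named programs.

Added example for this thread, not a tool from the original posts or from
ComboFix. The thread never establishes which mechanism stopped gmer, Spybot
and ComboFix from launching, so the three checks below are the usual
suspects a helper rules out first (assumptions, not findings from the logs):

* Image File Execution Options (IFEO): a "Debugger" value under
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
  Options\<name>.exe makes Windows start that "debugger" instead of the
  program. It is keyed by file name, which is why helpers ask for a rename.
* exefile / comfile shell\open\command: must be "%1" %*; anything else runs
  first for every .exe (or .com) the user launches.
* The .exe extension class (HKCR\.exe, or per user under
  HKCU\Software\Classes\.exe): must be exefile; remapping it to another
  class redirects all .exe launches for that user.
"""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
IFEO_PREFIX = ("hkey_local_machine\\software\\microsoft\\windows nt\\currentversion"
               "\\image file execution options\\")
EXPECTED_OPEN_COMMAND = '"%1" %*'
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe", "drwtsn32.exe"}
# Tool names used in this thread; a Debugger entry on one of these is a red flag.
SECURITY_TOOLS = {"combofix.exe", "gmer.exe", "hijackthis.exe", "mbam.exe", "spybotsd.exe"}

# Constructed export (not from the thread). blocker_example.exe is a
# hypothetical name standing in for whatever a blocker would register.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Debuggers\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe]
"Debugger"="C:\\Documents and Settings\\All Users\\Application Data\\blocker_example.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\All Users\\Application Data\\blocker_example.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"
'''


def unescape(s):
    """Undo .reg string escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = VAL_RE.match(line)
        if vm is None or current is None:
            continue
        name, data = vm.groups()
        name = "" if name == "@" else unescape(name[1:-1])
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = unescape(data[1:-1])  # dword:/hex: values skipped
    return keys


def audit(keys):
    """Return (check, key, data, verdict) for each entry that deserves a look."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        vals = {n.lower(): v for n, v in values.items()}
        if k.startswith(IFEO_PREFIX) and "debugger" in vals:
            image, dbg = k[len(IFEO_PREFIX):], vals["debugger"]
            m = re.search(r'([^\\"/]+\.exe)', dbg.lower())
            dbg_name = m.group(1) if m else dbg.lower()
            if image in SECURITY_TOOLS:
                verdict = "blocks_security_tool"
            elif dbg_name in KNOWN_DEBUGGERS:
                verdict = "known_debugger"
            else:
                verdict = "unknown_debugger"
            findings.append(("ifeo", key, dbg, verdict))
        elif k.endswith("\\exefile\\shell\\open\\command") or k.endswith("\\comfile\\shell\\open\\command"):
            cmd = vals.get("", "")
            if cmd.replace(" ", "") != EXPECTED_OPEN_COMMAND.replace(" ", ""):
                findings.append(("shell_open_command", key, cmd, "hijacked"))
        elif k.endswith("\\.exe") or k.endswith("\\.com"):
            expected = "exefile" if k.endswith(".exe") else "comfile"
            cls = vals.get("", "")
            if cls and cls.lower() != expected:
                findings.append(("extension_class", key, cls, "remapped"))
    return findings


if __name__ == "__main__":
    for check, key, data, verdict in audit(parse_reg(SAMPLE_REG)):
        print(f"[{verdict}] {check}: {key} -> {data}")
```

On an XP machine the inputs come from reg.exe, for instance `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and the same for HKCR\exefile, HKCR\comfile, HKCR\.exe and HKCU\Software\Classes; feed each file to parse_reg(). A clean result does not clear the machine: a resident malware component can also terminate or suspend processes by name, which no registry audit will show and which a rename such as the Combo-Fix.exe in post #16 can sidestep, and the .com rename in post #12 only helps against mechanisms keyed on the .exe name or class.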
Old 12-29-2008, 08:07 AM   #17
Guest
 



Hey chemist, thanks for being patient with me.

The newly downloaded Combo-Fix.exe worked, and here is the output of ComboFix.

Thanks again.
---------------------------------------------------------------------

ComboFix 08-12-28.03 - Owner 2008-12-29 8:54:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.565 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll
c:\documents and settings\All Users\Application Data\svhost.exe
c:\windows\system32\winscenter.exe
D:\Autorun.inf
K:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-27 04:58 . 2008-12-27 04:58 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-27 04:51 . 2008-12-27 04:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 04:51 . 2008-12-27 04:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 04:51 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 04:51 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-27 04:12 . 2008-12-22 13:48 2,539,168 --a------ C:\mbam-setup.exe
2008-12-27 04:03 . 2008-12-22 13:47 1,660,532 --a------ C:\SmitfraudFix.exe
2008-12-26 06:40 . 2008-12-26 06:40 <DIR> d-------- c:\program files\Trend Micro
2008-12-26 05:53 . 2008-04-13 17:12 146,432 --a--c--- c:\windows\system32\dllcache\regedit.exe
2008-12-26 05:53 . 2008-04-13 17:12 146,432 --a------ c:\windows\regedit.exe
2008-12-25 05:04 . 2008-04-13 18:12 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll
2008-12-25 05:03 . 2001-08-17 22:37 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe
2008-12-25 05:03 . 2004-08-10 12:00 28,288 --a--c--- c:\windows\system32\dllcache\xjis.nls
2008-12-25 05:03 . 2001-08-17 22:37 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe
2008-12-25 05:03 . 2001-08-17 22:36 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll
2008-12-25 05:03 . 2004-08-03 22:29 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys
2008-12-25 05:03 . 2008-04-13 12:46 19,200 --a--c--- c:\windows\system32\dllcache\wstcodec.sys
2008-12-25 05:03 . 2008-04-13 18:12 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll
2008-12-25 05:03 . 2001-08-17 12:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys
2008-12-25 05:03 . 2004-08-03 22:29 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys
2008-12-25 05:03 . 2008-04-13 18:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2008-12-25 05:03 . 2001-08-17 22:37 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe
2008-12-25 05:01 . 2001-08-17 13:28 794,654 --a--c--- c:\windows\system32\dllcache\usr1801.sys
2008-12-25 05:00 . 2001-08-17 22:36 525,568 --a--c--- c:\windows\system32\dllcache\tridxp.dll
2008-12-25 04:59 . 2001-08-17 14:01 241,664 --a--c--- c:\windows\system32\dllcache\tosdvd02.sys
2008-12-25 04:58 . 2001-08-17 12:18 285,760 --a--c--- c:\windows\system32\dllcache\stlnata.sys
2008-12-25 04:57 . 2001-08-17 14:56 252,032 --a--c--- c:\windows\system32\dllcache\sis300iv.dll
2008-12-25 04:56 . 2001-08-17 22:36 495,616 --a--c--- c:\windows\system32\dllcache\sblfx.dll
2008-12-25 04:55 . 2001-08-17 14:56 210,496 --a--c--- c:\windows\system32\dllcache\s3mvirge.dll
2008-12-25 04:54 . 2001-08-17 13:28 899,146 --a--c--- c:\windows\system32\dllcache\r2mdkxga.sys
2008-12-25 04:53 . 2001-08-17 14:05 351,616 --a--c--- c:\windows\system32\dllcache\ovcodek2.sys
2008-12-25 04:52 . 2001-08-17 12:50 198,144 --a--c--- c:\windows\system32\dllcache\nv3.sys
2008-12-25 04:51 . 2004-08-10 12:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex
2008-12-25 04:50 . 2001-08-17 13:28 802,683 --a--c--- c:\windows\system32\dllcache\ltsm.sys
2008-12-25 04:49 . 2004-08-10 12:00 1,158,818 --a--c--- c:\windows\system32\dllcache\korwbrkr.lex
2008-12-25 04:48 . 2004-08-10 12:00 10,129,408 --a--c--- c:\windows\system32\dllcache\hwxkor.dll
2008-12-25 04:47 . 2001-08-17 13:28 907,456 --a--c--- c:\windows\system32\dllcache\hcf_msft.sys
2008-12-25 04:46 . 2001-08-17 14:56 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll
2008-12-25 04:45 . 2001-08-17 13:28 634,134 --a--c--- c:\windows\system32\dllcache\el656ct5.sys
2008-12-25 04:44 . 2001-08-17 12:14 952,007 --a--c--- c:\windows\system32\dllcache\diwan.sys
2008-12-25 04:43 . 2004-08-10 12:00 1,677,824 --a--c--- c:\windows\system32\dllcache\chsbrkr.dll
2008-12-25 04:42 . 2001-08-17 13:28 871,388 --a--c--- c:\windows\system32\dllcache\bcmdm.sys
2008-12-25 04:41 . 2004-08-10 12:00 169,984 --a--c--- c:\windows\system32\dllcache\iisui.dll
2008-12-25 04:41 . 2004-08-10 12:00 94,720 --a--c--- c:\windows\system32\dllcache\certmap.ocx
2008-12-25 04:41 . 2001-08-17 14:56 66,048 --a--c--- c:\windows\system32\dllcache\s3legacy.dll
2008-12-25 04:41 . 2004-08-10 12:00 19,968 --a--c--- c:\windows\system32\dllcache\inetsloc.dll
2008-12-25 04:41 . 2004-08-10 12:00 14,336 --a--c--- c:\windows\system32\dllcache\iisreset.exe
2008-12-25 04:41 . 2004-08-10 12:00 7,680 --a--c--- c:\windows\system32\dllcache\inetmgr.exe
2008-12-25 04:41 . 2004-08-10 12:00 7,168 --a--c--- c:\windows\system32\dllcache\wamregps.dll
2008-12-25 04:41 . 2004-08-10 12:00 6,144 --a--c--- c:\windows\system32\dllcache\ftpsapi2.dll
2008-12-25 04:41 . 2004-08-10 12:00 5,632 --a--c--- c:\windows\system32\dllcache\iisrstap.dll
2008-12-18 05:18 . 2008-12-19 07:31 <DIR> d-------- C:\quarantine
2008-12-02 06:15 . 2008-12-28 15:26 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-02 06:15 . 2008-12-02 06:15 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 13:02 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-12-27 02:02 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2008-12-26 12:36 --------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org2
2008-12-25 00:26 --------- d-----w c:\program files\Lx_cats
2008-12-17 01:38 --------- d-----w c:\documents and settings\Owner\Application Data\Corel
2008-11-30 00:49 --------- d-----w c:\documents and settings\Owner\Application Data\foobar2000
2008-11-30 00:25 --------- d-----w c:\program files\foobar2000
2008-11-22 19:48 --------- d-----w c:\documents and settings\Owner\Application Data\AccurateRip
2008-11-22 19:47 --------- d-----w c:\program files\Exact Audio Copy
2008-11-22 19:09 --------- d-----w c:\documents and settings\Owner\Application Data\AD ON Multimedia
2008-11-10 16:21 --------- d-----w c:\program files\Michael K. Weise
2008-11-10 15:48 --------- d-----w c:\program files\Trader's Little Helper
2008-11-09 15:47 --------- d-----w c:\program files\Common Files\Corel
2008-11-09 15:46 --------- d-----w c:\program files\Corel
2008-11-07 19:09 --------- d-----w c:\program files\Waves
2008-11-07 19:09 --------- d-----w c:\program files\BBE Sonic Maximizer 2.0 Full
2008-11-07 19:05 --------- d-----w c:\documents and settings\Owner\Application Data\Waves Audio
2008-11-07 18:55 --------- d-----w c:\program files\Nomad Factory
2008-11-07 18:46 678,746 ----a-w c:\windows\unins000.exe
2008-11-07 18:46 --------- d-----w c:\program files\Sonalksis
2008-11-07 18:31 --------- d-----w c:\program files\PSPaudioware
2008-11-07 18:31 --------- d-----w c:\program files\Common Files\Digidesign
2008-11-06 22:55 --------- d-----w c:\program files\iZotope
2008-11-06 22:55 --------- d-----w c:\program files\Common Files\iZotope
2008-11-06 22:02 --------- d-----w c:\documents and settings\All Users\Application Data\Pinnacle
2008-11-06 21:59 --------- d-----w c:\program files\VOB
2008-11-06 21:57 --------- d-----w c:\program files\Steinberg
2008-11-06 21:46 --------- d-----w c:\program files\music
2008-02-11 11:42 458 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2006-04-06 01:53 860,160 ----a-w c:\program files\md5summer.exe
2008-02-04 21:55 88 --sh--r c:\windows\system32\D3D3892426.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-01 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-01 126976]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-04-27 69632]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"AlcFDMonitor"="c:\windows\ALCFDRTM.EXE" [2007-09-24 73728]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-05-04 200704]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-05-03 299008]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-06-08 94208]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
"CHotkey"="zHotkey.exe" [2005-05-03 c:\windows\zHotkey.exe]
"RMETray"="digi96.exe" [2002-06-03 c:\windows\system32\digi96.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-05-12 c:\windows\ALCWZRD.EXE]
"SoundMan"="SOUNDMAN.EXE" [2005-05-12 c:\windows\SoundMan.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2005-08-24 1742384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"= digi96.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK
backup=c:\windows\pss\Install Pending Files.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 17:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\lxcgcoms.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 Asapi;Asapi;c:\windows\system32\drivers\Asapi.sys [2008-11-06 11264]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-08-18 58464]
R2 digi96;digi96;c:\windows\system32\DRIVERS\digi96.sys [2008-11-06 47360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - ENTDRV51
*Newly Created Service* - TDSSSERV.SYS
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Mixersel - c:\program files\Realtek\InstallShield\mixersel.exe
MSConfigStartUp-spywareguard - c:\program files\Spyware Guard 2008\spywareguard.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.emachines.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {DBDFCF07-C0B2-432F-A775-4B1726B31B25} = 68.87.85.98,68.87.69.146
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\or8vwshm.default\
FF - prefs.js: browser.startup.homepage - hxxp://by106w.bay106.mail.live.com/mail/TodayLight.aspx?&n=900505035&gs=true
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\or8vwshm.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-12-29 09:02:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(916)
c:\windows\system32\EntApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\PSIService.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\lxcgcoms.exe
.
**************************************************************************
.
Completion time: 2008-12-29 9:03:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-29 16:03:56

Pre-Run: 96,156,737,536 bytes free
Post-Run: 98,632,331,264 bytes free

237 --- E O F --- 2008-12-18 10:01:01
padrick is offline  
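The entries a helper looks for first in a log like the one above (Security Center notifications turned off, the firewall disabled, a newly created service, an AutoRun handler on a removable drive) can be pulled out mechanically. This is an added example, not ComboFix's own code nor anything either poster wrote; the sample log is constructed from values quoted in the log above.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for the
weakened-security indicators seen in this thread. Added example; the
sample is constructed from the values quoted in the log above."""
import re

# Constructed sample in the shape ComboFix prints (values taken from the thread).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
*Newly Created Service* - TDSSSERV.SYS
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")                 # [HKLM\...] section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')       # "Name"=data
NEW_SERVICE_RE = re.compile(r"^\*Newly Created Service\*\s*-\s*(\S+)")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(.+)$")

def parse_loading_points(text):
    """Return (values, new_services, autoruns): values are (key, name, data)
    with the key lower-cased; autoruns are (mountpoints2 key, command)."""
    values, new_services, autoruns = [], [], []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group(1).lower()
        elif m := NEW_SERVICE_RE.match(line):
            new_services.append(m.group(1))
        elif (m := AUTORUN_RE.match(line)) and key:
            autoruns.append((key, m.group(1)))
        elif (m := VALUE_RE.match(line)) and key:
            values.append((key, m.group(1), m.group(2).strip().strip('"')))
    return values, new_services, autoruns

def is_zero(data):
    """ComboFix prints DWORDs as 'dword:00000001' or '0 (0x0)'; handle both."""
    d = data.lower()
    if d.startswith("dword:"):
        return int(d[6:], 16) == 0
    return bool(d) and d.split()[0] == "0"

def triage(text):
    """Return [(severity, finding)] for settings malware commonly weakens."""
    values, new_services, autoruns = parse_loading_points(text)
    findings = []
    for key, name, data in values:
        n = name.lower()
        if key.endswith("\\security center") and n == "antivirusdisablenotify" and not is_zero(data):
            findings.append(("HIGH", "Security Center antivirus alerts suppressed (AntiVirusDisableNotify=1)"))
        elif "firewallpolicy\\standardprofile" in key and n == "enablefirewall" and is_zero(data):
            findings.append(("HIGH", "Windows Firewall disabled for the standard profile"))
        elif n == "imagepath" and "\\services\\" in key:
            svc = key.rsplit("\\", 1)[-1]
            findings.append(("INFO", f"Service {svc} loads driver {data}"))
    for svc in new_services:
        findings.append(("HIGH", f"Newly created service: {svc}"))
    for key, cmd in autoruns:
        drive = key.rsplit("\\", 1)[-1].upper()
        findings.append(("MEDIUM", f"AutoRun handler registered for drive {drive}: {cmd}"))
    return findings

if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_LOG):
        print(f"[{severity}] {finding}")
```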
Old 12-29-2008, 11:49 AM   #18
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, padrick. Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please see if gmer will run and attach its log to your next reply. Thanks.

------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 11. The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
  • Click Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and Save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start(or My Computer) > Control Panel and double-click on Add or Remove Programs and remove all older versions of Java.
  • Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java(TM) SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
  • After the install is complete, go back to your Control Panel (using Classic View) and click the Java icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
    • Delete jre-6u11-windows-i586-p.exe from your desktop.
------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Ensure your external and/or USB drives are inserted during the scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

attached gmer log
Kaspersky report
report on system behavior
chemist is offline  
Old 12-29-2008, 03:50 PM   #19
Guest
 
Join Date: Dec 2008
Posts: 11
OS:



Hey chemist, thanks for the help. Appreciate it.

You asked how the PC is Running?
It is running great. It boots quickly, loads Windows fast, opens programs quickly. Seems like a fast machine for its age. THANK YOU.

I followed the above instructions and uninstalled Java, Installed new java, cleared cache. All went well.

Then went to Kaspersky Online Scanner, the Accept button would not highlight. It stated I had to load a new Java. So I installed the new Java and the Accept button still would not highlight. I turned off my virus scan like they asked me to.

Then when I tried to go back to Kaspersky Online Scanner, the browser would not load and said done.

I went to Java and checked the version and it was one of the ones listed as the one to delete. So I disconnected from the internet and then I re-followed the above instructions and uninstalled Java, installed new Java, cleared cache. All went well.

Now I am ready to go back to Kaspersky Online Scanner, but want to ask you what I have to do to get the Accept button to turn on. Do I DL their Java version?

Thanks again.

-p
padrick is offline  
Old 12-29-2008, 05:56 PM   #20
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello padrick.

See if this helps >> https://smg.photobucket.com/albums/v6...y_Java-err.gif
chemist is offline  