Tech Support Forum
Status: Not open for further replies.

#1 · Discussion Starter · Registered · 2 Posts
I found a virus on my laptop after allowing my wife and children to use it. I ran a scan (Norton) and Spy Sweeper (Webroot Spy Sweeper), and it found the virus and trojan horses and supposedly removed it, but it's still showing up. Please help me remove this virus so I can get back to work, as I work from home. Thanks in advance.

Here are the contents of the DDS.txt file.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Michael at 18:01:08.34 on Sun 05/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1433 [GMT -4:00]

FW: ZoneAlarm Firewall *disabled*

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\NavNT\rtvscan.exe
D:\oracle\ora92\bin\agntsrvc.exe
D:\oracle\ora92\BIN\TNSLSNR.exe
D:\oracle\ora92\bin\dbsnmp.exe
d:\oracle\ora92\bin\ORACLE.EXE
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe
C:\Documents and Settings\Michael\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Plugin Class: {56cd20f0-7c09-11d5-a768-0050042307ce} - c:\playerie\playerIE.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Dell QuickSet] "c:\program files\dell\quickset\quickset.exe"
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [Document Manager] "c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe"
mRun: [SecureUpgrade] "c:\program files\wave systems corp\SecureUpgrade.exe"
mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"
mRun: [SigmatelSysTrayApp] "stsystra.exe"
mRun: [Broadcom Wireless Manager UI] "c:\windows\system32\WLTRAY.exe"
mRun: [<NO NAME>]
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [vptray] "c:\program files\navnt\vptray.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235342277564
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\controls\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\controls\SAPHTMLP.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: wxvault.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
LSA: Authentication Packages = msv1_0 wvauth

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-2-25 29808]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-8-13 353680]
R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2002-6-7 17968]
R2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2002-6-3 471040]
R2 OracleOraHome92Agent;OracleOraHome92Agent;d:\oracle\ora92\bin\agntsrvc.exe [2003-2-28 28944]
R2 OracleServiceC11;OracleServiceC11;d:\oracle\ora92\bin\oracle.exe c11 --> d:\oracle\ora92\bin\ORACLE.EXE C11 [?]
R2 SAPC11_00;SAPC11_00;d:\usr\sap\c11\sys\exe\run\sapstartsrv.exe pf=d:\usr\sap\c11\sys\profile\start_dvebmgs00_systech-lap --> d:\usr\sap\c11\sys\exe\run\sapstartsrv.exe pf=d:\usr\sap\c11\sys\profile\START_DVEBMGS00_systech-lap [?]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-4 5120]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-4-2 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-4-18 1181040]
R3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\windows\system32\drivers\nwdelmdm.sys [2007-3-22 92288]
R3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\windows\system32\drivers\nwdelser.sys [2007-3-22 92288]
S2 SAPOSCOL;SAPOSCOL;d:\usr\sap\c11\sys\exe\run\saposcol.exe service --> d:\usr\sap\c11\sys\exe\run\SAPOSCOL.EXE service [?]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;d:\oracle\ora92\bin\encsvc.exe [2003-2-28 165265]
S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;d:\oracle\ora92\bin\agntsvc.exe [2003-2-28 216143]

=============== Created Last 30 ================

2009-04-29 10:30 <DIR> --d----- c:\program files\Raxco
2009-04-29 10:03 53 a------- c:\windows\Frigate3.ini
2009-04-29 10:01 <DIR> --d----- c:\program files\StartMan
2009-04-25 21:12 <DIR> --d----- c:\windows\system32\Settings
2009-04-25 14:57 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-04-25 13:34 <DIR> --d----- c:\documents and settings\michael\.housecall6.6
2009-04-18 19:35 <DIR> --d----- c:\program files\MSSOAP
2009-04-18 19:30 1,563,008 a------- c:\windows\WRSetup.dll
2009-04-18 19:30 <DIR> --d----- c:\program files\Webroot
2009-04-18 19:30 <DIR> --d----- c:\docume~1\michael\applic~1\Webroot
2009-04-18 19:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-04-08 12:11 62 a------- c:\windows\dcmvwr.INI

==================== Find3M ====================

2009-04-02 14:30 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
2009-04-02 14:30 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-04-02 14:30 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2009-04-01 14:34 231,176 a------- c:\windows\system32\PDBoot.exe
2009-03-06 10:00 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-22 18:44 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 06:01 728,576 a------- c:\windows\system32\lsasrv.dll
2009-02-09 06:01 617,984 a------- c:\windows\system32\advapi32.dll
2009-02-09 06:01 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:01 715,264 a------- c:\windows\system32\ntdll.dll
2009-02-06 06:29 2,142,720 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:22 110,592 a------- c:\windows\system32\services.exe
2009-02-06 05:54 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 05:49 2,020,864 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 16:08 55,808 a------- c:\windows\system32\secur32.dll

============= FINISH: 18:01:31.65 ===============

Premium Member · 29,790 Posts
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions, and please do no fixing on your own or run any scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------

#3 · Discussion Starter · Registered · 2 Posts
Thanks, chemist, for replying to my post. Here are the results of the combofix.exe run (i.e. combo-log.txt):

ComboFix 09-05-04.09 - Michael 05/05/2009 7:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1432 [GMT -4:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2026-08-19 21:50 . 2026-08-20 15:13 -------- d-----w C:\SAPinst ORACLE SAPINST
2026-08-19 01:43 . 2001-08-17 17:53 4992 -c--a-w c:\windows\system32\dllcache\loop.sys
2026-08-19 01:43 . 2001-08-17 17:53 4992 ----a-w c:\windows\system32\drivers\loop.sys
2026-08-18 00:59 . 2026-08-18 00:59 -------- d-----w C:\oracle
2026-08-17 15:45 . 2026-08-17 15:45 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2026-08-16 17:33 . 2026-08-16 17:33 -------- d-----w c:\documents and settings\Michael\Local Settings\Application Data\Symantec
2026-08-16 17:32 . 2006-10-25 14:05 58224 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2026-08-16 17:32 . 2006-10-25 14:05 36864 ----a-w c:\windows\system32\S32EVNT1.DLL
2026-08-16 17:32 . 2006-10-25 14:05 4032 ----a-w c:\windows\system32\SYMEVNT1.DLL
2026-08-16 17:32 . 2026-08-16 17:33 -------- d-----w c:\program files\Symantec
2026-08-16 17:32 . 2008-08-17 16:51 -------- d-----w c:\program files\Common Files\Symantec Shared
2026-08-16 17:32 . 2009-05-01 12:42 -------- d-----w c:\program files\NavNT
2026-08-16 16:43 . 2001-08-08 05:53 306688 ----a-w c:\windows\IsUninst.exe
2026-08-16 16:10 . 2026-08-16 16:22 -------- d-----w c:\windows\SxsCaPendDel
2026-08-16 05:15 . 2003-02-24 20:23 61523 ----a-w c:\windows\system32\sapmmcinf.dll
2026-08-16 05:15 . 2003-02-24 20:24 53331 ----a-w c:\windows\system32\sapmmcdb6.dll
2026-08-16 05:15 . 2003-02-24 20:23 57427 ----a-w c:\windows\system32\sapmmcada.dll
2026-08-16 02:55 . 2003-02-26 20:36 7835720 ----a-w c:\windows\system32\librfc32u.dll
2026-08-16 02:55 . 2003-02-26 20:25 106571 ----a-w c:\windows\system32\saprcex.dll
2026-08-16 02:55 . 2003-02-26 20:25 344137 ----a-w c:\windows\system32\saprc.dll
2026-08-16 02:55 . 2003-02-26 20:14 7483462 ----a-w c:\windows\system32\librfc32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 15:23 . 2009-05-01 15:17 -------- d-----w c:\program files\RegCure
2009-04-29 14:38 . 2009-04-29 14:30 -------- d-----w c:\program files\Raxco
2009-04-29 14:01 . 2009-04-29 14:01 -------- d-----w c:\program files\StartMan
2009-04-18 23:35 . 2009-04-18 23:35 -------- d-----w c:\program files\MSSOAP
2009-04-18 23:30 . 2009-04-18 23:33 34304 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-04-18 23:30 . 2009-04-18 23:30 -------- d-----w c:\program files\Webroot
2009-04-18 19:33 . 2009-04-18 23:15 834048 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-04-09 10:55 . 2009-03-04 11:54 3207487 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2009-04-06 17:32 . 2009-04-18 23:30 1563008 ----a-w c:\windows\WRSetup.dll
2009-04-02 18:30 . 2009-02-25 19:24 176752 ----a-w c:\windows\system32\drivers\ssidrv.sys
2009-04-02 18:30 . 2009-02-25 19:24 23152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2009-04-02 18:30 . 2009-02-25 19:24 29808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2009-04-01 18:34 . 2009-04-01 18:34 231176 ----a-w c:\windows\system32\PDBoot.exe
2009-03-06 14:00 . 2004-08-04 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-03-04 03:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-22 22:44 . 2008-08-14 00:45 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-02-20 18:09 . 2004-08-04 10:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:19 . 2004-08-04 10:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2004-08-04 10:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 10:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2004-08-04 10:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2004-08-04 10:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:29 . 2005-03-30 01:21 2142720 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:22 . 2004-08-04 10:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2004-08-04 10:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2005-03-30 01:01 2020864 ----a-w c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-02-01 65536]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"vptray"="c:\program files\NavNT\vptray.exe" [2002-06-03 73728]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-04-06 6345840]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\SAPinst ORACLE SAPINST\\sapinst.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2/25/2009 3:24 PM 29808]
R2 OracleOraHome92Agent;OracleOraHome92Agent;d:\oracle\ora92\bin\agntsrvc.exe [2/28/2003 10:55 AM 28944]
R2 OracleServiceC11;OracleServiceC11;d:\oracle\ora92\bin\ORACLE.EXE C11 --> d:\oracle\ora92\bin\ORACLE.EXE C11 [?]
R2 SAPC11_00;SAPC11_00;d:\usr\sap\C11\SYS\exe\run\SAPSTARTSRV.EXE pf=d:\usr\sap\C11\SYS\profile\START_DVEBMGS00_systech-lap --> d:\usr\sap\C11\SYS\exe\run\SAPSTARTSRV.EXE pf=d:\usr\sap\C11\SYS\profile\START_DVEBMGS00_systech-lap [?]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/4/2004 6:00 AM 5120]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [4/18/2009 7:36 PM 1181040]
R3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\windows\system32\drivers\nwdelmdm.sys [3/22/2007 2:12 PM 92288]
R3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\windows\system32\drivers\nwdelser.sys [3/22/2007 2:12 PM 92288]
S2 SAPOSCOL;SAPOSCOL;d:\usr\sap\C11\SYS\exe\run\SAPOSCOL.EXE service --> d:\usr\sap\C11\SYS\exe\run\SAPOSCOL.EXE service [?]
S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;d:\oracle\ora92\bin\encsvc.exe [2/28/2003 10:55 AM 165265]
S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;d:\oracle\ora92\bin\agntsvc.exe [2/28/2003 10:55 AM 216143]
.
Contents of the 'Scheduled Tasks' folder

2009-05-05 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 18:55]

2009-05-01 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 18:55]

2009-04-30 c:\windows\Tasks\wrSpySweeper_L21FEA4D798C84B398C998BBC362ADEC0.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-04-18 17:32]

2009-04-30 c:\windows\Tasks\wrSpySweeper_L21FEA4D798C84B398C998BBC362ADEC0.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-04-18 17:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 08:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome92TNSListener]
"ImagePath"="d:\oracle\ora92\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\NavLogon.dll

- - - - - - - > 'lsass.exe'(820)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\NavNT\rtvscan.exe
d:\oracle\ora92\bin\TNSLSNR.EXE
d:\oracle\ora92\bin\oracle.exe
d:\oracle\ora92\bin\dbsnmp.exe
c:\windows\system32\MSGSYS.EXE
c:\program files\Raxco\PerfectDisk10\PDAgent.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
d:\usr\sap\C11\SYS\exe\run\sapstartsrv.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-05 8:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-05 12:03

Pre-Run: 14,834,524,160 bytes free
Post-Run: 14,808,780,800 bytes free

196 --- E O F --- 2009-04-26 01:40

Premium Member · 29,790 Posts
Hello again, smittyplace. Nothing is showing in your logs. Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4):

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

Save the file as fix.reg and choose to Save as type: - All Files, then close the Notepad file.
It should look like this:


Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 13: The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
  • Click Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and Save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start(or My Computer) > Control Panel and double-click on Add or Remove Programs and remove all older versions of Java.
  • Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java(TM) SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
  • After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
    • Delete jre-6u13-windows-i586-p.exe from your desktop.
------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Ensure your external and/or USB drives are inserted during the scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior
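The one thing chemist's fix acts on is the Security Center "AntiVirusOverride" value that ComboFix listed under Reg Loading Points, alongside the disabled-firewall entries in the same log. As an added example (not part of this thread, and not DDS or ComboFix code), the Python checker below parses REGEDIT4-style lines of that kind plus the DDS "FW:" header line and flags settings that mean Security Center monitoring or the Windows Firewall has been turned off, so a reviewer does not have to eyeball a long log for them. The sample log, the product name "Example Firewall" and the value list (including FirewallOverride, which is not in this thread's logs) are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the "Reg Loading Points" block of a
# ComboFix log and the "FW:" header of a DDS log (not copied from the thread).
SAMPLE_LOG = """\
FW: Example Firewall *disabled*

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\ExampleFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Values that mean Security Center / Windows Firewall protection is off.
# "bad" is the value that disables protection, "expected" the healthy one.
WEAK_SETTINGS = {
    "AntiVirusOverride": {"bad": 1, "expected": 0},
    "FirewallOverride": {"bad": 1, "expected": 0},
    "DisableMonitoring": {"bad": 1, "expected": 0},
    "EnableFirewall": {"bad": 0, "expected": 1},
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Matches both  "Name"=dword:00000001  and  "Name"= 0 (0x0)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+))'
)
FW_RE = re.compile(r"^FW:\s*(?P<product>.+?)\s*\*disabled\*", re.IGNORECASE)


def parse_reg_values(lines: List[str]) -> List[Dict[str, object]]:
    """Walk REGEDIT4-style lines, remembering the key each value belongs to."""
    current_key = None
    out: List[Dict[str, object]] = []
    for raw in lines:
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            value = int(m.group("hex"), 16) if m.group("hex") else int(m.group("dec"))
            out.append({"key": current_key, "name": m.group("name"), "value": value})
    return out


def find_protection_overrides(text: str) -> List[str]:
    """Return one readable finding per indicator that protection is disabled."""
    lines = text.splitlines()
    findings: List[str] = []
    # The DDS header reports the firewall state directly.
    for line in lines:
        m = FW_RE.match(line.strip())
        if m:
            findings.append(f"firewall reported disabled: {m.group('product')}")
    # Registry values: flag only those set to the disabling value.
    for entry in parse_reg_values(lines):
        rule = WEAK_SETTINGS.get(str(entry["name"]))
        if rule and entry["value"] == rule["bad"]:
            findings.append(
                f'{entry["key"]}\\{entry["name"]} = {entry["value"]} '
                f'(expected {rule["expected"]})'
            )
    return findings


if __name__ == "__main__":
    for finding in find_protection_overrides(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports the disabled firewall header, AntiVirusOverride, DisableMonitoring and EnableFirewall, and stays silent on FirewallOverride because that value is at its healthy setting. The reset chemist asks for (the fix.reg above) is exactly what clears the AntiVirusOverride finding.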

Premium Member · 29,790 Posts
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------