Tech Support Forum banner
Cancel

Help! I cant use anti spyware, or visit anti virus sites.

Jump to Latest Follow
Status
Not open for further replies.
1 - 5 of 5 Posts
T

· Registered
Joined
·
3 Posts
Discussion Starter · #1 ·
My computer is working fine with one major exception - it wont allow me to run any anti spyware or antivirus. I try to run Adaware and the the program is instantly closed. I try to access a website relating to virus scanning/protection, and it closes. Pandasoft is the only thing that's worked, and that must be because its online. Here is the report it kicked out - (I installed 007spy on my own computer to better understand it).

Incident Status Location

Potentially unwanted tool:Application/007Spy Not disinfected C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\sophiel\Application Data\Mozilla\Firefox\Profiles\gud8dfes.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\sophiel\Application Data\Mozilla\Firefox\Profiles\gud8dfes.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\sophiel\Application Data\Mozilla\Firefox\Profiles\gud8dfes.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\sophiel\Application Data\Mozilla\Firefox\Profiles\gud8dfes.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\sophiel\Application Data\Mozilla\Firefox\Profiles\gud8dfes.default\cookies.txt[.overture.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\sophiel\Application Data\Mozilla\Firefox\Profiles\gud8dfes.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\sophiel\Application Data\Mozilla\Firefox\Profiles\gud8dfes.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\sophiel\Application Data\Mozilla\Firefox\Profiles\gud8dfes.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\travisk.RICHMONDCOMPANY\Application Data\Mozilla\Firefox\Profiles\ihtdbvj1.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\travisk.RICHMONDCOMPANY\Application Data\Mozilla\Firefox\Profiles\ihtdbvj1.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\travisk.RICHMONDCOMPANY\Application Data\Mozilla\Firefox\Profiles\ihtdbvj1.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\travisk.RICHMONDCOMPANY\Application Data\Mozilla\Firefox\Profiles\ihtdbvj1.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\travisk.RICHMONDCOMPANY\Application Data\Mozilla\Firefox\Profiles\ihtdbvj1.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\travisk.RICHMONDCOMPANY\Application Data\Mozilla\Firefox\Profiles\ihtdbvj1.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\travisk.RICHMONDCOMPANY\Cookies\[email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\travisk.RICHMONDCOMPANY\Cookies\[email protected][2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\travisk.RICHMONDCOMPANY\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\travisk.RICHMONDCOMPANY\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\travisk.RICHMONDCOMPANY\Cookies\[email protected][1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\travisk.RICHMONDCOMPANY\Cookies\[email protected][1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\travisk.RICHMONDCOMPANY\Cookies\[email protected][2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\travisk.RICHMONDCOMPANY\Cookies\[email protected][1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\travisk.RICHMONDCOMPANY\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/007Spy Not disinfected C:\winrisk\007ssinstall.exe
To add to this already long email, here is the DSS report as well. Any ideas?

Deckard's System Scanner v20071014.68
Run by travisk on 2007-11-08 10:39:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 91% (more than 75%).


-- HijackThis (run as travisk.exe) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:39:20, on 08/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
G:\dss.exe
G:\COMPUT~1\SPYWAR~1\travisk.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lenovo.com/us/en/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/us/en/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://richmondlondon/connectcomputer/nshelp.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RichmondandCo.local
O17 - HKLM\Software\..\Telephony: DomainName = RichmondandCo.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RichmondandCo.local
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe


-- Files created between 2007-10-08 and 2007-11-08 -----------------------------

2007-11-07 18:04:00 0 d-------- C:\WINDOWS\LastGood
2007-11-07 15:20:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2007-11-07 15:19:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-11-07 15:19:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2007-11-07 15:18:50 0 d-------- C:\Documents and Settings\Administrator\Application Data\Teleca
2007-11-07 15:18:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sony Ericsson
2007-11-07 15:12:37 0 d-------- C:\Documents and Settings\Administrator.RICHMONDCOMPANY\Application Data\Teleca
2007-11-07 15:12:31 0 d-------- C:\Documents and Settings\Administrator.RICHMONDCOMPANY\Application Data\Sony Ericsson
2007-11-07 15:05:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 14:28:03 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-18 10:44:30 0 d-------- C:\Documents and Settings\travisk.RICHMONDCOMPANY\Application Data\Help
2007-10-18 09:35:24 0 d-------- C:\EphPod
2007-10-18 09:21:21 0 d-------- C:\Program Files\EphPod
2007-10-15 16:56:38 0 d-------- C:\Program Files\Common Files\xing shared
2007-10-15 16:56:29 0 d-------- C:\Program Files\Common Files\Real
2007-10-15 16:56:28 0 d-------- C:\Program Files\Real
2007-10-15 16:56:02 0 d-------- C:\Documents and Settings\travisk.RICHMONDCOMPANY\Application Data\Real


-- Find3M Report ---------------------------------------------------------------

2007-11-08 09:12:22 0 d-------- C:\Program Files\iTunes
2007-11-08 09:08:28 0 d-------- C:\Program Files\Common Files\Teleca Shared
2007-11-08 09:08:21 0 d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2007-11-07 15:25:15 0 d-------- C:\Program Files\Multimedia Center for Think Offerings
2007-11-07 15:23:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-07 15:23:31 0 d-------- C:\Program Files\Common Files
2007-11-05 09:10:14 5427 --a------ C:\WINDOWS\system32\EGATHDRV.SYS <Not Verified; IBM Corporation; IBM eGatherer>
2007-11-02 16:58:58 0 d-------- C:\Program Files\Ivy Video Converter
2007-10-26 15:54:23 0 d-------- C:\Documents and Settings\travisk.RICHMONDCOMPANY\Application Data\Skype
2007-10-15 16:57:52 1302 --a------ C:\WINDOWS\mozver.dat
2007-10-08 10:40:02 0 d-------- C:\Program Files\Java
2007-09-20 15:53:21 0 d-------- C:\Documents and Settings\travisk.RICHMONDCOMPANY\Application Data\Teleca
2007-09-20 15:52:51 0 d-------- C:\Documents and Settings\travisk.RICHMONDCOMPANY\Application Data\Sony Ericsson
2007-09-20 15:50:07 0 d-------- C:\Program Files\Sony Ericsson


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [08/06/2005 18:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [08/06/2005 17:59]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [08/06/2005 18:03]
"Mouse Suite 98 Daemon"="ICO.EXE" [13/04/2005 21:34 C:\WINDOWS\system32\ico.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [20/05/2005 16:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [06/05/2005 22:06]
"suScheduler"="C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe" [02/08/2005 00:32]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [27/07/2004 23:50]
"ISUSScheduler"="c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [27/07/2004 23:50]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [08/09/2005 08:01]
"cssauth"="C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [03/08/2005 01:52]
"PDService.exe"="C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [07/07/2005 22:22]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 19:51]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 05:24]
"Windows LSASS Service"="C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe" [22/05/2006 11:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 00:11]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/07/2007 08:18]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/01/2007 12:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:00]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli csspwntfy




-- End of Deckard's System Scanner: finished at 2007-11-08 10:39:34 ------------
 
Pancake

· Security Team (ret.)
Joined
·
7,403 Posts
#2 ·
For the moment I can only see one Trojan to come out..


Please download Combofix from HERE or HERE

Save ComboFix to the desktop.


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Open *notepad* and copy/paste the text in the quotebox below into it:


KillAll::

File::
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
Click to expand...
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


Refering to the picture above, drag CFScript.txt into ComboFix.exe

Restart your computer.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
 
T

· Registered
Joined
·
3 Posts
Discussion Starter · #3 ·
Thanks for your response. I've done as you've suggested and the results are below. Sorry for the time delay, Im fully back with the computer now.

Results from ComboFix -

ComboFix 07-11-08.1 - travisk 2007-11-12 9:46:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.646 [GMT 0:00]
Running from: C:\Documents and Settings\travisk.RICHMONDCOMPANY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\travisk.RICHMONDCOMPANY\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.

2007-11-12 09:33 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 18:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-07 17:44 <DIR> d-------- C:\Deckard
2007-11-07 15:24 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-07 15:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-11-07 15:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Teleca
2007-11-07 15:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sony Ericsson
2007-11-07 15:12 <DIR> d-------- C:\Documents and Settings\Administrator.RICHMONDCOMPANY\Application Data\Teleca
2007-11-07 15:12 <DIR> d-------- C:\Documents and Settings\Administrator.RICHMONDCOMPANY\Application Data\Sony Ericsson
2007-11-07 15:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 14:28 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-18 09:35 <DIR> d-------- C:\EphPod
2007-10-18 09:21 <DIR> d-------- C:\Program Files\EphPod
2007-10-15 16:56 <DIR> d-------- C:\Program Files\Real
2007-10-15 16:56 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-15 16:56 <DIR> d-------- C:\Program Files\Common Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 09:11 5,427 ----a-w C:\WINDOWS\system32\EGATHDRV.SYS
2007-11-08 09:12 --------- d-----w C:\Program Files\iTunes
2007-11-08 09:08 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-11-08 09:08 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared
2007-11-07 15:25 --------- d-----w C:\Program Files\Multimedia Center for Think Offerings
2007-11-07 15:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-02 16:58 --------- d-----w C:\Program Files\Ivy Video Converter
2007-10-26 15:54 --------- d-----w C:\Documents and Settings\travisk.RICHMONDCOMPANY\Application Data\Skype
2007-10-09 10:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-08 10:40 --------- d-----w C:\Program Files\Java
2007-09-20 15:53 --------- d-----w C:\Documents and Settings\travisk.RICHMONDCOMPANY\Application Data\Teleca
2007-09-20 15:52 --------- d-----w C:\Documents and Settings\travisk.RICHMONDCOMPANY\Application Data\Sony Ericsson
2007-09-20 15:50 --------- d-----w C:\Program Files\Sony Ericsson
2007-09-20 15:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2007-09-20 15:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-09-12 12:47 --------- d-----w C:\Documents and Settings\sophiel\Application Data\Talkback
2007-08-22 13:12 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12 658,944 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12 615,424 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12 3,058,176 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-08 18:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-08 17:59]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-08 18:03]
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 21:34 C:\WINDOWS\system32\ico.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 16:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-06 22:06]
"suScheduler"="C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 00:32]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 23:50]
"ISUSScheduler"="c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 23:50]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2005-09-08 08:01]
"cssauth"="C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-08-03 01:52]
"PDService.exe"="C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-07-07 22:22]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-01-26 12:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli csspwntfy

R2 ibmfilter;ibmfilter;\??\C:\WINDOWS\system32\drivers\ibmfilter.sys
R2 PrivateDisk;PrivateDisk;\??\C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\PrivateDiskM.sys
R2 smi2;smi2;\??\C:\Program Files\SMI2\smi2.sys
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
R3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys
R3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys
R3 TPM12;NSC Integrated Trusted Platform Module 1.2;C:\WINDOWS\system32\DRIVERS\nsctpm12.sys
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 09:46:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-12 9:47:10
C:\ComboFix2.txt ... 2007-11-12 09:37
.
--- E O F ---


Results from Hijack this -

Logfile of HijackThis v1.99.1
Scan saved at 09:52, on 2007-11-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
G:\Computers and IT\Spyware killers\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lenovo.com/us/en/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/us/en/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://richmondlondon/connectcomputer/nshelp.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RichmondandCo.local
O17 - HKLM\Software\..\Telephony: DomainName = RichmondandCo.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RichmondandCo.local
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
 
T

· Registered
Joined
·
3 Posts
Discussion Starter · #4 ·
Computer now appears to be working completely normally. I can use the antivirus and malware software now. Thanks very much for your help.

Kind regards,

Travis Kononen
 
1 - 5 of 5 Posts
Status
Not open for further replies.
About this Discussion
4 Replies
2 Participants
Last post:
Pancake
Tech Support Forum
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Windows XP Support Windows 7 , Windows Vista Support Motherboards, Bios|UEFI & CPU Networking Support Laptop Support
Top