Tech Support Forum banner
Cancel

[SOLVED] Trojans, Pop ups and System update failed

Jump to Latest Follow
Status
Not open for further replies.
1 - 17 of 17 Posts
M

· Registered
Joined
·
9 Posts
Discussion Starter · #1 ·
Please help me. My son was on my mother's computer looking up video games and infested her computer with some nasty stuff. We had someone come in and clean up a lot of issues, but the occassional pop-up remained. The occassional pop-up is now back to a pop up every couple of key strokes while online and we have a yellow triangle with an ! that pops up letting us know that the microsoft needs to be updated. I followed the "first steps" and the microsoft service pack 3 failed. Her system is Windows XP, Home Edition, Version 2002, Service Pack 2, Dell Dimension DIM4600, Pentium 4 CPU 2.80GHz, 2.79 GHz, 512MB of Ram.

Also, I am using Logmein to work on her computer which you will see. If anyone can help I would be eternally greatful!


Deckard's System Scanner v20071014.68
Run by Tracy Family on 2008-05-29 12:41:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-05-29 18:41:50 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Tracy Family.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:25 PM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Tracy Family\Application Data\lmobf.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tracy Family\Local Settings\Temporary Internet Files\Content.IE5\CYJIFMK0\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Tracy Family.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Messenger\ycomp.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PeachtreePrefetcher.exe] "C:\Peachw\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Tracy Family\Application Data\lmobf.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1762485873-4128382013-2737386939-1011\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'LogMeInRemoteUser')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\pvsw\bin\w3dbsmgr.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6267 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080325-113515-138 O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
backup-20080325-113515-160 O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
backup-20080325-113515-202 O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
backup-20080325-113515-228 O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
backup-20080325-113515-251 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id==
backup-20080325-113515-280 O4 - HKCU\..\Run: [NoDNS] C:\Program Files\\NoDNS\\NoDNS.exe
backup-20080325-113515-283 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
backup-20080325-113515-435 O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
backup-20080325-113515-460 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
backup-20080325-113515-471 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index.php?tpid=10244&ttid=104
backup-20080325-113515-473 O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
backup-20080325-113515-480 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20080325-113515-488 O4 - HKLM\..\Run: [TopSearch] C:\Program Files\TopSearch\TopSearch.exe
backup-20080325-113515-492 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
backup-20080325-113515-550 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q==
backup-20080325-113515-612 O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
backup-20080325-113515-625 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
backup-20080325-113515-646 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id==
backup-20080325-113515-778 O4 - Global Startup: Digital Line Detect.lnk = ?
backup-20080325-113515-811 O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
backup-20080325-113515-918 O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
backup-20080325-113515-965 O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
backup-20080325-113516-905 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
backup-20080325-113517-201 O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
backup-20080325-113518-660 O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
backup-20080325-113519-234 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080325-113519-620 O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
backup-20080325-113519-659 O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
backup-20080325-113519-733 O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20080325-113519-883 O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
backup-20080325-113519-945 O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
backup-20080325-113519-958 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080327-114921-783 O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
backup-20080327-114922-176 O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll (file missing)
backup-20080327-114922-554 O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
backup-20080327-114922-593 O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesau.dll
backup-20080327-114922-711 O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
backup-20080327-114922-712 O2 - BHO: {ad6a3fe5-04d0-b31b-eb34-9d0bec3957b4} - {4b7593ce-b0d9-43be-b13b-0d405ef3a6da} - C:\WINDOWS\system32\vysnchbo.dll
backup-20080327-114922-763 O2 - BHO: (no name) - {F0DFC3ED-30BD-4E34-84E5-3B8DA531210A} - C:\WINDOWS\system32\khhgd.dll
backup-20080327-114922-839 O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
backup-20080327-114922-845 O4 - HKLM\..\Run: [505c1ff3] rundll32.exe "C:\WINDOWS\system32\kaardawt.dll",b
backup-20080327-114922-949 O2 - BHO: (no name) - {91223DE9-F8E6-4FFD-8889-BE6784C18696} - C:\WINDOWS\system32\efcbxvv.dll
backup-20080327-114922-978 O2 - BHO: (no name) - {FF23E19A-C34E-4126-9257-7BD018E8203D} - C:\Program Files\Windows NT\bugamu89104.dll (file missing)
backup-20080327-114928-110 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080327-114928-151 O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesau.dll
backup-20080327-114929-433 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080327-114930-743 O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
backup-20080327-114934-818 O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.30/uploader2.cab
backup-20080327-114938-885 O20 - Winlogon Notify: efcbxvv - C:\WINDOWS\SYSTEM32\efcbxvv.dll
backup-20080327-140947-162 O2 - BHO: (no name) - {91223DE9-F8E6-4FFD-8889-BE6784C18696} - C:\WINDOWS\system32\efcbxvv.dll (file missing)
backup-20080327-140948-437 O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
backup-20080327-140948-470 O2 - BHO: (no name) - {F0DFC3ED-30BD-4E34-84E5-3B8DA531210A} - C:\WINDOWS\system32\khhgd.dll (file missing)
backup-20080327-140948-650 O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
backup-20080327-140948-703 O20 - Winlogon Notify: efcbxvv - efcbxvv.dll (file missing)
backup-20080327-140948-770 O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 pcii - c:\windows\system32\drivers\pcii.sys

S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 MEMSWEEP2 - c:\windows\system32\e.tmp (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-29 and 2008-05-29 -----------------------------

2008-05-29 12:21:42 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-29 10:41:52 0 d-------- C:\Program Files\Panda Security
2008-05-29 10:11:32 0 d-------- C:\WINDOWS\LastGood
2008-05-27 17:18:19 14336 --a------ C:\Documents and Settings\Tracy Family\Application Data\lmobf.exe


-- Find3M Report ---------------------------------------------------------------

2008-05-29 12:24:13 33 --a------ C:\Documents and Settings\Tracy Family\Application Data\install.ini
2008-05-29 08:40:07 0 d-------- C:\Documents and Settings\Tracy Family\Application Data\AVG7
2008-05-29 05:29:54 0 d-------- C:\Program Files\LogMeIn
2008-04-17 18:49:10 0 d-------- C:\Program Files\Common Files\Peach
2008-04-02 17:46:52 0 d-------- C:\Documents and Settings\Tracy Family\Application Data\U3
2008-04-02 17:32:28 0 d-------- C:\Program Files\Common Files
2008-04-02 17:32:28 0 d-------- C:\Program Files\Common Files\Pervasive Software Shared
2008-03-31 17:37:22 0 d-------- C:\Documents and Settings\Tracy Family\Application Data\Intuit
2008-03-27 13:55:02 396553 --ahs---- C:\WINDOWS\system32\dghhk.ini2
2008-03-25 20:16:45 561224 --a------ C:\BAK325.reg
2008-03-19 03:47:00 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [04/06/2003 11:19 PM]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [08/13/2003 09:27 AM]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [04/11/2004 07:15 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [03/15/2004 12:04 AM]
"PeachtreePrefetcher.exe"="C:\Peachw\PeachtreePrefetcher.exe" [09/24/2007 07:44 PM]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [08/03/2007 03:09 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/15/2008 08:35 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/24/2006 02:24 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [07/16/2007 03:17 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"Microsoft Windows Adapter 5.1.3214"="C:\Documents and Settings\Tracy Family\Application Data\lmobf.exe" [05/27/2008 05:16 PM]

C:\Documents and Settings\Tracy Family\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 8:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 8:00:00 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [12/15/2005 11:40:44 AM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [12/15/2005 1:00:54 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 9:05:56 PM]
Pervasive.SQL Workgroup Engine.lnk - C:\pvsw\bin\w3dbsmgr.exe [1/6/2008 8:59:32 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/15/2007 06:46 PM 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\khhgd.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM536f2c6f]
Rundll32.exe "C:\WINDOWS\system32\ssyjicxq.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe -a

*Newly Created Service* - RKPAVPROC



-- End of Deckard's System Scanner: finished at 2008-05-29 12:47:44 ------------
 

Attachments

G

· Premium Member
Joined
·
14,317 Posts
#2 ·
Re: Trojans, Pop ups and System update failed

Welcome to TSF.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

Download OTMoveIt2 at http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code: 
C:\Documents and Settings\Tracy Family\Application Data\lmobf.exe
C:\WINDOWS\system32\dghhk.ini2
C:\BAK325.reg
C:\WINDOWS\system32\ssyjicxq.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM536f2c6f
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Windows Adapter 5.1.3214
* Return to OTMoveIt2. Right click in the Paste List of Files/Folders to Move window (under the Yellow bar) and choose Paste.
* Click the red Moveit! button.
* A log of files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
 
Save Share
M

· Registered
Joined
·
9 Posts
Discussion Starter · #3 ·
Re: Trojans, Pop ups and System update failed

I was able to do all above steps and ran combofix, see below log. I did receive a message ragarding the recovery console not being installed, all though I did it step by step above. I am also still receiving pop-ups at this time. Many thanks, sorry it took so long. I was having trouble running combofix through logmein; it kept disconnecting.

ComboFix 08-05-29.1 - Tracy Family 2008-06-02 16:23:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.185 [GMT -6:00]
Running from: C:\Documents and Settings\Tracy Family\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Buzz\Favorites\Online Security Test.url
C:\Documents and Settings\Tracy Family\Local Settings\Temporary Internet Files\CPV.stt
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
.
---- Previous Run -------
.
C:\Program Files\CPV
C:\Program Files\JavaCore
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\ssembl~1
C:\Program Files\Temporary
C:\Program Files\tsks~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\temp\tn3
C:\WINDOWS\BM536f2c6f.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\SYSTEM32\dghhk.ini
C:\WINDOWS\system32\e5
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\twadraak.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TNIDRIVER


((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.

2008-06-02 16:27 . 2008-06-02 16:27 <DIR> d-------- C:\temp\tn3
2008-05-30 09:42 . 2008-05-30 09:42 <DIR> d-------- C:\_OTMoveIt
2008-05-29 12:41 . 2008-05-29 12:41 <DIR> d-------- C:\Deckard
2008-05-29 12:21 . 2008-05-29 12:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-05-29 10:41 . 2008-05-29 10:42 <DIR> d-------- C:\Program Files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 22:27 167,976 ------w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-06-02 14:43 --------- d-----w C:\Documents and Settings\Tracy Family\Application Data\AVG7
2008-06-02 11:29 --------- d-----w C:\Program Files\LogMeIn
2008-05-31 00:19 --------- d-----w C:\Documents and Settings\Tracy Family\Application Data\U3
2008-05-17 18:56 --------- d-----w C:\Documents and Settings\Buzz\Application Data\AVG7
2008-04-18 00:49 --------- d-----w C:\Program Files\Common Files\Peach
2008-04-02 23:32 --------- d-----w C:\Program Files\Common Files\Pervasive Software Shared
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-25 17:01 6,029,648 ----a-w C:\Firefox Setup 2.0.0.12.exe
2008-03-25 16:15 582,000 ----a-w C:\MCPR.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-02 00:36 3,591,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2005-07-26 23:49 1,914 ----a-w C:\Program Files\LDS Home Information 7.0.lnk
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 15:17 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 23:19 155648]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 09:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 19:15 290816]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 00:04 122933]
"PeachtreePrefetcher.exe"="C:\Peachw\PeachtreePrefetcher.exe" [2007-09-24 19:44 32768]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 15:09 63048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:35 579584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 02:24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-27 10:20 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44 282624]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-12-15 13:00:54 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]
Pervasive.SQL Workgroup Engine.lnk - C:\pvsw\bin\w3dbsmgr.exe [2008-01-06 20:59:32 106546]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NSVI"= NSVIDEO.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LogMeIn Rescue Calling Card\\CallingCard.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\pvsw\\bin\\w3dbsmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:*:Disabled:pervasive DBEngine
"3351:TCP"= 3351:TCP:*:Disabled:pervasive DBEngine

R1 pcii;pcii;C:\WINDOWS\system32\drivers\pcii.sys [2008-03-17 14:50]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
S2 Ca536av;FashionCam Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-09-05 12:47]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\E.tmp []
S3 USBCamera;FashionCam Digital Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 16:28]
S4 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;C:\WINDOWS\system32\srvany.exe [2007-08-29 02:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 16:28:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\E.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-06-02 16:34:25 - machine was rebooted [Tracy Family]
ComboFix-quarantined-files.txt 2008-06-02 22:34:20

Pre-Run: 26,614,718,464 bytes free
Post-Run: 26,598,326,272 bytes free

172 --- E O F --- 2008-05-28 09:00:46
 
G

· Premium Member
Joined
·
14,317 Posts
#4 ·
Re: Trojans, Pop ups and System update failed

If someone in front of the computer can follow the instructions, it would be best. Otherwise, you might run into more disconnect issues.

Try to delete the following file:

C:\WINDOWS\system32\drivers\core.cache.dsk

If it's giving you problems, try to delete it from Safe Mode.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Driver::
MEMSWEEP2
File::
C:\WINDOWS\system32\drivers\core.cache.dsk
Folder::
C:\temp\tn3
Click to expand...
Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
 
Save Share
M

· Registered
Joined
·
9 Posts
Discussion Starter · #5 ·
Re: Trojans, Pop ups and System update failed

We were able to remove Core.cache.dsk in Safe mode and then followed the rest of the directions. Thanks!


ComboFix 08-05-29.1 - Tracy Family 2008-06-07 19:35:58.3 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.380 [GMT -6:00]
Running from: C:\Documents and Settings\Tracy Family\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tracy Family\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\drivers\core.cashe.dsk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2


((((((((((((((((((((((((( Files Created from 2008-05-08 to 2008-06-08 )))))))))))))))))))))))))))))))
.

2008-06-07 19:41 . 2008-06-07 19:41 <DIR> d-------- C:\temp\tn3
2008-06-07 19:40 . 2008-06-07 19:40 167,976 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-06-02 16:38 . 2008-06-02 16:38 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-30 09:42 . 2008-05-30 09:42 <DIR> d-------- C:\_OTMoveIt
2008-05-29 12:41 . 2008-05-29 12:41 <DIR> d-------- C:\Deckard
2008-05-29 12:21 . 2008-05-29 12:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-05-29 10:41 . 2008-05-29 10:42 <DIR> d-------- C:\Program Files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 14:42 --------- d-----w C:\Documents and Settings\Tracy Family\Application Data\AVG7
2008-06-07 11:29 --------- d-----w C:\Program Files\LogMeIn
2008-05-31 00:19 --------- d-----w C:\Documents and Settings\Tracy Family\Application Data\U3
2008-05-17 18:56 --------- d-----w C:\Documents and Settings\Buzz\Application Data\AVG7
2008-04-18 00:49 --------- d-----w C:\Program Files\Common Files\Peach
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-25 17:01 6,029,648 ----a-w C:\Firefox Setup 2.0.0.12.exe
2008-03-25 16:15 582,000 ----a-w C:\MCPR.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2005-07-26 23:49 1,914 ----a-w C:\Program Files\LDS Home Information 7.0.lnk
.

((((((((((((((((((((((((((((( [email protected]_16.34.05.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-02 22:27:19 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-08 01:41:03 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 15:17 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 23:19 155648]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 09:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 19:15 290816]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 00:04 122933]
"PeachtreePrefetcher.exe"="C:\Peachw\PeachtreePrefetcher.exe" [2007-09-24 19:44 32768]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 15:09 63048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:35 579584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 02:24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-27 10:20 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44 282624]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-12-15 13:00:54 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]
Pervasive.SQL Workgroup Engine.lnk - C:\pvsw\bin\w3dbsmgr.exe [2008-01-06 20:59:32 106546]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NSVI"= NSVIDEO.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LogMeIn Rescue Calling Card\\CallingCard.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\pvsw\\bin\\w3dbsmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:*:Disabled:pervasive DBEngine
"3351:TCP"= 3351:TCP:*:Disabled:pervasive DBEngine

R1 pcii;pcii;C:\WINDOWS\system32\drivers\pcii.sys [2008-03-17 14:50]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
S2 Ca536av;FashionCam Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-09-05 12:47]
S3 USBCamera;FashionCam Digital Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 16:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 19:42:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [184] 0x81EE9DA0

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-06-07 19:48:14 - machine was rebooted [Tracy Family]
ComboFix-quarantined-files.txt 2008-06-08 01:48:10
ComboFix2.txt 2008-06-02 22:34:26

Pre-Run: 27,000,852,480 bytes free
Post-Run: 26,450,120,704 bytes free

151 --- E O F --- 2008-05-28 09:00:46
 
G

· Premium Member
Joined
·
14,317 Posts
#6 ·
Re: Trojans, Pop ups and System update failed

Download Malwarebytes ' Anti-Malware at http://www.besttechie.net/tools/mbam-setup.exe or http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Try deleting these two in Safe Mode if it gives you problems removing them from Normal Mode:

C:\temp\tn3
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk

Run a new Combofix scan in Normal Mode and post the log here.
 
Save Share
M

· Registered
Joined
·
9 Posts
Discussion Starter · #7 · (Edited)
Re: Trojans, Pop ups and System update failed

MBAM Log:
Malwarebytes' Anti-Malware 1.17
Database version: 849

8:12:04 AM 6/12/2008
mbam-log-6-12-2008 (08-12-03).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 108073
Time elapsed: 30 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\DRIVERS\pcii.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\Tracy Family\Local Settings\temp\rasesnet.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tracy Family\Local Settings\temp\yazzsnet.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tracy Family\Local Settings\Temporary Internet Files\Content.IE5\9VTGEYEO\rasesnet[1].exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tracy Family\Local Settings\Temporary Internet Files\Content.IE5\CYJIFMK0\17PHolmes[1].cmt (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tracy Family\Local Settings\Temporary Internet Files\Content.IE5\OV9Y2BDA\yazzsnet[1].exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\JavaCore\UnInstall.exe.vir (Adware.Insider) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000068.exe (Adware.Insider) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\1039a\wtrdinac.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bLM\sipiroot.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\GTK\tuxderr.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\SGI\otUIDll.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk (Malware.Trace) -> Delete on reboot.
C:\Documents and Settings\Tracy Family\Local Settings\temp\snapsnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.

I will give you the combofix log in seperate reply. I received a message stating that I had 72 images in my message and could not post.

OK I tried to submit the combofix log and was told that all 72 images are found in that log and I am unable to have more then 25. Please let me know what I need to do to get you the information. Thanks!
 
tetonbob

· TSF Security Manager, Emeritus
Joined
·
51,795 Posts
#8 ·
Re: Trojans, Pop ups and System update failed

OK I tried to submit the combofix log and was told that all 72 images are found in that log and I am unable to have more then 25. Please let me know what I need to do to get you the information. Thanks!
Click to expand...
Tick "Disable Smileys in text" in the reply window.

Back to you, GK!
 
M

· Registered
Joined
·
9 Posts
Discussion Starter · #9 ·
Re: Trojans, Pop ups and System update failed

ComboFix 08-06-10.5 - Tracy Family 2008-06-12 8:34:50.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.175 [GMT -6:00]
Running from: C:\Documents and Settings\Tracy Family\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\system32\MSINET.oca

.
((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.

2008-06-12 06:39 . 2008-06-12 08:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\SGI
2008-06-12 06:39 . 2008-06-12 06:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\netrax01
2008-06-12 06:39 . 2008-06-12 08:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\GTK
2008-06-12 06:39 . 2008-06-12 08:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\bLM
2008-06-12 06:39 . 2008-06-12 08:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\1039a
2008-06-12 06:39 . 2008-06-12 06:39 <DIR> d-------- C:\temp\itmp4
2008-06-12 06:36 . 2008-06-12 06:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-12 06:36 . 2008-06-12 06:36 <DIR> d-------- C:\Documents and Settings\Tracy Family\Application Data\Malwarebytes
2008-06-12 06:36 . 2008-06-12 06:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-12 06:36 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-12 06:36 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-07 20:13 . 2008-06-07 20:13 32,768 --a------ C:\WINDOWS\SYSTEM32\netrax01\netrax011065.exe
2008-06-02 16:38 . 2008-06-02 16:38 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-30 09:42 . 2008-05-30 09:42 <DIR> d-------- C:\_OTMoveIt
2008-05-29 12:41 . 2008-05-29 12:41 <DIR> d-------- C:\Deckard
2008-05-29 12:21 . 2008-05-29 12:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-05-29 10:41 . 2008-05-29 10:42 <DIR> d-------- C:\Program Files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 14:00 --------- d-----w C:\Documents and Settings\Tracy Family\Application Data\AVG7
2008-06-12 08:32 --------- d-----w C:\Program Files\LogMeIn
2008-05-31 00:19 --------- d-----w C:\Documents and Settings\Tracy Family\Application Data\U3
2008-05-17 18:56 --------- d-----w C:\Documents and Settings\Buzz\Application Data\AVG7
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-04-24 04:16 3,591,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-04-18 00:49 --------- d-----w C:\Program Files\Common Files\Peach
2008-04-14 11:01 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 11:01 272,128 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-25 17:01 6,029,648 ----a-w C:\Firefox Setup 2.0.0.12.exe
2008-03-25 16:15 582,000 ----a-w C:\MCPR.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2005-07-26 23:49 1,914 ----a-w C:\Program Files\LDS Home Information 7.0.lnk
.

((((((((((((((((((((((((((((( [email protected]_16.34.05.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-07 04:55:40 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP2QFE\quartz.dll
+ 2008-05-07 05:12:40 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP3GDR\quartz.dll
+ 2008-05-07 05:04:15 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP3QFE\quartz.dll
+ 2007-11-30 11:18:51 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951698\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951698\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\updspapi.dll
- 2008-06-02 22:27:19 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-12 14:14:06 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\I386\bthport.sys
+ 2008-03-01 13:06:20 124,928 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
+ 2008-03-01 13:06:21 347,136 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
+ 2008-03-01 13:06:21 214,528 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
+ 2008-03-01 13:06:21 133,120 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
+ 2008-03-01 13:06:21 63,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll
+ 2008-02-29 08:55:23 70,656 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
+ 2008-03-01 13:06:21 153,088 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
+ 2008-03-01 13:06:21 230,400 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
+ 2008-02-15 05:44:25 161,792 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
+ 2008-03-01 13:06:22 383,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll
+ 2008-03-01 13:06:22 384,512 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
+ 2008-03-01 13:06:24 6,066,176 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll
+ 2008-03-01 13:06:24 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
+ 2008-03-01 13:06:25 267,776 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll
+ 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
+ 2008-02-29 08:55:46 625,664 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
+ 2008-03-01 13:06:25 27,648 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
+ 2008-03-01 13:06:26 459,264 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll
+ 2008-03-01 13:06:26 52,224 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll
+ 2008-03-02 00:36:30 3,591,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
+ 2008-03-01 13:06:28 478,208 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
+ 2008-03-01 13:06:28 193,024 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
+ 2008-03-01 13:06:29 671,232 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
+ 2008-03-01 13:06:29 102,912 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
+ 2008-03-01 13:06:29 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll
+ 2008-03-01 13:06:29 105,984 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
+ 2008-03-01 13:06:30 1,159,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
+ 2008-03-01 13:06:30 233,472 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
+ 2008-03-01 13:06:31 826,368 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
- 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\SYSTEM32\advpack.dll
+ 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\SYSTEM32\advpack.dll
- 2008-03-01 13:06:20 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
+ 2008-04-23 04:16:28 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
- 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
- 2008-03-01 13:06:21 214,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
- 2008-03-01 13:06:21 133,120 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
+ 2008-04-23 04:16:28 133,120 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
- 2008-03-01 13:06:21 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
+ 2008-04-23 04:16:28 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
- 2008-03-01 13:06:21 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
- 2008-03-01 13:06:21 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
- 2008-03-01 13:06:22 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
- 2008-03-01 13:06:22 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
- 2008-03-01 13:06:24 6,066,176 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
- 2008-03-01 13:06:24 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
+ 2008-04-23 04:16:28 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
- 2008-03-01 13:06:25 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
+ 2008-04-23 04:16:28 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
- 2008-03-01 13:06:25 27,648 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
- 2008-03-01 13:06:26 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
- 2008-03-01 13:06:26 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
- 2008-03-01 13:06:28 478,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
- 2008-03-01 13:06:28 193,024 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
+ 2008-04-23 04:16:28 193,024 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
- 2008-03-01 13:06:29 671,232 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
+ 2008-04-23 04:16:28 671,232 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
- 2008-03-01 13:06:29 102,912 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
+ 2008-04-23 04:16:28 102,912 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
- 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
- 2008-03-01 13:06:29 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
+ 2008-04-23 04:16:28 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
- 2008-03-01 13:06:30 1,159,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
- 2008-03-01 13:06:30 233,472 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
+ 2008-04-23 04:16:29 233,472 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
- 2008-03-01 13:06:31 826,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
+ 2008-04-23 04:16:29 826,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
- 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
- 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
- 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
+ 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
- 2008-03-01 13:06:21 63,488 ----a-w C:\WINDOWS\SYSTEM32\icardie.dll
+ 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\SYSTEM32\icardie.dll
- 2008-02-29 08:55:23 70,656 ----a-w C:\WINDOWS\SYSTEM32\ie4uinit.exe
+ 2008-04-22 07:39:58 70,656 ----a-w C:\WINDOWS\SYSTEM32\ie4uinit.exe
- 2008-03-01 13:06:21 153,088 ----a-w C:\WINDOWS\SYSTEM32\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 ----a-w C:\WINDOWS\SYSTEM32\ieakeng.dll
- 2008-03-01 13:06:21 230,400 ----a-w C:\WINDOWS\SYSTEM32\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 ----a-w C:\WINDOWS\SYSTEM32\ieaksie.dll
- 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\SYSTEM32\ieakui.dll
+ 2008-04-20 05:07:51 161,792 ----a-w C:\WINDOWS\SYSTEM32\ieakui.dll
- 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\SYSTEM32\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\SYSTEM32\ieapfltr.dll
- 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\SYSTEM32\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 ----a-w C:\WINDOWS\SYSTEM32\iedkcs32.dll
- 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\SYSTEM32\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\SYSTEM32\ieframe.dll
- 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\SYSTEM32\iernonce.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\SYSTEM32\iernonce.dll
- 2008-03-01 13:06:25 267,776 ----a-w C:\WINDOWS\SYSTEM32\iertutil.dll
+ 2008-04-23 04:16:28 267,776 ----a-w C:\WINDOWS\SYSTEM32\iertutil.dll
- 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
+ 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
- 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
- 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
- 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\SYSTEM32\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 ----a-w C:\WINDOWS\SYSTEM32\msfeeds.dll
- 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\SYSTEM32\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 ----a-w C:\WINDOWS\SYSTEM32\msfeedsbs.dll
- 2008-03-02 00:36:30 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
+ 2008-04-24 04:16:30 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
- 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
- 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
+ 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
- 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
+ 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
- 2008-03-01 13:06:29 102,912 ----a-w C:\WINDOWS\SYSTEM32\occache.dll
+ 2008-04-23 04:16:28 102,912 ----a-w C:\WINDOWS\SYSTEM32\occache.dll
- 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
- 2008-03-20 20:41:20 14,640 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
- 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\SYSTEM32\url.dll
+ 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\SYSTEM32\url.dll
- 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
- 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\SYSTEM32\webcheck.dll
+ 2008-04-23 04:16:29 233,472 ----a-w C:\WINDOWS\SYSTEM32\webcheck.dll
- 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
+ 2008-04-23 04:16:29 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 15:17 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 23:19 155648]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 09:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 19:15 290816]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 00:04 122933]
"PeachtreePrefetcher.exe"="C:\Peachw\PeachtreePrefetcher.exe" [2007-09-24 19:44 32768]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 15:09 63048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:35 579584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 02:24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-27 10:20 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44 282624]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-12-15 13:00:54 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]
Pervasive.SQL Workgroup Engine.lnk - C:\pvsw\bin\w3dbsmgr.exe [2008-01-06 20:59:32 106546]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NSVI"= NSVIDEO.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LogMeIn Rescue Calling Card\\CallingCard.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\pvsw\\bin\\w3dbsmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:*:Disabled:pervasive DBEngine
"3351:TCP"= 3351:TCP:*:Disabled:pervasive DBEngine

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
S1 pcii;pcii;C:\WINDOWS\system32\drivers\pcii.sys []
S2 Ca536av;FashionCam Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-09-05 12:47]
S3 USBCamera;FashionCam Digital Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 16:28]
S4 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;C:\WINDOWS\system32\srvany.exe [2007-08-29 02:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 08:37:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-12 8:39:28
ComboFix-quarantined-files.txt 2008-06-12 14:39:05
ComboFix2.txt 2008-06-08 01:48:14
ComboFix3.txt 2008-06-02 22:34:26

Pre-Run: 26,078,953,472 bytes free
Post-Run: 26,075,213,824 bytes free

305 --- E O F --- 2008-06-11 09:03:16
 
G

· Premium Member
Joined
·
14,317 Posts
#10 ·
Re: Trojans, Pop ups and System update failed

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Driver::
pcii
Folder::
C:\WINDOWS\SYSTEM32\SGI
C:\WINDOWS\SYSTEM32\netrax01
C:\WINDOWS\SYSTEM32\GTK
C:\WINDOWS\SYSTEM32\bLM
C:\WINDOWS\SYSTEM32\1039a
C:\temp\itmp4
C:\WINDOWS\SYSTEM32\netrax01\
Click to expand...
Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
 
Save Share
M

· Registered
Joined
·
9 Posts
Discussion Starter · #11 ·
Re: Trojans, Pop ups and System update failed

ComboFix 08-06-10.5 - Tracy Family 2008-06-12 8:34:50.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.175 [GMT -6:00]
Running from: C:\Documents and Settings\Tracy Family\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\system32\MSINET.oca

.
((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.

2008-06-12 06:39 . 2008-06-12 08:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\SGI
2008-06-12 06:39 . 2008-06-12 06:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\netrax01
2008-06-12 06:39 . 2008-06-12 08:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\GTK
2008-06-12 06:39 . 2008-06-12 08:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\bLM
2008-06-12 06:39 . 2008-06-12 08:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\1039a
2008-06-12 06:39 . 2008-06-12 06:39 <DIR> d-------- C:\temp\itmp4
2008-06-12 06:36 . 2008-06-12 06:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-12 06:36 . 2008-06-12 06:36 <DIR> d-------- C:\Documents and Settings\Tracy Family\Application Data\Malwarebytes
2008-06-12 06:36 . 2008-06-12 06:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-12 06:36 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-12 06:36 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-07 20:13 . 2008-06-07 20:13 32,768 --a------ C:\WINDOWS\SYSTEM32\netrax01\netrax011065.exe
2008-06-02 16:38 . 2008-06-02 16:38 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-30 09:42 . 2008-05-30 09:42 <DIR> d-------- C:\_OTMoveIt
2008-05-29 12:41 . 2008-05-29 12:41 <DIR> d-------- C:\Deckard
2008-05-29 12:21 . 2008-05-29 12:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-05-29 10:41 . 2008-05-29 10:42 <DIR> d-------- C:\Program Files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 14:00 --------- d-----w C:\Documents and Settings\Tracy Family\Application Data\AVG7
2008-06-12 08:32 --------- d-----w C:\Program Files\LogMeIn
2008-05-31 00:19 --------- d-----w C:\Documents and Settings\Tracy Family\Application Data\U3
2008-05-17 18:56 --------- d-----w C:\Documents and Settings\Buzz\Application Data\AVG7
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-04-24 04:16 3,591,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-04-18 00:49 --------- d-----w C:\Program Files\Common Files\Peach
2008-04-14 11:01 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 11:01 272,128 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-25 17:01 6,029,648 ----a-w C:\Firefox Setup 2.0.0.12.exe
2008-03-25 16:15 582,000 ----a-w C:\MCPR.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2005-07-26 23:49 1,914 ----a-w C:\Program Files\LDS Home Information 7.0.lnk
.

((((((((((((((((((((((((((((( [email protected]_16.34.05.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-07 04:55:40 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP2QFE\quartz.dll
+ 2008-05-07 05:12:40 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP3GDR\quartz.dll
+ 2008-05-07 05:04:15 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP3QFE\quartz.dll
+ 2007-11-30 11:18:51 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951698\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951698\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\updspapi.dll
- 2008-06-02 22:27:19 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-12 14:14:06 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\I386\bthport.sys
+ 2008-03-01 13:06:20 124,928 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
+ 2008-03-01 13:06:21 347,136 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
+ 2008-03-01 13:06:21 214,528 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
+ 2008-03-01 13:06:21 133,120 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
+ 2008-03-01 13:06:21 63,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll
+ 2008-02-29 08:55:23 70,656 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
+ 2008-03-01 13:06:21 153,088 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
+ 2008-03-01 13:06:21 230,400 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
+ 2008-02-15 05:44:25 161,792 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
+ 2008-03-01 13:06:22 383,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll
+ 2008-03-01 13:06:22 384,512 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
+ 2008-03-01 13:06:24 6,066,176 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll
+ 2008-03-01 13:06:24 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
+ 2008-03-01 13:06:25 267,776 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll
+ 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
+ 2008-02-29 08:55:46 625,664 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
+ 2008-03-01 13:06:25 27,648 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
+ 2008-03-01 13:06:26 459,264 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll
+ 2008-03-01 13:06:26 52,224 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll
+ 2008-03-02 00:36:30 3,591,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
+ 2008-03-01 13:06:28 478,208 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
+ 2008-03-01 13:06:28 193,024 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
+ 2008-03-01 13:06:29 671,232 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
+ 2008-03-01 13:06:29 102,912 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
+ 2008-03-01 13:06:29 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll
+ 2008-03-01 13:06:29 105,984 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
+ 2008-03-01 13:06:30 1,159,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
+ 2008-03-01 13:06:30 233,472 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
+ 2008-03-01 13:06:31 826,368 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
- 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\SYSTEM32\advpack.dll
+ 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\SYSTEM32\advpack.dll
- 2008-03-01 13:06:20 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
+ 2008-04-23 04:16:28 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
- 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
- 2008-03-01 13:06:21 214,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
- 2008-03-01 13:06:21 133,120 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
+ 2008-04-23 04:16:28 133,120 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
- 2008-03-01 13:06:21 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
+ 2008-04-23 04:16:28 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
- 2008-03-01 13:06:21 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
- 2008-03-01 13:06:21 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
- 2008-03-01 13:06:22 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
- 2008-03-01 13:06:22 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
- 2008-03-01 13:06:24 6,066,176 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
- 2008-03-01 13:06:24 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
+ 2008-04-23 04:16:28 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
- 2008-03-01 13:06:25 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
+ 2008-04-23 04:16:28 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
- 2008-03-01 13:06:25 27,648 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
- 2008-03-01 13:06:26 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
- 2008-03-01 13:06:26 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
- 2008-03-01 13:06:28 478,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
- 2008-03-01 13:06:28 193,024 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
+ 2008-04-23 04:16:28 193,024 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
- 2008-03-01 13:06:29 671,232 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
+ 2008-04-23 04:16:28 671,232 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
- 2008-03-01 13:06:29 102,912 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
+ 2008-04-23 04:16:28 102,912 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
- 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
- 2008-03-01 13:06:29 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
+ 2008-04-23 04:16:28 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
- 2008-03-01 13:06:30 1,159,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
- 2008-03-01 13:06:30 233,472 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
+ 2008-04-23 04:16:29 233,472 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
- 2008-03-01 13:06:31 826,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
+ 2008-04-23 04:16:29 826,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
- 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
- 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
- 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
+ 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
- 2008-03-01 13:06:21 63,488 ----a-w C:\WINDOWS\SYSTEM32\icardie.dll
+ 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\SYSTEM32\icardie.dll
- 2008-02-29 08:55:23 70,656 ----a-w C:\WINDOWS\SYSTEM32\ie4uinit.exe
+ 2008-04-22 07:39:58 70,656 ----a-w C:\WINDOWS\SYSTEM32\ie4uinit.exe
- 2008-03-01 13:06:21 153,088 ----a-w C:\WINDOWS\SYSTEM32\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 ----a-w C:\WINDOWS\SYSTEM32\ieakeng.dll
- 2008-03-01 13:06:21 230,400 ----a-w C:\WINDOWS\SYSTEM32\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 ----a-w C:\WINDOWS\SYSTEM32\ieaksie.dll
- 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\SYSTEM32\ieakui.dll
+ 2008-04-20 05:07:51 161,792 ----a-w C:\WINDOWS\SYSTEM32\ieakui.dll
- 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\SYSTEM32\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\SYSTEM32\ieapfltr.dll
- 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\SYSTEM32\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 ----a-w C:\WINDOWS\SYSTEM32\iedkcs32.dll
- 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\SYSTEM32\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\SYSTEM32\ieframe.dll
- 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\SYSTEM32\iernonce.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\SYSTEM32\iernonce.dll
- 2008-03-01 13:06:25 267,776 ----a-w C:\WINDOWS\SYSTEM32\iertutil.dll
+ 2008-04-23 04:16:28 267,776 ----a-w C:\WINDOWS\SYSTEM32\iertutil.dll
- 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
+ 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
- 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
- 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
- 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\SYSTEM32\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 ----a-w C:\WINDOWS\SYSTEM32\msfeeds.dll
- 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\SYSTEM32\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 ----a-w C:\WINDOWS\SYSTEM32\msfeedsbs.dll
- 2008-03-02 00:36:30 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
+ 2008-04-24 04:16:30 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
- 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
- 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
+ 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
- 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
+ 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
- 2008-03-01 13:06:29 102,912 ----a-w C:\WINDOWS\SYSTEM32\occache.dll
+ 2008-04-23 04:16:28 102,912 ----a-w C:\WINDOWS\SYSTEM32\occache.dll
- 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
- 2008-03-20 20:41:20 14,640 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
- 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\SYSTEM32\url.dll
+ 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\SYSTEM32\url.dll
- 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
- 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\SYSTEM32\webcheck.dll
+ 2008-04-23 04:16:29 233,472 ----a-w C:\WINDOWS\SYSTEM32\webcheck.dll
- 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
+ 2008-04-23 04:16:29 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 15:17 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 23:19 155648]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 09:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 19:15 290816]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 00:04 122933]
"PeachtreePrefetcher.exe"="C:\Peachw\PeachtreePrefetcher.exe" [2007-09-24 19:44 32768]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 15:09 63048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:35 579584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 02:24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-27 10:20 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44 282624]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-12-15 13:00:54 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]
Pervasive.SQL Workgroup Engine.lnk - C:\pvsw\bin\w3dbsmgr.exe [2008-01-06 20:59:32 106546]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NSVI"= NSVIDEO.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LogMeIn Rescue Calling Card\\CallingCard.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\pvsw\\bin\\w3dbsmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:*:Disabled:pervasive DBEngine
"3351:TCP"= 3351:TCP:*:Disabled:pervasive DBEngine

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
S1 pcii;pcii;C:\WINDOWS\system32\drivers\pcii.sys []
S2 Ca536av;FashionCam Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-09-05 12:47]
S3 USBCamera;FashionCam Digital Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 16:28]
S4 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;C:\WINDOWS\system32\srvany.exe [2007-08-29 02:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 08:37:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-12 8:39:28
ComboFix-quarantined-files.txt 2008-06-12 14:39:05
ComboFix2.txt 2008-06-08 01:48:14
ComboFix3.txt 2008-06-02 22:34:26

Pre-Run: 26,078,953,472 bytes free
Post-Run: 26,075,213,824 bytes free

305 --- E O F --- 2008-06-11 09:03:16
 
G

· Premium Member
Joined
·
14,317 Posts
#12 ·
Re: Trojans, Pop ups and System update failed

Please follow my previous instructions on how to run CFScript.txt again. I want you to create that notepad file and drag/drop it into Combofix. Do NOT double-click on Combofix for this particular fix.
 
Save Share
M

· Registered
Joined
·
9 Posts
Discussion Starter · #13 ·
Re: Trojans, Pop ups and System update failed

Ok, I did it again. I created CFScript.txt on my desktop. I then dragged and dropped into the combofix.exe also on the desktop. I did not run it at this time.
 
G

· Premium Member
Joined
·
14,317 Posts
#14 ·
Re: Trojans, Pop ups and System update failed

Combofix didn't run automatically? Download Combofix again but rename it first to CFmustangdebbie.exe before saving it to your desktop. Try dragging and dropping the CFScript into that file now.
 
Save Share
M

· Registered
Joined
·
9 Posts
Discussion Starter · #15 ·
Re: Trojans, Pop ups and System update failed

Ok I downloaded Combo fix again and named it as above. I dragged and dropped CFScript into it and then had a prompt to run. I ran combofix and this is it's log. At this point I would also like to say that all signs of pop-ups are gone from the computer.


ComboFix 08-06-15.4 - Tracy Family 2008-06-16 15:33:06.6 - NTFSx86
Running from: C:\Documents and Settings\Tracy Family\Desktop\CFmustangdebbie.exe
Command switches used :: C:\Documents and Settings\Tracy Family\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-15 10:33 . 2008-06-15 10:33 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-12 06:36 . 2008-06-12 06:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-12 06:36 . 2008-06-12 06:36 <DIR> d-------- C:\Documents and Settings\Tracy Family\Application Data\Malwarebytes
2008-06-12 06:36 . 2008-06-12 06:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-12 06:36 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-12 06:36 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-02 16:38 . 2008-06-02 16:38 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-30 09:42 . 2008-05-30 09:42 <DIR> d-------- C:\_OTMoveIt
2008-05-29 12:41 . 2008-05-29 12:41 <DIR> d-------- C:\Deckard
2008-05-29 12:21 . 2008-05-29 12:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-05-29 10:41 . 2008-05-29 10:42 <DIR> d-------- C:\Program Files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 14:44 --------- d-----w C:\Documents and Settings\Tracy Family\Application Data\AVG7
2008-06-16 11:30 --------- d-----w C:\Program Files\LogMeIn
2008-06-13 03:13 --------- d-----w C:\Program Files\Common Files\Peach
2008-05-31 00:19 --------- d-----w C:\Documents and Settings\Tracy Family\Application Data\U3
2008-05-17 18:56 --------- d-----w C:\Documents and Settings\Buzz\Application Data\AVG7
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-04-24 04:16 3,591,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-04-14 11:01 272,128 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-25 17:01 6,029,648 ----a-w C:\Firefox Setup 2.0.0.12.exe
2008-03-25 16:15 582,000 ----a-w C:\MCPR.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2005-07-26 23:49 1,914 ----a-w C:\Program Files\LDS Home Information 7.0.lnk
.

((((((((((((((((((((((((((((( snapshot_2008-06-12_ 8.38.49.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-12 14:14:06 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-13 16:43:01 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-02-28 21:30:06 71,248 ----a-w C:\WINDOWS\Downloaded Program Files\LMIProxyHelper.exe
+ 2008-05-19 20:57:06 2,774,344 ----a-w C:\WINDOWS\Downloaded Program Files\RACtrl.dll
+ 2008-02-28 21:33:50 245,408 ----a-w C:\WINDOWS\Downloaded Program Files\unicows.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 15:17 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 23:19 155648]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 09:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 19:15 290816]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 00:04 122933]
"PeachtreePrefetcher.exe"="C:\Peachw\PeachtreePrefetcher.exe" [2007-09-24 19:44 32768]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 15:09 63048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:35 579584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 02:24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-27 10:20 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44 282624]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-12-15 13:00:54 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]
Pervasive.SQL Workgroup Engine.lnk - C:\pvsw\bin\w3dbsmgr.exe [2008-01-06 20:59:32 106546]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NSVI"= NSVIDEO.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LogMeIn Rescue Calling Card\\CallingCard.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\pvsw\\bin\\w3dbsmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:*:Disabled:pervasive DBEngine
"3351:TCP"= 3351:TCP:*:Disabled:pervasive DBEngine

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
S2 Ca536av;FashionCam Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-09-05 12:47]
S3 USBCamera;FashionCam Digital Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 16:28]
S4 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;C:\WINDOWS\system32\srvany.exe [2007-08-29 02:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 15:35:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-16 15:38:04
ComboFix-quarantined-files.txt 2008-06-16 21:37:44
ComboFix2.txt 2008-06-13 16:50:05
ComboFix3.txt 2008-06-12 14:39:29
ComboFix4.txt 2008-06-08 01:48:14
ComboFix5.txt 2008-06-02 22:34:26

Pre-Run: 25,874,804,736 bytes free
Post-Run: 25,874,223,104 bytes free

145 --- E O F --- 2008-06-11 09:03:16
 
G

· Premium Member
Joined
·
14,317 Posts
#16 ·
Re: Trojans, Pop ups and System update failed

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
 
Save Share
M

· Registered
Joined
·
9 Posts
Discussion Starter · #17 ·
Re: Trojans, Pop ups and System update failed

Thank you so much! You guys are truly a blessing! We will be making a donation as soon as we set up a Pay Pal account. Thank you so much for your quick responses and knowledge of computers! I am sure you will here from me again...my son has all ready attacked my computer at home. I will start a new thread and hope for the best! Again Many Thanks!
Debbie
 
1 - 17 of 17 Posts
Status
Not open for further replies.
About this Discussion
16 Replies
3 Participants
Last post:
mustangdebbie
Tech Support Forum
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Windows XP Support Windows 7 , Windows Vista Support Motherboards, Bios|UEFI & CPU Networking Support Laptop Support
Top