Cannot connect to the internet
   
29 posts in this thread.

Nick Brough
New Member
Date Joined Nov 2008
Total Posts : 13
Posted 11-30-2008 3:38 (GMT +1)
Hi,
 
My daughter's computer had a virus. I ran Spybot and installed AVG, now:-
 
1 When I try to connect to the internet I get a waiting for http:// dnspagefault.com/security flashing in the bottom left hand corner.
 
2 a system alert: trojan-spy.win32@m  click balloon to download antispyware for windows message
 
3 an unhandled exception :invalid operation would you like to download the latest version of antivirus software message.
 
My daughter is going back to uni tonight and really needs her laptop to do any work so please help, but I am not that clever so please keep any instructions !!!!! proof and I will try not to prove a better !!!!! than you expected.
 
Thanks
 
Nick

Post Edited (Touch) : 30-11-2008 16:29:31 GMT

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 14350
Posted 11-30-2008 5:27 (GMT +1)
Hello smile
 
 
Let's try this first -
 
Download Malwarebytes
 
Or here:

Save the file as setup.exe

Run the setup.exe file
When it gets to the final step of the installation it will seem like it froze....it hasn't but it will take anywhere from 15mins to an hour to get through that step so just let it do its thing.
Go into the Malware folder in through Program Files
Rename the mbam.exe or what not file to mab.exe and run it.
Do a full computer scan
Check all and remove/fix/delete them.
Post the log it produces.


NB. If you can't download it from normal mode, try doing it from safe mode with network


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

Nick Brough
New Member
Date Joined Nov 2008
Total Posts : 13
Posted 11-30-2008 7:11 (GMT +1)
Hi,

Thanks for your help this is the logfile

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2

30/11/2008 17:54:15
mbam-log-2008-11-30 (17-54-03).txt

Scan type: Quick Scan
Objects scanned: 47264
Time elapsed: 5 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 5
Registry Data Items Infected: 14
Folders Infected: 3
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d28cfe58-12a1-4bd1-8af8-a4a6e7389857} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqpiffe (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d28cfe58-12a1-4bd1-8af8-a4a6e7389857} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\z444.z444mgr (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{030a0f33-5b99-482e-83f5-2eeb8457878b} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\z444.z444mgr.1 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{257f6f44-2c64-46bb-acb4-55f9b9e0ae08} (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati hotkey poller (ati hotkey poller) (Trojan.Proxy) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ati hotkey poller (ati hotkey poller) (Trojan.Proxy) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati hotkey poller (ati hotkey poller) (Trojan.Proxy) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\advancedav (Rogue.AdvancedAntivirus) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\virustriggerbin (Rogue.VirusTrigger) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{257f6f44-2c64-46bb-acb4-55f9b9e0ae08} (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.Antivirus) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.Antivirus) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysftray2 (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\virustriggerbin (Rogue.VirusTrigger) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://windiwsfsearch.com/ie6.html) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://windiwsfsearch.com/ie6.html) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.google.com/) -> No action taken.

Folders Infected:
C:\Program Files\TinyProxy (Trojan.Proxy) -> No action taken.
C:\Program Files\AAV (Rogue.AdvancedAntivirus) -> No action taken.
C:\WINDOWS\system32\675873 (Trojan.BHO) -> No action taken.

Files Infected:
C:\WINDOWS\system32\ssqPiffe.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\675873\675873.dll (Trojan.BHO) -> No action taken.
C:\Program Files\TinyProxy\tinyproxy.exe (Trojan.Proxy) -> No action taken.
C:\Program Files\AAV\Uninstall.exe (Rogue.AdvancedAntivirus) -> No action taken.
C:\Program Files\AAV\AAV.cpl (Rogue.AdvancedAntivirus) -> No action taken.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.
C:\WINDOWS\tmark2.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\fmark2.dat (Malware.Trace) -> No action taken.
C:\Documents and Settings\Sarah Brough\My Documents\My Music\My Music.url (Trojan.Zlob) -> No action taken.
C:\Documents and Settings\Sarah Brough\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> No action taken.
C:\Documents and Settings\Sarah Brough\My Documents\My Videos\My Video.url (Trojan.Zlob) -> No action taken.
C:\Documents and Settings\Sarah Brough\My Documents\My Documents.url (Trojan.Zlob) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Antivirus Scan.url (Trojan.Zlob) -> No action taken.
C:\Documents and Settings\All Users\Desktop\Antivirus Scan.url (Rogue.Link) -> No action taken.

Nick Brough
New Member
Date Joined Nov 2008
Total Posts : 13
Posted 11-30-2008 7:45 (GMT +1)
Hi,

Removed infected files but still get this problem when trying to connect to the internet.

When I try to connect to the internet I get a waiting for http:// dnspagefault.com/security flashing in the bottom left hand corner.

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 14350
Posted 12-1-2008 10:38 (GMT +1)
Ok.
 
 
Get this version of Hijackthis from http://danborg.org/spy/hjt/alternativ.exe
 
Save it in a permanent folder of your choice, such as C:\HJT\. To create this specific folder on your hard drive: Double click the 'My Computer' icon on your desktop, then under the category hard disk drives: double click Local Disk:, then select file->New -> Folder and name it HJT
Run hijackthis.  (alternativ exe).

Choose the "Do a system scan and save a log file" option to perform your scan.
HijackThis will analyze your system, and automatically open a notepad textfile containing the HijackThis log when the scan is finished.
Open the text files containing the logs with a text editor and click Edit -> Select All, followed by Edit -> Copy.
From within the browser window and with the message body text box selected, click Edit -> Paste.
Post hijackthis log
 


Nick Brough
New Member
Date Joined Nov 2008
Total Posts : 13
Posted 12-1-2008 9:42 (GMT +1)
Hi,

Logfile as requested.

Logfile of HijackThis v1.99.1
Scan saved at 20:37:29, on 01/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\WebMediaViewer\qttask.exe
C:\Program Files\WebMediaViewer\hpmon.exe
C:\Program Files\WebMediaViewer\qttaskm.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\WebMediaViewer\hpmom.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HJT\alternativ.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: VirusTriggerBinWarningBHO Class - {096CBA44-4A4C-49f7-8903-1E75550ABCB7} - C:\Program Files\VirusTriggerBin\VirusTriggerBinWarning.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - C:\Program Files\WebMediaViewer\hpmun.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9458117B-3E11-4DA5-A170-5FF24465684B} - C:\WINDOWS\system32\fcCtSJAP.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Browser Toolbar - {2EEF94DF-75F6-42E9-B7FB-AF5A170A6E2E} - C:\Program Files\WebMediaViewer\browseul.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysberay2] C:\windows\che6.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdyyl.exe] C:\WINDOWS\system32\kdyyl.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IExplorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{339B950C-B658-499F-B92B-8BAA284718C3}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F24369A-D2D3-497F-813C-D77514AF21C9}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
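
Added example, not part of the thread and not HijackThis's own logic: a small Python triage over HijackThis-format lines, using entries copied from the log above as sample input. The three rules (a loopback `ProxyServer`, entries marked `(file missing)` or `(no file)`, and Run values whose name is a path or whose target sits directly in the Windows directory) are heuristics assumed here for illustration; a hit means "review this entry", not "malicious".

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    rule: str      # name of the heuristic that fired (names are this example's own)
    section: str   # HijackThis section code, e.g. "R1", "O2", "O4"
    detail: str    # the value that triggered the rule


# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: VirusTriggerBinWarningBHO Class - {096CBA44-4A4C-49f7-8903-1E75550ABCB7} - C:\Program Files\VirusTriggerBin\VirusTriggerBinWarning.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [sysberay2] C:\windows\che6.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdyyl.exe] C:\WINDOWS\system32\kdyyl.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "<section> - <body>", where section is a letter plus one or two digits.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<value>\S+)", re.I)
# Loopback host at the start of the value or after a scheme/protocol separator.
LOOPBACK_RE = re.compile(r"(?:^|[=;/])(?:127\.\d+\.\d+\.\d+|localhost)(?::\d+)?", re.I)
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")
# Executable sitting directly in the Windows directory, not in a subfolder.
WINDIR_ROOT_RE = re.compile(r'^"?[a-z]:\\windows\\[^\\]+\.exe\b', re.I)

ORPHAN_SECTIONS = ("O2", "O3", "O9")
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def triage(log_text: str) -> List[Finding]:
    """Return the entries a reviewer should look at first, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue  # header lines, process list, blank lines
        section, body = match["section"], match["body"]

        # Rule 1: browser proxy pointed at the local machine.
        proxy = PROXY_RE.search(body)
        if section.startswith("R") and proxy and LOOPBACK_RE.search(proxy["value"]):
            findings.append(Finding("loopback-proxy", section, proxy["value"]))

        # Rule 2: browser add-on registration whose file is gone.
        if section in ORPHAN_SECTIONS and body.endswith(ORPHAN_MARKERS):
            findings.append(Finding("orphaned-entry", section, body))

        # Rule 3: autostart values with an odd name or location.
        run = RUN_RE.search(body) if section == "O4" else None
        if run:
            if "\\" in run["name"]:
                findings.append(Finding("run-name-is-path", section, run["target"]))
            elif WINDIR_ROOT_RE.match(run["target"]):
                findings.append(Finding("run-from-windir-root", section, run["target"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section:>3}  {finding.rule:<22} {finding.detail}")
```
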

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 14350
Posted 12-2-2008 6:55 (GMT +1)
It looks like you have two antivirus programs running, it's not a good idea, they will conflict, use unnecessary resources.
 
 
Let me know which you want to keep? Then we'll remove the other


Nick Brough
New Member
Date Joined Nov 2008
Total Posts : 13
Posted 12-2-2008 1:08 (GMT +1)
Hi,

Which one would you recommend, if there is no difference then AVG.

Thanks

Nick

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 14350
Posted 12-3-2008 9:34 (GMT +1)
If it was my computer, I would keep AVG ;-)
 
Use this link to remove Norton:
 
Reboot.
 
See if you can download combofix ->
 
Please download Combofix:
 
And save to the desktop. <<<<-- Save it as warrior exe

Close all other browser windows.
 
Please connect all your external hard drives/flash drives before running Combofix
 
 
 
Important-> Temporarily disable your anti-virus, real-time protection before performing a scan. They can interfere with combofix or remove some of its embedded files which may cause "unpredictable results". 
 
Double-click on the combofix icon found on your desktop.
 
Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.  

 When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply


Nick Brough
New Member
Date Joined Nov 2008
Total Posts : 13
Posted 12-3-2008 11:22 (GMT +1)
Hi,

This is the log


ComboFix 08-12-01.03 - Sarah Brough 2008-12-03 10:07:11.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.435 [GMT 0:00]
Running from: c:\documents and settings\Sarah Brough\Desktop\warrior.exe.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Tasks\mtjefolh.job
D:\Autorun.inf
D:\resycled
d:\resycled\boot.com

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2008-12-03 09:47 . 2008-12-03 09:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-01 20:35 . 2008-12-01 20:35 <DIR> d-------- C:\HJT
2008-11-30 17:39 . 2008-11-30 17:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-30 17:39 . 2008-11-30 17:39 <DIR> d-------- c:\documents and settings\Sarah Brough\Application Data\Malwarebytes
2008-11-30 17:39 . 2008-11-30 17:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 17:39 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-30 17:39 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-29 22:15 . 2008-11-29 22:15 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-29 22:14 . 2008-11-29 22:14 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-29 22:14 . 2008-11-29 22:14 <DIR> d-------- c:\documents and settings\Sarah Brough\Application Data\AVGTOOLBAR
2008-11-29 22:14 . 2008-11-29 22:14 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-29 22:14 . 2008-11-29 22:14 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-29 22:14 . 2008-11-29 22:14 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-29 16:45 . 2008-11-29 18:08 711 --a------ c:\windows\wininit.ini
2008-11-29 02:11 . 2008-11-29 02:11 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-29 02:11 . 2008-11-29 02:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-24 18:25 . 2008-11-24 18:25 <DIR> d-------- C:\QUARANTINE
2008-11-24 18:18 . 2008-11-24 18:18 <DIR> d-------- c:\program files\Common Files\Cisco Systems
2008-11-24 18:18 . 2006-11-17 03:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll
2008-11-24 16:45 . 2008-11-24 16:45 <DIR> d-------- c:\documents and settings\Sarah Brough\Application Data\Uniblue
2008-11-24 16:42 . 2008-11-24 16:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2008-11-23 13:11 . 2008-11-23 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-11-15 18:10 . 2008-11-15 18:10 <DIR> d-------- c:\program files\AVG
2008-11-14 19:24 . 2008-11-14 19:24 <DIR> d-------- c:\windows\system32\512686
2008-11-14 19:24 . 2008-11-14 19:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-11-14 19:23 . 2008-11-14 19:23 <DIR> d-------- c:\program files\WebMediaViewer
2008-11-12 16:16 . 2008-11-12 16:16 <DIR> d-------- c:\windows\system32\367770
2008-11-12 16:16 . 2008-11-12 16:16 24,064 ---h----- c:\windows\che4.exe
2008-11-12 16:16 . 2008-11-29 14:45 1 ---h----- c:\windows\f49f4daa.dat
2008-11-12 16:16 . 2008-11-12 16:16 1 ---h----- c:\windows\bemark2.dat
2008-11-12 16:16 . 2008-11-29 14:44 1 ---h----- c:\windows\be49f4daa.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-15 17:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-10 17:05 --------- d-----w c:\program files\iTunes
2008-10-10 17:05 --------- d-----w c:\program files\iPod
2008-10-10 17:05 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-09 22:20 --------- d-----w c:\program files\Tripleplay
2008-10-03 18:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:57 1,846,016 ----a-w c:\windows\system32\dllcache\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\dllcache\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C}]
2008-12-03 10:12 32139 --a------ c:\program files\WebMediaViewer\hpmun.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-04 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-14 53248]
"PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2006-04-27 151552]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 204800]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-06-14 598016]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-29 1261336]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-17 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"QuickTime Task"="c:\program files\WebMediaViewer\qttask.exe" [2008-11-29 56127]
"VMware hptray"="c:\program files\WebMediaViewer\hpmon.exe" [2008-11-29 73844]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-03-27 45056]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-09-10 525664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= c:\progra~1\Acer\ACERAR~1\Kernel\Burner\MKDMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14350
 
Posted 12-3-2008 11:40 (GMT +1)
1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:
Copy the entire contents of the Quote Box below to Notepad.
Name the file as CFScript
and Save it on the desktop
QUOTE:
Killall::
 
Snapshot::
 
File::
c:\windows\che4.exe
c:\windows\f49f4daa.dat
c:\windows\bemark2.dat
c:\windows\be49f4daa.dat
 
Folder::
c:\program files\WebMediaViewer
 
Domains::
 
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"QuickTime Task"=-
"VMware hptray"=-

 
 
Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

Nick Brough
New Member


Date Joined Nov 2008
Total Posts : 13
 
Posted 12-3-2008 1:57 (GMT +1)
ComboFix 08-12-01.03 - Sarah Brough 2008-12-03 12:51:12.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.450 [GMT 0:00]
Running from: c:\documents and settings\Sarah Brough\Desktop\warrior.exe.exe
Command switches used :: c:\documents and settings\Sarah Brough\Desktop\CFScript.doc
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2008-12-03 09:47 . 2008-12-03 09:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-01 20:35 . 2008-12-01 20:35 <DIR> d-------- C:\HJT
2008-11-30 17:39 . 2008-11-30 17:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-30 17:39 . 2008-11-30 17:39 <DIR> d-------- c:\documents and settings\Sarah Brough\Application Data\Malwarebytes
2008-11-30 17:39 . 2008-11-30 17:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 17:39 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-30 17:39 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-29 22:15 . 2008-11-29 22:15 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-29 22:14 . 2008-11-29 22:14 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-29 22:14 . 2008-11-29 22:14 <DIR> d-------- c:\documents and settings\Sarah Brough\Application Data\AVGTOOLBAR
2008-11-29 22:14 . 2008-11-29 22:14 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-29 22:14 . 2008-11-29 22:14 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-29 22:14 . 2008-11-29 22:14 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-29 16:45 . 2008-11-29 18:08 711 --a------ c:\windows\wininit.ini
2008-11-29 02:11 . 2008-11-29 02:11 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-29 02:11 . 2008-11-29 02:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-24 18:25 . 2008-11-24 18:25 <DIR> d-------- C:\QUARANTINE
2008-11-24 18:18 . 2008-11-24 18:18 <DIR> d-------- c:\program files\Common Files\Cisco Systems
2008-11-24 18:18 . 2006-11-17 03:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll
2008-11-24 16:45 . 2008-11-24 16:45 <DIR> d-------- c:\documents and settings\Sarah Brough\Application Data\Uniblue
2008-11-24 16:42 . 2008-11-24 16:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2008-11-23 13:11 . 2008-11-23 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-11-15 18:10 . 2008-11-15 18:10 <DIR> d-------- c:\program files\AVG
2008-11-14 19:24 . 2008-11-14 19:24 <DIR> d-------- c:\windows\system32\512686
2008-11-14 19:24 . 2008-11-14 19:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-11-14 19:23 . 2008-11-14 19:23 <DIR> d-------- c:\program files\WebMediaViewer
2008-11-12 16:16 . 2008-11-12 16:16 <DIR> d-------- c:\windows\system32\367770
2008-11-12 16:16 . 2008-11-12 16:16 24,064 ---h----- c:\windows\che4.exe
2008-11-12 16:16 . 2008-11-29 14:45 1 ---h----- c:\windows\f49f4daa.dat
2008-11-12 16:16 . 2008-11-12 16:16 1 ---h----- c:\windows\bemark2.dat
2008-11-12 16:16 . 2008-11-29 14:44 1 ---h----- c:\windows\be49f4daa.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 17:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-10 17:05 --------- d-----w c:\program files\iTunes
2008-10-10 17:05 --------- d-----w c:\program files\iPod
2008-10-10 17:05 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-09 22:20 --------- d-----w c:\program files\Tripleplay
2008-10-03 18:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:57 1,846,016 ----a-w c:\windows\system32\dllcache\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\dllcache\msxml3.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-03_10.15.26.75 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-16 14:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 14:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14350
 
Posted 12-3-2008 2:13 (GMT +1)
Try again.
 
You are supposed to use Notepad, and save the file as a txt file. Not as a doc file ;-)



Nick Brough
New Member


Date Joined Nov 2008
Total Posts : 13
 
Posted 12-3-2008 7:07 (GMT +1)
Sorry, 2nd attempt

ComboFix 08-12-01.03 - Sarah Brough 2008-12-03 17:53:26.4 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.477 [GMT 0:00]
Running from: c:\documents and settings\Sarah Brough\Desktop\warrior.exe.exe
Command switches used :: F:\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\be49f4daa.dat
c:\windows\bemark2.dat
c:\windows\che4.exe
c:\windows\f49f4daa.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WebMediaViewer
c:\program files\WebMediaViewer\browseu.exe
c:\program files\WebMediaViewer\browseul.dll
c:\program files\WebMediaViewer\hpmom.exe
c:\program files\WebMediaViewer\hpmon.exe
c:\program files\WebMediaViewer\hpmun.dll
c:\program files\WebMediaViewer\hpmun.exe
c:\program files\WebMediaViewer\myd.ico
c:\program files\WebMediaViewer\mym.ico
c:\program files\WebMediaViewer\myp.ico
c:\program files\WebMediaViewer\myv.ico
c:\program files\WebMediaViewer\ot.ico
c:\program files\WebMediaViewer\qttask.exe
c:\program files\WebMediaViewer\qttaskm.exe
c:\program files\WebMediaViewer\qttasku.exe
c:\program files\WebMediaViewer\ts.ico
c:\windows\be49f4daa.dat
c:\windows\bemark2.dat
c:\windows\che4.exe
c:\windows\f49f4daa.dat

.
((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2008-12-03 09:47 . 2008-12-03 09:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-01 20:35 . 2008-12-01 20:35 <DIR> d-------- C:\HJT
2008-11-30 17:39 . 2008-11-30 17:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-30 17:39 . 2008-11-30 17:39 <DIR> d-------- c:\documents and settings\Sarah Brough\Application Data\Malwarebytes
2008-11-30 17:39 . 2008-11-30 17:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 17:39 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-30 17:39 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-29 22:15 . 2008-11-29 22:15 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-29 22:14 . 2008-11-29 22:14 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-29 22:14 . 2008-11-29 22:14 <DIR> d-------- c:\documents and settings\Sarah Brough\Application Data\AVGTOOLBAR
2008-11-29 22:14 . 2008-11-29 22:14 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-29 22:14 . 2008-11-29 22:14 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-29 22:14 . 2008-11-29 22:14 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-29 16:45 . 2008-11-29 18:08 711 --a------ c:\windows\wininit.ini
2008-11-29 02:11 . 2008-11-29 02:11 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-29 02:11 . 2008-11-29 02:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-24 18:25 . 2008-11-24 18:25 <DIR> d-------- C:\QUARANTINE
2008-11-24 18:18 . 2008-11-24 18:18 <DIR> d-------- c:\program files\Common Files\Cisco Systems
2008-11-24 18:18 . 2006-11-17 03:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll
2008-11-24 16:45 . 2008-11-24 16:45 <DIR> d-------- c:\documents and settings\Sarah Brough\Application Data\Uniblue
2008-11-24 16:42 . 2008-11-24 16:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2008-11-23 13:11 . 2008-11-23 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-11-15 18:10 . 2008-11-15 18:10 <DIR> d-------- c:\program files\AVG
2008-11-14 19:24 . 2008-11-14 19:24 <DIR> d-------- c:\windows\system32\512686
2008-11-14 19:24 . 2008-11-14 19:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-11-12 16:16 . 2008-11-12 16:16 <DIR> d-------- c:\windows\system32\367770

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 17:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-10 17:05 --------- d-----w c:\program files\iTunes
2008-10-10 17:05 --------- d-----w c:\program files\iPod
2008-10-10 17:05 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-09 22:20 --------- d-----w c:\program files\Tripleplay
2008-10-03 18:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:57 1,846,016 ----a-w c:\windows\system32\dllcache\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\dllcache\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-04 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-14 53248]
"PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2006-04-27 151552]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 204800]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-06-14 598016]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-29 1261336]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-17 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-03-27 45056]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-09-10 525664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= c:\progra~1\Acer\ACERAR~1\Kernel\Burner\MKDMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-29 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-29 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-29 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-29 76040]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys []
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b88810c4-8bca-11dd-b0e1-0016d412d3b9}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2007-08-09 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2004-08-04 05:00]

2008-12-03 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-09-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - (no file)



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 17:58:09
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\18bdb680-b161-4dcf-9407-dd7fdaf54fae.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\Ati2evxx.dll

- - - - - - - >