Don't Know the Name of the Infection, but There is Definitely a Pr, Computer running slow, freezing up, running way too many things in the |
Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Spyware, virus, trojan, fake security or privacy alerts? Read the malware cleaning guide.
Learn more about Geeks to Go by taking the tour. Spyware, virus, trojan, fake security or privacy alerts? Read the malware cleaning guide.
  |
 Apr 15 2008, 05:21 PM
Post
#1
|
|
|
Member  Posts: 19 OS: Windows XP  |
My computer has been running much slower than usual, freezing up (not just when I use the Internet, but when I am using Office, or even playing Spider Solitaire) and an awful lot of processes seem to be running in the background & I don't know which ones to stop. I've followed *all* the procedures in the Malware Cleaning Guide (i.e. You Must Read This Before Posting A Hijackthis Log). I uninstalled my old antivirus software (BitDefender) and installed AVG, but AVG said there was still another antivirus program running on the computer???? I have no idea what other antivirus program could possibly be running, since BitDefender was the most recent one I ever installed (and I un-installed it before I installed AVG). Before BitDefender I had TrendMicro PC-Cillin (~ 3 years ago) but I un-installed that before I installed BitDefender. If you can also help me figure out what phantom antivirus program I'm apparently running, and how to un-install it, I'd be very grateful. Thanks in advance for your help. Below I am attaching various reports & logs which came up during the initial Malware Cleaning. Malwarebytes' Anti-Malware Log: Malwarebytes' Anti-Malware 1.11 Database version: 622 Scan type: Quick Scan Objects scanned: 29469 Time elapsed: 12 minute(s), 40 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 7 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Super AntiSpyware Scan Log: SUPERAntiSpyware Scan Log Generated 04/13/2008 at 09:17 PM Application Version : 3.6.1000 Core Rules Database Version : 3143 Trace Rules Database Version: 1159 Scan type : Complete Scan Total Scan Time : 00:12:32 Memory items scanned : 333 Memory threats detected : 0 Registry items scanned : 5263 Registry threats detected : 0 File items scanned : 4691 File threats detected : 0 Panda Activesan Report: ;******************************************************************************* ********************************************************************************* ******************* ANALYSIS: 2008-04-14 06:07:17 PROTECTIONS: 1 MALWARE: 5 SUSPECTS: 0 ;******************************************************************************* ********************************************************************************* ******************* PROTECTIONS Description Version Active Updated ;=============================================================================== ================================================================================= =================== Bitdefender Antivirus 8.0 Yes Yes ;=============================================================================== ================================================================================= =================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;=============================================================================== ================================================================================= =================== 00032710 adware/transponder Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\abi-1 00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Heather\Cookies\heather@casalemedia[1].txt 00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Heather\Cookies\heather@tribalfusion[1].txt 00248163 Adware/TopRebates Adware No 0 Yes No C:\WINDOWS\Downloaded Program Files\MyPointsPointAlert_InstallSilent.inf 00290182 adware/outerinfo Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\oin ;=============================================================================== ================================================================================= =================== SUSPECTS Sent Location . ;=============================================================================== ================================================================================= =================== ;=============================================================================== ================================================================================= =================== VULNERABILITIES Id Severity Description . ;=============================================================================== ================================================================================= =================== ;=============================================================================== ================================================================================= =================== Hijack This Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:03:47 PM, on 4/15/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\WINDOWS\system32\CTSvcCDA.EXE C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file) O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [Aida] C:\Program Files\rdso\eetu.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Aida] C:\Program Files\rdso\eetu.exe (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: www.augusten.com O15 - Trusted Zone: www.d3football.com O15 - Trusted Zone: http://www.d3hoops.com O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintcenter.com/plugin/axvers...ntquick1611.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/...p/TLIEFlash.CAB O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE -- End of file - 7086 bytes Hijack This Uninstall List: Adobe Acrobat - Reader 6.0.2 Update Adobe Acrobat 5.0 Adobe Photoshop Album 2.0 Starter Edition Adobe Reader 6.0.1 Adobe Shockwave Player AOL Uninstaller (Choose which Products to Remove) AVG 7.5 Broadcom Management Programs Conexant D850 56K V.9x DFVc Modem Creative Jukebox Driver Creative MediaSource Creative MediaSource AudioSync Plugin Creative MediaSource NOMAD Jukebox 2/3/Zen Plugin Creative NOMAD Jukebox Zen Xtra Dell Digital Jukebox Driver Dell Driver Reset Tool Dell Support 5.0.0 (734) Google Toolbar for Internet Explorer HijackThis 2.0.2 Hotfix for Windows Internet Explorer 7 (KB947864) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB914440) Hotfix for Windows XP (KB915865) Hotfix for Windows XP (KB926239) Intel® Extreme Graphics Driver Internet Explorer Default Page J2SE Runtime Environment 5.0 Update 10 J2SE Runtime Environment 5.0 Update 11 J2SE Runtime Environment 5.0 Update 7 J2SE Runtime Environment 5.0 Update 9 Jasc Paint Shop Photo Album Jasc Paint Shop Pro 8 Dell Edition Java™ SE Runtime Environment 6 Update 1 Macromedia Flash Player 8 Malwarebytes' Anti-Malware Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office Basic Edition 2003 Microsoft User-Mode Driver Framework Feature Pack 1.0 Modem Helper Netflix Movie Viewer OIN Panda ActiveScan 2.0 RealPlayer Security Update for Step By Step Interactive Training (KB898458) Security Update for Step By Step Interactive Training (KB923723) Security Update for Windows Internet Explorer 7 (KB928090) Security Update for Windows Internet Explorer 7 (KB929969) Security Update for Windows Internet Explorer 7 (KB931768) Security Update for Windows Internet Explorer 7 (KB933566) Security Update for Windows Internet Explorer 7 (KB937143) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB939653) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 10 (KB936782) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB883939) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896422) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB896688) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899588) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB903235) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB905915) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB908531) Security Update for Windows XP (KB911280) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911567) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB912812) Security Update for Windows XP (KB912919) Security Update for Windows XP (KB913446) Security Update for Windows XP (KB913580) Security Update for Windows XP (KB914388) Security Update for Windows XP (KB914389) Security Update for Windows XP (KB916281) Security Update for Windows XP (KB917159) Security Update for Windows XP (KB917344) Security Update for Windows XP (KB917422) Security Update for Windows XP (KB917953) Security Update for Windows XP (KB918118) Security Update for Windows XP (KB918439) Security Update for Windows XP (KB918899) Security Update for Windows XP (KB919007) Security Update for Windows XP (KB920213) Security Update for Windows XP (KB920214) Security Update for Windows XP (KB920670) Security Update for Windows XP (KB920683) Security Update for Windows XP (KB920685) Security Update for Windows XP (KB921398) Security Update for Windows XP (KB921503) Security Update for Windows XP (KB921883) Security Update for Windows XP (KB922616) Security Update for Windows XP (KB922760) Security Update for Windows XP (KB922819) Security Update for Windows XP (KB923191) Security Update for Windows XP (KB923414) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB923694) Security Update for Windows XP (KB923980) Security Update for Windows XP (KB924191) Security Update for Windows XP (KB924270) Security Update for Windows XP (KB924496) Security Update for Windows XP (KB924667) Security Update for Windows XP (KB925454) Security Update for Windows XP (KB925486) Security Update for Windows XP (KB925902) Security Update for Windows XP (KB926255) Security Update for Windows XP (KB926436) Security Update for Windows XP (KB927779) Security Update for Windows XP (KB927802) Security Update for Windows XP (KB928255) Security Update for Windows XP (KB928843) Security Update for Windows XP (KB929123) Security Update for Windows XP (KB930178) Security Update for Windows XP (KB931261) Security Update for Windows XP (KB931784) Security Update for Windows XP (KB932168) Security Update for Windows XP (KB933729) Security Update for Windows XP (KB935839) Security Update for Windows XP (KB935840) Security Update for Windows XP (KB936021) Security Update for Windows XP (KB938829) Security Update for Windows XP (KB941202) Security Update for Windows XP (KB941568) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB941644) Security Update for Windows XP (KB941693) Security Update for Windows XP (KB943055) Security Update for Windows XP (KB943460) Security Update for Windows XP (KB943485) Security Update for Windows XP (KB944653) Security Update for Windows XP (KB945553) Security Update for Windows XP (KB946026) Security Update for Windows XP (KB948590) Security Update for Windows XP (KB948881) Sonic DLA Sonic RecordNow! Sonic Update Manager SUPERAntiSpyware Free Edition Update for Windows XP (KB894391) Update for Windows XP (KB896727) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB904942) Update for Windows XP (KB910437) Update for Windows XP (KB916595) Update for Windows XP (KB920872) Update for Windows XP (KB922582) Update for Windows XP (KB927891) Update for Windows XP (KB929338) Update for Windows XP (KB930916) Update for Windows XP (KB931836) Update for Windows XP (KB933360) Update for Windows XP (KB936357) Update for Windows XP (KB938828) Update for Windows XP (KB942763) Viewpoint Media Player Windows Defender Signatures Windows Installer 3.1 (KB893803) Windows Installer 3.1 (KB893803) Windows Internet Explorer 7 Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media Player 11 Windows Media Player 11 Windows XP Hotfix - KB834707 Windows XP Hotfix - KB867282 Windows XP Hotfix - KB873333 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885250 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB887742 Windows XP Hotfix - KB888113 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890047 Windows XP Hotfix - KB890175 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB890923 Windows XP Hotfix - KB891781 Windows XP Hotfix - KB893066 Windows XP Hotfix - KB893086 Windows XP Service Pack 2 |
 |
 
|
|
Apr 20 2008, 04:10 PM
Post
#2
|
|
 Malware Expert  Posts: 15,811 From: New York OS: Windows 98, XP, Vista, Mac OS X |
Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
Download SmitfraudFix at http://siri.urz.free.fr/Fix/SmitfraudFix.zip and extract the content (a folder named SmitfraudFix) to your desktop. Open the SmitfraudFix folder. Double-click on smitfraudfix.cmd and select option #1 - Search by typing 1 and press Enter. A text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply. IMPORTANT: Do NOT run option #2 or any other option until you are directed to do so! NOTE: process.exe is detected by some antivirus programs as a Risk Tool. It is not a virus. If you get this detected, ignore it. |
|
|
|
|
Apr 23 2008, 06:53 PM
Post
#3
|
|
|
Member Posts: 19 OS: Windows XP |
ComboFix Log:
ComboFix 08-04-22.5 - Heather 2008-04-23 20:34:12.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.55 [GMT -4:00] Running from: C:\Documents and Settings\Heather\Desktop\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Heather\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML . ---- Previous Run ------- . C:\Program Files\Common Files\uninstall information C:\WINDOWS\system32\drivers\fad.sys . ((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 ))))))))))))))))))))))))))))))) . 2008-04-15 19:03 . 2008-04-15 19:03 <DIR> d-------- C:\Program Files\Trend Micro 2008-04-14 20:12 . 2008-04-14 20:12 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7 2008-04-14 20:12 . 2008-04-23 08:00 <DIR> d-------- C:\Documents and Settings\Heather\Application Data\AVG7 2008-04-14 20:11 . 2008-04-14 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2008-04-14 20:11 . 2008-04-15 07:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7 2008-04-13 21:02 . 2008-04-14 19:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-04-13 21:02 . 2008-04-13 21:02 <DIR> d-------- C:\Documents and Settings\Heather\Application Data\SUPERAntiSpyware.com 2008-04-13 21:02 . 2008-04-13 21:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-04-13 21:01 . 2008-04-13 21:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-04-13 20:28 . 2008-04-13 20:28 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-04-13 20:28 . 2008-04-13 20:28 <DIR> d-------- C:\Documents and Settings\Heather\Application Data\Malwarebytes 2008-04-13 20:28 . 2008-04-13 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-04-13 20:27 . 2008-04-13 20:27 <DIR> d-------- C:\Program Files\Common Files\Download Manager . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys 2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys 2008-03-10 17:46 --------- d-----w C:\Documents and Settings\Heather\Application Data\Move Networks 2008-03-04 12:03 --------- d-----w C:\Documents and Settings\Heather\Application Data\AdobeUM 2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll 2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe 2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe 2008-02-25 17:08 --------- d-----w C:\Program Files\Java 2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe 2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll 2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll 2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll 2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll 2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll 2008-02-19 02:02 81,984 ----a-w C:\WINDOWS\SYSTEM32\bdod.bin 2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll 2005-05-07 00:08 336,896 -c--a-w C:\Documents and Settings\Heather\remote.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 21:47 68856] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-14 19:22 1481968] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04 122933] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 07:16 579584] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Aida"="C:\Program Files\rdso\eetu.exe" [ ] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-14 20:12 219136] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-14 19:22 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.MJPG"= jl_mjpg2.drv [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDefender Antiphishing Helper] C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService] C:\Program Files\Dell\Media Experience\PCMService.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2004-09-13 18:45 77824 C:\Program Files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager] --a------ 2003-08-19 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\Internet Explorer\\iexplore.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"= S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys [] S3 Otis;Audible Otis Service;C:\WINDOWS\system32\Drivers\OtisPlay.sys [2004-09-16 15:32] S3 PortRst;PortRst;C:\WINDOWS\system32\DRIVERS\PortRst.sys [2002-01-29 17:33] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bdx REG_MULTI_SZ scan . ************************************************************************** catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-23 20:38:08 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-04-23 20:41:36 ComboFix-quarantined-files.txt 2008-04-24 00:41:17 Pre-Run: 25,509,736,448 bytes free Post-Run: 25,564,712,960 bytes free 116 --- E O F --- 2008-04-09 07:25:04 Smitfraud Fix Report: SmitFraudFix v2.317 Scan done at 20:47:28.89, Wed 04/23/2008 Run from C:\Documents and Settings\Heather\Desktop\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» Process C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\WINDOWS\system32\CTSvcCDA.EXE C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\Explorer.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\cmd.exe »»»»»»»»»»»»»»»»»»»»»»»» hosts »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Heather »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Heather\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Heather\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» IEDFix !!!Attention, following keys are not inevitably infected!!! IEDFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» VACFix !!!Attention, following keys are not inevitably infected!!! VACFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» 404Fix !!!Attention, following keys are not inevitably infected!!! 404Fix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="" »»»»»»»»»»»»»»»»»»»»»»»» Winlogon !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Userinit"="C:\\WINDOWS\\system32\\userinit.exe," "System"="" »»»»»»»»»»»»»»»»»»»»»»»» Rustock »»»»»»»»»»»»»»»»»»»»»»»» DNS Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport DNS Server Search Order: 192.168.1.1 DNS Server Search Order: 192.168.1.1 HKLM\SYSTEM\CCS\Services\Tcpip\..\{8C9CDC9F-FF63-4A8D-BF41-501A7AB5A1CF}: DhcpNameServer=192.168.1.1 192.168.1.1 HKLM\SYSTEM\CS1\Services\Tcpip\..\{8C9CDC9F-FF63-4A8D-BF41-501A7AB5A1CF}: DhcpNameServer=192.168.1.1 192.168.1.1 HKLM\SYSTEM\CS2\Services\Tcpip\..\{8C9CDC9F-FF63-4A8D-BF41-501A7AB5A1CF}: DhcpNameServer=192.168.1.1 192.168.1.1 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1 HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1 »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End |
|
|
|
|
Apr 23 2008, 08:35 PM
Post
#4
|
|
|
Malware Expert Posts: 15,811 From: New York OS: Windows 98, XP, Vista, Mac OS X |
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:
QUOTE Folder:: C:\Program Files\rdso\ Registry:: [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Aida"=- Save this as CFScript.txt in the same location as the ComboFix.exe tool. Drag the CFScript.txt into ComboFix.exe Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply. Note: Do not click on combofix's window while it's running. That may cause it to stall. How is the computer running so far? What problems remain? |
|
|
|
|
Apr 27 2008, 08:12 AM
Post
#5
|
|
|
Member Posts: 19 OS: Windows XP |
Computer is running better, but still freezing up from time to time. There always seem to be more processes running (even when I'm not using it.)
Here is the log: ComboFix 08-04-22.5 - Heather 2008-04-27 9:43:47.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.98 [GMT -4:00] Running from: C:\Documents and Settings\Heather\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Heather\Desktop\CFScript.txt * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Program Files\rdso\ . ((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 ))))))))))))))))))))))))))))))) . 2008-04-23 20:47 . 2008-04-23 20:46 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe 2008-04-23 20:47 . 2008-04-23 20:46 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe 2008-04-23 20:47 . 2008-04-23 20:46 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe 2008-04-23 20:47 . 2008-04-23 20:46 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe 2008-04-23 20:47 . 2008-04-23 20:46 82,944 --a------ C:\WINDOWS\SYSTEM32\404Fix.exe 2008-04-23 20:47 . 2008-04-23 20:46 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe 2008-04-23 20:47 . 2008-04-23 20:46 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe 2008-04-23 20:47 . 2008-04-23 20:46 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe 2008-04-23 20:47 . 2008-04-23 20:47 1,514 --a------ C:\WINDOWS\SYSTEM32\tmp.reg 2008-04-15 19:03 . 2008-04-15 19:03 <DIR> d-------- C:\Program Files\Trend Micro 2008-04-14 20:12 . 2008-04-14 20:12 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7 2008-04-14 20:12 . 2008-04-27 08:00 <DIR> d-------- C:\Documents and Settings\Heather\Application Data\AVG7 2008-04-14 20:11 . 2008-04-14 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2008-04-14 20:11 . 2008-04-15 07:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7 2008-04-13 21:02 . 2008-04-14 19:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-04-13 21:02 . 2008-04-13 21:02 <DIR> d-------- C:\Documents and Settings\Heather\Application Data\SUPERAntiSpyware.com 2008-04-13 21:02 . 2008-04-13 21:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-04-13 21:01 . 2008-04-13 21:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-04-13 20:28 . 2008-04-13 20:28 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-04-13 20:28 . 2008-04-13 20:28 <DIR> d-------- C:\Documents and Settings\Heather\Application Data\Malwarebytes 2008-04-13 20:28 . 2008-04-13 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-04-13 20:27 . 2008-04-13 20:27 <DIR> d-------- C:\Program Files\Common Files\Download Manager . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-10 17:46 --------- d-----w C:\Documents and Settings\Heather\Application Data\Move Networks 2008-03-04 12:03 --------- d-----w C:\Documents and Settings\Heather\Application Data\AdobeUM 2005-05-07 00:08 336,896 -c--a-w C:\Documents and Settings\Heather\remote.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 21:47 68856] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-14 19:22 1481968] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04 122933] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 07:16 579584] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-14 20:12 219136] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-14 19:22 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.MJPG"= jl_mjpg2.drv [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDefender Antiphishing Helper] C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService] C:\Program Files\Dell\Media Experience\PCMService.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2004-09-13 18:45 77824 C:\Program Files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager] --a------ 2003-08-19 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\Internet Explorer\\iexplore.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"= S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys [] S3 Otis;Audible Otis Service;C:\WINDOWS\system32\Drivers\OtisPlay.sys [2004-09-16 15:32] S3 PortRst;PortRst;C:\WINDOWS\system32\DRIVERS\PortRst.sys [2002-01-29 17:33] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bdx REG_MULTI_SZ scan . ************************************************************************** catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-27 09:49:08 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-04-27 9:53:09 ComboFix-quarantined-files.txt 2008-04-27 13:52:57 ComboFix2.txt 2008-04-24 00:41:37 Pre-Run: 25,447,268,352 bytes free Post-Run: 25,478,033,408 bytes free 108 --- E O F --- 2008-04-09 07:25:04 |
|
|
|
|
Apr 27 2008, 08:31 AM
Post
#6
|
|
|
Malware Expert Posts: 15,811 From: New York OS: Windows 98, XP, Vista, Mac OS X |
Uninstall Viewpoint and OIN via your Add/Remove programs panel if found.
We can try disabling programs from startup to see if it helps. Post a new HijackThis log here. |
|
|
|
|
Apr 30 2008, 05:20 PM
Post
#7
|
|
|
Member Posts: 19 OS: Windows XP |
I have uninstalled Viewpoint & OIN. I ran a new Hijack This log. Here it is: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:17:48 PM, on 4/30/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\WINDOWS\system32\CTSvcCDA.EXE C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\explorer.exe C:\Program Files\internet explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file) O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: www.augusten.com O15 - Trusted Zone: www.d3football.com O15 - Trusted Zone: http://www.d3hoops.com O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintcenter.com/plugin/axvers...ntquick1611.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/...p/TLIEFlash.CAB O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - |