ATF can't get report [RESOLVED]
#1
Posted 30 January 2008 - 07:49 AM
#2
Posted 30 January 2008 - 08:08 AM
Go ahead and post a HijackThis log and do the following:
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
- Close any open browsers.
- WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
- Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
- If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.
-----------------------------------------------------------
- Double-click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
#3
Posted 30 January 2008 - 08:31 AM
Also, I'm a novice and don't know how to find out what is running on my computer or how to turn it off. I'm on a home network. I have Norton AntiVirus. I have AOL, which may be running McAfee, but I'm not sure. Plus whatever is running from the "before you send the HijackThis report" instructions.
I am currently using a laptop to communicate with you and sitting next to the infected computer, which is very slow and loaded with popups. I shut it down last night after running AVG twice and getting no report. Should I start it in safe mode or normal?
#4
Posted 30 January 2008 - 09:15 AM
#5
Posted 30 January 2008 - 09:18 AM
Let's start with this, so I can see exactly what's going on, and take it from there.
Click here to download HJTInstall.exe
- Save HJTInstall.exe to your desktop.
- Double-click on the HJTInstall.exe icon on your desktop.
- By default it will install to C:\Program Files\Trend Micro\HijackThis.
- Click on Install.
- It will create a HijackThis icon on the desktop.
- Once installed, it will launch HijackThis.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- Come back here to this thread and paste the log in your next reply.
- DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
#6
Posted 30 January 2008 - 09:42 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:23 AM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\dlcfcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\1190234924\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\FolderShare\FolderShare.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SXG Advisor - {8FC29A8D-F29D-477E-B428-0F942E23A960} - C:\WINDOWS\dpvtporfgp.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: The elfwgps - {27A4FA11-A0B1-4AB7-9A78-BD411FDEAA0D} - C:\WINDOWS\elfwgps.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1190234924\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai...ol/SymDlBrg.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: bqxomdo - {A45B4858-241E-4B3A-998C-B8F55D62CE1B} - C:\WINDOWS\bqxomdo.dll
O21 - SSODL: aswmklt - {825480E9-66A1-4F37-9EE1-6E4ED64544FD} - C:\WINDOWS\aswmklt.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: dlcf_device - - C:\WINDOWS\System32\dlcfcoms.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
--
End of file - 11594 bytes
#7
Posted 30 January 2008 - 09:52 AM
This shouldn't take but a few posts, so let's get going. You can ignore the part about disabling the AV and anti-spyware.
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
- Close any open browsers.
- WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
- Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
- If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.
-----------------------------------------------------------
- Double-click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
#8
Posted 30 January 2008 - 10:18 AM
Completed ComboFix. The screen is now white and plain instead of red with warnings. There were three shields that were supposedly links to protection sites that are now gone. Here is my ComboFix log:
ComboFix 08-01-30.6 - Drew Angus 2008-01-30 11:00:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.126 [GMT -5:00]
Running from: C:\Documents and Settings\Drew Angus\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Drew Angus\Desktop\Error Cleaner.url
C:\Documents and Settings\Drew Angus\Desktop\Privacy Protector.url
C:\Documents and Settings\Drew Angus\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Drew Angus\Favorites\Error Cleaner.url
C:\Documents and Settings\Drew Angus\Favorites\Privacy Protector.url
C:\Documents and Settings\Drew Angus\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\dat.txt
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
----- BITS: Possible infected sites -----
hxxp://softworldnetwork.com
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.
2008-01-30 10:32 . 2008-01-30 10:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 20:18 . 2008-01-29 20:18 <DIR> d--hs---- C:\found.000
2008-01-29 20:06 . 2008-01-29 20:06 <DIR> d-------- C:\Documents and Settings\Drew Angus\Application Data\Grisoft
2008-01-29 20:05 . 2008-01-29 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-29 20:05 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-24 16:12 . 2008-01-24 14:50 307,200 --a------ C:\WINDOWS\dpvtporfgp.dll
2008-01-24 16:12 . 2008-01-24 14:50 307,200 --a------ C:\WINDOWS\bqxomdo.dll
2008-01-24 16:12 . 2008-01-24 14:50 217,088 --a------ C:\WINDOWS\aswmklt.dll
2008-01-24 16:12 . 2008-01-24 14:50 172,032 --a------ C:\WINDOWS\elfwgps.dll
2008-01-24 16:12 . 2008-01-24 14:50 81,920 --a------ C:\WINDOWS\fvqkfsp.exe
2008-01-20 15:57 . 2008-01-20 16:38 <DIR> d-------- C:\Program Files\Project64 1.6
2008-01-19 21:27 . 2008-01-19 21:27 <DIR> d-------- C:\Program Files\DivX
2008-01-17 15:28 . 2006-10-04 09:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-17 15:28 . 2006-10-04 09:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-17 15:28 . 2006-10-04 09:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-01-17 15:27 . 2008-01-17 15:27 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-17 15:24 . 2008-01-17 15:24 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-17 15:24 . 2008-01-17 15:25 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-12 22:12 . 2008-01-12 22:12 <DIR> d-------- C:\Documents and Settings\Drew Angus\Application Data\dvdcss
2008-01-09 17:00 . 2008-01-09 17:00 <DIR> d-------- C:\Program Files\FolderShare
2007-12-24 21:09 . 2007-12-27 15:35 <DIR> d-------- C:\DOOMS
2007-12-23 14:42 . 2007-12-23 14:43 <DIR> d-------- C:\Program Files\iTunes
2007-12-23 14:42 . 2007-12-23 14:42 <DIR> d-------- C:\Program Files\iPod
2007-12-23 14:35 . 2007-12-23 14:35 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-14 17:48 . 2007-12-14 17:48 <DIR> d-------- C:\Program Files\BitPim
2007-12-14 17:33 . 2007-12-14 17:33 <DIR> d-------- C:\Documents and Settings\Drew Angus\.thumbnails
2007-12-14 17:30 . 2007-12-14 17:30 <DIR> d-------- C:\Program Files\GIMP-2.0
2007-12-14 17:30 . 2008-01-17 17:51 <DIR> d-------- C:\Documents and Settings\Drew Angus\.gimp-2.4
2007-12-14 16:53 . 2008-01-24 15:16 <DIR> d-------- C:\Program Files\Avanquest update
2007-12-14 16:52 . 2007-12-14 16:59 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2007-12-14 16:52 . 2007-12-14 16:52 <DIR> d-------- C:\Documents and Settings\Drew Angus\Application Data\InstallShield
2007-12-14 16:52 . 2007-12-14 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-12-14 16:36 . 2007-12-14 16:36 <DIR> d-------- C:\Program Files\WIBUKEY
2007-12-14 16:36 . 2007-12-14 16:36 <DIR> d-------- C:\Program Files\WIBU-SYSTEMS
2007-12-14 16:36 . 2001-12-27 10:59 716,800 --a------ C:\WINDOWS\system32\Wibuke32.cpl
2007-12-14 16:36 . 2001-12-27 10:59 139,264 --a------ C:\WINDOWS\system32\WkWin32.dll
2007-12-14 16:36 . 2004-03-08 10:18 77,895 --a------ C:\WINDOWS\system32\unibus_tcutil.dll
2007-12-14 16:36 . 2001-12-27 10:59 67,072 --a------ C:\WINDOWS\system32\drivers\Wibukey.sys
2007-12-14 16:36 . 2001-12-27 10:59 57,552 --a------ C:\WINDOWS\system32\WKDOS.EXE
2007-12-14 16:36 . 2001-12-27 10:59 52,736 --a------ C:\WINDOWS\system\WkWin.dll
2007-12-14 16:36 . 2004-03-01 18:53 37,760 --a------ C:\WINDOWS\system32\drivers\P2k.sys
2007-12-14 16:36 . 2001-12-27 10:59 29,696 --a------ C:\WINDOWS\system32\drivers\Wibukey2.sys
2007-12-14 16:35 . 2007-12-15 04:14 <DIR> d-------- C:\Program Files\Motorola
2007-12-14 16:25 . 2007-12-14 16:25 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-14 16:25 . 2007-12-14 16:25 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-12-14 16:24 . 2006-11-13 15:45 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-12-14 16:24 . 2006-12-14 11:27 40,832 --a------ C:\WINDOWS\system32\drivers\motodrv.sys
2007-12-14 16:24 . 2007-04-02 22:13 21,632 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-12-14 16:22 . 2007-12-14 16:22 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-07 18:36 . 2007-12-07 18:42 <DIR> d-------- C:\Program Files\Cheat Engine
2007-12-07 18:36 . 2005-09-03 23:48 1,970,176 --a------ C:\WINDOWS\system32\d3dx9.dll
2007-12-07 18:36 . 2005-09-03 23:48 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 15:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-30 00:57 --------- d-----w C:\Documents and Settings\Drew Angus\Application Data\Skype
2008-01-25 02:05 --------- d-----w C:\Documents and Settings\Drew Angus\Application Data\.purple
2008-01-25 01:11 --------- d-----w C:\Program Files\Norton Internet Security
2008-01-21 22:37 --------- d-----w C:\Documents and Settings\Drew Angus\Application Data\gtk-2.0
2008-01-13 19:45 --------- d-----w C:\Program Files\dl_Cats
2008-01-11 02:10 --------- d-----w C:\Documents and Settings\Drew Angus\Application Data\Azureus
2008-01-09 01:21 --------- d-----w C:\Program Files\Azureus
2007-12-23 19:39 --------- d-----w C:\Program Files\QuickTime
2007-12-15 08:16 --------- d-----w C:\Documents and Settings\Drew Angus\Application Data\X-Chat 2
2007-12-14 21:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-30 22:44 --------- d-----w C:\Program Files\LSoft Technologies
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-11 06:13 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-10-11 02:20 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2003-11-18 18:37 241,664 ----a-w C:\Program Files\npmusicn.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FC29A8D-F29D-477E-B428-0F942E23A960}]
2008-01-24 14:50 307200 --a------ C:\WINDOWS\dpvtporfgp.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}
{C4069E3A-68F1-403E-B40E-20066696354B}
{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}
{DE9C389F-3316-41A7-809B-AA305ED9D922}
{27A4FA11-A0B1-4AB7-9A78-BD411FDEAA0D}
[HKEY_CLASSES_ROOT\clsid\{27a4fa11-a0b1-4ab7-9a78-bd411fdeaa0d}]
[HKEY_CLASSES_ROOT\elfwgps.ToolBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{B45B9F9A-BA41-405F-B99B-3A846DB7E9BE}]
[HKEY_CLASSES_ROOT\elfwgps.ToolBar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
"FolderShare"="C:\Program Files\FolderShare\FolderShare.exe" [2005-10-30 22:12 851968]
"AOL Fast Start"="C:\Program Files\AOL 9.0\AOL.exe" [2007-04-18 01:49 50736]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19 52840]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-09-24 17:32 5033984]
"nwiz"="nwiz.exe" [2003-09-24 17:32 741376 C:\WINDOWS\system32\nwiz.exe]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2006-10-20 17:48 73728]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"HostManager"="C:\Program Files\Common Files\AOL\1190234924\ee\AOLSoftware.exe" [2006-09-25 19:52 50736]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Monitor Apache Servers.lnk - C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2007-01-09 23:20:44 41041]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bqxomdo"= {A45B4858-241E-4B3A-998C-B8F55D62CE1B} - C:\WINDOWS\bqxomdo.dll [2008-01-24 14:50 307200]
"aswmklt"= {825480E9-66A1-4F37-9EE1-6E4ED64544FD} - C:\WINDOWS\aswmklt.dll [2008-01-24 14:50 217088]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iSyncTunes]
--a------ 2006-11-01 21:08 339131 C:\Program Files\iSyncTunes\ISyncTunes.exe
R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;C:\WINDOWS\system32\DRIVERS\WMP11V27.sys [2002-07-30 16:22]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 14:05]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 11:27]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-04-02 22:13]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 12:31]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 14:05]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-19 23:05:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-19 01:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Drew Angus.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 11:05:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-30 11:07:08
ComboFix-quarantined-files.txt 2008-01-30 16:06:58
.
2008-01-18 08:01:54 --- E O F ---
#9
Posted 30 January 2008 - 11:09 AM
Open Notepad and copy/paste the text in RED below into it:
File::
C:\WINDOWS\dpvtporfgp.dll
C:\WINDOWS\bqxomdo.dll
C:\WINDOWS\aswmklt.dll
C:\WINDOWS\elfwgps.dll
C:\WINDOWS\fvqkfsp.exe
Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FC29A8D-F29D-477E-B428-0F942E23A960}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bqxomdo"=-
"aswmklt"=-
Save this as CFScript.txt, in the same location as ComboFix.exe (desktop).
Referring to the picture above, drag CFScript into ComboFix.exe.
Please post the new ComboFix log and a HijackThis log.
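A small triage script, added here as an example and not part of any post in this thread, that reproduces the selection the helper made above from the two logs: it flags O2/O3/O21 entries whose DLL sits directly in C:\WINDOWS\, notes the O24 desktop component loaded from a local file, pulls in files that ComboFix recorded as created in the same minute and folder as a flagged file (which is how fvqkfsp.exe, absent from the HijackThis log, joins the list), and drafts a CFScript in the File:: / Registry:: form shown above. The sample lines are copied from this thread; the heuristics and function names are this example's own, not HijackThis's or ComboFix's.

```python
import re

# Constructed sample input: lines copied from the HijackThis log and the
# ComboFix "Files Created" block posted earlier in this thread.
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SXG Advisor - {8FC29A8D-F29D-477E-B428-0F942E23A960} - C:\WINDOWS\dpvtporfgp.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: The elfwgps - {27A4FA11-A0B1-4AB7-9A78-BD411FDEAA0D} - C:\WINDOWS\elfwgps.dll
O21 - SSODL: bqxomdo - {A45B4858-241E-4B3A-998C-B8F55D62CE1B} - C:\WINDOWS\bqxomdo.dll
O21 - SSODL: aswmklt - {825480E9-66A1-4F37-9EE1-6E4ED64544FD} - C:\WINDOWS\aswmklt.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""
CREATED_LOG = r"""
2008-01-30 10:32 . 2008-01-30 10:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 20:05 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-24 16:12 . 2008-01-24 14:50 307,200 --a------ C:\WINDOWS\dpvtporfgp.dll
2008-01-24 16:12 . 2008-01-24 14:50 307,200 --a------ C:\WINDOWS\bqxomdo.dll
2008-01-24 16:12 . 2008-01-24 14:50 217,088 --a------ C:\WINDOWS\aswmklt.dll
2008-01-24 16:12 . 2008-01-24 14:50 172,032 --a------ C:\WINDOWS\elfwgps.dll
2008-01-24 16:12 . 2008-01-24 14:50 81,920 --a------ C:\WINDOWS\fvqkfsp.exe
2007-12-14 16:36 . 2001-12-27 10:59 716,800 --a------ C:\WINDOWS\system32\Wibuke32.cpl
"""

# "O2 - BHO: name - {CLSID} - path" (O3 Toolbar and O21 SSODL share the shape)
ENTRY_RE = re.compile(r"^(O2|O3|O21) - \w+: (.*?) - (\{[0-9A-F-]+\}) - (.*)$", re.I)
DESKTOP_RE = re.compile(r"^O24 - Desktop Component \d+: (.*?) - (\S+)$")
# ComboFix: "<created> . <modified> [<DIR>|size] <attrs> <path>"
CREATED_RE = re.compile(r"^(\S+ \S+) \. \S+ \S+\s+(?:<DIR>\s+|[\d,]+\s+)[-a-z]{9}\s+(.+)$")
WINDOWS_ROOT_RE = re.compile(r"^C:\\WINDOWS\\[^\\]+$", re.I)


def parse_hjt(text):
    """Return flagged HijackThis entries as (section, name, clsid, path) tuples."""
    flagged = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            section, name, clsid, path = m.groups()
            # Browser add-ons and shell objects normally live under Program Files
            # or system32; a DLL dropped straight into C:\WINDOWS\ is the pattern
            # the helper singled out in this thread (heuristic of this example).
            if WINDOWS_ROOT_RE.match(path):
                flagged.append((section, name, clsid, path))
            continue
        m = DESKTOP_RE.match(line)
        if m and m.group(2).lower().startswith("file:///"):
            # Active Desktop component served from a local file: the fake
            # "Privacy Protection" warning page seen on this machine.
            flagged.append(("O24", m.group(1), "", m.group(2)[len("file:///"):]))
    return flagged


def parse_created(text):
    """Map each file (not folder) in a ComboFix 'Files Created' block to its creation minute."""
    created = {}
    for line in text.splitlines():
        m = CREATED_RE.match(line)
        if m and "<DIR>" not in line:
            created[m.group(2)] = m.group(1)
    return created


def pivot_on_timestamp(files, created):
    """Files written in the same minute, into the same folder, as a flagged file."""
    extra = []
    for path in files:
        stamp = created.get(path)
        if stamp is None:
            continue
        folder = path.rsplit("\\", 1)[0].lower()
        for other, other_stamp in created.items():
            if (other_stamp == stamp and other.rsplit("\\", 1)[0].lower() == folder
                    and other not in files and other not in extra):
                extra.append(other)
    return extra


def triage(hjt_text, created_text):
    """Combine both logs into the findings the CFScript is built from."""
    entries = parse_hjt(hjt_text)
    files = [e[3] for e in entries if e[0] != "O24"]
    files += pivot_on_timestamp(files, parse_created(created_text))
    return {
        "files": files,
        "bho_clsids": [e[2] for e in entries if e[0] == "O2"],
        "ssodl_names": [e[1] for e in entries if e[0] == "O21"],
        "desktop_components": [e[3] for e in entries if e[0] == "O24"],
    }


SSODL_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]"


def build_cfscript(findings):
    """Draft the File:: / Registry:: script in the form used by the helper above."""
    lines = ["File::"] + findings["files"]
    if findings["bho_clsids"] or findings["ssodl_names"]:
        lines.append("Registry::")
        for clsid in findings["bho_clsids"]:
            lines.append(r"[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\%s]" % clsid)
        if findings["ssodl_names"]:
            lines.append(SSODL_KEY)
            lines += ['"%s"=-' % name for name in findings["ssodl_names"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(HJT_LOG, CREATED_LOG)))
```

The O24 component is reported but kept out of the script, since the first ComboFix run in this thread had already removed C:\WINDOWS\privacy_danger.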
#10
Posted 30 January 2008 - 12:07 PM
ComboFix 08-01-30.6 - Drew Angus 2008-01-30 12:57:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.76 [GMT -5:00]
Running from: C:\Documents and Settings\Drew Angus\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Drew Angus\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\aswmklt.dll
C:\WINDOWS\bqxomdo.dll
C:\WINDOWS\dpvtporfgp.dll
C:\WINDOWS\elfwgps.dll
C:\WINDOWS\fvqkfsp.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\aswmklt.dll
C:\WINDOWS\bqxomdo.dll
C:\WINDOWS\dpvtporfgp.dll
C:\WINDOWS\elfwgps.dll
C:\WINDOWS\fvqkfsp.exe
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.
2008-01-30 10:32 . 2008-01-30 10:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 20:18 . 2008-01-29 20:18 <DIR> d--hs---- C:\found.000
2008-01-29 20:06 . 2008-01-29 20:06 <DIR> d-------- C:\Documents and Settings\Drew Angus\Application Data\Grisoft
2008-01-29 20:05 . 2008-01-29 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-29 20:05 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-20 15:57 . 2008-01-20 16:38 <DIR> d-------- C:\Program Files\Project64 1.6
2008-01-19 21:27 . 2008-01-19 21:27 <DIR> d-------- C:\Program Files\DivX
2008-01-17 15:28 . 2006-10-04 09:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-17 15:28 . 2006-10-04 09:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-17 15:28 . 2006-10-04 09:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-01-17 15:27 . 2008-01-17 15:27 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-17 15:24 . 2008-01-17 15:24 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-17 15:24 . 2008-01-17 15:25 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-12 22:12 . 2008-01-12 22:12 <DIR> d-------- C:\Documents and Settings\Drew Angus\Application Data\dvdcss
2008-01-09 17:00 . 2008-01-09 17:00 <DIR> d-------- C:\Program Files\FolderShare
2007-12-24 21:09 . 2007-12-27 15:35 <DIR> d-------- C:\DOOMS
2007-12-23 14:42 . 2007-12-23 14:43 <DIR> d-------- C:\Program Files\iTunes
2007-12-23 14:42 . 2007-12-23 14:42 <DIR> d-------- C:\Program Files\iPod
2007-12-23 14:35 . 2007-12-23 14:35 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-14 17:48 . 2007-12-14 17:48 <DIR> d-------- C:\Program Files\BitPim
2007-12-14 17:33 . 2007-12-14 17:33 <DIR> d-------- C:\Documents and Settings\Drew Angus\.thumbnails
2007-12-14 17:30 . 2007-12-14 17:30 <DIR> d-------- C:\Program Files\GIMP-2.0
2007-12-14 17:30 . 2008-01-17 17:51 <DIR> d-------- C:\Documents and Settings\Drew Angus\.gimp-2.4
2007-12-14 16:53 . 2008-01-24 15:16 <DIR> d-------- C:\Program Files\Avanquest update
2007-12-14 16:52 . 2007-12-14 16:59 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2007-12-14 16:52 . 2007-12-14 16:52 <DIR> d-------- C:\Documents and Settings\Drew Angus\Application Data\InstallShield
2007-12-14 16:52 . 2007-12-14 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-12-14 16:36 . 2007-12-14 16:36 <DIR> d-------- C:\Program Files\WIBUKEY
2007-12-14 16:36 . 2007-12-14 16:36 <DIR> d-------- C:\Program Files\WIBU-SYSTEMS
2007-12-14 16:36 . 2001-12-27 10:59 716,800 --a------ C:\WINDOWS\system32\Wibuke32.cpl
2007-12-14 16:36 . 2001-12-27 10:59 139,264 --a------ C:\WINDOWS\system32\WkWin32.dll
2007-12-14 16:36 . 2004-03-08 10:18 77,895 --a------ C:\WINDOWS\system32\unibus_tcutil.dll
2007-12-14 16:36 . 2001-12-27 10:59 67,072 --a------ C:\WINDOWS\system32\drivers\Wibukey.sys
2007-12-14 16:36 . 2001-12-27 10:59 57,552 --a------ C:\WINDOWS\system32\WKDOS.EXE
2007-12-14 16:36 . 2001-12-27 10:59 52,736 --a------ C:\WINDOWS\system\WkWin.dll
2007-12-14 16:36 . 2004-03-01 18:53 37,760 --a------ C:\WINDOWS\system32\drivers\P2k.sys
2007-12-14 16:36 . 2001-12-27 10:59 29,696 --a------ C:\WINDOWS\system32\drivers\Wibukey2.sys
2007-12-14 16:35 . 2007-12-15 04:14 <DIR> d-------- C:\Program Files\Motorola
2007-12-14 16:25 . 2007-12-14 16:25 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-14 16:25 . 2007-12-14 16:25 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-12-14 16:24 . 2006-11-13 15:45 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-12-14 16:24 . 2006-12-14 11:27 40,832 --a------ C:\WINDOWS\system32\drivers\motodrv.sys
2007-12-14 16:24 . 2007-04-02 22:13 21,632 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-12-14 16:22 . 2007-12-14 16:22 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-07 18:36 . 2007-12-07 18:42 <DIR> d-------- C:\Program Files\Cheat Engine
2007-12-07 18:36 . 2005-09-03 23:48 1,970,176 --a------ C:\WINDOWS\system32\d3dx9.dll
2007-12-07 18:36 . 2005-09-03 23:48 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 15:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-30 00:57 --------- d-----w C:\Documents and Settings\Drew Angus\Application Data\Skype
2008-01-25 02:05 --------- d-----w C:\Documents and Settings\Drew Angus\Application Data\.purple
2008-01-25 01:11 --------- d-----w C:\Program Files\Norton Internet Security
2008-01-21 22:37 --------- d-----w C:\Documents and Settings\Drew Angus\Application Data\gtk-2.0
2008-01-13 19:45 --------- d-----w C:\Program Files\dl_Cats
2008-01-11 02:10 --------- d-----w C:\Documents and Settings\Drew Angus\Application Data\Azureus
2008-01-09 01:21 --------- d-----w C:\Program Files\Azureus
2007-12-23 19:39 --------- d-----w C:\Program Files\QuickTime
2007-12-15 08:16 --------- d-----w C:\Documents and Settings\Drew Angus\Application Data\X-Chat 2
2007-12-14 21:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-30 22:44 --------- d-----w C:\Program Files\LSoft Technologies
2003-11-18 18:37 241,664 ----a-w C:\Program Files\npmusicn.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
"FolderShare"="C:\Program Files\FolderShare\FolderShare.exe" [2005-10-30 22:12 851968]
"AOL Fast Start"="C:\Program Files\AOL 9.0\AOL.exe" [2007-04-18 01:49 50736]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19 52840]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-09-24 17:32 5033984]
"nwiz"="nwiz.exe" [2003-09-24 17:32 741376 C:\WINDOWS\system32\nwiz.exe]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2006-10-20 17:48 73728]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"HostManager"="C:\Program Files\Common Files\AOL\1190234924\ee\AOLSoftware.exe" [2006-09-25 19:52 50736]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Monitor Apache Servers.lnk - C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2007-01-09 23:20:44 41041]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iSyncTunes]
--a------ 2006-11-01 21:08 339131 C:\Program Files\iSyncTunes\ISyncTunes.exe
R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;C:\WINDOWS\system32\DRIVERS\WMP11V27.sys [2002-07-30 16:22]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 14:05]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 11:27]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-04-02 22:13]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 12:31]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 14:05]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-19 23:05:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-19 01:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Drew Angus.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 13:00:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-30 13:02:28
ComboFix-quarantined-files.txt 2008-01-30 18:02:19
ComboFix2.txt 2008-01-30 16:07:09
.
2008-01-18 08:01:54 --- E O F ---
Hijackthis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:19 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\dlcfcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\AOL\1190234924\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\FolderShare\FolderShare.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1190234924\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai...ol/SymDlBrg.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: dlcf_device - - C:\WINDOWS\System32\dlcfcoms.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
--
End of file - 11079 bytes
#11
Posted 30 January 2008 - 12:28 PM
Please rescan with HijackThis and place a check next to the following entries:
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
Now click "Fix Checked" and close HijackThis.
NEXT
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.
Download the file & save it as it's originally named, next to ComboFix.exe.
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.
Please do not reboot your machine until we have reviewed the log.
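The entry the helper singles out above is an Active Desktop component (an O24 line) whose source is a local file:// URL, which is how the fake "Privacy Protection" warning was being drawn on the desktop. The following is an added example, written for this thread and not code from HijackThis, ComboFix or the helper: a small parser for HijackThis v2 log lines that pulls out the section tag and body of each entry and raises a finding for the three patterns visible in the log above (an O24 component backed by a local file, an R1 proxy auto-config URL that deserves a look, and entries whose registered component is "(no file)"). The sample lines are copied from the posted log except the R0 start page, which is a constructed placeholder because the original URL is truncated on the page.

```python
"""Triage helper for HijackThis v2 log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines taken from the HijackThis log posted in this thread,
# with the R0 start page replaced by a placeholder (the original is truncated).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start-page-placeholder.invalid/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# Every HijackThis entry starts with a section tag (R0..R3, F0..F3, O1..O24), " - ", then the body.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O24 body: "Desktop Component <n>: <name> - <source URL>"
O24_RE = re.compile(r"^Desktop Component \d+: (?P<name>.*?) - (?P<source>\S+)$")
# R1 body carrying a proxy auto-config script.
PAC_RE = re.compile(r"AutoConfigURL = (?P<url>\S+)$")


@dataclass
class Finding:
    section: str
    severity: str  # "high" | "review" | "cleanup"
    reason: str
    raw: str


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split one log line into (section, body); None for non-entry lines such as process paths."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for the patterns worth a second look, else None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    section, body = parsed

    if section == "O24":
        m = O24_RE.match(body)
        # An Active Desktop component served from a local file is a classic fake-warning wallpaper.
        if m and m.group("source").lower().startswith("file://"):
            return Finding(section, "high",
                           f"Active Desktop component '{m.group('name')}' loads local file {m.group('source')}",
                           line.strip())

    if section == "R1":
        m = PAC_RE.search(body)
        # A PAC script decides where browser traffic goes; confirm which installed product owns it.
        if m:
            return Finding(section, "review",
                           f"browser uses proxy auto-config {m.group('url')}; verify the owning product",
                           line.strip())

    if body.endswith("(no file)"):
        # Registered component with no file on disk: harmless leftover, but worth removing.
        return Finding(section, "cleanup", "orphaned entry: registered component has no file on disk",
                       line.strip())
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep the findings in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.severity:>7}] {finding.section}: {finding.reason}")
```

Running the block on the sample prints three findings: the O24 component as "high", the R1 proxy auto-config as "review", and the orphaned R3 URLSearchHook as "cleanup"; the O2 and O4 lines produce nothing. The severities are this example's own labels, not a HijackThis feature.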
#12
Posted 30 January 2008 - 01:03 PM
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
#13
Posted 30 January 2008 - 01:15 PM
How is the computer behaving?
#14
Posted 30 January 2008 - 01:20 PM
#15
Posted 30 January 2008 - 01:41 PM
Go to Control Panel, click Display > Desktop > Customize Desktop > Web, and uncheck "Privacy Protection" or whatever else is checked, if present.
Does that fix it?