WinFixer, Adware, Outerinfo [RESOLVED]


  • This topic is locked

#1
GeekMeUp

  • Member
  • 11 posts
Hi,

I am new here, and not very PC savvy, so please forgive me if I am not sure on things. I have run the HJT tool and created a log, but wanted to give info on what I have done so far; I apologize if this isn't needed, but wanted to be safe just in case. I am in the process of trying to get rid of a Trojan (or 2) that came in with OuterInfo, and other adware/spyware on my computer. I have visited numerous threads for instructions on how to repair. So far, I have used OinUninstaller.exe, ComboFix, ATF Cleaner, Ad-Aware, SpyBot S&D, SUPERAntiSpyware, and Panda ActiveScan. I attempted to use the AVG Anti-Spyware program in Safe Mode, but unfortunately it would not let me log in. Is it possible to run it in Normal?

It seems that some of the issues that I was experiencing have somewhat died down. I had an issue with not being able to open My Computer through the Start Menu or desktop. I also noticed that two "fake" shortcuts were installed on my Desktop (Help and Support Center, and Windows Update). At one point I could not delete those files, but once SpyBot and SAS were run, I was able to delete the shortcuts. Whenever I opened IE, my Privacy Settings would default to Accept All Cookies after I changed it, any time IE was opened, refreshed, or an address was typed in. I also installed Zone Alarm Firewall and seem to be free of pop-ups for now.


Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:38, on 2008-02-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\TriActive\MicroAgent\bin\ma.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\TriActive\MicroAgent\bin\matray-2.0.21.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vip.vangent.local/Default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vip.vangent.local/Default.aspx
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vip.ic.ncs.com/Default.aspx
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [matray] C:\Program Files\TriActive\MicroAgent\bin\matray-2.0.21.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [7cd6dbb5] rundll32.exe "C:\WINDOWS\system32\gbylrifg.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: iPassConnect.lnk = C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
O4 - Global Startup: nbtknonprt.bat
O4 - Global Startup: NCS Pearson VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\tcrenak.VNGT\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://vip.vangent.local/Default.aspx
O15 - Trusted Zone: vip.ic.ncs.com
O15 - Trusted Zone: *.vangent.com
O15 - Trusted Zone: *.vangent.local
O15 - Trusted Zone: *.vangent.com (HKLM)
O15 - Trusted Zone: *.vangent.local (HKLM)
O15 - ESC Trusted Zone: http://www.activemanagesolutions.com
O15 - ESC Trusted Zone: http://ardownload.adobe.com
O15 - ESC Trusted Zone: http://www.adobe.com
O15 - ESC Trusted Zone: http://support.dell.com
O15 - ESC Trusted Zone: http://www.dell.com
O15 - ESC Trusted Zone: http://vip.ic.ncs.com
O15 - ESC Trusted Zone: http://download.sysinternals.com
O15 - ESC Trusted Zone: http://software.u3.com
O15 - ESC Trusted Zone: http://www.u3.com
O15 - ESC Trusted Zone: http://www.activemanagesolutions.com (HKLM)
O15 - ESC Trusted Zone: http://ardownload.adobe.com (HKLM)
O15 - ESC Trusted Zone: http://www.adobe.com (HKLM)
O15 - ESC Trusted Zone: http://support.dell.com (HKLM)
O15 - ESC Trusted Zone: http://www.dell.com (HKLM)
O15 - ESC Trusted Zone: http://vip.ic.ncs.com (HKLM)
O15 - ESC Trusted Zone: http://download.sysinternals.com (HKLM)
O15 - ESC Trusted Zone: http://software.u3.com (HKLM)
O15 - ESC Trusted Zone: http://www.u3.com (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1182267120578
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) - http://mntkappprod1:...indows-i586.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.playfirst...ploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vangent.local
O17 - HKLM\Software\..\Telephony: DomainName = vangent.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vangent.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vangent.local
O20 - Winlogon Notify: vkcwcbvw - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TriActive MicroAgent (MA) - TriActive, Inc. - C:\Program Files\TriActive\MicroAgent\bin\ma.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12167 bytes




HijackThis Uninstall List


Ad-Aware 2007
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Professional
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat and Reader 6.0.6 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
Adobe Reader 8.1.1
Adobe Shockwave Player
ALPS Touch Pad Driver
AT&T Labs' Natural Voices - Lauren 16k 1.4 (Desktop)
AT&T Natural Voices Rosa v. 1.4
AVG Anti-Spyware 7.5
Bluetooth Stack for Windows by Toshiba
Broadcom Gigabit Integrated Controller
Conexant HDA D110 MDC V.92 Modem
Dell Resource CD
Dell Wireless WLAN Card
DivX Codec
DivX Content Uploader
DivX Web Player
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB926239)
Intel® Graphics Media Accelerator Driver
iPassConnect
IVR-2-RSO setup
IVR-2-RSO setup transfer utility
Java 2 Runtime Environment, SE v1.4.0_01
Java Web Start
JobsNowX
JobsNowX Client Setup Push Utility
Lernout & Hauspie TruVoice American English TTS Engine
Lexmark Printer Software Uninstall
McAfee Anti-Spyware Enterprise Module
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Visio Standard 2003
Microsoft Office Visio Viewer 2003 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Helper
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Netflix Movie Viewer
NextUp-ScanSoft Julie Canadian French Voice
OpenLink Data Access Drivers ()
OZ776 SCR CardBus V1.1.3.6
OZ776 SCR CardBus Windows Driver
Panda ActiveScan
PowerDVD 5.7
QuickSet
QuickTime
RealPlayer
Rhapsody
Rhapsody Player Engine
Roxio DLA
Roxio Express Labeler
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
RSOReportAutomation
Scribe 2001 - Reid London House Transcription
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
SigmaTel Audio
Sonic Foundry MP3 Plug-In
Sonic Foundry Sound Forge 4.5d
Sonic Update Manager
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
TextAloud
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
VPN Client
Windows Installer 3.1 (KB893803)
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinZip
ZoneAlarm

Thank you in advance for your help.
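As an added example (not part of the original thread and not HijackThis's own code), a small Python triage script that applies the kind of heuristics a helper uses when reading the HijackThis log above: it parses the O4 Run, O20 Winlogon Notify and O2 BHO lines and flags the randomly named loader entries (the 7cd6dbb5/gbylrifg.dll Run value and the vkcwcbvw Winlogon Notify entry). The sample lines are copied from the posted log; the scoring thresholds and the "random-looking name" rule are assumptions of mine, not part of any tool.

```python
import re
from typing import List, Tuple

# Sample lines copied from the HijackThis log posted above. Known-good
# entries (Spybot BHO, Bluetooth agent, NVHotkey, igfxpers) are included so
# the heuristics can be seen not to fire, or to fire only at low severity.
SAMPLE_LOG = [
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)",
    r"O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent",
    r"O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start",
    r"O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe",
    r'O4 - HKLM\..\Run: [7cd6dbb5] rundll32.exe "C:\WINDOWS\system32\gbylrifg.dll",b',
    "O20 - Winlogon Notify: vkcwcbvw - C:\\WINDOWS\\",  # trailing backslash: a directory, not a DLL
]

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
O2_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+)', re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$")  # generated Run value names like 7cd6dbb5
VOWELS = set("aeiou")

Finding = Tuple[str, str, str]  # (severity, log line, reason)


def stem_of(path: str) -> str:
    """File name without directory or extension, lower-cased."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def looks_random(name: str) -> bool:
    """Heuristic (assumption): 8 lowercase letters with at most one vowel,
    the shape of the generated names in this log (gbylrifg, vkcwcbvw).
    Weak on its own (bthprops also matches), so it only adds one point."""
    return bool(re.fullmatch(r"[a-z]{8}", name)) and sum(c in VOWELS for c in name) <= 1


def severity(score: int) -> str:
    return "high" if score >= 2 else "low"


def triage(lines: List[str]) -> List[Finding]:
    """Score each relevant HijackThis line; two independent signals = high."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip()

        m = O4_RE.match(line)
        if m:
            score, why = 0, []
            if HEX_NAME_RE.match(m["name"]):
                score += 2
                why.append("auto-generated hex Run value name")
            dll = RUNDLL_RE.search(m["cmd"])
            if dll and looks_random(stem_of(dll.group(1))):
                score += 1
                why.append("rundll32 loads a random-looking DLL")
            if score:
                findings.append((severity(score), line, "; ".join(why)))
            continue

        m = O20_RE.match(line)
        if m:
            score, why = 0, []
            target = m["target"].strip()
            leaf = target.rsplit("\\", 1)[-1]
            if target.endswith("\\") or "." not in leaf:
                score += 2
                why.append("Winlogon Notify target is a directory, not a DLL")
            if looks_random(m["name"].lower()):
                score += 1
                why.append("random-looking notify package name")
            if score:
                findings.append((severity(score), line, "; ".join(why)))
            continue

        m = O2_RE.match(line)
        if m and m["path"].strip() == "(no file)":
            findings.append(("low", line, "BHO registered but its DLL is missing (orphan)"))
    return findings


if __name__ == "__main__":
    for sev, line, why in triage(SAMPLE_LOG):
        print(f"[{sev:4}] {why}\n        {line}")
```

The two "high" hits are exactly the entries a helper would single out for removal; the "low" hits (the Bluetooth agent and the orphaned BHO) show why a single weak signal is only worth a second look, not a verdict.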

#2
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Delete ComboFix.exe and the folder C:\qoobox then do the following


Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3
GeekMeUp

  • Topic Starter
  • Member
  • 11 posts
Hi,

Thank you for responding! :)

ComboFix Log


ComboFix 08-02.05.3 - tcrenak 2008-02-10 10:37:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.404 [GMT -6:00]
Running from: C:\Documents and Settings\tcrenak.VNGT\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-10 07:45 . 2008-02-10 07:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 07:35 . 2008-02-10 07:35 <DIR> d-------- C:\Documents and Settings\tcrenak.VNGT\Application Data\Grisoft
2008-02-10 07:35 . 2008-02-10 07:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 07:35 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-10 07:18 . 2008-02-10 10:39 200,736 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-10 07:18 . 2008-02-10 07:49 1,964 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-10 07:14 . 2008-02-10 07:14 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-10 07:14 . 2008-02-10 07:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-10 06:30 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\vtkdopnbxidt.sys
2008-02-10 06:29 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys
2008-02-10 06:06 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\rxuejwtvlmmw.sys
2008-02-10 04:35 . 2008-02-10 04:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-10 04:34 . 2008-02-10 06:50 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-10 04:34 . 2008-02-10 04:34 <DIR> d-------- C:\Documents and Settings\tcrenak.VNGT\Application Data\SUPERAntiSpyware.com
2008-02-10 03:43 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-10 03:39 . 2004-08-04 04:00 388,608 --a------ C:\kmd.exe
2008-02-10 02:08 . 2008-02-10 06:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-10 02:08 . 2008-02-10 02:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 00:06 . 2008-02-10 06:57 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-10 00:06 . 2008-02-10 06:03 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-10 00:06 . 2008-02-10 06:03 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-10 00:06 . 2008-02-10 06:03 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-09 23:44 . 2008-02-09 23:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-09 23:44 . 2008-02-09 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-09 23:43 . 2008-02-10 02:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-08 22:31 . 2008-02-08 22:34 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-02-06 21:24 . 2008-02-06 21:24 <DIR> d-------- C:\Program Files\Samsung
2008-02-06 21:24 . 2008-02-06 21:24 <DIR> d-------- C:\Program Files\MarkAny
2008-02-06 21:24 . 2007-12-14 17:19 1,047,552 --a------ C:\WINDOWS\system32\MFC71u.dll
2008-02-06 21:24 . 2007-12-14 17:19 1,046,528 --a------ C:\WINDOWS\system32\MFC71LU.DLL
2008-02-06 21:24 . 2007-12-14 17:19 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2008-02-06 21:24 . 2007-12-14 17:19 507,904 --a------ C:\WINDOWS\system32\MSLUP71.dll
2008-02-06 21:24 . 2007-12-14 17:19 352,256 --a------ C:\WINDOWS\system32\MSLUR71.dll
2008-02-06 21:24 . 2007-12-14 17:19 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-02-06 21:24 . 2007-12-14 17:19 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-02-06 21:24 . 2007-12-14 17:19 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-02-02 03:32 . 2008-02-02 03:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-02 03:32 . 2008-02-02 03:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-16 08:22 . 2008-01-16 08:22 <DIR> d-------- C:\Program Files\Citrix
2008-01-13 22:38 . 2008-02-08 23:45 <DIR> d-------- C:\temp
2008-01-13 22:38 . 2008-01-27 00:21 135 --a------ C:\temp\install.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 12:45 --------- d-----w C:\Program Files\Apoint
2008-02-10 01:47 --------- d-----w C:\Documents and Settings\tcrenak.VNGT\Application Data\IMVU
2008-02-08 21:55 --------- d-----w C:\Program Files\Sound Forge
2008-02-08 21:16 --------- d-----w C:\Program Files\TextAloud
2008-02-07 14:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 01:32 --------- d-----w C:\Program Files\mcafee
2008-01-03 04:54 --------- d-----w C:\Program Files\IMVU
2007-12-30 23:59 --------- d-----w C:\Program Files\DivX
2007-12-20 01:47 --------- d-----w C:\Program Files\ImvuTools
2007-12-15 05:40 28 ----a-w C:\Program Files\deviceinfo
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-05 19:40 98,304 ----a-w C:\Program Files\rpshellextension.dll
2007-12-05 19:40 95,816 ----a-w C:\Program Files\rdsf3260.dll
2007-12-05 19:40 94,208 ----a-w C:\Program Files\rpbrowserrecordupdate.dll
2007-12-05 19:40 9,216 ----a-w C:\Program Files\rphelperapp.exe
2007-12-05 19:40 86,016 ----a-w C:\Program Files\rpplugprot.dll
2007-12-05 19:40 81,920 ----a-w C:\Program Files\tsasdk.dll
2007-12-05 19:40 719,360 ----a-w C:\Program Files\dbghelp.dll
2007-12-05 19:40 7,168 ----a-w C:\Program Files\realjbox.exe
2007-12-05 19:40 692,224 ----a-w C:\Program Files\dtdr3260.dll
2007-12-05 19:40 685 ----a-w C:\Program Files\RecordingManager.exe.manifest
2007-12-05 19:40 682 ----a-w C:\Program Files\realplay.exe.manifest
2007-12-05 19:40 655,360 ----a-w C:\Program Files\rjbres.dll
2007-12-05 19:40 65,536 ----a-w C:\Program Files\rjwmapln.dll
2007-12-05 19:40 643,917 ----a-w C:\Program Files\normal.vs
2007-12-05 19:40 63,040 ----a-w C:\Program Files\rpshell.dll
2007-12-05 19:40 61,495 ----a-w C:\Program Files\ssimages.vs
2007-12-05 19:40 6,656 ----a-w C:\Program Files\fixrjb.exe
2007-12-05 19:40 57,762 ----a-w C:\Program Files\howto.chm
2007-12-05 19:40 57,344 ----a-w C:\Program Files\tpasdk.dll
2007-12-05 19:40 568 ----a-w C:\Program Files\fpsectbl
2007-12-05 19:40 53,248 ----a-w C:\Program Files\rpau3260.dll
2007-12-05 19:40 53,098 ----a-w C:\Program Files\presets.rnx
2007-12-05 19:40 52,609 ----a-w C:\Program Files\RealNetworks License.html
2007-12-05 19:40 52,609 ----a-w C:\Program Files\playrlic.html
2007-12-05 19:40 50,548 ----a-w C:\Program Files\RealNetworks License.txt
2007-12-05 19:40 50,548 ----a-w C:\Program Files\playrlic.txt
2007-12-05 19:40 50 ----a-w C:\Program Files\strs23.dat
2007-12-05 19:40 480 ----a-w C:\Program Files\keys.dat
2007-12-05 19:40 43,088 ----a-w C:\Program Files\rpshellsearch.dll
2007-12-05 19:40 41,472 ----a-w C:\Program Files\mmcdda32.dll
2007-12-05 19:40 40,154 ----a-w C:\Program Files\realplay.chm
2007-12-05 19:40 370,296 ----a-w C:\Program Files\rpbrowserrecordplugin.dll
2007-12-05 19:40 36,352 ----a-w C:\Program Files\ierjplug.dll
2007-12-05 19:40 339,968 ----a-w C:\Program Files\rjdlg.dll
2007-12-05 19:40 32,768 ----a-w C:\Program Files\rpwa3260.dll
2007-12-05 19:40 23,558 ----a-w C:\Program Files\freeoffers.ico
2007-12-05 19:40 214,560 ----a-w C:\Program Files\realplay.exe
2007-12-05 19:40 207 ----a-w C:\Program Files\subscription.rnx
2007-12-05 19:40 2,851 ----a-w C:\Program Files\cdroms.cfg
2007-12-05 19:40 19,456 ----a-w C:\Program Files\tnetdtct.dll
2007-12-05 19:40 19,456 ----a-w C:\Program Files\rjprog.dll
2007-12-05 19:40 17,846 ----a-w C:\Program Files\videotest.rm
2007-12-05 19:40 16,296 ----a-w C:\Program Files\realtfon.fon
2007-12-05 19:40 153,176 ----a-w C:\Program Files\RecordingManager.exe
2007-12-05 19:40 14,336 ----a-w C:\Program Files\wmdmhelper.dll
2007-12-05 19:40 139,264 ----a-w C:\Program Files\DUNZIP32.dll
2007-12-05 19:40 13 ----a-w C:\Program Files\strs26.dat
2007-12-05 19:40 119,808 ----a-w C:\Program Files\waiting.avi
2007-12-05 19:40 11,444 ----a-w C:\Program Files\frw.bmp
2007-12-05 19:40 102,400 ----a-w C:\Program Files\HXAudioDeviceHook.dll
2007-12-05 19:40 1,209 ----a-w C:\Program Files\flvplay.swf
2007-12-05 19:40 1,030 ----a-w C:\Program Files\autoplaylist.dat
2007-12-05 19:40 1,026 ----a-w C:\Program Files\browserrecord.swf
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 21:53 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 21:53 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-11-28 21:53 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 21:53 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-14 22:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-14 22:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 04:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 17:10 1392640]
"NVHotkey"="nvHotkey.dll" [2006-01-19 08:14 73728 C:\WINDOWS\system32\nvhotkey.dll]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-02-20 11:29 1191936]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 13:13 176128]
"iPCCheck"="C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" [2004-07-23 16:38 282624]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41 282624]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 19:29 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 04:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2007-03-27 14:06 136768]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 07:00 98304]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 08:48 147514]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 04:00 143360]
"matray"="C:\Program Files\TriActive\MicroAgent\bin\matray-2.0.21.exe" [2007-11-16 11:05 221184]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-03-30 20:00 138008]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-03-30 20:00 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-03-30 19:59 138008]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-05 13:40 185896]
"7cd6dbb5"="C:\WINDOWS\system32\gbylrifg.dll" [ ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 22:37:56 217194]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 16:46:00 1724416]
iPassConnect.lnk - C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe [2007-06-19 09:42:39 655360]
nbtknonprt.bat [2007-03-28 10:54:24 492]
NCS Pearson VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-06-19 09:43:33 1470480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vkcwcbvw]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=pomeroytechs.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2094749845-1362696355-111083759-133432\Scripts\Logon\0\0]
"Script"=User-To-Computer-Script.vbs

R2 MA;TriActive MicroAgent;"C:\Program Files\TriActive\MicroAgent\bin\ma.exe" [2007-11-16 11:05]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc80211.sys [2007-06-19 09:42]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;D:\oracle\ora81\BIN\ONRSD.EXE [2000-10-19 10:55]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 10:39:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-10 10:39:40
ComboFix2.txt 2008-02-10 10:01:14
.
2008-01-08 23:09:25 --- E O F ---



HJT Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48, on 2008-02-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\TriActive\MicroAgent\bin\ma.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\TriActive\MicroAgent\bin\matray-2.0.21.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vip.vangent.local/Default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vip.vangent.local/Default.aspx
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vip.ic.ncs.com/Default.aspx
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [matray] C:\Program Files\TriActive\MicroAgent\bin\matray-2.0.21.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [7cd6dbb5] rundll32.exe "C:\WINDOWS\system32\gbylrifg.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: iPassConnect.lnk = C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
O4 - Global Startup: nbtknonprt.bat
O4 - Global Startup: NCS Pearson VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\tcrenak.VNGT\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://vip.vangent.local/Default.aspx
O15 - Trusted Zone: vip.ic.ncs.com
O15 - Trusted Zone: *.vangent.com
O15 - Trusted Zone: *.vangent.local
O15 - Trusted Zone: *.vangent.com (HKLM)
O15 - Trusted Zone: *.vangent.local (HKLM)
O15 - ESC Trusted Zone: http://www.activemanagesolutions.com
O15 - ESC Trusted Zone: http://ardownload.adobe.com
O15 - ESC Trusted Zone: http://www.adobe.com
O15 - ESC Trusted Zone: http://support.dell.com
O15 - ESC Trusted Zone: http://www.dell.com
O15 - ESC Trusted Zone: http://vip.ic.ncs.com
O15 - ESC Trusted Zone: http://download.sysinternals.com
O15 - ESC Trusted Zone: http://software.u3.com
O15 - ESC Trusted Zone: http://www.u3.com
O15 - ESC Trusted Zone: http://www.activemanagesolutions.com (HKLM)
O15 - ESC Trusted Zone: http://ardownload.adobe.com (HKLM)
O15 - ESC Trusted Zone: http://www.adobe.com (HKLM)
O15 - ESC Trusted Zone: http://support.dell.com (HKLM)
O15 - ESC Trusted Zone: http://www.dell.com (HKLM)
O15 - ESC Trusted Zone: http://vip.ic.ncs.com (HKLM)
O15 - ESC Trusted Zone: http://download.sysinternals.com (HKLM)
O15 - ESC Trusted Zone: http://software.u3.com (HKLM)
O15 - ESC Trusted Zone: http://www.u3.com (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1182267120578
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) - http://mntkappprod1:...indows-i586.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.playfirst...ploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vangent.local
O17 - HKLM\Software\..\Telephony: DomainName = vangent.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vangent.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vangent.local
O20 - Winlogon Notify: vkcwcbvw - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TriActive MicroAgent (MA) - TriActive, Inc. - C:\Program Files\TriActive\MicroAgent\bin\ma.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11949 bytes
  • 0

#4
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Hello

Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\Program Files\TriActive\MicroAgent\bin\ma.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.



1. Please re-open HijackThis and choose 'Do a system scan only'. Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O4 - HKLM\..\Run: [7cd6dbb5] rundll32.exe "C:\WINDOWS\system32\gbylrifg.dll",b
O20 - Winlogon Notify: vkcwcbvw - C:\WINDOWS\


2. Now close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\temp\install.bat

Folder::
C:\WINDOWS\system32\nGpxx01


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Reboot and post a new HijackThis log
  • 0
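A scripted version of the triage the helper did by eye on the log above, as an added example (Python, not a tool used anywhere in this thread): it parses HijackThis O2/O4/O20 lines and flags the three patterns singled out in the post, using this thread's own log lines as sample input. The heuristics (an 8-character name that is pure hex or has no vowels, a BHO whose file is gone, a Winlogon Notify entry whose path is only a directory) are my assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis v2.0.2 lines copied from the log in this
# thread, with benign entries mixed in so the heuristics have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [7cd6dbb5] rundll32.exe "C:\WINDOWS\system32\gbylrifg.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: vkcwcbvw - C:\WINDOWS\
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

VOWELS = set("aeiouy")
# Every HijackThis entry line starts with its section tag (R0, O2, O4, ...).
LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")


@dataclass
class Finding:
    line: str
    reason: str


def looks_random(name: str) -> bool:
    """Heuristic (my assumption, not a HijackThis rule): an 8-character name that
    is pure hex, or all letters with no vowel at all, reads as machine-generated."""
    n = name.lower()
    if len(n) != 8:
        return False
    if re.fullmatch(r"[0-9a-f]{8}", n):
        return True
    return n.isalpha() and not any(c in VOWELS for c in n)


def triage_hjt(log: str) -> list[Finding]:
    """Return the entries matching the three patterns flagged in this thread."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        if kind == "O2" and rest.endswith("- (no file)"):
            findings.append(Finding(line, "BHO CLSID is registered but its DLL is gone"))
        elif kind == "O4":
            # The Run-key value name sits in square brackets.
            name_m = re.search(r"\[([^\]]+)\]", rest)
            if name_m and looks_random(name_m.group(1)):
                findings.append(Finding(line, "Run entry with a machine-generated-looking name"))
        elif kind == "O20":
            # Format: "Winlogon Notify: <name> - <path>"
            head, _, path = rest.partition(" - ")
            name = head.replace("Winlogon Notify:", "").strip()
            if looks_random(name) or path.strip().endswith("\\"):
                findings.append(Finding(line, "Winlogon Notify package with a random name or no DLL path"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.reason}:\n    {f.line}")
```

Run against the sample it reports exactly the three lines the helper listed for Fix Checked and nothing else.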

#5
GeekMeUp (Member)
  • Topic Starter
  • Member
  • 11 posts
Thanks for responding so quickly!!


Well, it seems that I have lost my internet connection. :) I am currently using another computer to add this reply. I tried to open virustotal.com in a separate window and came to the "Page cannot be displayed" IE error. I returned to my post and tried to add a reply and received the same IE error. I tried a couple more times with other pages and still nothing; however, ZoneAlarm is constantly popping up with information about addresses trying to access my network. Is this something that I caused to happen?

Is there a way to correct this? In the meantime, I will continue to try and restore my connection until further notification. Thank you again for all of your help, I really appreciate it.
  • 0

#6
GeekMeUp (Member)
  • Topic Starter
  • Member
  • 11 posts
Internet back up and running!!!

OK, I was able to get into Virustotal.com. Here is what it says:

File has already been analysed:
MD5: 9166ffe0ea0859324a6eb567bd0366a0
Date: 11.24.2007 04:00:58 (CET) [>78D]
Results: 1/32
Permalink: analisis/0e4ecbdd9943bd4ad71bf1f57ef62846



About to do the system scan only for HJT; will post the new log once finished with ComboFix. Thanks!
  • 0

#7
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
OK, post the HJT and ComboFix logs when they are done.
  • 0

#8
GeekMeUp (Member)
  • Topic Starter
  • Member
  • 11 posts
OK, I selected Fix Checked for the files outlined in bold for HJT. I ran ComboFix, but the log it produced didn't save at "C:\ComboFix.txt". So I pointed it to save there and noticed that a log already existed with that name. I wasn't sure if I should save over the existing file, so I saved it as "C:\ComboFix2.txt". Should I delete the other file?





Here is the new HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02, on 2008-02-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\TriActive\MicroAgent\bin\ma.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\TriActive\MicroAgent\bin\matray-2.0.21.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vip.vangent.local/Default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vip.vangent.local/Default.aspx
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vip.ic.ncs.com/Default.aspx
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [matray] C:\Program Files\TriActive\MicroAgent\bin\matray-2.0.21.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: iPassConnect.lnk = C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
O4 - Global Startup: nbtknonprt.bat
O4 - Global Startup: NCS Pearson VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\tcrenak.VNGT\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://vip.vangent.local/Default.aspx
O15 - Trusted Zone: vip.ic.ncs.com
O15 - Trusted Zone: *.vangent.com
O15 - Trusted Zone: *.vangent.local
O15 - Trusted Zone: *.vangent.com (HKLM)
O15 - Trusted Zone: *.vangent.local (HKLM)
O15 - ESC Trusted Zone: http://www.activemanagesolutions.com
O15 - ESC Trusted Zone: http://ardownload.adobe.com
O15 - ESC Trusted Zone: http://www.adobe.com
O15 - ESC Trusted Zone: http://support.dell.com
O15 - ESC Trusted Zone: http://www.dell.com
O15 - ESC Trusted Zone: http://vip.ic.ncs.com
O15 - ESC Trusted Zone: http://download.sysinternals.com
O15 - ESC Trusted Zone: http://software.u3.com
O15 - ESC Trusted Zone: http://www.u3.com
O15 - ESC Trusted Zone: http://www.activemanagesolutions.com (HKLM)
O15 - ESC Trusted Zone: http://ardownload.adobe.com (HKLM)
O15 - ESC Trusted Zone: http://www.adobe.com (HKLM)
O15 - ESC Trusted Zone: http://support.dell.com (HKLM)
O15 - ESC Trusted Zone: http://www.dell.com (HKLM)
O15 - ESC Trusted Zone: http://vip.ic.ncs.com (HKLM)
O15 - ESC Trusted Zone: http://download.sysinternals.com (HKLM)
O15 - ESC Trusted Zone: http://software.u3.com (HKLM)
O15 - ESC Trusted Zone: http://www.u3.com (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1182267120578
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) - http://mntkappprod1:...indows-i586.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.playfirst...ploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vangent.local
O17 - HKLM\Software\..\Telephony: DomainName = vangent.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vangent.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vangent.local
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TriActive MicroAgent (MA) - TriActive, Inc. - C:\Program Files\TriActive\MicroAgent\bin\ma.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11819 bytes
  • 0

#9
GeekMeUp (Member)
  • Topic Starter
  • Member
  • 11 posts
ComboFix2.txt file

Thank you again!


ComboFix 08-02.05.3 - tcrenak 2008-02-10 11:53:23.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.459 [GMT -6:00]
Running from: C:\Documents and Settings\tcrenak.VNGT\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\tcrenak.VNGT\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\temp\install.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\install.bat
C:\WINDOWS\system32\nGpxx01

.
((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-10 10:36 . 2004-08-04 04:00 388,608 --a------ C:\kmd.exe
2008-02-10 07:45 . 2008-02-10 07:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 07:35 . 2008-02-10 07:35 <DIR> d-------- C:\Documents and Settings\tcrenak.VNGT\Application Data\Grisoft
2008-02-10 07:35 . 2008-02-10 07:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 07:35 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-10 07:18 . 2008-02-10 11:55 241,696 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-10 07:18 . 2008-02-10 07:49 1,964 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-10 07:14 . 2008-02-10 07:14 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-10 07:14 . 2008-02-10 07:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-10 06:30 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\vtkdopnbxidt.sys
2008-02-10 06:29 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys
2008-02-10 06:06 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\rxuejwtvlmmw.sys
2008-02-10 04:35 . 2008-02-10 04:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-10 04:34 . 2008-02-10 06:50 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-10 04:34 . 2008-02-10 04:34 <DIR> d-------- C:\Documents and Settings\tcrenak.VNGT\Application Data\SUPERAntiSpyware.com
2008-02-10 03:43 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-10 02:08 . 2008-02-10 06:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-10 02:08 . 2008-02-10 02:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 00:06 . 2008-02-10 06:57 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-10 00:06 . 2008-02-10 06:03 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-10 00:06 . 2008-02-10 06:03 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-10 00:06 . 2008-02-10 06:03 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-09 23:44 . 2008-02-09 23:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-09 23:44 . 2008-02-09 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-09 23:43 . 2008-02-10 02:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-06 21:24 . 2008-02-06 21:24 <DIR> d-------- C:\Program Files\Samsung
2008-02-06 21:24 . 2008-02-06 21:24 <DIR> d-------- C:\Program Files\MarkAny
2008-02-06 21:24 . 2007-12-14 17:19 1,047,552 --a------ C:\WINDOWS\system32\MFC71u.dll
2008-02-06 21:24 . 2007-12-14 17:19 1,046,528 --a------ C:\WINDOWS\system32\MFC71LU.DLL
2008-02-06 21:24 . 2007-12-14 17:19 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2008-02-06 21:24 . 2007-12-14 17:19 507,904 --a------ C:\WINDOWS\system32\MSLUP71.dll
2008-02-06 21:24 . 2007-12-14 17:19 352,256 --a------ C:\WINDOWS\system32\MSLUR71.dll
2008-02-06 21:24 . 2007-12-14 17:19 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-02-06 21:24 . 2007-12-14 17:19 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-02-06 21:24 . 2007-12-14 17:19 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-02-02 03:32 . 2008-02-02 03:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-02 03:32 . 2008-02-02 03:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-16 08:22 . 2008-01-16 08:22 <DIR> d-------- C:\Program Files\Citrix
2008-01-13 22:38 . 2008-02-10 11:53 <DIR> d-------- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 12:45 --------- d-----w C:\Program Files\Apoint
2008-02-10 01:47 --------- d-----w C:\Documents and Settings\tcrenak.VNGT\Application Data\IMVU
2008-02-08 21:55 --------- d-----w C:\Program Files\Sound Forge
2008-02-08 21:16 --------- d-----w C:\Program Files\TextAloud
2008-02-07 14:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 01:32 --------- d-----w C:\Program Files\mcafee
2008-01-03 04:54 --------- d-----w C:\Program Files\IMVU
2007-12-30 23:59 --------- d-----w C:\Program Files\DivX
2007-12-20 01:47 --------- d-----w C:\Program Files\ImvuTools
2007-12-15 05:40 28 ----a-w C:\Program Files\deviceinfo
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-05 19:40 98,304 ----a-w C:\Program Files\rpshellextension.dll
2007-12-05 19:40 95,816 ----a-w C:\Program Files\rdsf3260.dll
2007-12-05 19:40 94,208 ----a-w C:\Program Files\rpbrowserrecordupdate.dll
2007-12-05 19:40 9,216 ----a-w C:\Program Files\rphelperapp.exe
2007-12-05 19:40 86,016 ----a-w C:\Program Files\rpplugprot.dll
2007-12-05 19:40 81,920 ----a-w C:\Program Files\tsasdk.dll
2007-12-05 19:40 719,360 ----a-w C:\Program Files\dbghelp.dll
2007-12-05 19:40 7,168 ----a-w C:\Program Files\realjbox.exe
2007-12-05 19:40 692,224 ----a-w C:\Program Files\dtdr3260.dll
2007-12-05 19:40 685 ----a-w C:\Program Files\RecordingManager.exe.manifest
2007-12-05 19:40 682 ----a-w C:\Program Files\realplay.exe.manifest
2007-12-05 19:40 655,360 ----a-w C:\Program Files\rjbres.dll
2007-12-05 19:40 65,536 ----a-w C:\Program Files\rjwmapln.dll
2007-12-05 19:40 643,917 ----a-w C:\Program Files\normal.vs
2007-12-05 19:40 63,040 ----a-w C:\Program Files\rpshell.dll
2007-12-05 19:40 61,495 ----a-w C:\Program Files\ssimages.vs
2007-12-05 19:40 6,656 ----a-w C:\Program Files\fixrjb.exe
2007-12-05 19:40 57,762 ----a-w C:\Program Files\howto.chm
2007-12-05 19:40 57,344 ----a-w C:\Program Files\tpasdk.dll
2007-12-05 19:40 568 ----a-w C:\Program Files\fpsectbl
2007-12-05 19:40 53,248 ----a-w C:\Program Files\rpau3260.dll
2007-12-05 19:40 53,098 ----a-w C:\Program Files\presets.rnx
2007-12-05 19:40 52,609 ----a-w C:\Program Files\RealNetworks License.html
2007-12-05 19:40 52,609 ----a-w C:\Program Files\playrlic.html
2007-12-05 19:40 50,548 ----a-w C:\Program Files\RealNetworks License.txt
2007-12-05 19:40 50,548 ----a-w C:\Program Files\playrlic.txt
2007-12-05 19:40 50 ----a-w C:\Program Files\strs23.dat
2007-12-05 19:40 480 ----a-w C:\Program Files\keys.dat
2007-12-05 19:40 43,088 ----a-w C:\Program Files\rpshellsearch.dll
2007-12-05 19:40 41,472 ----a-w C:\Program Files\mmcdda32.dll
2007-12-05 19:40 40,154 ----a-w C:\Program Files\realplay.chm
2007-12-05 19:40 370,296 ----a-w C:\Program Files\rpbrowserrecordplugin.dll
2007-12-05 19:40 36,352 ----a-w C:\Program Files\ierjplug.dll
2007-12-05 19:40 339,968 ----a-w C:\Program Files\rjdlg.dll
2007-12-05 19:40 32,768 ----a-w C:\Program Files\rpwa3260.dll
2007-12-05 19:40 23,558 ----a-w C:\Program Files\freeoffers.ico
2007-12-05 19:40 214,560 ----a-w C:\Program Files\realplay.exe
2007-12-05 19:40 207 ----a-w C:\Program Files\subscription.rnx
2007-12-05 19:40 2,851 ----a-w C:\Program Files\cdroms.cfg
2007-12-05 19:40 19,456 ----a-w C:\Program Files\tnetdtct.dll
2007-12-05 19:40 19,456 ----a-w C:\Program Files\rjprog.dll
2007-12-05 19:40 17,846 ----a-w C:\Program Files\videotest.rm
2007-12-05 19:40 16,296 ----a-w C:\Program Files\realtfon.fon
2007-12-05 19:40 153,176 ----a-w C:\Program Files\RecordingManager.exe
2007-12-05 19:40 14,336 ----a-w C:\Program Files\wmdmhelper.dll
2007-12-05 19:40 139,264 ----a-w C:\Program Files\DUNZIP32.dll
2007-12-05 19:40 13 ----a-w C:\Program Files\strs26.dat
2007-12-05 19:40 119,808 ----a-w C:\Program Files\waiting.avi
2007-12-05 19:40 11,444 ----a-w C:\Program Files\frw.bmp
2007-12-05 19:40 102,400 ----a-w C:\Program Files\HXAudioDeviceHook.dll
2007-12-05 19:40 1,209 ----a-w C:\Program Files\flvplay.swf
2007-12-05 19:40 1,030 ----a-w C:\Program Files\autoplaylist.dat
2007-12-05 19:40 1,026 ----a-w C:\Program Files\browserrecord.swf
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 21:53 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 21:53 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-11-28 21:53 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 21:53 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-14 22:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-14 22:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 04:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 17:10 1392640]
"NVHotkey"="nvHotkey.dll" [2006-01-19 08:14 73728 C:\WINDOWS\system32\nvhotkey.dll]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-02-20 11:29 1191936]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 13:13 176128]
"iPCCheck"="C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" [2004-07-23 16:38 282624]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41 282624]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 19:29 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 04:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2007-03-27 14:06 136768]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 07:00 98304]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 08:48 147514]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 04:00 143360]
"matray"="C:\Program Files\TriActive\MicroAgent\bin\matray-2.0.21.exe" [2007-11-16 11:05 221184]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-03-30 20:00 138008]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-03-30 20:00 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-03-30 19:59 138008]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-05 13:40 185896]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 22:37:56 217194]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 16:46:00 1724416]
iPassConnect.lnk - C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe [2007-06-19 09:42:39 655360]
nbtknonprt.bat [2007-03-28 10:54:24 492]
NCS Pearson VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-06-19 09:43:33 1470480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=pomeroytechs.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2094749845-1362696355-111083759-133432\Scripts\Logon\0\0]
"Script"=User-To-Computer-Script.vbs

R2 MA;TriActive MicroAgent;"C:\Program Files\TriActive\MicroAgent\bin\ma.exe" [2007-11-16 11:05]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc80211.sys [2007-06-19 09:42]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;D:\oracle\ora81\BIN\ONRSD.EXE [2000-10-19 10:55]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 11:55:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-10 11:56:02
ComboFix-quarantined-files.txt 2008-02-10 17:56:00
ComboFix2.txt 2008-02-10 16:39:41
ComboFix3.txt 2008-02-10 10:01:14
.
2008-01-08 23:09:25 --- E O F ---
  • 0

#10
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Do this


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.


Also tell me how your PC is running

Edited by Rorschach112, 10 February 2008 - 12:22 PM.

  • 0

#11
GeekMeUp
  • Topic Starter
  • Member
  • 11 posts
Ok, I apologize for the delay, the scan has finished. Here is the report:


A0025228.exe;C:\System Volume Information\_restore{094CFF88-9E62-44CA-8692-984A237DD303}\RP184;Adware.MediaTicket.origin;Incurable.Moved.;
A0025230.exe\data002;C:\System Volume Information\_restore{094CFF88-9E62-44CA-8692-984A237DD303}\RP184\A0025230.exe;Adware.MediaTicket.origin;;
A0025230.exe;C:\System Volume Information\_restore{094CFF88-9E62-44CA-8692-984A237DD303}\RP184;Archive contains infected objects;Moved.;
A0025231.exe;C:\System Volume Information\_restore{094CFF88-9E62-44CA-8692-984A237DD303}\RP184;Adware.Outer;Incurable.Moved.;
A0025235.dll;C:\System Volume Information\_restore{094CFF88-9E62-44CA-8692-984A237DD303}\RP184;Trojan.Virtumod.260;Deleted.;
A0025242.bat;C:\System Volume Information\_restore{094CFF88-9E62-44CA-8692-984A237DD303}\RP185;Probably BATCH.Virus;Incurable.Moved.;
A0025283.exe;C:\System Volume Information\_restore{094CFF88-9E62-44CA-8692-984A237DD303}\RP185;Trojan.DownLoader.45546;Deleted.;
A0025285.dll;C:\System Volume Information\_restore{094CFF88-9E62-44CA-8692-984A237DD303}\RP185;Adware.ClickSpring.origin;Incurable.Moved.;
A0025286.dll;C:\System Volume Information\_restore{094CFF88-9E62-44CA-8692-984A237DD303}\RP185;Trojan.Virtumod.240;Deleted.;
A0025288.dll;C:\System Volume Information\_restore{094CFF88-9E62-44CA-8692-984A237DD303}\RP185;Trojan.Virtumod.260;Deleted.;
A0025289.dll;C:\System Volume Information\_restore{094CFF88-9E62-44CA-8692-984A237DD303}\RP185;Trojan.Virtumod.260;Deleted.;
A0025292.bat;C:\System Volume Information\_restore{094CFF88-9E62-44CA-8692-984A237DD303}\RP185;Probably BATCH.Virus;Incurable.Moved.;
A0025293.dll;C:\System Volume Information\_restore{094CFF88-9E62-44CA-8692-984A237DD303}\RP185;Trojan.Virtumod.240;Deleted.;
A0025377.dll;C:\System Volume Information\_restore{094CFF88-9E62-44CA-8692-984A237DD303}\RP186;Trojan.Virtumod.260;Deleted.;
A0025535.bat;C:\System Volume Information\_restore{094CFF88-9E62-44CA-8692-984A237DD303}\RP186;Probably BATCH.Virus;Incurable.Moved.;
MFEX-1.DAT;C:\System Volume Information\_restore{094CFF88-9E62-44CA-8692-984A237DD303}\RP186\snapshot;Trojan.Virtumod.260;Deleted.;
A0025600.bat;C:\System Volume Information\_restore{094CFF88-9E62-44CA-8692-984A237DD303}\RP187;Probably BATCH.Virus;Incurable.Moved.;





Wasn't sure if a new HJT log was needed, but I did one. Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:25, on 2008-02-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\TriActive\MicroAgent\bin\ma.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\TriActive\MicroAgent\bin\matray-2.0.21.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\tcrenak.VNGT\Desktop\drweb-cureit.exe
C:\DOCUME~1\TCRENA~1.VNG\LOCALS~1\Temp\RarSFX0\_start.exe
C:\DOCUME~1\TCRENA~1.VNG\LOCALS~1\Temp\RarSFX0\setup.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vip.vangent.local/Default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vip.vangent.local/Default.aspx
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vip.ic.ncs.com/Default.aspx
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [matray] C:\Program Files\TriActive\MicroAgent\bin\matray-2.0.21.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: iPassConnect.lnk = C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
O4 - Global Startup: nbtknonprt.bat
O4 - Global Startup: NCS Pearson VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\tcrenak.VNGT\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://vip.vangent.local/Default.aspx
O15 - Trusted Zone: vip.ic.ncs.com
O15 - Trusted Zone: *.vangent.com
O15 - Trusted Zone: *.vangent.local
O15 - Trusted Zone: *.vangent.com (HKLM)
O15 - Trusted Zone: *.vangent.local (HKLM)
O15 - ESC Trusted Zone: http://www.activemanagesolutions.com
O15 - ESC Trusted Zone: http://ardownload.adobe.com
O15 - ESC Trusted Zone: http://www.adobe.com
O15 - ESC Trusted Zone: http://support.dell.com
O15 - ESC Trusted Zone: http://www.dell.com
O15 - ESC Trusted Zone: http://vip.ic.ncs.com
O15 - ESC Trusted Zone: http://download.sysinternals.com
O15 - ESC Trusted Zone: http://software.u3.com
O15 - ESC Trusted Zone: http://www.u3.com
O15 - ESC Trusted Zone: http://www.activemanagesolutions.com (HKLM)
O15 - ESC Trusted Zone: http://ardownload.adobe.com (HKLM)
O15 - ESC Trusted Zone: http://www.adobe.com (HKLM)
O15 - ESC Trusted Zone: http://support.dell.com (HKLM)
O15 - ESC Trusted Zone: http://www.dell.com (HKLM)
O15 - ESC Trusted Zone: http://vip.ic.ncs.com (HKLM)
O15 - ESC Trusted Zone: http://download.sysinternals.com (HKLM)
O15 - ESC Trusted Zone: http://software.u3.com (HKLM)
O15 - ESC Trusted Zone: http://www.u3.com (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1182267120578
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) - http://mntkappprod1:...indows-i586.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.playfirst...ploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vangent.local
O17 - HKLM\Software\..\Telephony: DomainName = vangent.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vangent.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vangent.local
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TriActive MicroAgent (MA) - TriActive, Inc. - C:\Program Files\TriActive\MicroAgent\bin\ma.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12095 bytes
  • 0

#12
GeekMeUp
  • Topic Starter
  • Member
  • 11 posts
Sorry, forgot to add CPU performance; did you need to know what the CPU percentage is? If you mean just from what I notice, IE seems to run quickly; I may lose my internet connection sometimes. Opening other programs (My Computer) takes a little longer, maybe 35 seconds to a minute for it to open, but it will open. It takes a while for my computer to load the desktop during startup/restart. My background shows up immediately, but my active desktop and Start Menu take at least a minute, if not longer, to load.

In Processes under Task Manager: System Idle Process is at 98-99. My CPU Usage is anywhere between 1-5%.
  • 0

#13
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Your logs are clean! We need to do a few things.

Now let's uninstall ComboFix:
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present.
  • Delete the C:\Deckard folder, if present.
  • Delete the C:\_OtMoveIt folder, if present.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here


Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection by malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here.

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place' here.

Thank you for your patience, and performing all of the procedures requested.
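An added check for the HOSTS-file mechanism described above (example code written for this thread, not from the post or the MVPS project): it parses a constructed HOSTS sample in the MVPS layout, lists the names that are sent to the loopback address, and flags a protected site such as windowsupdate.microsoft.com if the file points it anywhere other than loopback, which is the kind of tampering a malware infection can leave behind. The PROTECTED list is an assumption for the example.

```python
import ipaddress

# Constructed sample in HOSTS format (not the real MVPS file):
# one address per line followed by one or more hostnames, '#' starts a comment.
SAMPLE_HOSTS = """\
# constructed sample, not the real MVPS file
127.0.0.1 localhost
127.0.0.1 ads.example-adserver.test
0.0.0.0 tracker.example-tracker.test
# a tampered entry: an update site pointed somewhere other than loopback
203.0.113.7 windowsupdate.microsoft.com
"""

# Sites that should never be redirected away from their real address
# (assumed list for this example).
PROTECTED = {"windowsupdate.microsoft.com", "update.microsoft.com"}

# Addresses the MVPS file uses to neutralise a hostname.
LOOPBACK = {"127.0.0.1", "0.0.0.0"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)  # reject lines whose first field is not an IP
        except ValueError:
            continue
        entries.extend((ip, name.lower()) for name in names)
    return entries


def audit_hosts(text):
    """Split entries into 'blocked' (sent to loopback) and 'suspicious' (protected host sent elsewhere)."""
    blocked, suspicious = [], []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue  # the normal loopback entry, not a block rule
        if ip in LOOPBACK:
            blocked.append(name)
        elif name in PROTECTED:
            suspicious.append((name, ip))
    return {"blocked": blocked, "suspicious": suspicious}


def is_blocked(text, hostname):
    """True if the HOSTS text sends hostname to loopback (case-insensitive)."""
    return hostname.lower() in set(audit_hosts(text)["blocked"])
```

Running audit_hosts on your own HOSTS file (C:\WINDOWS\system32\drivers\etc\hosts on XP) gives a quick view of what is blocked and whether any update site has been redirected.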

#14
GeekMeUp

    Member

  • Topic Starter
  • 11 posts
OY!!

Ok, I had a few issues. I just typed a reply (nice and long) to what you said, and completely lost ALL of it. Will update with what I did.

#15
GeekMeUp

    Member

  • Topic Starter
  • 11 posts
Ok, thank you again!!!

Don't know if this is an issue, but I did the ComboFix uninstall and don't know if it did the things that you listed. A pop-up came up and said that the ComboFix uninstall was successful and deleted the .exe app. But my clock settings are still set in military time, e.g. 20:09 2008-02-10. Is this correct, is this what was supposed to happen/the reset clock settings? Sorry, I'm not too smart with this.

I removed my old version of Java and went to the link provided, I got a little turned around here. I selected the Java Runtime Environment 6 Update 4 and it brought me to a download page with the following file options:

Windows Online Installation: jre-6u4-windows-i586-p-iftw.exe
Windows x64 executable: jre-6u4-windows-x64.exe
Windows Offline Installation: jre-6u4-windows-i586-p.exe

The instructions were to select the files I wanted and then click the "Download Selected with Sun Download Manager" (SDM). Or to individually click on the file names and download to my browser. I checkmarked all three selections and clicked the download with SDM. I saved the file to my desktop and double-clicked to run. Once I did that, a ZoneAlarm alert came up asking if I wanted to allow "splash.exe" access. I allowed it, and then received an error:

Java™ Web Start 1.0.1
Bad installation. Error invoking Java VM (SysExec) C:\Program Files\Java\j2re1.4.0_01\bin\javaw.exe

Can you tell me what to do from here?

I had a few questions regarding the programs I installed before posting here. Is it okay to delete the log files that I have? (HTJ, ComboFix, ActiveScan, etc.) I was wondering if it is okay to delete/uninstall some of the programs I have and do a reinstall of some? ATF Cleaner, SAS, AVG Anti-Spyware, Ad-Aware, Spybot, DrWeb CureIt. I know that I need to have protection, but don't want to run the risk of having the programs conflicting with each other. I want to keep ZoneAlarm, and reinstall Ad-Aware along with the free programs that you provided, but wanted to clean up my Desktop/Programs. Would this be alright to do?


Is a Disable/Re-enable System Restore needed or a reboot? I did not reboot once ComboFix was uninstalled, should I restart before installing or uninstalling the other Programs or create a System Restore point before going any further?

Is there a way to uninstall the Windows Recovery File? I am a jinx when it comes to computers, and I don't want to select this by mistake one day when starting up my computer. I guess it is okay if I can't uninstall, I will just have to be more careful and not touch anything until my login screen shows at startup.


I noticed a few programs showing up in my ZoneAlarm alert asking for access and wanted to know if I should be worried about them. TriActive MicroAgent ma.exe and Framework Service.exe are asking for program access. I denied access, but do you know anything about these? I can Google some information on them, but just thought I'd ask.

I'm sorry to be a pain if I am asking too much here. If these cannot be answered here, can you please direct me to where I should go?



Once again, THANK YOU so very much for all of your help throughout this process, for being patient with me, responding so quickly and keeping me updated. I cannot tell you how much I appreciate it. I don't know much about computers, but this has certainly taught me A LOT.