Hi Malware Techs,
Just got through scrubbing down and restoring my system from a trojan that got in through a bad e-mail I should never have opened. Did ALL the scans and used all the online products you require .... and this one symptom remains after all that. Have logs from the many scans and fixes, including SUPER Anti-Spyware, AVG A/V, Kaspersky Online scan, A-Squared Online Trojan scan, Combo.fix, SDFix, Dr Web CureIt, Spybot S&D, Symantec Security Check, and Panda.
One last symptom remains, probably damage in the 'settings' for my e-mail server. I use Mozilla's mail server 'Thunderbird' with my safe-mail.net account. Been using it for years. Now a quirky problem has arisen which is baffling me.
Opening any e-mail that is already in the inbox displays it as an HTML source code usually displays, when you click that menu option in any browser. My Thunderbird settings are View > Character Encoding > Auto-detect OFF; radio button on Western (ISO-8859-1). I'm pretty sure this is how it always was.
Going to Tools > Options > Display tab shows nothing irregular....nor do any of the settings in 'Options', or account settings.
All I know is that it worked fine until I downloaded a batch of new mail and maybe clicked open a junk or spam item, now long deleted. It started after that. I ran my updated AVG virus scanner specifically on C:\Program Files\Thunderbird and came up with nothing. I can run more scans, which I'll do, but I wonder if there is a quick fix or any useful advice I might garnish from a GTG Posting. Any advice would be nice.
P.S. - I tried uninstalling Thunderbird, then reinstalling it again after a reboot. Same problem exists, so I think it must be damage lurking in the 'settings' from the trojan attack.
How can I fix this, and scan whole system for any other damage which I've yet to discover ? I've done all the scans and several times over, even in safe-mode. Now, it is a repair damage issue, since the bugs are mainly removed.
Only other symptom is that I get low ID's in gaming, and the TCP port is being rejected no matter how I configure it.
So here is the HiJackThis Log.....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:54 AM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
--
End of file - 7611 bytes
And here's the ComboFix log:
ComboFix 08-02-18.1 - Owner 2008-02-18 9:53:27.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.478 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.
2008-02-18 09:49 . 2008-02-18 09:49 24,295 --a------ C:\MGtools.php
2008-02-18 06:09 . 2008-02-18 06:09 <DIR> d-------- C:\SAV32CLI
2008-02-18 04:34 . 2008-02-18 04:34 54,526,464 --a------ C:\1EF.tmp
2008-02-17 14:10 . 2008-02-17 14:10 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-17 14:00 . 2008-02-18 06:02 1,309,729 --a------ C:\SDFix.exe
2008-02-16 20:06 . 2008-02-16 20:06 <DIR> d-------- C:\Documents and Settings\Owner\DoctorWeb
2008-02-16 19:08 . 2008-02-18 05:34 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 19:08 . 2008-02-18 05:32 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-16 19:08 . 2008-02-18 05:32 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-16 19:08 . 2008-02-18 05:32 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-16 11:08 . 2008-02-16 11:08 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-16 11:08 . 2008-02-16 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-16 10:46 . 2008-02-16 10:49 54,526,464 --a------ C:\107.tmp
2008-02-13 21:08 . 2008-02-13 21:08 <DIR> d-------- C:\Program Files\Easy Video Joiner
2008-02-13 20:52 . 2008-02-13 20:52 <DIR> d-------- C:\Program Files\Pegasys Inc
2008-02-13 00:41 . 2008-02-13 00:41 <DIR> d-------- C:\Program Files\WinPcap
2008-02-13 00:40 . 2008-02-13 00:42 <DIR> d-------- C:\Program Files\WM Recorder
2008-02-13 00:40 . 2008-02-13 00:40 286,720 --a------ C:\WINDOWS\iun506.exe
2008-02-11 21:32 . 2008-02-18 08:46 9,662 --a------ C:\WINDOWS\EPISME00.SWB
2008-02-11 02:14 . 2008-02-11 02:14 <DIR> d-------- C:\Program Files\The Herbal Pharmacy
2008-02-11 02:14 . 1996-12-03 16:07 403,216 --a------ C:\WINDOWS\system32\msrepl35.dll
2008-02-11 02:14 . 1997-07-01 05:01 331,032 --a------ C:\WINDOWS\system32\Threed20.ocx
2008-02-11 02:14 . 1997-07-19 19:00 129,808 --a------ C:\WINDOWS\system32\Comdlg32.ocx
2008-02-11 02:14 . 1996-08-21 03:00 78,848 --a------ C:\WINDOWS\system32\Msoutl32.ocx
2008-02-11 02:14 . 1997-02-27 20:40 78,608 --a------ C:\WINDOWS\system32\Vb5db.dll
2008-02-11 02:14 . 1996-12-05 03:00 77,824 --a------ C:\WINDOWS\system32\Odbctl32.dll
2008-02-09 15:41 . 2005-10-20 23:32 614,400 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-02-09 15:14 . 2008-02-09 15:14 32 --ahs---- C:\WINDOWS\system32\{08026524-ADCF-41C1-955E-179AA9A443A5}.dat
2008-02-09 15:14 . 2008-02-09 15:14 32 --ahs---- C:\WINDOWS\{62956119-A394-4A40-B338-82024785660E}.dat
2008-02-09 15:13 . 2008-02-09 15:13 32 --ahs---- C:\WINDOWS\system32\{0BCDEC34-D9BE-4016-9B4C-A27AE8FF98DD}.dat
2008-02-09 15:13 . 2008-02-09 15:13 32 --ahs---- C:\WINDOWS\{0781DBA9-8D92-49E0-B1BC-B7250E2CE403}.dat
2008-02-09 15:12 . 2006-08-25 10:45 617,472 --a------ C:\WINDOWS\system32\COMCTL32.NU7
2008-02-09 15:12 . 2002-08-14 09:03 34,578 --a------ C:\WINDOWS\system32\drivers\NPDRIVER.SYS
2008-02-09 15:12 . 2002-08-14 09:03 31,744 --a------ C:\WINDOWS\system32\S32STAT.DLL
2008-02-09 15:12 . 2008-02-09 15:12 32 --ahs---- C:\WINDOWS\system32\{D0469130-AC30-4782-8CB7-80FB402B36CD}.dat
2008-02-09 15:12 . 2008-02-09 15:12 32 --ahs---- C:\WINDOWS\{AEEF3303-6814-431A-8543-A9C5F57F1C7A}.dat
2008-02-09 15:10 . 2002-08-14 18:03 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-02-09 15:10 . 2002-08-14 18:03 17,005 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-02-09 15:10 . 2002-08-14 18:03 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
2008-02-09 15:10 . 2002-08-14 18:03 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
2008-02-09 15:10 . 2008-02-09 15:10 32 --ahs---- C:\WINDOWS\system32\{1BE23CE5-13B0-4346-A7FC-48656F24ED7F}.dat
2008-02-09 15:10 . 2008-02-09 15:10 32 --ahs---- C:\WINDOWS\{BEF60247-EAF0-4A0A-B211-F2764F2DC675}.dat
2008-02-09 15:09 . 2008-02-09 15:12 <DIR> d-------- C:\Program Files\Symantec
2008-02-09 15:09 . 2008-02-09 15:32 <DIR> d-------- C:\Program Files\Norton SystemWorks
2008-02-09 15:09 . 2008-02-09 15:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-02-09 15:09 . 2008-02-09 15:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-09 15:09 . 2002-08-29 16:14 123,619 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-02-09 15:09 . 2002-08-29 16:14 83,672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-09 15:09 . 2002-08-29 16:14 73,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-09 15:09 . 2008-02-09 15:09 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-02-09 15:09 . 2008-02-09 15:09 14 --a------ C:\WINDOWS\system32\SR2.dat
2008-02-09 15:08 . 2008-02-09 15:31 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-09 15:08 . 1998-06-26 03:00 89,600 --a------ C:\WINDOWS\system32\MSCAL.OCX
2008-02-09 00:24 . 2008-02-09 00:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Thunderbird
2008-02-09 00:10 . 2002-04-11 23:21 13,335 --a------ C:\WINDOWS\system32\drivers\usbcm.sys
2008-02-08 21:52 . 2008-02-08 21:52 <DIR> d-------- C:\WINDOWS\Sun
2008-02-08 15:45 . 2008-02-08 15:45 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-08 03:52 . 2008-02-08 03:52 <DIR> d-------- C:\Program Files\Fisher
2008-02-08 03:06 . 2008-02-08 03:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Riverdeep Interactive Learning Limited
2008-02-08 01:46 . 2008-02-08 01:46 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SoundSpectrum
2008-02-08 01:22 . 2007-06-30 00:05 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-02-08 01:22 . 2007-09-25 02:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-08 01:21 . 2008-02-08 01:22 <DIR> d-------- C:\Program Files\Java
2008-02-08 01:20 . 2008-02-08 01:20 <DIR> d-------- C:\Program Files\GSpot
2008-02-08 01:19 . 2008-02-08 01:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-08 01:13 . 2008-02-08 01:13 60,416 --a------ C:\WINDOWS\ALCFDRTM.VER
2008-02-08 01:13 . 2008-02-08 01:13 60,416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2008-02-08 01:12 . 2004-06-18 12:15 7,506,432 --------- C:\WINDOWS\system32\RTLCPL.exe
2008-02-08 01:12 . 2004-02-24 05:08 400,384 --------- C:\WINDOWS\system32\drivers\alcxsens.sys
2008-02-08 01:12 . 2004-02-09 09:18 155,648 --------- C:\WINDOWS\system32\RtlCPAPI.dll
2008-02-08 01:12 . 2002-02-05 07:54 141,016 --------- C:\WINDOWS\system32\alsndmgr.wav
2008-02-08 01:12 . 2004-08-02 11:10 1,048 --------- C:\WINDOWS\system32\drivers\alcxinit.dat
2008-02-08 01:12 . 2004-06-28 05:01 176 --------- C:\WINDOWS\system32\drivers\alcxhweq.dat
2008-02-08 01:06 . 2008-02-08 01:06 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-02-08 01:06 . 2008-02-08 01:06 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-02-08 01:05 . 2008-02-08 01:13 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-02-08 00:59 . 2004-06-18 12:32 15,684,608 --------- C:\WINDOWS\system32\alsndmgr.cpl
2008-02-08 00:59 . 2007-03-23 18:19 9,715,200 --a------ C:\WINDOWS\RTLCPL.exe
2008-02-08 00:59 . 2005-05-03 19:43 69,632 --a------ C:\WINDOWS\Alcmtr.exe
2008-02-08 00:59 . 2004-06-18 12:31 67,584 --------- C:\WINDOWS\soundman.exe
2008-02-07 22:00 . 2008-02-08 01:53 <DIR> d-------- C:\Program Files\Web Publish
2008-02-07 22:00 . 2004-01-20 06:08 970,752 --a------ C:\WINDOWS\system32\cdintf210.dll
2008-02-07 21:58 . 2008-02-08 03:07 <DIR> d-------- C:\Program Files\PrintMaster 16
2008-02-07 21:58 . 2008-02-07 21:58 <DIR> d-------- C:\Program Files\Common Files\Broderbund
2008-02-07 21:58 . 2008-02-07 21:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Broderbund Software
2008-02-07 20:17 . 2008-02-13 21:06 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-02-07 19:46 . 2008-02-07 19:46 <DIR> d-------- C:\WINDOWS\Drivers
2008-02-07 19:16 . 2008-02-07 19:16 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
2008-02-07 19:16 . 2008-02-07 19:16 <DIR> d-------- C:\Program Files\Nero
2008-02-07 19:16 . 2008-02-07 19:16 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-02-07 19:16 . 2008-02-07 19:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2008-02-07 18:59 . 2008-02-07 18:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-02-07 17:52 . 2008-02-07 17:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-02-07 17:29 . 2008-02-08 17:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-07 17:16 . 2008-02-18 05:36 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-07 17:07 . 2008-02-07 17:07 <DIR> d-------- C:\WINDOWS\ShellNew
2008-02-07 17:07 . 2008-02-07 17:07 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-07 17:07 . 2008-02-07 17:07 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-07 16:52 . 1998-02-07 00:37 299,520 --a------ C:\WINDOWS\uninst.exe
2008-02-07 16:51 . 2008-02-07 16:51 <DIR> d-------- C:\Program Files\ArcSoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 20:50 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-02-07 20:50 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-02-07 20:50 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-07 19:37 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-02-07 17:02 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-04 21:58 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-01-04 21:58 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-01-04 21:58 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-22 23:13 1591808]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 22:40 2577632]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-07 13:15 579072]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 07:00 98304]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 22:20 866584]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 17:08 16380416 C:\WINDOWS\RTHDCPL.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-07 13:15 219136]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 22:05:35 360448]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 15:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 14:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-12 01:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-09-08 14:06 94208 C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2002-08-20 01:22 50880 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
--a------ 2002-08-20 01:23 34504 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
--a------ 2004-08-04 14:00 388608 C:\WINDOWS\system32\kmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 14:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
--a------ 2002-08-14 18:21 94208 C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2005-09-07 17:33 862720 C:\Program Files\Nero\Nero 7\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMBooster.Net]
C:\Program Files\RAMBooster.Net\RAMBooster.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2005-05-31 04:04 1415824 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 04:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinMem]
--a------ 2007-04-03 15:04 507392 C:\Program Files\WinCleaner Memory Optimizer\WinMemOpt.exe
R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2002-08-14 18:11]
S3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2002-08-14 09:03]
.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 14:33:52 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-16 05:38:51 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-02-18 14:55:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 09:55:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-18 9:56:00
ComboFix2.txt 2008-02-17 18:58:42
.
2008-02-13 21:24:35 --- E O F ---
Hope there is info in here that identifies the glich and suggests a quick, easy fix. I feel okay about touching resistry objects, which is the last part (and the part I don't try to fix myself). So walk me through it and I will be most appreciative. Or suggest another 'Fix' app to try.....whatever,
Thanks folks, you're the BEST !!
-scottportraits
Edited by scottportraits, 19 February 2008 - 07:01 PM.