Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Malware [CLOSED]

Started by tglloyd , Apr 11 2008 10:37 AM

  • This topic is locked This topic is locked

#1
tglloyd
Posted 11 April 2008 - 10:37 AM

tglloyd

    New Member

  • Member
  • Pip
  • 2 posts
I can't run Windows Media Player. When I try to open it a dialog box pops up and says there is a virus. Im not completely sure if it means theres a virus or if there is just something wrong with the program. We are also having a problem un-installing my current, but out of date, virus protection(shtat.exe). We would like to install new updated protection instead. I went through all of the malware removal tips that I was given. Here is my hijack log. Thanks for all the help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:47 AM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dmacc.edu/mylogin.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {2B102984-10AC-49B1-B81C-F3DB0CDAF512} - (no file) (HKCU)
O9 - Extra button: (no name) - {6E19E843-24C4-439C-A7FF-EDF7B097EA5B} - (no file) (HKCU)
O9 - Extra button: (no name) - {6EB95393-4786-4DAA-A875-99124A40DC19} - (no file) (HKCU)
O9 - Extra button: (no name) - {8E4F7131-BF3A-4125-8B20-B399624ED09C} - (no file) (HKCU)
O9 - Extra button: (no name) - {95F639D4-2B17-4650-B940-635B82F477D5} - (no file) (HKCU)
O9 - Extra button: (no name) - {C50A9BE3-DB08-428A-B0C7-5F3ABC8B163A} - C:\WINDOWS\system32\NCXPNT794g.dll (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1155851711769
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab30149.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave...outLauncher.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...ploader_v10.cab
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - http://sjc-static12....Z9QE4-Egs/2.jpg
O24 - Desktop Component 1: (no name) - http://www.pmalladmi...p;value2=Shelby

--
End of file - 10275 bytes
  • 0

Advertisements

#2
greyknight17
Posted 14 April 2008 - 08:57 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {2B102984-10AC-49B1-B81C-F3DB0CDAF512} - (no file) (HKCU)
O9 - Extra button: (no name) - {6E19E843-24C4-439C-A7FF-EDF7B097EA5B} - (no file) (HKCU)
O9 - Extra button: (no name) - {6EB95393-4786-4DAA-A875-99124A40DC19} - (no file) (HKCU)
O9 - Extra button: (no name) - {8E4F7131-BF3A-4125-8B20-B399624ED09C} - (no file) (HKCU)
O9 - Extra button: (no name) - {95F639D4-2B17-4650-B940-635B82F477D5} - (no file) (HKCU)
O9 - Extra button: (no name) - {C50A9BE3-DB08-428A-B0C7-5F3ABC8B163A} - C:\WINDOWS\system32\NCXPNT794g.dll (file missing) (HKCU)

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
  • 0

#3
tglloyd
Posted 17 April 2008 - 08:08 PM

tglloyd

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
I had problems trying to start the recovery console up on the computer because my xp cd has a huge scratch in the middle of it. I can try and buy another one or borrow one if necessary but i was able to download and start combofix and here is the log.

ComboFix 08-04-16.5 - Trevor 2008-04-17 20:44:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.241 [GMT -5:00]
Running from: C:\Documents and Settings\Trevor\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url
C:\Documents and Settings\Trevor\Application Data\SpamBlocker
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\MUZAoDA.cfg
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\MUZAoDA0.che
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\MUZAoDA1.che
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\MUZAoDA2.che
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\MUZAoDA3.che
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\MUZAoDA4.che
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\MUZAoDA5.che
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\MUZAoDA6.che
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\MUZAoDA7.che
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\MUZAoDA8.che
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\MUZAoDA9.che
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\wnsintsu.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-14 10:53 . 2006-11-23 15:54 1,808 --a------ C:\WINDOWS\SYSTEM32\subst.inf
2008-04-13 15:32 . 2008-04-13 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ArcSoft
2008-04-13 15:15 . 2008-04-16 22:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-13 15:15 . 2008-04-13 15:15 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-13 15:12 . 2008-04-13 15:21 <DIR> d-------- C:\Documents and Settings\Trevor\Application Data\ArcSoft
2008-04-13 13:05 . 2008-04-13 13:05 <DIR> d-------- C:\Documents and Settings\Trevor\Application Data\Panasonic
2008-04-13 12:54 . 2008-04-13 12:54 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-13 12:54 . 2008-04-13 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-13 12:48 . 2008-04-13 12:48 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-04-13 12:48 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\afc.sys
2008-04-13 12:48 . 2008-04-13 12:48 26 --a------ C:\UpdaterforApp.ini
2008-04-13 12:47 . 2008-04-13 12:59 <DIR> d-------- C:\WINDOWS\SYSTEM32\MediaImpression Slideshow
2008-04-13 12:47 . 2007-02-13 11:22 126,976 --a------ C:\WINDOWS\SYSTEM32\MediaImpression Slideshow.scr
2008-04-13 12:46 . 2008-04-13 12:46 <DIR> d-------- C:\Program Files\ArcSoft
2008-04-13 12:44 . 2008-04-13 12:44 <DIR> d-------- C:\Program Files\Panasonic
2008-04-13 12:44 . 2005-03-07 19:44 45,056 --a------ C:\WINDOWS\SYSTEM32\PhDi2.sys
2008-04-11 11:28 . 2008-04-11 11:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-10 20:01 . 2008-04-14 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-07 15:51 . 2008-04-07 15:52 23,392 --a------ C:\WINDOWS\SYSTEM32\nscompat.tlb
2008-04-07 15:51 . 2008-04-07 15:52 16,832 --a------ C:\WINDOWS\SYSTEM32\amcompat.tlb
2008-04-03 18:54 . 2008-04-03 18:54 <DIR> d-------- C:\Program Files\MarkAny

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 03:23 --------- d-----w C:\Program Files\LimeWire
2008-04-15 18:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 15:43 --------- d-----w C:\Program Files\Common Files\Network Associates
2008-04-13 18:03 --------- d-----w C:\Program Files\QuickTime
2008-04-13 17:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-13 17:53 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-11 02:04 --------- d-----w C:\Program Files\MyFree Codec
2008-04-11 01:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-11 01:33 --------- d-----w C:\Program Files\Lavasoft
2008-04-11 01:33 --------- d-----w C:\Documents and Settings\Trevor\Application Data\Lavasoft
2008-04-10 23:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-07 20:51 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-28 01:22 33,952 -c--a-w C:\Documents and Settings\Trevor\Application Data\GDIPFONTCACHEV1.DAT
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-21 19:12 --------- d-----w C:\Documents and Settings\Trevor\Application Data\U3
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2004-09-08 17:36 372,736 --sha-r C:\WINDOWS\SYSTEM32\t?skmgr.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 15:32 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-26 12:01 4632576]
"nwiz"="nwiz.exe" [2004-10-26 12:01 921600 C:\WINDOWS\SYSTEM32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 14:12 290816]
"ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [2005-07-05 02:32 639040]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 09:31 135168]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 17:21 132624]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-30 20:36 57344]
"ArcSoft Connection Service"="C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-10 17:18 100864]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 01:37:10 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 02:06:58 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
PHOTOfunSTUDIO -viewer-.lnk - C:\Program Files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe [2008-04-13 12:44:36 40960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2005-07-05 02:33 188482 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAClient]
-ra------ 2003-05-06 02:42 176128 C:\Program Files\Mediacom\BBClient\Programs\RegCon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\SYSTEM32\\muzapp.exe"=
"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\javaw.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R2 ACDaemon;ArcSoft Connect Daemon;C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2008-04-10 17:19]
S3 LxrSG20d;LxrSG20d;C:\WINDOWS\System32\Drivers\LxrSG20d.sys [2004-11-17 09:18]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-11-22 21:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68813be1-e0af-11dc-9a31-000cf13d3fe1}]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 02:13:05 C:\WINDOWS\Tasks\Ad-Aware SE Personal.job"
- C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Aware.exe
"2008-04-13 17:54:26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-07 02:13:05 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\SYSTEM32\cleanmgr.exe
"2008-04-10 23:41:50 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.20.2.sxt _RegistrationOffer@16
"2008-03-26 01:39:02 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1197410594.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-07 02:13:05 C:\WINDOWS\Tasks\Spybot - Search & Destroy.job"
- C:\PROGRA~1\SPYBOT~1\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 20:56:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-17 21:00:58
ComboFix-quarantined-files.txt 2008-04-18 02:00:35

Pre-Run: 1,954,910,208 bytes free
Post-Run: 3,504,472,064 bytes free
.
2008-04-09 12:27:38 --- E O F ---



Thanks again for your help,
Trevor Lloyd
  • 0

#4
greyknight17
Posted 17 April 2008 - 08:57 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Download OTMoveIt2 at http://download.blee...r/OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\SYSTEM32\t?skmgr.exe /u

* Return to OTMoveIt2. Right click in the Paste List of Files/Folders to Move window (under the Yellow bar) and choose Paste.
* Click the red Moveit! button.
* A log of files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

No need to use the CD. Go back to that site where you downloaded Combofix and skip the CD part...go with the manual recovery console utility download instead (as if you don't have the CD :)). Install the recovery console...it should give you a new log. If not, run Combofix again.

How is the computer running so far?
  • 0

#5
greyknight17
Posted 23 April 2008 - 10:33 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP