DR/Dldr.Agent.Q.8, tr/spy.37888.A, tr/Dldr.WMA.Wimand.N [CLOSED]


This topic is locked

#1 Winter6879 (Member, 19 posts)

Hi,

I posted this on April 12th:

http://www.geekstogo...-N-t194645.html

Hi,

Thank you for taking the time to read this. I have reason to believe that my computer has a virus.

The following items came up on my last virus scan:
DR/Dldr.Agent.Q.8
tr/spy.37888.A
tr/Dldr.WMA.Wimand.N

Also I have an annoying beeping noise on my computer that just started yesterday.

Thanks again!!!
Nicole




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:41 PM, on 4/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topprodu...ds/msjavx86.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104291826123
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://upload.member...geUploader5.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.cust...l/java/RntX.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://www.hbo.com/c..._frilldress.jpg
O24 - Desktop Component 1: (no name) - http://www.hbo.com/c...e_charlotte.jpg
O24 - Desktop Component 2: (no name) - http://www.hbo.com/c..._inside_apt.jpg
O24 - Desktop Component 3: (no name) - https://www.insearch...ileens_bike.gif
O24 - Desktop Component 4: (no name) - http://ecx.images-am...B1L._AA240_.jpg

--
End of file - 7677 bytes




#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Please do not create a duplicate topic for this. This will just delay the staff more since we need to close the other topic up. Post in the Waiting Room instead next time if you don't get a response after 3 days' time has passed.

What scanner is picking those up and did it say where they were exactly?

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

#3 Winter6879 (Topic Starter, Member, 19 posts)

Hi,

Thank you so much for taking the time to respond. I thought I posted the 2nd request within the waiting room. I must have gotten lost along the way. Anyways, I did have full intention of posting in the waiting room.
Per your request, below is a log from ComboFix.
AntiVir was the antivirus program that had detected the infection. I did not write down where it was located, only the name.

Thanks again!

Nicole


ComboFix 08-04-18.3 - Nicole 2008-04-20 9:07:24.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.71 [GMT -4:00]
Running from: C:\Documents and Settings\Nicole\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nicole\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-18 18:54 . 2008-04-18 18:54 <DIR> d-------- C:\Documents and Settings\Nicole\Application Data\acccore
2008-04-18 18:54 . 2008-04-18 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-18 18:54 . 2008-04-18 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-04-18 18:53 . 2008-04-18 18:53 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2008-04-18 18:53 . 2008-04-18 20:28 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-04-18 18:52 . 2008-04-18 18:54 <DIR> d-------- C:\Program Files\AIM6
2008-04-18 18:50 . 2008-04-18 18:50 335 --a------ C:\WINDOWS\nsreg.dat
2008-04-18 18:49 . 2008-04-18 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-04-18 18:49 . 2008-04-18 18:54 1,396 --ah----- C:\IPH.PH
2008-04-18 18:49 . 2008-04-18 18:49 29 --a------ C:\WINDOWS\atid.ini
2008-04-16 22:49 . 2008-04-16 22:49 <DIR> d-------- C:\Program Files\Uniblue
2008-04-16 22:49 . 2008-04-16 22:49 <DIR> d-------- C:\Documents and Settings\Nicole\Application Data\Uniblue
2008-04-12 17:33 . 2008-04-12 17:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-12 17:25 . 2008-04-12 17:25 <DIR> d-------- C:\Deckard
2008-04-12 15:37 . 2008-04-12 17:13 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-04-12 14:25 . 2008-04-12 14:25 1,738 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-12 14:24 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-12 14:24 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-12 14:24 . 2008-04-12 17:34 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-12 14:24 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-12 14:24 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-12 14:24 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-12 14:24 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-12 14:05 . 2008-04-12 14:05 <DIR> d-------- C:\VundoFix Backups
2008-03-29 22:30 . 2008-03-29 22:30 <DIR> d-------- C:\thumbnails
2008-03-29 22:30 . 2008-03-29 22:31 <DIR> d-------- C:\images

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 13:27 --------- d-----w C:\Program Files\PestPatrol
2008-04-19 00:28 --------- d-----w C:\Program Files\AIM
2008-04-18 22:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-13 20:58 --------- d-----w C:\Program Files\LimeWire
2008-02-25 01:21 --------- d-----w C:\Program Files\WonderWebWare File Splitter
2007-04-28 14:10 104,040 ----a-w C:\Documents and Settings\Nicole\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-04-12_15.19.52.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-08-29 04:57:58 1,740 -c----w C:\WINDOWS\$NtServicePackUninstall$\dcache.bin
+ 2002-08-29 01:32:34 2,816 -c----w C:\WINDOWS\$NtServicePackUninstall$\drmkaud.sys
+ 2008-04-12 19:39:58 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll
+ 2008-04-12 19:39:58 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll
+ 2008-04-12 19:39:58 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll
+ 2008-04-12 19:40:00 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2008-01-09 19:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2008-01-09 19:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2008-04-12 19:40:00 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll
+ 2008-04-12 19:39:58 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll
+ 2008-01-09 19:01:48 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
+ 2008-04-20 13:12:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2006-05-31 15:06:51 2,494 ----a-r C:\WINDOWS\Installer\{69640730-B830-4C24-BB5C-222DA1260548}\ARPPRODUCTICON.exe
+ 2004-12-29 07:32:33 2,560 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2007-06-04 23:56:21 2,678 ----a-w C:\WINDOWS\java\Packages\Data\0Y1Z7FVR.DAT
+ 2007-06-04 23:56:21 2,678 ----a-w C:\WINDOWS\java\Packages\Data\6CE800V3.DAT
+ 2007-06-04 23:56:27 2,678 ----a-w C:\WINDOWS\java\Packages\Data\717L3FX7.DAT
+ 2007-06-04 23:56:22 2,678 ----a-w C:\WINDOWS\java\Packages\Data\WIMN1Z5B.DAT
+ 2007-06-04 23:56:30 2,232 ----a-w C:\WINDOWS\java\Packages\Data\ZRHR1JFP.DAT
+ 2007-06-04 23:56:20 2,678 ----a-w C:\WINDOWS\java\Packages\Data\ZZHJZV9V.DAT
+ 2004-08-04 08:07:21 1,788 ------w C:\WINDOWS\ServicePackFiles\i386\dcache.bin
+ 2004-08-04 06:07:57 2,944 ------w C:\WINDOWS\ServicePackFiles\i386\drmkaud.sys
+ 1997-02-28 07:00:02 2,486 ------w C:\WINDOWS\system\AS16POST.BIN
+ 2001-08-23 13:00:00 2,000 ----a-w C:\WINDOWS\system\KEYBOARD.DRV
+ 2001-08-23 13:00:00 2,032 ----a-w C:\WINDOWS\system\MOUSE.DRV
+ 2001-08-23 13:00:00 1,744 ----a-w C:\WINDOWS\system\SOUND.DRV
+ 2001-08-23 13:00:00 2,176 ----a-w C:\WINDOWS\system\VGA.DRV
+ 2004-08-04 08:07:21 1,788 ----a-w C:\WINDOWS\system32\dcache.bin
+ 2001-08-23 13:00:00 2,000 -c--a-w C:\WINDOWS\system32\dllcache\keyboard.drv
+ 2001-08-23 13:00:00 2,560 -c--a-w C:\WINDOWS\system32\dllcache\lz32.dll
+ 2001-08-23 13:00:00 2,032 -c--a-w C:\WINDOWS\system32\dllcache\mouse.drv
+ 2001-08-23 13:00:00 2,944 -c--a-w C:\WINDOWS\system32\dllcache\null.sys
+ 2001-08-23 13:00:00 1,744 -c--a-w C:\WINDOWS\system32\dllcache\sound.drv
+ 2001-08-23 13:00:00 2,176 -c--a-w C:\WINDOWS\system32\dllcache\vga.drv
+ 2001-08-23 13:00:00 2,864 -c--a-w C:\WINDOWS\system32\dllcache\winsock.dll
+ 2001-08-23 13:00:00 2,112 -c--a-w C:\WINDOWS\system32\dllcache\winspool.exe
+ 2001-08-23 13:00:00 2,736 -c--a-w C:\WINDOWS\system32\dllcache\wowdeb.exe
- 2007-10-10 19:48:01 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2008-04-17 17:40:04 79,424 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2004-08-04 06:07:57 2,944 ----a-w C:\WINDOWS\system32\drivers\drmkaud.sys
+ 2001-08-23 13:00:00 2,944 ----a-w C:\WINDOWS\system32\drivers\null.sys
+ 2001-08-23 13:00:00 2,000 ----a-w C:\WINDOWS\system32\keyboard.drv
+ 2001-08-23 13:00:00 2,560 ----a-w C:\WINDOWS\system32\lz32.dll
+ 2001-08-23 13:00:00 2,032 ----a-w C:\WINDOWS\system32\mouse.drv
+ 2001-08-23 13:00:00 2,656 ----a-w C:\WINDOWS\system32\netware.drv
+ 2001-08-23 13:00:00 1,744 ----a-w C:\WINDOWS\system32\sound.drv
+ 2004-12-28 19:08:51 1,536 ----a-w C:\WINDOWS\system32\TrueSoft.dat
+ 2001-08-23 13:00:00 2,176 ----a-w C:\WINDOWS\system32\vga.drv
+ 2001-08-23 13:00:00 2,864 ----a-w C:\WINDOWS\system32\winsock.dll
+ 2001-08-23 13:00:00 2,112 ----a-w C:\WINDOWS\system32\winspool.exe
+ 2001-08-23 13:00:00 2,736 ----a-w C:\WINDOWS\system32\wowdeb.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 22:36 1207080]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 12:06 292152]
"PPMemCheck"="C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 11:53 148480]
"PestPatrol Control Center"="C:\PROGRA~1\PESTPA~1\PPControl.exe" [2004-11-15 15:49 98304]
"CookiePatrol"="C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [2003-05-30 03:47 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-17 01:20:35 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 05:01:04 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-12-08 18:50 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti Trojan Elite]
--a------ 2006-05-10 05:46 852992 C:\Program Files\Anti Trojan Elite\TJEnder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2008-04-17 13:39 262401 C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CookiePatrol]
--a------ 2003-05-30 03:47 69632 C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 22:36 1207080 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 15:49 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrol Control Center]
--a------ 2004-11-15 15:49 98304 C:\PROGRA~1\PESTPA~1\PPControl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrolCL]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPMemCheck]
--a------ 2003-04-19 11:53 148480 C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 18:36]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 09:28]
S3 ATE_PROCMON;ATE_PROCMON;C:\Program Files\Anti Trojan Elite\ATEPMon.sys [2004-09-10 04:05]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 09:27:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-04-20 9:33:09 - machine was rebooted [Nicole]
ComboFix-quarantined-files.txt 2008-04-20 13:32:55
ComboFix2.txt 2008-04-12 19:20:30
ComboFix3.txt 2007-10-20 02:33:46

Pre-Run: 1,497,206,784 bytes free
Post-Run: 1,469,243,392 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

217 --- E O F --- 2008-04-11 07:04:53

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

What's inside these two folders:

C:\thumbnails
C:\images


Everything else comes up clean. Run the AntiVir scan again and try to get a log (or copy what it found) and post it here. I need to know the location of the infected files/entries.
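The first-pass questions a helper pulls out of logs like the ones above (recently created items directly under C:\, such as C:\thumbnails and C:\images; the O10 Winsock LSP line; the Security Center "disable" values; a per-user proxy), as an added example that is not part of this thread and not code from the HijackThis or ComboFix projects. The sample lines are copied from the posted logs; the finding categories and wording are my own.

```python
"""First-pass triage of the ComboFix and HijackThis logs posted in this thread."""
import re
from dataclasses import dataclass

# Constructed samples: lines copied from the logs posted above.
COMBOFIX_CREATED = r"""
2008-04-18 18:49 . 2008-04-18 18:54 1,396 --ah----- C:\IPH.PH
2008-04-12 17:33 . 2008-04-12 17:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-12 14:05 . 2008-04-12 14:05 <DIR> d-------- C:\VundoFix Backups
2008-03-29 22:30 . 2008-03-29 22:30 <DIR> d-------- C:\thumbnails
2008-03-29 22:30 . 2008-03-29 22:31 <DIR> d-------- C:\images
"""
COMBOFIX_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
"""
HIJACKTHIS = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
"""

@dataclass(frozen=True)
class Finding:
    kind: str  # report category (names are mine, not ComboFix's or HijackThis')
    item: str  # the path, registry value or setting the finding is about
    why: str   # the question a helper would put back to the user

# ComboFix "Files Created" line: created . modified  size|<DIR>  attrs  path
_CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{9}) (?P<path>.+)$")

def parse_created(section: str) -> list[dict[str, str]]:
    """One dict per parsable 'Files Created' line; anything else is skipped."""
    matches = (_CREATED_RE.match(line.strip()) for line in section.splitlines())
    return [m.groupdict() for m in matches if m]

def root_level_findings(entries: list[dict[str, str]]) -> list[Finding]:
    """Items created directly under the drive root are unusual for ordinary software."""
    out = []
    for e in entries:
        drive, _, rest = e["path"].partition("\\")
        if len(drive) == 2 and drive[1] == ":" and "\\" not in rest:
            what = "directory" if e["size"] == "<DIR>" else "file"
            if "h" in e["attrs"]:  # ComboFix shows hidden items with an 'h' attribute
                what = "hidden " + what
            out.append(Finding("root-level", e["path"],
                               f"{what} created {e['created']}: did you create it, and what is inside?"))
    return out

def parse_reg(block: str) -> dict[str, dict[str, str]]:
    """Minimal REGEDIT4 reader: {lower-cased key: {value name: raw value}}."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in (raw.strip() for raw in block.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys

def security_center_findings(keys: dict[str, dict[str, str]]) -> list[Finding]:
    """Values that silence Security Center are set by many AV suites, but also hide a disabled AV/firewall."""
    out = []
    for key, values in keys.items():
        if key.startswith("hkey_local_machine\\software\\microsoft\\security center"):
            for name, value in values.items():
                if "disable" in name.lower() and value.lower() == "dword:00000001":
                    out.append(Finding("security-center", f"{key}\\{name}",
                                       "warning suppressed: which security product set this?"))
    return out

def hijackthis_findings(log: str) -> list[Finding]:
    """O10 (unknown LSP) and per-user proxy lines are the HijackThis items worth a question."""
    out = []
    for line in (raw.strip() for raw in log.splitlines()):
        if line.startswith("O10 - Unknown file in Winsock LSP:"):
            out.append(Finding("winsock-lsp", line.split(":", 1)[1].strip(),
                               "LSP not on HijackThis' known list: identify the DLL before touching it"))
        elif line.startswith("R1 - ") and ",ProxyServer = " in line:
            out.append(Finding("proxy", line.split(" = ", 1)[1],
                               "per-user proxy configured: did you or your ISP set it?"))
    return out

def triage(created: str, reg: str, hjt: str) -> list[Finding]:
    """Run all three checks and return the findings in report order."""
    return (root_level_findings(parse_created(created))
            + security_center_findings(parse_reg(reg)) + hijackthis_findings(hjt))
```

Calling triage(COMBOFIX_CREATED, COMBOFIX_REG, HIJACKTHIS) on the samples yields four root-level items (one of them a hidden file), the two Security Center values, the nwprovau.dll LSP entry and the proxy setting, each with the question to put to the poster.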

#5 Winter6879 (Topic Starter, Member, 19 posts)

Nothing is in those 2 folders.

Here is the log:

Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: NICOLE-G4M6RZC5

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 4/9/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 4/17/2008 17:39:57
AVSCAN.DLL : 8.1.1.0 53505 Bytes 4/17/2008 17:39:57
LUKE.DLL : 8.1.2.9 151809 Bytes 4/17/2008 17:40:00
LUKERES.DLL : 8.1.2.1 12033 Bytes 4/17/2008 17:40:00
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 04:12:14
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 15:46:25
ANTIVIR2.VDF : 7.0.3.156 795136 Bytes 4/11/2008 15:46:25
ANTIVIR3.VDF : 7.0.3.191 360960 Bytes 4/21/2008 10:30:38
Engineversion : 8.1.0.32
AEVDF.DLL : 8.1.0.5 102772 Bytes 4/17/2008 17:40:03
AESCRIPT.DLL : 8.1.0.26 233850 Bytes 4/18/2008 17:32:58
AESCN.DLL : 8.1.0.14 119156 Bytes 4/18/2008 17:32:53
AERDL.DLL : 8.1.0.19 418164 Bytes 4/17/2008 17:40:03
AEPACK.DLL : 8.1.1.2 364917 Bytes 4/18/2008 17:32:49
AEOFFICE.DLL : 8.1.0.18 192890 Bytes 4/18/2008 17:32:41
AEHEUR.DLL : 8.1.0.18 1167735 Bytes 4/17/2008 17:40:02
AEHELP.DLL : 8.1.0.14 115063 Bytes 4/18/2008 17:32:37
AEGEN.DLL : 8.1.0.17 299380 Bytes 4/18/2008 17:32:35
AEEMU.DLL : 8.1.0.5 430450 Bytes 4/17/2008 17:40:02
AECORE.DLL : 8.1.0.27 168310 Bytes 4/18/2008 17:32:29
AVWINLL.DLL : 1.0.0.7 14593 Bytes 4/17/2008 17:39:57
AVPREF.DLL : 8.0.0.1 25857 Bytes 4/17/2008 17:39:57
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 18:16:24
AVREG.DLL : 8.0.0.0 30977 Bytes 4/17/2008 17:39:57
AVARKT.DLL : 1.0.0.23 307457 Bytes 4/17/2008 17:39:56
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 4/17/2008 17:39:57
SQLITE3.DLL : 3.3.17.1 339968 Bytes 4/17/2008 17:40:01
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 4/17/2008 17:40:01
NETNT.DLL : 8.0.0.1 7937 Bytes 4/17/2008 17:40:00
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 4/17/2008 17:39:45
RCTEXT.DLL : 8.0.32.0 86273 Bytes 4/17/2008 17:39:45

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: C:\Program Files\AntiVir PersonalEdition Classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Monday, April 21, 2008 18:44

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'rapimgr.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'wcescomm.exe' - '1' Module(s) have been scanned
Scan process 'CookiePatrol.exe' - '1' Module(s) have been scanned
Scan process 'PPControl.exe' - '1' Module(s) have been scanned
Scan process 'PPMemCheck.exe' - '1' Module(s) have been scanned
Scan process 'WinPatrol.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'WgaTray.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'pctspk.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
33 processes with 33 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '33' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!


End of the scan: Monday, April 21, 2008 19:37
Used time: 53:29 min

The scan has been done completely.

5972 Scanning directories
261308 Files were scanned
0 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
261308 Files not concerned
1416 Archives were scanned
3 Warnings
0 Notes

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

You may delete these two folders unless you created them yourself:

C:\thumbnails
C:\images


It looks like the scan comes up clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run and copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#7 Winter6879 (Topic Starter, Member, 19 posts)

I've been having a problem with the computer beeping at me every time something loads. I didn't change any settings to make this sound. It started happening when AntiVir pulled up those threats. Do you think it is connected? How can I make it stop?

Thanks,

Nicole

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Is it beeping every time something loads or when certain things load? Monitor it to see if it's only happening to certain things. Also see if you can remember what you did recently before this problem occurred. It could be a program blocking something...

#9 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.