Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Problem with pop ups about windows/command32/cmd.exe

Started by ast2007 , Apr 16 2008 06:53 AM

  • Please log in to reply

#1
ast2007
Posted 16 April 2008 - 06:53 AM

ast2007

    Member

  • Member
  • PipPip
  • 13 posts
I really don't know what the problem is. I keep getting command prompt windows that pop up all the time and lots of ads that pop up. I have run spybot but I think I may have cause more problems rather than fixing it because it always asks me to allow or deny changes and I don't know which one to choose. I also did the IEDefender. I am going to do the ATF Cleaner next.

ETA: I ran the ATF Cleaner and Malwarebytes' Anti-Malware

Edited by ast2007, 16 April 2008 - 07:59 AM.

  • 0

Advertisements

#2
kahdah
Posted 16 April 2008 - 10:05 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello ast2007

Welcome to G2Go. :)
=====================
* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click on I agree
  • Then Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

  • 0

#3
ast2007
Posted 16 April 2008 - 10:51 AM

ast2007

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here you go! Thanks!

_____________________________________




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:53 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\dldocoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: (no name) - {1B3CE736-8444-49CE-A98F-ECD9E2BE3DC2} - (no file)
O2 - BHO: (no name) - {24A364E7-2BDB-4801-BA7A-DDB550B24420} - (no file)
O2 - BHO: (no name) - {2ffcab8a-aa1f-4602-9ef8-362705b3a5f7} - (no file)
O2 - BHO: (no name) - {3EBBD0F6-1F1F-48A0-89DC-C7505D56E92A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {630C3131-33AF-4978-B88F-B5D60A5EC176} - C:\WINDOWS\system32\ljJDTNHW.dll (file missing)
O2 - BHO: (no name) - {63AB48C9-01A8-495C-8194-A715DB8A37A2} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7D68E5CA-D46E-4755-91B8-301BA50A52D8} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {BAA03D82-454E-4561-88C0-3EA7D4324E92} - (no file)
O2 - BHO: (no name) - {BCA95E31-1FBF-4F84-8F23-1BA653007A1E} - (no file)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: gooochi browser optimizer - {f2fe6cc2-e461-548b-2c62-064956ebc700} - C:\WINDOWS\system32\{4f09176d-5e4a-14fd-bafb-9348a34aebd8}.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{4f09176d-5e4a-14fd-bafb-9348a34aebd8}.dll" DllInit
O4 - HKLM\..\RunOnce: [SpybotDeletingC4366] cmd /c del "C:\WINDOWS\Fonts\'\!Easy ScreenSaver Studio 4.0.zip"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5150] command /c del "C:\WINDOWS\Fonts\'\007 - Tomorrow Never Dies DVDR.zip"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB9926] command /c del "C:\WINDOWS\Fonts\'\#1 DVD Audio Ripper 1.2.50.zip"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3836] cmd /c del "C:\WINDOWS\Fonts\'\#1 DVD Audio Ripper 1.2.50.zip"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1637] command /c del "C:\WINDOWS\Fonts\'\#1 DVD Ripper 7.2.1.zip"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4929] cmd /c del "C:\WINDOWS\Fonts\'\#1 DVD Ripper 7.2.1.zip"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5919] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5519] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB431] command /c del "C:\WINDOWS\system32\emxpqhmp.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3493] cmd /c del "C:\WINDOWS\system32\emxpqhmp.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB268] command /c del "C:\WINDOWS\system32\kalaaadu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3539] cmd /c del "C:\WINDOWS\system32\kalaaadu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6854] command /c del "C:\WINDOWS\system32\shwkhrth.dll_old"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O4 - Global Startup: Windstream Broadband Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://care.alltel.com
O16 - DPF: ActiveGS.cab - http://www.virtualap...rg/activegs.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/...nx.1.0.0.87.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.a...aller_2-0-0.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective....torLauncher.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...wlscbase370.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1208137568875
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmai..._downloader.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/...no.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/...O1.cab55579.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/d...kimi_plugin.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://sympatico.zon...PA.cab55579.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: rqRLdDWp - rqRLdDWp.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dldoCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe
O23 - Service: dldo_device - - C:\WINDOWS\system32\dldocoms.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Dell Games\Dell Game Console\GameConsoleService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 14741 bytes
  • 0

#4
kahdah
Posted 16 April 2008 - 10:58 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You Have 2 antivirus programs running.
Please uninstall either Windows Live one care or Trend Micro Internet Security.
Having 2 of these lessen your protection and can also further lock up the computer.
=======================================================
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#5
ast2007
Posted 16 April 2008 - 01:28 PM

ast2007

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:23:24 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\dldocoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {630C3131-33AF-4978-B88F-B5D60A5EC176} - C:\WINDOWS\system32\ljJDTNHW.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: gooochi browser optimizer - {f2fe6cc2-e461-548b-2c62-064956ebc700} - C:\WINDOWS\system32\{4f09176d-5e4a-14fd-bafb-9348a34aebd8}.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O4 - Global Startup: Windstream Broadband Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://care.alltel.com
O16 - DPF: ActiveGS.cab - http://www.virtualap...rg/activegs.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/...nx.1.0.0.87.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.a...aller_2-0-0.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective....torLauncher.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1208137568875
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmai..._downloader.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/...no.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/...O1.cab55579.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/d...kimi_plugin.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://sympatico.zon...PA.cab55579.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: rqRLdDWp - rqRLdDWp.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dldoCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe
O23 - Service: dldo_device - - C:\WINDOWS\system32\dldocoms.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Dell Games\Dell Game Console\GameConsoleService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 11768 bytes



----------------------------------------------------------------------------------------------------------------------



ComboFix 08-04-15.8 - Jay and April 2008-04-16 13:27:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.354 [GMT -4:00]
Running from: C:\Documents and Settings\Jay and April\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dcads_sidebar.dll
C:\WINDOWS\system32\dcads_sidebar_uninstall.exe
C:\WINDOWS\system32\drivers\fipss.sys
C:\WINDOWS\system32\dtyrxtvu.dll
C:\WINDOWS\system32\fooybrsy.dll
C:\WINDOWS\system32\GjRBKRqr.ini
C:\WINDOWS\system32\GjRBKRqr.ini2
C:\WINDOWS\system32\jggoxikt.ini
C:\WINDOWS\system32\lugdyein.dll
C:\WINDOWS\system32\MpoXHkkj.ini
C:\WINDOWS\system32\MpoXHkkj.ini2
C:\WINDOWS\system32\nhsfbjgc.dll
C:\WINDOWS\system32\ocubcjpw.ini
C:\WINDOWS\system32\onygvvhd.ini
C:\WINDOWS\system32\pmhqpxme.ini
C:\WINDOWS\system32\qjghbcqc.dll
C:\WINDOWS\system32\uFeLoUvw.ini
C:\WINDOWS\system32\uFeLoUvw.ini2
C:\WINDOWS\system32\vfwjersx.dll
C:\WINDOWS\system32\WGMSDJjl.ini
C:\WINDOWS\system32\WGMSDJjl.ini2
C:\WINDOWS\system32\WHNTDJjl.ini
C:\WINDOWS\system32\WHNTDJjl.ini2
C:\WINDOWS\system32\x64
C:\WINDOWS\system32\ydypdlmw.dll
C:\WINDOWS\system32\ylubekvx.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FIPSS
-------\Service_fipss


((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-16 09:06 . 2008-04-16 09:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-16 09:06 . 2008-04-16 09:06 <DIR> d-------- C:\Documents and Settings\Jay and April\Application Data\Malwarebytes
2008-04-16 09:06 . 2008-04-16 09:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-16 08:34 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-16 08:34 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-16 08:34 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-16 08:34 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-16 08:34 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-16 08:34 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-14 20:41 . 2008-04-14 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-04-14 13:31 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-14 13:31 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-13 19:38 . 2008-04-13 19:38 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-13 19:38 . 2007-03-29 08:56 409,600 --------- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-04-13 19:38 . 2007-03-29 08:56 18,944 --------- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-04-13 19:38 . 2007-03-29 08:56 8,192 --------- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-04-13 19:38 . 2007-03-29 08:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-04-13 19:38 . 2007-03-29 08:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-04-13 19:38 . 2007-03-29 08:56 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-04-13 18:30 . 2008-04-13 22:20 646 --ahs---- C:\WINDOWS\system32\gutoghbs.ini
2008-04-13 17:02 . 2008-04-13 17:02 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-13 16:42 . 2008-04-13 16:42 <DIR> dr-h----- C:\Documents and Settings\Admin\Application Data\yahoo!
2008-04-13 16:39 . 2008-04-13 19:09 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-13 16:24 . 2008-04-13 16:30 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\StumbleUpon
2008-04-13 16:22 . 2006-11-28 03:16 <DIR> d--h----- C:\Documents and Settings\Admin\Application Data\Gtek
2008-04-13 16:22 . 2008-04-14 20:42 <DIR> d-------- C:\Documents and Settings\Admin
2008-04-12 10:17 . 2008-04-12 10:17 167,545 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-04-11 09:27 . 2008-04-11 09:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-11 09:27 . 2008-04-11 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-11 02:43 . 2008-04-11 02:43 9,662 --a------ C:\WINDOWS\system32\vaio3-011.ico
2008-04-11 02:38 . 2008-04-15 10:20 101,168 --a------ C:\WINDOWS\BM570bc053.xml
2008-04-10 22:42 . 2008-04-10 22:42 9,662 --a------ C:\WINDOWS\system32\iphone-6y.ico
2008-04-10 18:41 . 2008-04-10 18:41 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-04-10 14:43 . 2008-04-10 14:43 298,311 --a------ C:\WINDOWS\system32\gside.exe
2008-04-10 14:38 . 2008-04-10 16:00 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\StumbleUpon
2008-04-10 14:35 . 2008-04-10 14:35 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-04-10 14:32 . 2008-04-13 19:06 <DIR> d--hs---- C:\WINDOWS\SmF5IGFuZCBBcHJpbA
2008-04-10 14:32 . 2008-04-10 14:32 <DIR> d-------- C:\Temp\wdlw14
2008-04-10 14:32 . 2008-04-10 14:32 40,713 --a------ C:\WINDOWS\system32\cpmsky-uninst.exe
2008-04-10 14:32 . 2008-04-11 15:13 937 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-04-07 12:30 . 2008-04-07 12:30 330,240 --a------ C:\WINDOWS\system32\{4f09176d-5e4a-14fd-bafb-9348a34aebd8}.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 16:50 --------- d-----w C:\Program Files\Trend Micro
2008-04-16 14:03 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-16 13:05 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-11 19:33 --------- d-----w C:\Program Files\GemMaster
2008-04-11 19:33 --------- d-----w C:\Program Files\BenefitBarIE
2008-04-11 13:06 --------- d-----w C:\Program Files\Incomplete
2008-04-11 13:03 --------- d-----w C:\Program Files\LimeWire
2008-04-06 18:44 --------- d-----w C:\Documents and Settings\Jay and April\Application Data\Corel
2008-03-28 22:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-28 21:04 0 ----a-w C:\Program Files\temp01
2008-03-10 23:24 --------- d-----w C:\Documents and Settings\Jay and April\Application Data\StumbleUpon
2008-03-04 23:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-04 23:05 --------- d-----w C:\Program Files\3D Home Architect
2008-02-27 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-02-23 23:20 --------- d-----w C:\Program Files\Coupons
2008-02-17 20:47 251 ----a-w C:\Program Files\wt3d.ini
2008-01-31 18:27 1,377,872 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2007-09-16 13:49 110 ----a-w C:\Documents and Settings\All Users\Application Data\MostFunGameId.bin
2007-05-17 14:41 118,248 ----a-w C:\Documents and Settings\Jay and April\Application Data\GDIPFONTCACHEV1.DAT
2007-03-13 17:12 164 ----a-w C:\Documents and Settings\Jay and April\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1B3CE736-8444-49CE-A98F-ECD9E2BE3DC2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24A364E7-2BDB-4801-BA7A-DDB550B24420}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2ffcab8a-aa1f-4602-9ef8-362705b3a5f7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3EBBD0F6-1F1F-48A0-89DC-C7505D56E92A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{630C3131-33AF-4978-B88F-B5D60A5EC176}]
C:\WINDOWS\system32\ljJDTNHW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63AB48C9-01A8-495C-8194-A715DB8A37A2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D68E5CA-D46E-4755-91B8-301BA50A52D8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BAA03D82-454E-4561-88C0-3EA7D4324E92}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCA95E31-1FBF-4F84-8F23-1BA653007A1E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f2fe6cc2-e461-548b-2c62-064956ebc700}]
2008-04-07 12:30 330240 --a------ C:\WINDOWS\system32\{4f09176d-5e4a-14fd-bafb-9348a34aebd8}.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB9926"="command /c del C:\WINDOWS\Fonts\'\#1 DVD Audio Ripper 1.2.50.zip" [ ]
"SpybotDeletingD3836"="cmd /c del C:\WINDOWS\Fonts\'\#1 DVD Audio Ripper 1.2.50.zip" [ ]
"SpybotDeletingB1637"="command /c del C:\WINDOWS\Fonts\'\#1 DVD Ripper 7.2.1.zip" [ ]
"SpybotDeletingD4929"="cmd /c del C:\WINDOWS\Fonts\'\#1 DVD Ripper 7.2.1.zip" [ ]
"SpybotDeletingB5919"="command /c del C:\WINDOWS\system32\drivers\core.cache.dsk" [ ]
"SpybotDeletingD5519"="cmd /c del C:\WINDOWS\system32\drivers\core.cache.dsk" [ ]
"SpybotDeletingB431"="command /c del C:\WINDOWS\system32\emxpqhmp.dll_old" [ ]
"SpybotDeletingD3493"="cmd /c del C:\WINDOWS\system32\emxpqhmp.dll_old" [ ]
"SpybotDeletingB268"="command /c del C:\WINDOWS\system32\kalaaadu.dll_old" [ ]
"SpybotDeletingD3539"="cmd /c del C:\WINDOWS\system32\kalaaadu.dll_old" [ ]
"SpybotDeletingB6854"="command /c del C:\WINDOWS\system32\shwkhrth.dll_old" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 01:06 5181440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-10 06:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-28 03:10:03 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2007-04-06 15:25:24 1073152]
Windstream Broadband Check-up Center.lnk - C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe [2006-12-07 15:07:21 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-06-19 09:09 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRLdDWp]
rqRLdDWp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MostFun\\Bin\\MostFun.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\dldocoms.exe"=
"C:\\Program Files\\Dell 968 AIO Printer\\dldomon.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldopswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldotime.exe"=
"C:\\Program Files\\Dell 968 AIO Printer\\dldoaiox.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldojswx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Dell 968 AIO Printer\\dldoafcn.exe"=

R2 dldo_device;dldo_device;C:\WINDOWS\system32\dldocoms.exe [2007-10-05 09:30]
S2 dldoCATSCustConnectService;dldoCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe [2007-10-05 09:30]
S3 GameConsoleService;GameConsoleService;"C:\Program Files\Dell Games\Dell Game Console\GameConsoleService.exe" [2007-12-18 14:40]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 04:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 11:35:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-10 13:57:15 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 14:03:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\fipss]
"ImagePath"="System32\drivers\fipss.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\rtutils.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\pccguide.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccUpdUI.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\pcclient.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
.
**************************************************************************
.
Completion time: 2008-04-16 14:17:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-16 18:16:34

Pre-Run: 122,126,536,704 bytes free
Post-Run: 123,033,772,032 bytes free
.
2008-04-15 15:58:54 --- E O F ---
  • 0

#6
kahdah
Posted 16 April 2008 - 06:15 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please uninstall one of the antivirus programs that you are running.
This will greatly increase the overall speed of the computer.
========================================
We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Posted Image


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
  • 0

#7
ast2007
Posted 16 April 2008 - 07:39 PM

ast2007

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I uninstalled the Windows One Care. It was just a trial. I removed it in Add/Remove Programs and it is no longer there.

________________________________________________________________________________
_______



ComboFix 08-04-15.8 - Jay and April 2008-04-16 20:45:42.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.547 [GMT -4:00]
Running from: C:\Documents and Settings\Jay and April\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jay and April\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-16 14:35 . 2008-04-16 14:35 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-16 09:06 . 2008-04-16 09:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-16 09:06 . 2008-04-16 09:06 <DIR> d-------- C:\Documents and Settings\Jay and April\Application Data\Malwarebytes
2008-04-16 09:06 . 2008-04-16 09:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-16 08:34 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-16 08:34 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-16 08:34 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-16 08:34 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-16 08:34 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-16 08:34 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-14 20:41 . 2008-04-14 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-04-14 13:31 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-14 13:31 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-13 19:38 . 2008-04-13 19:38 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-13 19:38 . 2007-03-29 08:56 409,600 --------- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-04-13 19:38 . 2007-03-29 08:56 18,944 --------- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-04-13 19:38 . 2007-03-29 08:56 8,192 --------- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-04-13 19:38 . 2007-03-29 08:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-04-13 19:38 . 2007-03-29 08:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-04-13 19:38 . 2007-03-29 08:56 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-04-13 18:30 . 2008-04-13 22:20 646 --ahs---- C:\WINDOWS\system32\gutoghbs.ini
2008-04-13 17:02 . 2008-04-13 17:02 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-13 16:42 . 2008-04-13 16:42 <DIR> dr-h----- C:\Documents and Settings\Admin\Application Data\yahoo!
2008-04-13 16:39 . 2008-04-16 14:35 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-13 16:24 . 2008-04-13 16:30 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\StumbleUpon
2008-04-13 16:22 . 2006-11-28 03:16 <DIR> d--h----- C:\Documents and Settings\Admin\Application Data\Gtek
2008-04-13 16:22 . 2008-04-14 20:42 <DIR> d-------- C:\Documents and Settings\Admin
2008-04-11 09:27 . 2008-04-11 09:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-11 09:27 . 2008-04-11 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-11 02:43 . 2008-04-11 02:43 9,662 --a------ C:\WINDOWS\system32\vaio3-011.ico
2008-04-11 02:38 . 2008-04-15 10:20 101,168 --a------ C:\WINDOWS\BM570bc053.xml
2008-04-10 22:42 . 2008-04-10 22:42 9,662 --a------ C:\WINDOWS\system32\iphone-6y.ico
2008-04-10 18:41 . 2008-04-10 18:41 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-04-10 14:43 . 2008-04-10 14:43 298,311 --a------ C:\WINDOWS\system32\gside.exe
2008-04-10 14:38 . 2008-04-10 16:00 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\StumbleUpon
2008-04-10 14:35 . 2008-04-10 14:35 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-04-10 14:32 . 2008-04-13 19:06 <DIR> d--hs---- C:\WINDOWS\SmF5IGFuZCBBcHJpbA
2008-04-10 14:32 . 2008-04-10 14:32 <DIR> d-------- C:\Temp\wdlw14
2008-04-10 14:32 . 2008-04-10 14:32 40,713 --a------ C:\WINDOWS\system32\cpmsky-uninst.exe
2008-04-10 14:32 . 2008-04-11 15:13 937 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-04-07 12:30 . 2008-04-07 12:30 330,240 --a------ C:\WINDOWS\system32\{4f09176d-5e4a-14fd-bafb-9348a34aebd8}.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 16:50 --------- d-----w C:\Program Files\Trend Micro
2008-04-16 14:03 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-16 13:05 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-11 19:33 --------- d-----w C:\Program Files\GemMaster
2008-04-11 19:33 --------- d-----w C:\Program Files\BenefitBarIE
2008-04-11 13:06 --------- d-----w C:\Program Files\Incomplete
2008-04-11 13:03 --------- d-----w C:\Program Files\LimeWire
2008-04-06 18:44 --------- d-----w C:\Documents and Settings\Jay and April\Application Data\Corel
2008-03-28 22:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-28 21:04 0 ----a-w C:\Program Files\temp01
2008-03-10 23:24 --------- d-----w C:\Documents and Settings\Jay and April\Application Data\StumbleUpon
2008-03-04 23:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-04 23:05 --------- d-----w C:\Program Files\3D Home Architect
2008-02-27 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-02-23 23:20 --------- d-----w C:\Program Files\Coupons
2008-02-17 20:47 251 ----a-w C:\Program Files\wt3d.ini
2008-01-31 18:27 1,377,872 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2007-09-16 13:49 110 ----a-w C:\Documents and Settings\All Users\Application Data\MostFunGameId.bin
2007-05-17 14:41 118,248 ----a-w C:\Documents and Settings\Jay and April\Application Data\GDIPFONTCACHEV1.DAT
2007-03-13 17:12 164 ----a-w C:\Documents and Settings\Jay and April\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-16_14.14.28.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-22 01:34:22 465,472 ----a-w C:\WINDOWS\LastGood\Downloaded Program Files\wlscBase.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{630C3131-33AF-4978-B88F-B5D60A5EC176}]
C:\WINDOWS\system32\ljJDTNHW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f2fe6cc2-e461-548b-2c62-064956ebc700}]
2008-04-07 12:30 330240 --a------ C:\WINDOWS\system32\{4f09176d-5e4a-14fd-bafb-9348a34aebd8}.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 01:06 5181440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-10 06:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-28 03:10:03 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2007-04-06 15:25:24 1073152]
Windstream Broadband Check-up Center.lnk - C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe [2006-12-07 15:07:21 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-06-19 09:09 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRLdDWp]
rqRLdDWp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MostFun\\Bin\\MostFun.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\dldocoms.exe"=
"C:\\Program Files\\Dell 968 AIO Printer\\dldomon.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldopswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldotime.exe"=
"C:\\Program Files\\Dell 968 AIO Printer\\dldoaiox.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldojswx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Dell 968 AIO Printer\\dldoafcn.exe"=

R2 dldo_device;dldo_device;C:\WINDOWS\system32\dldocoms.exe [2007-10-05 09:30]
S2 dldoCATSCustConnectService;dldoCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe [2007-10-05 09:30]
S3 GameConsoleService;GameConsoleService;"C:\Program Files\Dell Games\Dell Game Console\GameConsoleService.exe" [2007-12-18 14:40]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 04:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 11:35:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-10 13:57:15 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 20:50:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-16 20:56:12
ComboFix-quarantined-files.txt 2008-04-17 00:55:59
ComboFix2.txt 2008-04-16 18:17:43

Pre-Run: 123,033,305,088 bytes free
Post-Run: 123,047,866,368 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
.
2008-04-15 15:58:54 --- E O F ---
  • 0

#8
ast2007
Posted 16 April 2008 - 07:40 PM

ast2007

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
It still says that I don't have the Recovery Console but I followed all the steps in your last post.
  • 0

#9
kahdah
Posted 17 April 2008 - 03:18 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
It is installed. :)

1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\BM570bc053.xml
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\cpmsky-uninst.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\{4f09176d-5e4a-14fd-bafb-9348a34aebd8}.dll
C:\WINDOWS\system32\ljJDTNHW.dll
Folder::
C:\WINDOWS\SmF5IGFuZCBBcHJpbA
C:\Temp\wdlw14
C:\Program Files\Coupons
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{630C3131-33AF-4978-B88F-B5D60A5EC176}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f2fe6cc2-e461-548b-2c62-064956ebc700}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#10
ast2007
Posted 17 April 2008 - 06:39 AM

ast2007

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
ComboFix 08-04-15.8 - Jay and April 2008-04-17 7:18:34.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.545 [GMT -4:00]
Running from: C:\Documents and Settings\Jay and April\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jay and April\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM570bc053.xml
C:\WINDOWS\system32\{4f09176d-5e4a-14fd-bafb-9348a34aebd8}.dll
C:\WINDOWS\system32\cpmsky-uninst.exe
C:\WINDOWS\system32\ljJDTNHW.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\winpfz33.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Coupons
C:\Program Files\Coupons\Coupons.com.url
C:\Program Files\Coupons\uninstall.exe
C:\Program Files\Coupons\Uninstall\IRIMG1.JPG
C:\Program Files\Coupons\Uninstall\IRIMG2.JPG
C:\Program Files\Coupons\Uninstall\IRIMG3.JPG
C:\Program Files\Coupons\Uninstall\IRIMG4.JPG
C:\Program Files\Coupons\Uninstall\IRIMG5.JPG
C:\Program Files\Coupons\Uninstall\IRIMG6.JPG
C:\Program Files\Coupons\Uninstall\IRIMG7.JPG
C:\Program Files\Coupons\Uninstall\IRIMG8.JPG
C:\Program Files\Coupons\Uninstall\uninstall.dat
C:\Program Files\Coupons\Uninstall\uninstall.xml
C:\Temp\wdlw14
C:\Temp\wdlw14\maxN1bo.log
C:\WINDOWS\BM570bc053.xml
C:\WINDOWS\SmF5IGFuZCBBcHJpbA
C:\WINDOWS\system32\{4f09176d-5e4a-14fd-bafb-9348a34aebd8}.dll
C:\WINDOWS\system32\cpmsky-uninst.exe
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\winpfz33.sys

.
((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-16 14:35 . 2008-04-16 14:35 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-16 09:06 . 2008-04-16 09:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-16 09:06 . 2008-04-16 09:06 <DIR> d-------- C:\Documents and Settings\Jay and April\Application Data\Malwarebytes
2008-04-16 09:06 . 2008-04-16 09:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-16 08:34 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-16 08:34 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-16 08:34 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-16 08:34 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-16 08:34 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-16 08:34 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-14 20:41 . 2008-04-14 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-04-14 13:31 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-14 13:31 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-13 19:38 . 2008-04-13 19:38 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-13 19:38 . 2007-03-29 08:56 409,600 --------- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-04-13 19:38 . 2007-03-29 08:56 18,944 --------- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-04-13 19:38 . 2007-03-29 08:56 8,192 --------- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-04-13 19:38 . 2007-03-29 08:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-04-13 19:38 . 2007-03-29 08:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-04-13 19:38 . 2007-03-29 08:56 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-04-13 18:30 . 2008-04-13 22:20 646 --ahs---- C:\WINDOWS\system32\gutoghbs.ini
2008-04-13 17:02 . 2008-04-13 17:02 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-13 16:42 . 2008-04-13 16:42 <DIR> dr-h----- C:\Documents and Settings\Admin\Application Data\yahoo!
2008-04-13 16:39 . 2008-04-16 14:35 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-13 16:24 . 2008-04-13 16:30 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\StumbleUpon
2008-04-13 16:22 . 2006-11-28 03:16 <DIR> d--h----- C:\Documents and Settings\Admin\Application Data\Gtek
2008-04-13 16:22 . 2008-04-14 20:42 <DIR> d-------- C:\Documents and Settings\Admin
2008-04-11 09:27 . 2008-04-11 09:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-11 09:27 . 2008-04-11 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-11 02:43 . 2008-04-11 02:43 9,662 --a------ C:\WINDOWS\system32\vaio3-011.ico
2008-04-10 22:42 . 2008-04-10 22:42 9,662 --a------ C:\WINDOWS\system32\iphone-6y.ico
2008-04-10 18:41 . 2008-04-10 18:41 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-04-10 14:43 . 2008-04-10 14:43 298,311 --a------ C:\WINDOWS\system32\gside.exe
2008-04-10 14:38 . 2008-04-10 16:00 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\StumbleUpon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 16:50 --------- d-----w C:\Program Files\Trend Micro
2008-04-16 14:03 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-16 13:05 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-11 19:33 --------- d-----w C:\Program Files\GemMaster
2008-04-11 19:33 --------- d-----w C:\Program Files\BenefitBarIE
2008-04-11 13:06 --------- d-----w C:\Program Files\Incomplete
2008-04-11 13:03 --------- d-----w C:\Program Files\LimeWire
2008-04-06 18:44 --------- d-----w C:\Documents and Settings\Jay and April\Application Data\Corel
2008-03-28 22:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-28 21:04 0 ----a-w C:\Program Files\temp01
2008-03-10 23:24 --------- d-----w C:\Documents and Settings\Jay and April\Application Data\StumbleUpon
2008-03-04 23:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-04 23:05 --------- d-----w C:\Program Files\3D Home Architect
2008-02-27 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-02-17 20:47 251 ----a-w C:\Program Files\wt3d.ini
2008-01-31 18:27 1,377,872 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2007-09-16 13:49 110 ----a-w C:\Documents and Settings\All Users\Application Data\MostFunGameId.bin
2007-05-17 14:41 118,248 ----a-w C:\Documents and Settings\Jay and April\Application Data\GDIPFONTCACHEV1.DAT
2007-03-13 17:12 164 ----a-w C:\Documents and Settings\Jay and April\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-16_14.14.28.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-22 01:34:22 465,472 ----a-w C:\WINDOWS\LastGood\Downloaded Program Files\wlscBase.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB9926"="command /c del C:\WINDOWS\Fonts\'\#1 DVD Audio Ripper 1.2.50.zip" [ ]
"SpybotDeletingD3836"="cmd /c del C:\WINDOWS\Fonts\'\#1 DVD Audio Ripper 1.2.50.zip" [ ]
"SpybotDeletingB1637"="command /c del C:\WINDOWS\Fonts\'\#1 DVD Ripper 7.2.1.zip" [ ]
"SpybotDeletingD4929"="cmd /c del C:\WINDOWS\Fonts\'\#1 DVD Ripper 7.2.1.zip" [ ]
"SpybotDeletingB5919"="command /c del C:\WINDOWS\system32\drivers\core.cache.dsk" [ ]
"SpybotDeletingD5519"="cmd /c del C:\WINDOWS\system32\drivers\core.cache.dsk" [ ]
"SpybotDeletingB431"="command /c del C:\WINDOWS\system32\emxpqhmp.dll_old" [ ]
"SpybotDeletingD3493"="cmd /c del C:\WINDOWS\system32\emxpqhmp.dll_old" [ ]
"SpybotDeletingB268"="command /c del C:\WINDOWS\system32\kalaaadu.dll_old" [ ]
"SpybotDeletingD3539"="cmd /c del C:\WINDOWS\system32\kalaaadu.dll_old" [ ]
"SpybotDeletingB6854"="command /c del C:\WINDOWS\system32\shwkhrth.dll_old" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 01:06 5181440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-10 06:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-28 03:10:03 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2007-04-06 15:25:24 1073152]
Windstream Broadband Check-up Center.lnk - C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe [2006-12-07 15:07:21 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-06-19 09:09 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRLdDWp]
rqRLdDWp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MostFun\\Bin\\MostFun.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\dldocoms.exe"=
"C:\\Program Files\\Dell 968 AIO Printer\\dldomon.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldopswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldotime.exe"=
"C:\\Program Files\\Dell 968 AIO Printer\\dldoaiox.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldojswx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Dell 968 AIO Printer\\dldoafcn.exe"=

R2 dldo_device;dldo_device;C:\WINDOWS\system32\dldocoms.exe [2007-10-05 09:30]
S2 dldoCATSCustConnectService;dldoCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe [2007-10-05 09:30]
S3 GameConsoleService;GameConsoleService;"C:\Program Files\Dell Games\Dell Game Console\GameConsoleService.exe" [2007-12-18 14:40]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 04:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 11:35:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-10 13:57:15 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 07:23:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-17 7:29:21
ComboFix-quarantined-files.txt 2008-04-17 11:29:14
ComboFix2.txt 2008-04-17 00:56:15
ComboFix3.txt 2008-04-16 18:17:43

Pre-Run: 123,012,345,856 bytes free
Post-Run: 123,032,104,960 bytes free
.
2008-04-15 15:58:54 --- E O F ---




________________________________________________________________________________
___________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:10 AM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\dldocoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: (no name) - {1B3CE736-8444-49CE-A98F-ECD9E2BE3DC2} - (no file)
O2 - BHO: (no name) - {24A364E7-2BDB-4801-BA7A-DDB550B24420} - (no file)
O2 - BHO: (no name) - {2ffcab8a-aa1f-4602-9ef8-362705b3a5f7} - (no file)
O2 - BHO: (no name) - {3EBBD0F6-1F1F-48A0-89DC-C7505D56E92A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {630C3131-33AF-4978-B88F-B5D60A5EC176} - (no file)
O2 - BHO: (no name) - {63AB48C9-01A8-495C-8194-A715DB8A37A2} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7D68E5CA-D46E-4755-91B8-301BA50A52D8} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {BAA03D82-454E-4561-88C0-3EA7D4324E92} - (no file)
O2 - BHO: (no name) - {BCA95E31-1FBF-4F84-8F23-1BA653007A1E} - (no file)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {f2fe6cc2-e461-548b-2c62-064956ebc700} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB9926] command /c del "C:\WINDOWS\Fonts\'\#1 DVD Audio Ripper 1.2.50.zip"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O4 - Global Startup: Windstream Broadband Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://care.alltel.com
O16 - DPF: ActiveGS.cab - http://www.virtualap...rg/activegs.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/...nx.1.0.0.87.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.a...aller_2-0-0.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective....torLauncher.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} -
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1208137568875
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmai..._downloader.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/...no.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/...O1.cab55579.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/d...kimi_plugin.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://sympatico.zon...PA.cab55579.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: rqRLdDWp - rqRLdDWp.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dldoCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe
O23 - Service: dldo_device - - C:\WINDOWS\system32\dldocoms.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Dell Games\Dell Game Console\GameConsoleService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 12565 bytes
  • 0

Advertisements

#11
kahdah
Posted 17 April 2008 - 09:16 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
  • 0

#12
ast2007
Posted 17 April 2008 - 12:22 PM

ast2007

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Malwarebytes' Anti-Malware 1.11
Database version: 642

Scan type: Full Scan (C:\|)
Objects scanned: 134123
Time elapsed: 1 hour(s), 5 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bca95e31-1fbf-4f84-8f23-1ba653007a1e} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63ab48c9-01a8-495c-8194-a715db8a37a2} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Downloads\HangStanTriviaSetup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP478\A0050477.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP488\A0059487.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP488\A0059488.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
  • 0

#13
kahdah
Posted 17 April 2008 - 12:34 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as an html document button:
  • Save the file to your desktop.
  • Attach that information in your next post.

  • 0

#14
ast2007
Posted 17 April 2008 - 03:22 PM

ast2007

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
KASPERSKY ONLINE SCANNER REPORT
Thursday, April 17, 2008 5:20:46 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/04/2008
Kaspersky Anti-Virus database records: 712742


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 97934
Number of viruses found 17
Number of infected objects 47
Number of suspicious objects 2
Duration of the scan process 01:29:38

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl1.zip/mrofinu1000106.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl1.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\Jay and April\Application Data\Roxio\MediaManager8\Album.ldb Object is locked skipped

C:\Documents and Settings\Jay and April\Application Data\Roxio\MediaManager8\Album.psod Object is locked skipped

C:\Documents and Settings\Jay and April\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Jay and April\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Jay and April\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Jay and April\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Jay and April\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jay and April\Local Settings\History\History.IE5\MSHist012008041720080418\index.dat Object is locked skipped

C:\Documents and Settings\Jay and April\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jay and April\My Documents\SmitfraudFix\dumphive.exe Object is locked skipped

C:\Documents and Settings\Jay and April\My Documents\SmitfraudFix\Reboot.exe Object is locked skipped

C:\Documents and Settings\Jay and April\My Documents\SmitfraudFix\swxcacls.exe Object is locked skipped

C:\Documents and Settings\Jay and April\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Jay and April\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Downloads\HangStanTriviaSetup-dm[1].exe Object is locked skipped

C:\Program Files\ALLTEL DSL Check-up Center\log\mpbtn.log Object is locked skipped

C:\Program Files\LimeWire\GameHouse Mystery Case Files Huntsville v1.2.zip/Setup.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped

C:\Program Files\LimeWire\GameHouse Mystery Case Files Huntsville v1.2.zip ZIP: infected - 1 skipped

C:\Program Files\LimeWire\mystery case file - huntsville.zip/setup.exe/data0013/stream/data0003 Infected: not-a-virus:AdWare.Win32.TrafficSol.ah skipped

C:\Program Files\LimeWire\mystery case file - huntsville.zip/setup.exe/data0013/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.ah skipped

C:\Program Files\LimeWire\mystery case file - huntsville.zip/setup.exe/data0013 Infected: not-a-virus:AdWare.Win32.TrafficSol.ah skipped

C:\Program Files\LimeWire\mystery case file - huntsville.zip/setup.exe/data0014/stream/data0005 Infected: not-a-virus:Downloader.Win32.AdLoad.b skipped

C:\Program Files\LimeWire\mystery case file - huntsville.zip/setup.exe/data0014/stream Infected: not-a-virus:Downloader.Win32.AdLoad.b skipped

C:\Program Files\LimeWire\mystery case file - huntsville.zip/setup.exe/data0014 Infected: not-a-virus:Downloader.Win32.AdLoad.b skipped

C:\Program Files\LimeWire\mystery case file - huntsville.zip/setup.exe Infected: not-a-virus:Downloader.Win32.AdLoad.b skipped

C:\Program Files\LimeWire\mystery case file - huntsville.zip ZIP: infected - 7 skipped

C:\Program Files\LimeWire\[Full] psp media manager with Bonus\setup.exe Object is locked skipped

C:\Program Files\LimeWire\[Full] psp media manager with Bonus.zip/setup.exe/data0009/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped

C:\Program Files\LimeWire\[Full] psp media manager with Bonus.zip/setup.exe/data0009/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped

C:\Program Files\LimeWire\[Full] psp media manager with Bonus.zip/setup.exe/data0009 Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped

C:\Program Files\LimeWire\[Full] psp media manager with Bonus.zip/setup.exe/data0010/stream/data0005 Infected: not-a-virus:AdWare.Win32.BHO.adj skipped

C:\Program Files\LimeWire\[Full] psp media manager with Bonus.zip/setup.exe/data0010/stream/data0006 Infected: not-a-virus:AdWare.Win32.BHO.ww skipped

C:\Program Files\LimeWire\[Full] psp media manager with Bonus.zip/setup.exe/data0010/stream Infected: not-a-virus:AdWare.Win32.BHO.ww skipped

C:\Program Files\LimeWire\[Full] psp media manager with Bonus.zip/setup.exe/data0010 Infected: not-a-virus:AdWare.Win32.BHO.ww skipped

C:\Program Files\LimeWire\[Full] psp media manager with Bonus.zip/setup.exe Infected: not-a-virus:AdWare.Win32.BHO.ww skipped

C:\Program Files\LimeWire\[Full] psp media manager with Bonus.zip ZIP: infected - 8 skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\14A.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\15.tmp Infected: Trojan-Downloader.WMA.Wimad.l skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\18.tmp Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\3.tmp Infected: Backdoor.Win32.VB.czs skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\4.tmp Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\52.tmp Infected: Trojan.Win32.KillAV.rf skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\53.tmp Infected: Trojan.Win32.KillAV.rf skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\58.tmp Infected: Trojan.Win32.KillAV.rf skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\5A.tmp Infected: Trojan.Win32.KillAV.rf skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\5C.tmp Infected: Trojan.Win32.KillAV.rf skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\5D.tmp Infected: Trojan.Win32.KillAV.rf skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\60.tmp Infected: Trojan.Win32.KillAV.rf skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\72.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.nvf skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\89.tmp Infected: Trojan.Win32.KillAV.rf skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\8A.tmp Infected: Trojan.Win32.KillAV.rf skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\8B.tmp Infected: Trojan.Win32.KillAV.rf skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\8C.tmp Infected: Trojan.Win32.KillAV.rf skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\8D.tmp Infected: Trojan.Win32.KillAV.rf skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\8E.tmp Infected: Trojan.Win32.KillAV.rf skipped

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\8F.tmp Infected: Trojan.Win32.KillAV.rf skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dcads_sidebar.dll.vir Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP395\A0041099.dll Infected: not-a-virus:AdWare.Win32.Agent.alo skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP411\A0042192.dll Infected: not-a-virus:AdWare.Win32.Agent.bii skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP478\A0050488.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP478\A0050488.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP478\A0050488.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP478\A0050488.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP478\A0050488.exe RarSFX: infected - 4 skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP488\A0059576.exe Object is locked skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP488\A0059582.exe Object is locked skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP488\A0059589.exe Object is locked skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP489\A0059606.exe Infected: Trojan-Downloader.Win32.VB.dsk skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0059886.dll Object is locked skipped

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP492\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D1C85876-B611-482B-B1C0-6E6CBB457D41}.crmlog Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{0D3B2346-3FA6-464F-8E59-94EA2330D21B}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\JET33D7.tmp Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0

#15
kahdah
Posted 17 April 2008 - 06:19 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Folder::
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl1.zip 
C:\Program Files\LimeWire\GameHouse Mystery Case Files Huntsville v1.2.zip 
C:\Program Files\LimeWire\mystery case file - huntsville.zip
C:\Program Files\LimeWire\[Full] psp media manager with Bonus.zip 
Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\fipss]
Driver::
fipss.sys
fipss
File::
C:\Windows\System32\drivers\fipss.sys


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP