This topic is lockedTHANKS
GLENN
Spyware help [RESOLVED]
Started by
ghoude
, Jun 23 2008 07:59 PM
#46
Posted 03 August 2008 - 09:57 AM
ghoude
- Topic Starter
-
- Member
-
- 30 posts
Member
THANKS
GLENN
#47
Posted 03 August 2008 - 04:49 PM
sage5
-
- Retired Staff
-
- 2,646 posts
RIP 10/2009
First up, let's check out a couple of things:
Make sure Windows XP is set to show all files:
1. According to your HJT (HijackThis) logs, your Windows XP version is Service Pack 2.
Make sure that you have a C:\Windows\ServicePackFiles\i386 folder & that it is not empty. (There should be 22 folders & thousands of files)
If yes, continue to #2, if no tell me & we will get that fixed.
2. Check in the following 2 folders to see if you have the srframe.mmf file: C:\Windows\system32\dllcache or C:\Windows\system32\Restore
If yes, continue to #3, if no tell me & we will get you a copy.
3. Browse to the C:\Windows\Inf folder and make sure that the sr.inf file is in place.
If yes, continue to #4, if no tell me & we will get you a copy.
4. Go to Start > Run and type, (or Copy & Paste) the following:
rundll32.exe advpack.dll,LaunchINFSection C:\Windows\Inf\sr.inf
(note the spaces between ...exe & advpack..., and between ...Section & C:\Windows..)
If the Files Needed dialog box appears, click Browse and point to this location:
C:\Windows\ServicePackFiles\i386
If the srframe.mmf file can not be located, browse to C:\Windows\System32\Restore folder.
It may be necessary to browse back to the i386 folder to complete the reinstall.
Make sure Windows XP is set to show all files:
- Click Start > My Computer.
- On the Tools menu, click Folder Options.
- On the View tab:
- Uncheck Hide extensions for known file types.
- Uncheck Hide protected operating system files.
- Under Hidden files and folders click Show hidden files and folders.
- You will see a warning message, click Yes.
- Click Apply.
- Click OK.
1. According to your HJT (HijackThis) logs, your Windows XP version is Service Pack 2.
Make sure that you have a C:\Windows\ServicePackFiles\i386 folder & that it is not empty. (There should be 22 folders & thousands of files)
If yes, continue to #2, if no tell me & we will get that fixed.
2. Check in the following 2 folders to see if you have the srframe.mmf file: C:\Windows\system32\dllcache or C:\Windows\system32\Restore
If yes, continue to #3, if no tell me & we will get you a copy.
3. Browse to the C:\Windows\Inf folder and make sure that the sr.inf file is in place.
If yes, continue to #4, if no tell me & we will get you a copy.
4. Go to Start > Run and type, (or Copy & Paste) the following:
rundll32.exe advpack.dll,LaunchINFSection C:\Windows\Inf\sr.inf
(note the spaces between ...exe & advpack..., and between ...Section & C:\Windows..)
If the Files Needed dialog box appears, click Browse and point to this location:
C:\Windows\ServicePackFiles\i386
If the srframe.mmf file can not be located, browse to C:\Windows\System32\Restore folder.
It may be necessary to browse back to the i386 folder to complete the reinstall.
#48
Posted 04 August 2008 - 03:49 AM
ghoude
- Topic Starter
-
- Member
-
- 30 posts
Member
hi Sage..there is only one folder in that spot and it says..i386 when we open that folder or put out mouse over it it says it has 497 mb is the folder size.
Thanks Glenn
Thanks Glenn
#49
Posted 04 August 2008 - 05:57 AM
sage5
-
- Retired Staff
-
- 2,646 posts
RIP 10/2009
I think that will be alright for SP2, I was comparing it to my setup @ SP3.
Go to the next item & check for the existence of srfame.dll
Go to the next item & check for the existence of srfame.dll
#50
Posted 04 August 2008 - 03:05 PM
ghoude
- Topic Starter
-
- Member
-
- 30 posts
Member
hi Sage,
we have done all of the above and still not able to turn on or off the restore.
Thanks
Glenn
we have done all of the above and still not able to turn on or off the restore.
Thanks
Glenn
#51
Posted 04 August 2008 - 07:30 PM
sage5
-
- Retired Staff
-
- 2,646 posts
RIP 10/2009
I have called in the cavalry from the Tech Help Desk, so hopefully they will have an answer for you soon.
Cheers,
sage5
Cheers,
sage5
#52
Posted 04 August 2008 - 09:10 PM
sage5
-
- Retired Staff
-
- 2,646 posts
RIP 10/2009
System File Checker:
- Go to Start > Run and type sfc /scannow (Note the space between the c & the /)
- /scannow starts the System File Checker immediately.
- You will probably need your Windows XP CD to be handy as it may be required.
If you have Service Pack 2 installed, you will need the SP2 version of the CD. This can be done with a borrowed CD, if you don't have one. - Allow the scan to run and when complete reboot the system
#53
Posted 05 August 2008 - 06:00 PM
sage5
-
- Retired Staff
-
- 2,646 posts
RIP 10/2009
Hi ghoude,
That Combofix version that you used was very outdated & may not have worked properly.
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
That Combofix version that you used was very outdated & may not have worked properly.
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the text from C:\ComboFix.txt along with a new HijackThis log for further review.
#54
Posted 05 August 2008 - 06:20 PM
ghoude
- Topic Starter
-
- Member
-
- 30 posts
Member
Hi Sage
Here is the log from Combo fix...
ComboFix 08-08-04.09 - Administrator 2008-08-05 20:06:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.171 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\CAYLR4TH\interclick.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\CAYLR4TH\interclick.com\ud.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_lanmandrv
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.
2008-07-30 18:03 . 2001-08-17 22:36 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2008-07-30 18:03 . 2003-03-31 06:00 68,209 --a------ C:\WINDOWS\system32\FRAMEDYN.DL_
2008-07-27 06:28 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-21 10:25 . 2008-07-21 10:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\hwonscux
2008-07-21 04:55 . 2008-07-21 06:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 09:33 --------- d-----w C:\Program Files\McAfee
2008-07-27 10:28 --------- d-----w C:\Program Files\Java
2008-07-23 09:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-19 21:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-07-03 00:12 --------- d-----w C:\Program Files\Comodo
2008-06-25 21:36 --------- d-----w C:\Program Files\Alwil Software
2008-06-25 21:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2008-06-25 21:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Comodo
2008-06-24 02:09 --------- d-----w C:\Program Files\Windows Defender
2008-06-24 00:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-24 00:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-06-23 22:50 --------- d-----w C:\Program Files\XoftSpySE
2008-06-23 22:17 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-23 22:15 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-06-23 22:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-23 22:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-22 23:33 --------- d-----w C:\Program Files\Trend Micro
2008-06-22 23:17 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\hwonscux
2008-06-22 23:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-22 22:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-20 19:32 0 ----a-w C:\Program Files\uninstall.dat
2008-06-20 19:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-20 19:24 --------- d-----w C:\Program Files\McAfee.com
2008-06-20 19:24 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-20 17:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 21:48 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-19 21:47 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2005-04-27 16:14 1,045 -c--a-w C:\Program Files\uninstal.log
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-16 01:30 1611480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AClntUsr"="c:\altiris\aclient\AClntUsr.EXE" [2008-08-05 20:12 184320]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-06 01:05 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LockTaskbar"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"LockTaskbar"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winag62.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfj37.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmq50.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmq83.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnr26.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnr61.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrw83.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsx50.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AClntUsr]
--a------ 2008-08-05 20:12 184320 c:\ALTIRIS\ACLIENT\AClntUsr.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-05-13 22:00 335872 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMGAG]
--a------ 2004-02-05 02:36 106496 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMONIT.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMLREF]
--a------ 2004-02-05 02:36 20480 C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMMONWND]
--a------ 2004-02-05 02:36 395264 C:\PROGRA~1\ThinkPad\UTILIT~1\BATINFEX.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
--a------ 2003-12-25 03:04 208896 C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-11-01 19:12 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-11-16 01:30 1611480 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-10-06 01:05 98304 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
--a------ 2003-05-05 09:57 143360 C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-02-23 00:44 32881 C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-04-08 16:11 512000 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-04-08 16:12 110592 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-01-25 16:51 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
--a------ 2006-10-02 10:19 94208 C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKBDLED]
--a------ 2002-10-08 20:28 40960 C:\WINDOWS\system32\TpScrLk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-06-27 06:53 88363 C:\WINDOWS\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2001-09-04 14:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
--a------ 2002-09-04 02:05 53248 C:\WINDOWS\system32\TP4EX.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\ALTIRIS\\ACLIENT\\AClntUsr.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2004-02-05 02:36]
R2 ibmfilter;ibmfilter;C:\WINDOWS\System32\drivers\ibmfilter.sys [2004-03-19 09:41]
S2 zlnvatts;Terminal Server Device Redirector Controller;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 23:28]
S3 EraserUtilDrv10621;EraserUtilDrv10621;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys []
S3 IMWEB51;High Rate Wireless LAN Mini-PCI LAN Driver;C:\WINDOWS\system32\DRIVERS\IMWEBN51.sys [2003-06-04 13:33]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
zlnvatts
.
Contents of the 'Scheduled Tasks' folder
2004-11-16 C:\WINDOWS\Tasks\BMMTask.job
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2004-02-05 02:36]
2008-07-23 C:\WINDOWS\Tasks\EasyShare Registration Task.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-04 00:56]
2008-07-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2008-08-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2008-08-04 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job
- C:\Program Files\RegistrySmart\RegistrySmart.exe []
2008-08-04 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job
- C:\Program Files\RegistrySmart []
.
- - - - ORPHANS REMOVED - - - -
Toolbar-ID - (no file)
Notify-ckpNotify - (no file)
Notify-tpfnf2 - notifyf2.dll
Notify-tphotkey - tphklock.dll
MSConfigStartUp-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-COMODO Firewall Pro - C:\Program Files\Comodo\Firewall\CPF.exe
MSConfigStartUp-iPCCheck - C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
MSConfigStartUp-lanmanwrk - C:\WINDOWS\System32\lanmanwrk.exe
MSConfigStartUp-QCTray - C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
MSConfigStartUp-QCWLIcon - C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
MSConfigStartUp-Samsung Common SM - C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
MSConfigStartUp-vptray - C:\PROGRA~1\SYMANT~1\VPTray.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fgsxe19n.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 20:12:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SAVRT]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SNDSrvc]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\ALTIRIS\ACLIENT\ACLIENT.EXE
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\icollect\icserv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\icollect\wake_up.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-08-05 20:16:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-06 00:16:12
Pre-Run: 28,742,561,792 bytes free
Post-Run: 28,945,940,480 bytes free
245 --- E O F --- 2008-07-27 18:15:32
And the other log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:20:12, on 8/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\altiris\aclient\ACLIENT.EXE
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\icollect\icserv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\icollect\wake_up.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.101
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Program Files\Netscape\Users\brenner_judith\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AClntUsr] c:\altiris\aclient\AClntUsr.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=about:blank
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - c:\altiris\aclient\ACLIENT.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - c:\icollect\icserv.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 6412 bytes
Here is the log from Combo fix...
ComboFix 08-08-04.09 - Administrator 2008-08-05 20:06:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.171 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\CAYLR4TH\interclick.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\CAYLR4TH\interclick.com\ud.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_lanmandrv
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.
2008-07-30 18:03 . 2001-08-17 22:36 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2008-07-30 18:03 . 2003-03-31 06:00 68,209 --a------ C:\WINDOWS\system32\FRAMEDYN.DL_
2008-07-27 06:28 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-21 10:25 . 2008-07-21 10:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\hwonscux
2008-07-21 04:55 . 2008-07-21 06:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 09:33 --------- d-----w C:\Program Files\McAfee
2008-07-27 10:28 --------- d-----w C:\Program Files\Java
2008-07-23 09:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-19 21:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-07-03 00:12 --------- d-----w C:\Program Files\Comodo
2008-06-25 21:36 --------- d-----w C:\Program Files\Alwil Software
2008-06-25 21:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2008-06-25 21:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Comodo
2008-06-24 02:09 --------- d-----w C:\Program Files\Windows Defender
2008-06-24 00:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-24 00:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-06-23 22:50 --------- d-----w C:\Program Files\XoftSpySE
2008-06-23 22:17 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-23 22:15 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-06-23 22:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-23 22:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-22 23:33 --------- d-----w C:\Program Files\Trend Micro
2008-06-22 23:17 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\hwonscux
2008-06-22 23:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-22 22:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-20 19:32 0 ----a-w C:\Program Files\uninstall.dat
2008-06-20 19:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-20 19:24 --------- d-----w C:\Program Files\McAfee.com
2008-06-20 19:24 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-20 17:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 21:48 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-19 21:47 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2005-04-27 16:14 1,045 -c--a-w C:\Program Files\uninstal.log
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-16 01:30 1611480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AClntUsr"="c:\altiris\aclient\AClntUsr.EXE" [2008-08-05 20:12 184320]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-06 01:05 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LockTaskbar"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"LockTaskbar"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winag62.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfj37.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmq50.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmq83.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnr26.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnr61.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrw83.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsx50.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AClntUsr]
--a------ 2008-08-05 20:12 184320 c:\ALTIRIS\ACLIENT\AClntUsr.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-05-13 22:00 335872 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMGAG]
--a------ 2004-02-05 02:36 106496 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMONIT.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMLREF]
--a------ 2004-02-05 02:36 20480 C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMMONWND]
--a------ 2004-02-05 02:36 395264 C:\PROGRA~1\ThinkPad\UTILIT~1\BATINFEX.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
--a------ 2003-12-25 03:04 208896 C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-11-01 19:12 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-11-16 01:30 1611480 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-10-06 01:05 98304 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
--a------ 2003-05-05 09:57 143360 C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-02-23 00:44 32881 C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-04-08 16:11 512000 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-04-08 16:12 110592 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-01-25 16:51 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
--a------ 2006-10-02 10:19 94208 C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKBDLED]
--a------ 2002-10-08 20:28 40960 C:\WINDOWS\system32\TpScrLk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-06-27 06:53 88363 C:\WINDOWS\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2001-09-04 14:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
--a------ 2002-09-04 02:05 53248 C:\WINDOWS\system32\TP4EX.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\ALTIRIS\\ACLIENT\\AClntUsr.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2004-02-05 02:36]
R2 ibmfilter;ibmfilter;C:\WINDOWS\System32\drivers\ibmfilter.sys [2004-03-19 09:41]
S2 zlnvatts;Terminal Server Device Redirector Controller;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 23:28]
S3 EraserUtilDrv10621;EraserUtilDrv10621;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys []
S3 IMWEB51;High Rate Wireless LAN Mini-PCI LAN Driver;C:\WINDOWS\system32\DRIVERS\IMWEBN51.sys [2003-06-04 13:33]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
zlnvatts
.
Contents of the 'Scheduled Tasks' folder
2004-11-16 C:\WINDOWS\Tasks\BMMTask.job
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2004-02-05 02:36]
2008-07-23 C:\WINDOWS\Tasks\EasyShare Registration Task.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-04 00:56]
2008-07-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2008-08-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2008-08-04 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job
- C:\Program Files\RegistrySmart\RegistrySmart.exe []
2008-08-04 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job
- C:\Program Files\RegistrySmart []
.
- - - - ORPHANS REMOVED - - - -
Toolbar-ID - (no file)
Notify-ckpNotify - (no file)
Notify-tpfnf2 - notifyf2.dll
Notify-tphotkey - tphklock.dll
MSConfigStartUp-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-COMODO Firewall Pro - C:\Program Files\Comodo\Firewall\CPF.exe
MSConfigStartUp-iPCCheck - C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
MSConfigStartUp-lanmanwrk - C:\WINDOWS\System32\lanmanwrk.exe
MSConfigStartUp-QCTray - C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
MSConfigStartUp-QCWLIcon - C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
MSConfigStartUp-Samsung Common SM - C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
MSConfigStartUp-vptray - C:\PROGRA~1\SYMANT~1\VPTray.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fgsxe19n.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 20:12:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SAVRT]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SNDSrvc]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\ALTIRIS\ACLIENT\ACLIENT.EXE
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\icollect\icserv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\icollect\wake_up.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-08-05 20:16:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-06 00:16:12
Pre-Run: 28,742,561,792 bytes free
Post-Run: 28,945,940,480 bytes free
245 --- E O F --- 2008-07-27 18:15:32
And the other log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:20:12, on 8/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\altiris\aclient\ACLIENT.EXE
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\icollect\icserv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\icollect\wake_up.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.101
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Program Files\Netscape\Users\brenner_judith\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AClntUsr] c:\altiris\aclient\AClntUsr.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=about:blank
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - c:\altiris\aclient\ACLIENT.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - c:\icollect\icserv.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 6412 bytes
#55
Posted 05 August 2008 - 07:00 PM
sage5
-
- Retired Staff
-
- 2,646 posts
RIP 10/2009
That is looking good, so now try the following to correct that System Restore:
Click Start > Run & type Services.msc
In the Services window, scroll down to System Restore Service.
Right click and select Properties.
Set the Startup Type to Automatic, and Start the service.
Click OK & close the Services window.
If an error message is returned, post me that message.
Otherwise restart the PC check to see if the System Restore is now functioning on that drive.
Click Start > Run & type Services.msc
In the Services window, scroll down to System Restore Service.
Right click and select Properties.
Set the Startup Type to Automatic, and Start the service.
Click OK & close the Services window.
If an error message is returned, post me that message.
Otherwise restart the PC check to see if the System Restore is now functioning on that drive.
#56
Posted 06 August 2008 - 03:23 AM
ghoude
- Topic Starter
-
- Member
-
- 30 posts
Member
Hi Sage , when we did what you needed the sysyem was already on automatic and would not let me click start....the message is gone now saying there is not enough disk space...
Thanks
Glenn
Thanks
Glenn
#57
Posted 06 August 2008 - 03:36 AM
sage5
-
- Retired Staff
-
- 2,646 posts
RIP 10/2009
So does that mean you can now clear out the System Restore points, as in Post #31?
If you can, then repeat the instructions for ATF Cleaner, but use the following instead of the OTMoveIt cleanup:
Time for some housekeeping:
If all goes well, you are good to go.
Let me know.
Cheers,
sage5
If you can, then repeat the instructions for ATF Cleaner, but use the following instead of the OTMoveIt cleanup:
Time for some housekeeping:
- Follow these steps to uninstall Combofix and tools used in the removal of malware
- Click START then RUN
- Now type Combofix /u in the runbox and click OK. Note the space between the X and the /u, it needs to be there.
If all goes well, you are good to go.
Let me know.
Cheers,
sage5
Edited by sage5, 06 August 2008 - 03:43 AM.
#58
Posted 06 August 2008 - 02:57 PM
ghoude
- Topic Starter
-
- Member
-
- 30 posts
Member
Hi Sage..did it all and all went fine as far as we know...We still do have the military time instaed of the normal time in the lower right task bar?...
thanks Glenn
thanks Glenn
#59
Posted 06 August 2008 - 05:02 PM
sage5
-
- Retired Staff
-
- 2,646 posts
RIP 10/2009
Reset Time Format:
Check to see if that has restored the clock, let me know how you get on.
- Go to Start > Control Panel > Region & Language Options.
- Open the Region Options tab.
- Change the region in the dropdown box to something completely different, like French
- Click OK to close the window
- Now reopen that same window & reset the Region to what it should be. English (United States)
- Click OK
Check to see if that has restored the clock, let me know how you get on.
#60
Posted 07 August 2008 - 02:39 PM
ghoude
- Topic Starter
-
- Member
-
- 30 posts
Member
Hi Sage 
the clock is back to normal...Thanks...
This has been a long trip together and we are lucky to have you help us..Please let us know if we are done...and can we delete some of these things from our system?..
Thank You
glenn
the clock is back to normal...Thanks...This has been a long trip together and we are lucky to have you help us..Please let us know if we are done...and can we delete some of these things from our system?..
Thank You
glenn
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
