Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

antivirus xp 2008 [RESOLVED]


  • This topic is locked This topic is locked

#1
rck

rck

    Member

  • Member
  • PipPip
  • 41 posts
please help. computer running very slow. ran ad aware last night and thought i was ok. came back today and computer had rebooted and loaded all problems back again. cannot seem to get to system restore point. tried to get a high jack this log and it would not completely finish. will try to get another log now. thank you for the help!
highjack this log stops at 023 - NT Services. What should I try next? :)
  • 0

Advertisements


#2
rck

rck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
hello,
read another posting on this problem. it was suggested that atf cleaner should be run. did that. cleared up a few things. then suggested to do a hjt log. got new version of hjt here is the log. thank you
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:53 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\lphc7qcj0e783.exe
C:\Program Files\rhc3qcj0e783\rhc3qcj0e783.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [lphc7qcj0e783] C:\WINDOWS\system32\lphc7qcj0e783.exe
O4 - HKLM\..\Run: [SMrhc3qcj0e783] C:\Program Files\rhc3qcj0e783\rhc3qcj0e783.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKUS\S-1-5-18\..\Run: [Plug And Play] msnmsg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Plug And Play] msnmsg.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Forget Me Not.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...1.10/ttinst.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia....tupv2.0.0.9.cab?
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9241 bytes
  • 0

#3
rck

rck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
also downloaded maleware antivirus. it said it deleted 50 things. it said it did not delete the following
C:/Program Files/rhc3qcjoc783/MFc71.dll
C:/Program Files/rhc3qcjoc783/mfc71env.DLL
C:/Program Files/rhc3qcjoc783/msvcp71.dll
C:/Program Files/rhc3qcjoc783/msvcr71.dll
C:/Program Files/rhc3qcjoc783/rhc3qcjoc783.exe

do not know how to do that but will research it. here is a mbam log
Malwarebytes' Anti-Malware 1.25
Database version: 1071
Windows 5.1.2600 Service Pack 2

5:48:57 PM 8/19/2008
mbam-log-08-19-2008 (17-48-57).txt

Scan type: Quick Scan
Objects scanned: 44952
Time elapsed: 7 minute(s), 21 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 5
Registry Keys Infected: 2
Registry Values Infected: 6
Registry Data Items Infected: 5
Folders Infected: 13
Files Infected: 17

Memory Processes Infected:
C:\Program Files\rhc3qcj0e783\rhc3qcj0e783.exe (Rogue.Multiple) -> Failed to unload process.
C:\WINDOWS\system32\lphc7qcj0e783.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\rhc3qcj0e783\MFC71.dll (Rogue.Multiple) -> Delete on reboot.
C:\Program Files\rhc3qcj0e783\MFC71ENU.DLL (Rogue.Multiple) -> Delete on reboot.
C:\Program Files\rhc3qcj0e783\msvcp71.dll (Rogue.Multiple) -> Delete on reboot.
C:\Program Files\rhc3qcj0e783\msvcr71.dll (Rogue.Multiple) -> Delete on reboot.
C:\WINDOWS\system32\blphc7qcj0e783.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\rhc3qcj0e783 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhc3qcj0e783 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc7qcj0e783 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0cf47a01-be0a-4e64-90c6-52006aa5b8b1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.13,85.255.112.78 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0cf47a01-be0a-4e64-90c6-52006aa5b8b1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.13,85.255.112.78 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0cf47a01-be0a-4e64-90c6-52006aa5b8b1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.13,85.255.112.78 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\rhc3qcj0e783 (Rogue.Multiple) -> Delete on reboot.
C:\Documents and Settings\XP PRP\Application Data\rhc3qcj0e783 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP PRP\Application Data\rhc3qcj0e783\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP PRP\Application Data\rhc3qcj0e783\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP PRP\Application Data\rhc3qcj0e783\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP PRP\Application Data\rhc3qcj0e783\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP PRP\Application Data\rhc3qcj0e783\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP PRP\Application Data\rhc3qcj0e783\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP PRP\Application Data\rhc3qcj0e783\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP PRP\Application Data\rhc3qcj0e783\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP PRP\Application Data\rhc3qcj0e783\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP PRP\Application Data\rhc3qcj0e783\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\rhc3qcj0e783\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc3qcj0e783\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc3qcj0e783\MFC71.dll (Rogue.Multiple) -> Delete on reboot.
C:\Program Files\rhc3qcj0e783\MFC71ENU.DLL (Rogue.Multiple) -> Delete on reboot.
C:\Program Files\rhc3qcj0e783\msvcp71.dll (Rogue.Multiple) -> Delete on reboot.
C:\Program Files\rhc3qcj0e783\msvcr71.dll (Rogue.Multiple) -> Delete on reboot.
C:\Program Files\rhc3qcj0e783\rhc3qcj0e783.exe (Rogue.Multiple) -> Delete on reboot.
C:\Program Files\rhc3qcj0e783\rhc3qcj0e783.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphc7qcj0e783.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphc7qcj0e783.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phc7qcj0e783.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP PRP\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
  • 0

#4
Stamper19

Stamper19

    Trusted Helper

  • Retired Staff
  • 1,991 posts
Hi rck,

Welcome to Geeks to Go!

My name is Stamper19 and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point. :)

First, I see that you are running, or have previously installed, Bearshare. Although this application is not malware itself, the files downloaded with it are often a major source of infection. Hence, I strongly advise that it be removed. If you choose to do so, go to the Add/Remove Programs option in the Control Panel, and Uninstall Bearshare.
----------------------------------------------------------------

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

----------------------------------------------------------------

Information to include in your next post:
  • Combofix Log

  • 0

#5
rck

rck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
do not see anything named bearshare in add/remove programs. is it listed as something else? rck
  • 0

#6
Stamper19

Stamper19

    Trusted Helper

  • Retired Staff
  • 1,991 posts
It is possible the program is not there and that what Im seeing on your system are just some remnants. Lets skip that for now and move on to the next step in the previous set of instructions.
  • 0

#7
rck

rck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
combofix

ComboFix 08-08-26.02 - XP PRP 2008-08-27 0:09:03.1 - NTFSx86
Running from: C:\Documents and Settings\XP PRP\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\#SharedObjects\HL33NKCD\bin.clearspring.com
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\#SharedObjects\HL33NKCD\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\#SharedObjects\HL33NKCD\interclick.com
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\#SharedObjects\HL33NKCD\interclick.com\ud.sol
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\#SharedObjects\HL33NKCD\www.broadcaster.com
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.

2008-08-26 09:41 . 2008-08-26 10:20 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-19 17:34 . 2008-08-19 17:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-19 17:34 . 2008-08-19 17:34 <DIR> d-------- C:\Documents and Settings\XP PRP\Application Data\Malwarebytes
2008-08-19 17:34 . 2008-08-19 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-19 17:34 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-19 17:34 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-19 17:33 . 2008-08-19 17:33 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-19 17:14 . 2008-08-19 17:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-18 22:24 . 2008-08-18 22:44 14 --a------ C:\WINDOWS\system32\11B.tmp
2008-08-18 21:24 . 2008-08-18 21:24 0 --a------ C:\WINDOWS\system32\80.tmp
2008-08-18 20:34 . 2008-08-18 20:34 0 --a------ C:\WINDOWS\system32\44.tmp
2008-08-18 19:09 . 2008-08-18 19:09 14 --a------ C:\WINDOWS\system32\3B.tmp
2008-08-18 19:09 . 2008-08-18 19:09 0 --a------ C:\WINDOWS\system32\39.tmp
2008-08-18 11:19 . 2008-08-19 21:26 <DIR> d-------- C:\found.002
2008-08-18 02:39 . 2008-08-18 02:39 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-12 14:52 . 2008-05-01 09:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-07-30 22:47 . 2008-07-30 23:04 <DIR> d-------- C:\Program Files\Virtual Earth 3D

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 19:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2005-03-14 16:11 17,920 ----a-w C:\Documents and Settings\XP PRP\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [2003-09-17 12:06 716800]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04 5562368]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2008-02-27 19:08 6051144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 16:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 16:51 118784]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2008-02-26 11:40 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-04-13 13:20 59040]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-03-13 19:04 100056]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-13 18:29 282624]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-26 11:40 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2006-02-23 12:41 67264]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04 5562368]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"C:\\Program Files\\DeltaNet VPN Connector\\Extranet.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57793:TCP"= 57793:TCP:Pando P2P TCP Listening Port
"57793:UDP"= 57793:UDP:Pando P2P UDP Listening Port

R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2002-04-22 15:50]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-05-01 00:16]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-05-01 00:16]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll
HKLM-Run-PicasaNet - C:\Program Files\Hello\Hello.exe
HKU-Default-Run-Plug And Play - msnmsg.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.msn.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyServer = http=localhost:8080
R1 -: HKCU-Internet Settings,ProxyOverride = localhost;<local>
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 -: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 -: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
.
.
------- File Associations (Beta) -------
.
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 00:18:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-08-27 0:56:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-27 05:54:36

Pre-Run: 67,875,635,200 bytes free
Post-Run: 68,021,182,464 bytes free

155 --- E O F --- 2008-08-20 02:50:58

hjt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:12 AM, on 8/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Forget Me Not.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...1.10/ttinst.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia....tupv2.0.0.9.cab?
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8780 bytes
  • 0

#8
Stamper19

Stamper19

    Trusted Helper

  • Retired Staff
  • 1,991 posts
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Posted Image


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
  • 0

#9
rck

rck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
how do you determine which operating system you have (sp1, sp2 or sp3)?
  • 0

#10
Stamper19

Stamper19

    Trusted Helper

  • Retired Staff
  • 1,991 posts
Hi rck,

You need to select the one named Windows XP Service Pack 2 (SP2)
  • 0

Advertisements


#11
rck

rck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
here's the log

ComboFix 08-08-26.02 - XP PRP 2008-08-27 22:36:54.2 - NTFSx86
Running from: C:\Documents and Settings\XP PRP\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\XP PRP\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\#SharedObjects\HL33NKCD\bin.clearspring.com
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\#SharedObjects\HL33NKCD\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\#SharedObjects\HL33NKCD\interclick.com
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\#SharedObjects\HL33NKCD\interclick.com\ud.sol
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-28 )))))))))))))))))))))))))))))))
.

2008-08-26 09:41 . 2008-08-26 10:20 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-19 17:34 . 2008-08-19 17:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-19 17:34 . 2008-08-19 17:34 <DIR> d-------- C:\Documents and Settings\XP PRP\Application Data\Malwarebytes
2008-08-19 17:34 . 2008-08-19 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-19 17:34 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-19 17:34 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-19 17:33 . 2008-08-19 17:33 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-19 17:14 . 2008-08-19 17:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-18 22:24 . 2008-08-18 22:44 14 --a------ C:\WINDOWS\system32\11B.tmp
2008-08-18 21:24 . 2008-08-18 21:24 0 --a------ C:\WINDOWS\system32\80.tmp
2008-08-18 20:34 . 2008-08-18 20:34 0 --a------ C:\WINDOWS\system32\44.tmp
2008-08-18 19:09 . 2008-08-18 19:09 14 --a------ C:\WINDOWS\system32\3B.tmp
2008-08-18 19:09 . 2008-08-18 19:09 0 --a------ C:\WINDOWS\system32\39.tmp
2008-08-18 11:19 . 2008-08-19 21:26 <DIR> d-------- C:\found.002
2008-08-18 02:39 . 2008-08-18 02:39 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-12 14:52 . 2008-05-01 09:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-07-30 22:47 . 2008-07-30 23:04 <DIR> d-------- C:\Program Files\Virtual Earth 3D

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 19:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2005-03-14 16:11 17,920 ----a-w C:\Documents and Settings\XP PRP\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( [email protected]_ 0.35.49.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-31 00:18:40 33,624 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2008-07-19 03:10:20 36,552 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [2003-09-17 12:06 716800]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04 5562368]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2008-02-27 19:08 6051144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 16:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 16:51 118784]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2008-02-26 11:40 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-04-13 13:20 59040]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-03-13 19:04 100056]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-13 18:29 282624]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-26 11:40 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2006-02-23 12:41 67264]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04 5562368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Forget Me Not.lnk - C:\Program Files\Broderbund\AG CreataCard\agremind.exe [2006-09-25 14:21:52 331776]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-04-09 06:56:24 598150]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"C:\\Program Files\\DeltaNet VPN Connector\\Extranet.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57793:TCP"= 57793:TCP:Pando P2P TCP Listening Port
"57793:UDP"= 57793:UDP:Pando P2P UDP Listening Port

R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2002-04-22 15:50]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-05-01 00:16]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-05-01 00:16]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.msn.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyServer = http=localhost:8080
R1 -: HKCU-Internet Settings,ProxyOverride = localhost;<local>
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 -: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 -: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
.
.
------- File Associations (Beta) -------
.
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 22:46:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-08-27 23:10:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-28 04:06:48
ComboFix2.txt 2008-08-27 05:56:37

Pre-Run: 67,849,854,976 bytes free
Post-Run: 67,973,931,008 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

165 --- E O F --- 2008-08-20 02:50:58
  • 0

#12
Stamper19

Stamper19

    Trusted Helper

  • Retired Staff
  • 1,991 posts
Hi rck,

We are going to use ComboFix to delete some things.

  • Copy the entire contents of the Code Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::
C:\WINDOWS\system32\11B.tmp
C:\WINDOWS\system32\80.tmp
C:\WINDOWS\system32\44.tmp
C:\WINDOWS\system32\3B.tmp
C:\WINDOWS\system32\39.tmp

Posted Image

Once saved, refering to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

----------------------------------------------------------------

Please clean out your temp files.

Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu..

----------------------------------------------------------------

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u7-windows-i586-p.exe and select "Run as an Administrator.")
----------------------------------------------------------------

Information to include in your next post:
  • Combofix Log
  • Kapersky Log

  • 0

#13
rck

rck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
what do you mean change the save as type to all files? I've copied and transfered to notepad. when i go to save it, it says save in XP PRP. Does the code box include the word CODE?
  • 0

#14
Stamper19

Stamper19

    Trusted Helper

  • Retired Staff
  • 1,991 posts

what do you mean change the save as type to all files?

When you go to save the file, beneath the file name there is a Save As Typedialogue - change that using the drop down lise to All Files

Does the code box include the word CODE?

No - just what is in the box.
  • 0

#15
rck

rck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
ComboFix 08-08-26.02 - XP PRP 2008-08-29 20:56:46.3 - NTFSx86
Running from: C:\Documents and Settings\XP PRP\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\XP PRP\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\11B.tmp
C:\WINDOWS\system32\39.tmp
C:\WINDOWS\system32\3B.tmp
C:\WINDOWS\system32\44.tmp
C:\WINDOWS\system32\80.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\#SharedObjects\HL33NKCD\bin.clearspring.com
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\#SharedObjects\HL33NKCD\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\XP PRP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\WINDOWS\system32\11B.tmp
C:\WINDOWS\system32\39.tmp
C:\WINDOWS\system32\3B.tmp
C:\WINDOWS\system32\44.tmp
C:\WINDOWS\system32\80.tmp

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-26 09:41 . 2008-08-26 10:20 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-19 17:34 . 2008-08-19 17:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-19 17:34 . 2008-08-19 17:34 <DIR> d-------- C:\Documents and Settings\XP PRP\Application Data\Malwarebytes
2008-08-19 17:34 . 2008-08-19 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-19 17:34 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-19 17:34 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-19 17:33 . 2008-08-19 17:33 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-19 17:14 . 2008-08-19 17:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-18 11:19 . 2008-08-19 21:26 <DIR> d-------- C:\found.002
2008-08-18 02:39 . 2008-08-18 02:39 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-12 14:52 . 2008-05-01 09:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-07-30 22:47 . 2008-07-30 23:04 <DIR> d-------- C:\Program Files\Virtual Earth 3D

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 20:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2005-03-14 16:11 17,920 ----a-w C:\Documents and Settings\XP PRP\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( [email protected]_ 0.35.49.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-31 00:18:40 33,624 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2008-07-19 03:10:20 36,552 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [2003-09-17 12:06 716800]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04 5562368]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2008-02-27 19:08 6051144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 16:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 16:51 118784]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2008-02-26 11:40 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-04-13 13:20 59040]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-03-13 19:04 100056]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-13 18:29 282624]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-26 11:40 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2006-02-23 12:41 67264]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04 5562368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Forget Me Not.lnk - C:\Program Files\Broderbund\AG CreataCard\agremind.exe [2006-09-25 14:21:52 331776]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-04-09 06:56:24 598150]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"C:\\Program Files\\DeltaNet VPN Connector\\Extranet.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57793:TCP"= 57793:TCP:Pando P2P TCP Listening Port
"57793:UDP"= 57793:UDP:Pando P2P UDP Listening Port

.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 21:06:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-08-29 21:30:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-30 02:28:28
ComboFix2.txt 2008-08-28 04:10:41
ComboFix3.txt 2008-08-27 05:56:37

Pre-Run: 67,704,594,432 bytes free
Post-Run: 67,922,755,584 bytes free

144 --- E O F --- 2008-08-20 02:50:58
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP