infected with win32.delf.rtk and refpron

#1 b.rodriguez (New Member, 7 posts)
Help, I'm infected with win32.delf.rtk and refpron according to Spybot. Malware finds a couple of backdoors, and after removal it won't even wait till I reboot; it automatically comes back. I tried turning off System Restore and then removing it, but that didn't help any, so here I am coming to you. Here are the results of my scans. Please help me out.

OTListIt.txt:

OTListIt logfile created on: 3/13/2009 1:28:14 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.3.5 Folder = C:\Documents and Settings\brian\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.98 Mb Total Physical Memory | 202.21 Mb Available Physical Memory | 39.57% Memory free
1.26 Gb Paging File | 0.39 Gb Available in Paging File | 30.65% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.50 Gb Total Space | 115.56 Gb Free Space | 79.43% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MYDELL
Current User Name: brian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Program Files\Common Files\AOL\ACS\acsd.exe (America Online, Inc.)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\WINDOWS\System32\CTsvcCDA.exe (Creative Technology Ltd)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
PRC - C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\wanmpsvc.exe (America Online, Inc.)
PRC - C:\WINDOWS\System32\MsPMSPSv.exe (Microsoft Corporation)
PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe ()
PRC - C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
PRC - C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe (Intel Corporation)
PRC - C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
PRC - C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\CTHELPER.EXE (Creative Technology Ltd)
PRC - C:\Program Files\Dell\Media Experience\PCMService.exe (CyberLink Corp.)
PRC - C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
PRC - C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
PRC - C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe (TODO: <Company name>)
PRC - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe (Microsoft® Corporation)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\AOL\1235556417\ee\aolsoftware.exe (America Online, Inc.)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe ()
PRC - C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
PRC - C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
PRC - C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\CTHELPER.EXE (Creative Technology Ltd)
PRC - C:\Program Files\Dell\Media Experience\PCMService.exe (CyberLink Corp.)
PRC - C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
PRC - C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe (TODO: <Company name>)
PRC - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe (Microsoft® Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
PRC - C:\Program Files\Registry Mechanic\RegMech.exe (PC Tools)
PRC - C:\Program Files\Innovative Solutions\DriverMax\devices.exe (Innovative Solutions)
PRC - C:\Program Files\Common Files\AOL\1235556417\ee\aolsoftware.exe (America Online, Inc.)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe ()
PRC - C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
PRC - C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
PRC - C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\CTHELPER.EXE (Creative Technology Ltd)
PRC - C:\Program Files\Dell\Media Experience\PCMService.exe (CyberLink Corp.)
PRC - C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
PRC - C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
PRC - C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe (TODO: <Company name>)
PRC - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe (Microsoft® Corporation)
PRC - C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe (Uniblue Software)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe ()
PRC - C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
PRC - C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
PRC - C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\CTHELPER.EXE (Creative Technology Ltd)
PRC - C:\Program Files\Dell\Media Experience\PCMService.exe (CyberLink Corp.)
PRC - C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
PRC - C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
PRC - C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe (TODO: <Company name>)
PRC - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe (Microsoft® Corporation)
PRC - C:\WINDOWS\system32\nxtepad.exe ()
PRC - C:\WINDOWS\system32\tpszxyd.sys ()
PRC - C:\WINDOWS\system32\tdctxte.exe ()
PRC - C:\Program Files\Flock\flock.exe (Flock, Inc.)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\brian\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (AOL ACS [Auto | Running]) -- C:\Program Files\Common Files\AOL\ACS\acsd.exe (America Online, Inc.)
SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (Creative Service for CDROM Access [Auto | Running]) -- C:\WINDOWS\System32\CTsvcCDA.exe (Creative Technology Ltd)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (mcmscsvc [Auto | Running]) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McNASvc [Auto | Running]) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (McODS [On_Demand | Stopped]) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McProxy [Auto | Running]) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McShield [Unknown | Running]) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon [On_Demand | Running]) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (MpfService [Auto | Running]) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SRV - (NetSvc [On_Demand | Stopped]) -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe (Intel® Corporation)
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation)
SRV - (sopidkc [Auto | Running]) -- C:\WINDOWS\system32\sopidkc.exe ()
SRV - (SymWSC [Auto | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (Symantec Corporation)
SRV - (WANMiniportService [Auto | Running]) -- C:\WINDOWS\wanmpsvc.exe (America Online, Inc.)
SRV - (WMDM PMSP Service [Auto | Running]) -- C:\WINDOWS\System32\MsPMSPSv.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)
SRV - (afisicx [Auto | Running]) -- C:\WINDOWS\system32\afisicx.exe File not found
SRV - (mabidwe [Auto | Running]) -- C:\WINDOWS\system32\mabidwe.exe File not found
SRV - (tdctxte [Auto | Running]) -- C:\WINDOWS\system32\tdctxte.exe ()

========== Driver Services (SafeList) ==========

DRV - (AliIde [Disabled | Stopped]) -- C:\WINDOWS\System32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (amdagp [Disabled | Stopped]) -- C:\WINDOWS\System32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (asc [Disabled | Stopped]) -- C:\WINDOWS\System32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550 [Disabled | Stopped]) -- C:\WINDOWS\System32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (ASCTRM [Auto | Running]) -- C:\WINDOWS\System32\drivers\asctrm.sys (Windows ® 2000 DDK provider)
DRV - (ati2mtag [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (CmdIde [Disabled | Stopped]) -- C:\WINDOWS\System32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (ctac32k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (ctaud2k [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (ctdvda2k [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\ctdvda2k.sys (Creative Technology Ltd)
DRV - (ctprxy2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (ctsfm2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (dac2w2k [Disabled | Stopped]) -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (drvmcdb [Boot | Running]) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions)
DRV - (drvnddm [Auto | Running]) -- C:\WINDOWS\system32\drivers\drvnddm.sys (Sonic Solutions)
DRV - (E100B [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (EL90XBC [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\el90xbc5.sys (3Com Corporation)
DRV - (emupia [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (ha10kx2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (hap16v2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\hap16v2k.sys (Creative Technology Ltd)
DRV - (i81x [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\i81xnt5.sys (Intel® Corporation)
DRV - (iAimFP0 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\wADV01nt.sys (Intel® Corporation)
DRV - (iAimFP1 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\wADV02NT.sys (Intel® Corporation)
DRV - (iAimFP2 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\wADV05NT.sys (Intel® Corporation)
DRV - (iAimFP3 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys (Intel® Corporation)
DRV - (iAimFP4 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys (Intel® Corporation)
DRV - (iAimTV0 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\wATV01nt.sys (Intel® Corporation)
DRV - (iAimTV1 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\wATV02NT.sys (Intel® Corporation)
DRV - (iAimTV3 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\wATV04nt.sys (Intel® Corporation)
DRV - (iAimTV4 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys (Intel® Corporation)
DRV - (IntelC51 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\IntelC51.sys (Intel Corporation)
DRV - (IntelC52 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\IntelC52.sys (Intel Corporation)
DRV - (IntelC53 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\IntelC53.sys (Intel Corporation)
DRV - (mfeavfk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfebopk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mfehidk [System | Running]) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mferkdk [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (mfesmfk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (MODEMCSA [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)
DRV - (mohfilt [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\mohfilt.sys (Intel Corporation)
DRV - (MPFP [System | Running]) -- C:\WINDOWS\System32\Drivers\Mpfp.sys (McAfee, Inc.)
DRV - (mraid35x [Disabled | Stopped]) -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (MxlW2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\MxlW2k.sys (MusicMatch, Inc.)
DRV - (nv [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (omci [System | Running]) -- C:\WINDOWS\System32\DRIVERS\omci.sys (Dell Computer Corporation)
DRV - (ossrv [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (pcistub [On_Demand | Stopped]) -- C:\WINDOWS\system32\pcistub.sys ()
DRV - (PfModNT [Auto | Running]) -- C:\WINDOWS\System32\drivers\PfModNT.sys (Creative Technology Ltd.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (ql1080 [Disabled | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql12160 [Disabled | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1280 [Disabled | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sisagp [Disabled | Stopped]) -- C:\WINDOWS\System32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (Sparrow [Disabled | Stopped]) -- C:\WINDOWS\System32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sscdbhk5 [System | Running]) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys (Sonic Solutions)
DRV - (ssrtln [System | Running]) -- C:\WINDOWS\system32\drivers\ssrtln.sys (Sonic Solutions)
DRV - (symc810 [Disabled | Stopped]) -- C:\WINDOWS\System32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (symc8xx [Disabled | Stopped]) -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (sym_hi [Disabled | Stopped]) -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (sym_u3 [Disabled | Stopped]) -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (tfsnboio [Auto | Running]) -- C:\WINDOWS\system32\dla\tfsnboio.sys (Sonic Solutions)
DRV - (tfsncofs [Auto | Running]) -- C:\WINDOWS\system32\dla\tfsncofs.sys (Sonic Solutions)
DRV - (tfsndrct [Auto | Running]) -- C:\WINDOWS\system32\dla\tfsndrct.sys (Sonic Solutions)
DRV - (tfsndres [Auto | Running]) -- C:\WINDOWS\system32\dla\tfsndres.sys (Sonic Solutions)
DRV - (tfsnifs [Auto | Running]) -- C:\WINDOWS\system32\dla\tfsnifs.sys (Sonic Solutions)
DRV - (tfsnopio [Auto | Running]) -- C:\WINDOWS\system32\dla\tfsnopio.sys (Sonic Solutions)
DRV - (tfsnpool [Auto | Running]) -- C:\WINDOWS\system32\dla\tfsnpool.sys (Sonic Solutions)
DRV - (tfsnudf [Auto | Running]) -- C:\WINDOWS\system32\dla\tfsnudf.sys (Sonic Solutions)
DRV - (tfsnudfa [Auto | Running]) -- C:\WINDOWS\system32\dla\tfsnudfa.sys (Sonic Solutions)
DRV - (ultra [Disabled | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (USBAAPL [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\usbaapl.sys (Apple, Inc.)
DRV - (wanatw [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys (America Online, Inc.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings:


Extras.txt:
OTListIt Extras logfile created on: 3/13/2009 1:28:14 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.3.5 Folder = C:\Documents and Settings\brian\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.98 Mb Total Physical Memory | 202.21 Mb Available Physical Memory | 39.57% Memory free
1.26 Gb Paging File | 0.39 Gb Available in Paging File | 30.65% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.50 Gb Total Space | 115.56 Gb Free Space | 79.43% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MYDELL
Current User Name: brian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\WINDOWS\system32\nxtepad.exe ()

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FlockHTML] -- C:\Program Files\Flock\flock.exe (Flock, Inc.)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 (America Online, Inc.)
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 (America Online, Inc.)
C:\Program Files\DNA\btdna.exe:*:Enabled:DNA File not found
C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent (BitTorrent, Inc.)
C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour (Apple Inc.)
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes (Apple Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{04410044-9149-45C6-A806-F2BF9CFCE762}" = Microsoft Encarta Encyclopedia Standard 2004
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0F756CD9-4A1E-409B-B101-601DDC4C03AA}" = Qualxserve Service Agreement
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{1526D87C-A955-4FAB-BF18-697BA457E352}" = Norton WMI Update
"{1D643CD7-4DD6-11D7-A4E0-000874180BB3}" = Microsoft Money 2004
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Dell Media Experience
"{33BEE6F3-9987-4F98-A069-97A64EC8321A}" = Microsoft Works Suite Add-in for Microsoft Word
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold
"{43FCA273-9534-40DB-B7C5-D7758875616A}" = Dell Support
"{45EBDA59-D33B-433A-956E-B2F236468B56}" = MUSICMATCH® Jukebox
"{56F3E1FF-54FE-4384-A153-6CCABA097814}" = Creative MediaSource
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.1
"{68D60342-7686-45C9-B8EB-40EF843D0460}" = Dell Networking Guide
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
"{7A3F0566-5E05-4919-9C98-456F6B5CF831}" = Get High Speed Internet!
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8 Dell Edition
"{8704D51E-25B7-4F23-81E7-AA4F54790210}" = Microsoft Streets and Trips 2004
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8C64E145-54BA-11D6-91B1-00500462BE80}" = Microsoft Money 2004 System Pack
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{9B2CFE3B-7F55-4786-A20D-BB244914F6D8}" = EarthLink Setup Files
"{A654A805-41D9-40C7-AA46-4AF04F044D61}" = Adobe® Photoshop® Album Starter Edition 3.2
"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}" = Intel® PROSet
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B9966F27-9678-4620-9579-925E3084647E}" = Microsoft Works
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}" = Jasc Paint Shop Photo Album
"{DBA8B9E1-C6FF-4624-9598-73D3B41A0903}" = Microsoft Picture It! Photo Premium 9
"{E82BF103-904F-49C0-B77F-6EC110B71E87}" = Sound Blaster Audigy 2
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}" = iTunes
"{FC4ED75D-916C-4A8C-BB67-3C6F6E06D62B}" = Banctec Service Agreement
"7-Zip" = 7-Zip 4.65
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe® Photoshop® Album Starter Edition 3.2" = Adobe® Photoshop® Album Starter Edition 3.2
"America Online us" = America Online (Choose which version to remove)
"AolCoach" = AOL Coach Version 1.0(Build:20030807.3)
"Ask Toolbar_is1" = Ask Toolbar
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"ERUNT_is1" = ERUNT 1.1j
"Flock (2.0.3)" = Flock (2.0.3)
"GOM Player" = GOM Player
"HijackThis" = HijackThis 2.0.2
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"LiveUpdate" = LiveUpdate 1.90 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"PictureIt_v9" = Microsoft Picture It! Photo Premium 9
"PROSet" = Intel® PRO Network Adapters and Drivers
"RealPlayer 6.0" = RealPlayer Basic
"Registry Mechanic_is1" = Registry Mechanic 8.0
"RegistryBooster 2_is1" = Uniblue RegistryBooster 2
"Shockwave" = Shockwave
"StreetPlugin" = Learn2 Player (Uninstall Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works2004Setup" = Microsoft Works 2004 Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/1/2009 9:33:48 AM | Computer Name = MYDELL | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x0181101c.

Error - 3/1/2009 9:33:48 AM | Computer Name = MYDELL | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x01ef101c.

Error - 3/1/2009 9:33:49 AM | Computer Name = MYDELL | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x0223101c.

Error - 3/1/2009 10:01:23 AM | Computer Name = MYDELL | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module ntdll.dll, version 5.1.2600.5512, fault address 0x00025652.

Error - 3/1/2009 2:08:49 PM | Computer Name = MYDELL | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module ntdll.dll, version 5.1.2600.5512, fault address 0x00025652.

Error - 3/1/2009 6:36:10 PM | Computer Name = MYDELL | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 3/1/2009 6:37:34 PM | Computer Name = MYDELL | Source = Application Error | ID = 1000
Description = Faulting application wmplayer.exe, version 11.0.5721.5145, faulting
module wininet.dll, version 6.0.2900.5694, fault address 0x00003674.

Error - 3/1/2009 6:38:25 PM | Computer Name = MYDELL | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module wininet.dll, version 6.0.2900.5694, fault address 0x00003674.

Error - 3/1/2009 6:38:45 PM | Computer Name = MYDELL | Source = Application Error | ID = 1001
Description = Fault bucket 1047907391.

Error - 3/1/2009 7:33:56 PM | Computer Name = MYDELL | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

[ System Events ]
Error - 3/11/2009 10:07:53 PM | Computer Name = MYDELL | Source = Service Control Manager | ID = 7023
Description = The .Freame Micer service terminated with the following error: %%126

Error - 3/12/2009 12:01:18 AM | Computer Name = MYDELL | Source = Service Control Manager | ID = 7000
Description = The afisicx service failed to start due to the following error: %%3

Error - 3/12/2009 12:01:45 AM | Computer Name = MYDELL | Source = Service Control Manager | ID = 7000
Description = The mabidwe service failed to start due to the following error: %%3

Error - 3/12/2009 9:24:33 AM | Computer Name = MYDELL | Source = Service Control Manager | ID = 7023
Description = The 6to4 service terminated with the following error: %%126

Error - 3/12/2009 9:24:33 AM | Computer Name = MYDELL | Source = Service Control Manager | ID = 7023
Description = The Service AntiVir service terminated with the following error: %%126

Error - 3/12/2009 9:24:33 AM | Computer Name = MYDELL | Source = Service Control Manager | ID = 7023
Description = The .Freame Micer service terminated with the following error: %%126

Error - 3/12/2009 10:19:06 AM | Computer Name = MYDELL | Source = DCOM | ID = 10001
Description = Unable to start a DCOM Server: {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493}
as /. The error: "%233" Happened while starting this command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
-Embedding

Error - 3/12/2009 4:31:04 PM | Computer Name = MYDELL | Source = DCOM | ID = 10001
Description = Unable to start a DCOM Server: {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493}
as /. The error: "%233" Happened while starting this command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
-Embedding

Error - 3/12/2009 5:37:17 PM | Computer Name = MYDELL | Source = DCOM | ID = 10001
Description = Unable to start a DCOM Server: {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493}
as /. The error: "%233" Happened while starting this command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
-Embedding

Error - 3/12/2009 5:37:17 PM | Computer Name = MYDELL | Source = DCOM | ID = 10001
Description = Unable to start a DCOM Server: {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493}
as /. The error: "%233" Happened while starting this command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
-Embedding


< End of report >


rooter txt

Microsoft Windows XP Home Edition (5.1.2600) Service Pack 3

A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - NTFS - (Total:148993 Mo/Free:3648 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)

Fri 03/13/2009| 1:31

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\Program Files\Bonjour\mDNSResponder.exe
---------- C:\WINDOWS\System32\CTsvcCDA.exe
---------- C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
---------- c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
---------- c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
---------- C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
---------- C:\Program Files\McAfee\MPF\MPFSrv.exe
---------- C:\WINDOWS\System32\nvsvc32.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\wanmpsvc.exe
---------- C:\WINDOWS\System32\MsPMSPSv.exe
---------- C:\WINDOWS\System32\alg.exe
---------- c:\PROGRA~1\mcafee.com\agent\mcagent.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
---------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
---------- C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
---------- C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
---------- C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
---------- C:\WINDOWS\system32\CTHELPER.EXE
---------- C:\Program Files\Dell\Media Experience\PCMService.exe
---------- C:\WINDOWS\system32\dla\tfswctrl.exe
---------- C:\Program Files\Real\RealPlayer\RealPlay.exe
---------- C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
---------- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
---------- C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
---------- C:\Program Files\iPod\bin\iPodService.exe
---------- C:\Program Files\Common Files\AOL\1235556417\ee\aolsoftware.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
---------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
---------- C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
---------- C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
---------- C:\WINDOWS\system32\CTHELPER.EXE
---------- C:\Program Files\Dell\Media Experience\PCMService.exe
---------- C:\WINDOWS\system32\dla\tfswctrl.exe
---------- c:\PROGRA~1\mcafee.com\agent\mcagent.exe
---------- C:\Program Files\Real\RealPlayer\RealPlay.exe
---------- C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
---------- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
---------- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
---------- C:\Program Files\Registry Mechanic\RegMech.exe
---------- C:\Program Files\Innovative Solutions\DriverMax\devices.exe
---------- C:\Program Files\Common Files\AOL\1235556417\ee\aolsoftware.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\Explorer.EXE
---------- c:\PROGRA~1\mcafee.com\agent\mcagent.exe
---------- C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
---------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
---------- C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
---------- C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
---------- C:\WINDOWS\system32\CTHELPER.EXE
---------- C:\Program Files\Dell\Media Experience\PCMService.exe
---------- C:\WINDOWS\system32\dla\tfswctrl.exe
---------- C:\Program Files\Real\RealPlayer\RealPlay.exe
---------- C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
---------- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
---------- C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\Explorer.EXE
---------- c:\PROGRA~1\mcafee.com\agent\mcagent.exe
---------- C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
---------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
---------- C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
---------- C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
---------- C:\WINDOWS\system32\CTHELPER.EXE
---------- C:\Program Files\Dell\Media Experience\PCMService.exe
---------- C:\WINDOWS\system32\dla\tfswctrl.exe
---------- C:\Program Files\Real\RealPlayer\RealPlay.exe
---------- C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
---------- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
---------- C:\WINDOWS\system32\nxtepad.exe
---------- C:\WINDOWS\system32\tpszxyd.sys
---------- C:\WINDOWS\system32\tdctxte.exe
---------- C:\PROGRA~1\FLOCK\FLOCK.EXE
---------- C:\Program Files\Internet Explorer\iexplore.exe
---------- C:\Documents and Settings\brian\Desktop\OTListIt2.exe
---------- C:\WINDOWS\system32\dlctsd32.sys
---------- C:\WINDOWS\system32\umtcdtw.sys
---------- C:\WINDOWS\notepad.exe
---------- C:\WINDOWS\notepad.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe
--Hidden-- C:\WINDOWS\system32\sopidkc.exe
--Hidden-- C:\WINDOWS\system32\afisicx.exe
--Hidden-- C:\WINDOWS\system32\mabidwe.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!

HKLM\SYSTEM\ControlSet004\Services\seneka
HKLM\SYSTEM\ControlSet005\Services\seneka
HKLM\SYSTEM\ControlSet006\Services\seneka
HKLM\SYSTEM\CurrentControlSet\Services\seneka


1 - "C:\Rooter$\Rooter_1.txt" - Fri 03/13/2009| 1:31

----------------------\\ Scan completed at 1:31
  • 0

#2
Thunderbird1988

    Member 2k

  • Member
  • 2,416 posts
Hello B.Rodriguez, and welcome to Geekstogo,

We will begin with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Thunderbird1988
  • 0

#3
b.rodriguez

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hey, thanks for the quick reply. Here are my results from running ComboFix:

ComboFix 09-03-12.01 - brian 2009-03-13 10:46:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.202 [GMT -4:00]
Running from: c:\documents and settings\brian\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\Install.txt
c:\windows\system32\comsa32.sys
c:\windows\system32\init32.exe
c:\windows\system32\sopidkc.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\win32hlp.cnf
c:\windows\system32\xcchit32.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_AFISICX
-------\Legacy_DEFAULTLIB
-------\Legacy_MABIDWE
-------\Legacy_SOFTYINFORWOW1
-------\Legacy_SOPIDKC
-------\Service_6to4
-------\Service_afisicx
-------\Service_defaultlib
-------\Service_mabidwe
-------\Service_seneka
-------\Service_softyinforwow1
-------\Service_sopidkc


((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
.

2009-03-13 01:30 . 2009-03-13 01:31 <DIR> d-------- C:\Rooter$
2009-03-13 01:15 . 2009-03-13 01:15 <DIR> d-------- c:\program files\ERUNT
2009-03-13 00:40 . 2009-03-13 00:55 <DIR> d-------- c:\program files\XoftSpySE
2009-03-13 00:30 . 2009-03-13 00:30 <DIR> d-------- c:\program files\Trend Micro
2009-03-12 15:57 . 2009-03-12 15:57 0 --a------ c:\documents and settings\brian\Application Data\wklnhst.dat
2009-03-07 12:26 . 2009-03-07 12:26 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-07 12:20 . 2009-03-07 20:22 <DIR> d-------- c:\program files\NOS
2009-03-07 12:20 . 2009-03-07 20:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-03-06 16:31 . 2009-03-06 16:31 <DIR> d-------- c:\documents and settings\matthew\Application Data\GRETECH
2009-03-06 08:37 . 2009-03-06 08:37 <DIR> d---s---- c:\documents and settings\kids\UserData
2009-03-05 02:23 . 2009-03-05 02:23 <DIR> d-------- c:\documents and settings\brian\Application Data\GRETECH
2009-03-04 19:59 . 2009-03-04 19:59 <DIR> d-------- c:\program files\Uniblue
2009-03-04 17:09 . 2009-03-04 17:09 <DIR> d-------- c:\program files\Webteh
2009-03-04 17:09 . 2009-03-05 02:20 <DIR> d-------- c:\program files\BS.Player ControlBar
2009-03-04 17:09 . 2009-03-04 17:09 <DIR> d-------- c:\documents and settings\brian\Application Data\BSplayer Pro
2009-03-04 16:46 . 2009-03-04 16:46 <DIR> d-------- c:\program files\Innovative Solutions
2009-03-04 14:53 . 2009-03-04 14:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-03-04 08:52 . 2009-03-04 08:52 <DIR> d-------- c:\documents and settings\matthew\Application Data\Malwarebytes
2009-03-03 12:22 . 2009-03-13 10:53 10,607 --a------ c:\windows\SYSTEM32\Config.MPF
2009-03-03 12:11 . 2007-12-02 13:51 40,488 --a------ c:\windows\SYSTEM32\DRIVERS\mfesmfk.sys
2009-03-03 12:11 . 2007-11-22 07:44 35,240 --a------ c:\windows\SYSTEM32\DRIVERS\mfebopk.sys
2009-03-03 12:11 . 2007-11-22 07:44 33,832 --a------ c:\windows\SYSTEM32\DRIVERS\mferkdk.sys
2009-03-03 12:10 . 2009-03-03 12:10 <DIR> d-------- c:\program files\McAfee.com
2009-03-03 12:10 . 2009-03-03 12:10 <DIR> d-------- c:\program files\Common Files\McAfee
2009-03-03 12:10 . 2009-03-03 12:10 <DIR> d-------- C:\mcafee_mcpr
2009-03-03 12:10 . 2007-11-22 07:44 201,320 --a------ c:\windows\SYSTEM32\DRIVERS\mfehidk.sys
2009-03-03 12:10 . 2007-07-13 07:20 113,952 --a------ c:\windows\SYSTEM32\DRIVERS\Mpfp.sys
2009-03-03 12:10 . 2007-11-22 07:44 79,304 --a------ c:\windows\SYSTEM32\DRIVERS\mfeavfk.sys
2009-03-03 12:09 . 2009-03-03 12:25 <DIR> d-------- c:\program files\McAfee
2009-03-03 11:51 . 2009-03-03 12:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-03-03 00:36 . 2009-03-03 00:36 <DIR> d---s---- c:\documents and settings\LocalService\UserData
2009-03-02 18:56 . 2009-03-02 18:56 <DIR> d-------- c:\documents and settings\kids\Application Data\Malwarebytes
2009-03-01 19:19 . 2009-03-01 19:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-01 19:15 . 2004-08-08 16:46 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-03-01 19:15 . 2004-08-08 16:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-03-01 19:15 . 2004-08-08 16:46 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-03-01 19:15 . 2004-08-08 16:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Creative
2009-03-01 19:15 . 2009-03-02 17:56 <DIR> d-------- c:\documents and settings\Administrator
2009-03-01 19:08 . 2009-03-01 19:08 381 --a------ c:\windows\cdPlayer.ini
2009-03-01 18:49 . 2009-03-01 18:52 365,672 --a------ C:\mmjb.DDF
2009-03-01 17:38 . 2009-03-01 17:38 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-03-01 17:34 . 2009-03-01 17:34 <DIR> d-------- c:\windows\SYSTEM32\LogFiles
2009-03-01 17:34 . 2009-03-01 17:35 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\UMDF
2009-03-01 13:11 . 2009-03-01 13:11 <DIR> d---s---- c:\windows\SYSTEM32\CONFIG\systemprofile\UserData
2009-03-01 10:21 . 2009-03-01 19:31 <DIR> d-------- c:\windows\SYSTEM32\3361
2009-03-01 10:21 . 2002-02-15 15:02 676,352 --a------ c:\windows\SYSTEM32\rtl60.bpl
2009-03-01 10:21 . 2009-03-01 10:21 108,336 --a------ c:\windows\SYSTEM32\MSWINSCK.OCX
2009-03-01 10:21 . 2009-03-01 18:03 227 --a------ c:\windows\SYSTEM32\hgset.ini
2009-03-01 10:21 . 2009-03-01 17:31 50 --a------ c:\windows\SYSTEM32\work.ini
2009-03-01 10:18 . 2009-03-01 19:31 <DIR> d-------- c:\windows\SYSTEM32\inf
2009-02-25 23:42 . 2009-02-25 23:42 <DIR> d-------- c:\documents and settings\brian\Application Data\Leadertech
2009-02-25 06:06 . 2009-02-25 06:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-02-23 02:46 . 2009-02-23 02:46 <DIR> d---s---- c:\documents and settings\brian\UserData
2009-02-22 21:23 . 2008-04-13 14:45 26,368 --a------ c:\windows\SYSTEM32\DLLCACHE\usbstor.sys
2009-02-21 22:21 . 2009-02-21 22:21 <DIR> d-------- c:\documents and settings\kids\Application Data\Viewpoint
2009-02-20 03:58 . 2009-02-20 03:59 <DIR> d-------- c:\program files\iTunes
2009-02-20 03:58 . 2009-02-20 03:58 <DIR> d-------- c:\program files\iPod
2009-02-20 03:58 . 2009-02-20 03:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-20 01:36 . 2009-02-20 01:36 <DIR> d-------- c:\windows\SYSTEM32\scripting
2009-02-20 01:36 . 2009-02-20 01:36 <DIR> d-------- c:\windows\SYSTEM32\en
2009-02-20 01:36 . 2009-02-20 01:36 <DIR> d-------- c:\windows\l2schemas
2009-02-19 23:44 . 2004-08-04 03:56 159,232 --a------ c:\windows\SYSTEM32\ptpusd.dll
2009-02-19 23:44 . 2008-04-13 14:45 15,104 --a------ c:\windows\SYSTEM32\DRIVERS\usbscan.sys
2009-02-19 23:44 . 2001-08-17 23:36 5,632 --a------ c:\windows\SYSTEM32\ptpusb.dll
2009-02-19 23:21 . 2008-04-17 14:12 107,368 --a------ c:\windows\SYSTEM32\GEARAspi.dll
2009-02-19 23:21 . 2008-04-17 14:12 15,464 --a------ c:\windows\SYSTEM32\DRIVERS\GEARAspiWDM.sys
2009-02-19 23:20 . 2009-02-19 23:20 <DIR> d-------- c:\program files\Bonjour
2009-02-19 23:19 . 2009-02-19 23:20 <DIR> d-------- c:\program files\QuickTime
2009-02-19 23:19 . 2009-02-19 23:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-19 23:18 . 2009-02-19 23:21 <DIR> d----c--- c:\windows\SYSTEM32\DRVSTORE
2009-02-19 23:18 . 2009-02-20 03:58 <DIR> d-------- c:\program files\Common Files\Apple
2009-02-19 23:18 . 2009-02-19 23:18 <DIR> d-------- c:\program files\Apple Software Update
2009-02-19 23:18 . 2009-02-19 23:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-02-19 23:18 . 2008-11-07 15:23 32,000 --a------ c:\windows\SYSTEM32\DRIVERS\usbaapl.sys
2009-02-19 00:07 . 2009-02-19 00:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-19 00:07 . 2009-02-19 00:07 <DIR> d-------- c:\documents and settings\brian\Application Data\Malwarebytes
2009-02-19 00:07 . 2009-02-19 00:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-19 00:07 . 2009-02-11 11:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-19 00:07 . 2009-02-11 11:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-18 22:23 . 2009-02-18 22:23 <DIR> d-------- c:\windows\Sun
2009-02-17 14:01 . 2009-02-19 18:18 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-17 14:01 . 2009-02-17 14:01 1,409 --a------ c:\windows\QTFont.for
2009-02-16 09:26 . 2006-11-01 19:31 1,669,120 --------- c:\windows\SYSTEM32\DLLCACHE\setup_wm.exe
2009-02-16 09:25 . 2006-10-18 22:47 991,744 --------- c:\windows\SYSTEM32\DLLCACHE\drmv2clt.dll
2009-02-16 09:06 . 2009-02-16 09:06 <DIR> d---s---- c:\documents and settings\matthew\UserData
2009-02-15 20:00 . 2009-03-13 10:54 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-15 13:43 . 2009-03-07 12:25 <DIR> d-------- c:\program files\Common Files\Adobe
2009-02-15 11:23 . 2009-02-15 11:23 <DIR> d-------- c:\documents and settings\kids\Application Data\GRETECH
2009-02-15 10:56 . 2009-02-15 10:56 <DIR> d-------- c:\documents and settings\kids\Application Data\Flock
2009-02-14 16:57 . 2009-02-14 16:57 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-14 16:57 . 2009-02-14 17:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-14 01:53 . 2009-03-05 02:22 <DIR> d-------- c:\program files\GRETECH
2009-02-14 00:51 . 2009-02-14 00:51 <DIR> d-------- c:\program files\BitTorrent
2009-02-14 00:51 . 2009-02-14 00:51 <DIR> d-------- c:\program files\AskBarDis
2009-02-14 00:51 . 2009-02-14 00:51 <DIR> d-------- c:\program files\7-Zip
2009-02-14 00:51 . 2009-03-13 00:01 <DIR> d-------- c:\documents and settings\brian\Application Data\BitTorrent
2009-02-13 01:44 . 2009-02-17 11:32 45,056 --a------ c:\windows\NCUNINST.EXE
2009-02-13 01:29 . 2009-02-13 01:29 <DIR> d-------- c:\program files\Common Files\SWF Studio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 14:22 --------- d-----w c:\program files\Flock
2009-03-04 20:44 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-03 16:20 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-03 16:08 --------- d-----w c:\program files\Symantec
2009-03-03 16:08 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-27 02:06 --------- d-----w c:\program files\DivX
2009-02-26 04:24 --------- d-----w c:\documents and settings\brian\Application Data\Sonic
2009-02-25 10:07 --------- d-----w c:\program files\Common Files\AOL
2009-02-25 10:06 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-02-23 17:30 --------- d-----w c:\program files\America Online 9.0
2009-02-12 19:18 --------- d-----w c:\documents and settings\matthew\Application Data\Move Networks
2009-02-12 08:01 --------- d-----w c:\program files\MSXML 4.0
2009-02-12 06:49 --------- d-----w c:\documents and settings\brian\Application Data\Viewpoint
2009-02-10 16:33 --------- d-----w c:\documents and settings\matthew\Application Data\Viewpoint
2009-02-10 15:51 --------- d-----w c:\documents and settings\matthew\Application Data\Flock
2009-02-10 05:33 --------- d-----w c:\documents and settings\brian\Application Data\Flock
2009-02-09 11:13 1,846,784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-29 18:24 325000 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"DriverMax"="c:\program files\Innovative Solutions\DriverMax\devices.exe" [2009-02-10 5391192]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD2842"="del" [X]
"SpybotDeletingD3227"="del" [X]
"SpybotDeletingB9358"="command.com" [2002-08-29 c:\windows\SYSTEM32\COMMAND.COM]
"SpybotDeletingB8307"="command.com" [2002-08-29 c:\windows\SYSTEM32\COMMAND.COM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-03 4800512]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-08-08 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 53248]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 323584]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-05 50688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"CTHelper"="CTHELPER.EXE" [2003-02-20 c:\windows\SYSTEM32\CTHELPER.EXE]
"AsioReg"="CTASIO.DLL" [2003-02-20 c:\windows\SYSTEM32\CTASIO.DLL]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-08-08 36953]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 tdctxte;tdctxte Service;c:\windows\SYSTEM32\tdctxte.exe [2002-08-29 171520]
S3 pcistub;pcistub;c:\windows\SYSTEM32\pcistub.sys [2002-08-29 2176]
.
Contents of the 'Scheduled Tasks' folder

2009-03-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-03 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2009-03-03 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2009-03-13 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 19:38]
.
- - - - ORPHANS REMOVED - - - -

Notify-vtUOfEVp - vtUOfEVp.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-13 10:52:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???8???????x???x???????????x???????????x???x???????????@????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\wanmpsvc.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-03-13 10:59:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-13 14:58:41

Pre-Run: 123,310,673,920 bytes free
Post-Run: 124,082,356,224 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
313 --- E O F --- 2009-03-11 23:18:27
  • 0

#4
b.rodriguez

    New Member

  • Topic Starter
  • Member
  • 7 posts
Spybot is still showing win32 and refpron.
  • 0

#5
Thunderbird1988

    Member 2k

  • Member
  • 2,416 posts
Hello B.Rodriguez,

Spybot is still showing win32 and refpron.

Your computer is still infected. The process of malware removal usually takes several steps.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Download ToolBar S&D here

Double-click ToolBar S&D.exe
Choose the language, then choose Option 2 (Fix)
Wait till the end of the scan
Post the log which was created: (%SystemDrive%\TB.txt)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Rootkit::

C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\mabidwe.exe

File::

C:\WINDOWS\system32\umtcdtw.sys
C:\WINDOWS\system32\dlctsd32.sys
C:\WINDOWS\system32\nxtepad.exe
C:\WINDOWS\system32\tdctxte.exe

Folder::

c:\windows\SYSTEM32\3361

Driver::

tdctxte


Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Disable resident protections (Antivirus...); re-enable them after the scan

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 12.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u12-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on the jre-6u12-windows-i586-p.exe and select "Run as an Administrator.")

Thunderbird1988

#6
b.rodriguez

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hey Thunderbird,

I couldn't figure out how to turn off TeaTimer, so I one-upped you and just uninstalled Spybot altogether till we're finished with this process. I hope that's cool. It took me a minute to figure out the Java setup, but I got it, and Kaspersky took forever. I found out my system is low on virtual memory; maybe you can help me with that too. Anyway, here are the logs you needed.


toolbar log

-----------\\ ToolBar S&D 1.2.8 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel® Pentium® 4 CPU 3.40GHz )
BIOS : Phoenix ROM BIOS PLUS Version 1.10 A10
USER : brian ( Administrator )
BOOT : Normal boot
Antivirus : McAfee VirusScan (Activated)
Firewall : McAfee Personal Firewall (Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:145 Go (Free:115 Go)
D:\ (CD or DVD)
E:\ (CD or DVD)

"C:\ToolBar SD" ( MAJ : 21-12-2008|20:47 )
Option : [2] ( Fri 03/13/2009|15:12 )

-----------\\ FIX

Deleted! - C:\Program Files\AskBarDis\bar
Deleted! - C:\Program Files\AskBarDis\unins000.dat
Deleted! - C:\Program Files\AskBarDis\unins000.exe
Deleted! - C:\Program Files\AskBarDis

-----------\\ Searching for Files - Folders ...


-----------\\ Extensions

(brian) - {E9A1DEE0-C623-4439-8932-001E7D17607D} => ajtoolbar


-----------\\ [..\Internet Explorer\Main]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"
"Start Page"="http://www.msn.com"
"Search Page"="http://www.microsoft...ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://go.microsoft..../?LinkId=69157"
"Default_Search_URL"="http://go.microsoft..../?LinkId=54896"
"Search Page"="http://go.microsoft..../?LinkId=54896"
"Start Page"="http://www.msn.com/"


--------------------\\ Searching for other infections

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\brian\My Documents\My Music\Eminem - Return Of The Bad Guy Pt2[2009]\04) CRACK A BOTTLE FT DR DRE 50 CENT.mp3
C:\DOCUME~1\brian\My Documents\My Music\Eminem - Return Of The Bad Guy Pt2[2009]\11) CRACK SMOKE.mp3



1 - "C:\ToolBar SD\TB_1.txt" - Fri 03/13/2009|15:14 - Option : [2]

-----------\\ Scan completed at 15:14:15.82


combofix log


ComboFix 09-03-12.01 - brian 2009-03-13 15:23:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.143 [GMT -4:00]
Running from: c:\documents and settings\brian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\brian\My Documents\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\system32\dlctsd32.sys
c:\windows\system32\nxtepad.exe
c:\windows\system32\tdctxte.exe
c:\windows\system32\umtcdtw.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\3361
c:\windows\SYSTEM32\3361\mlog
c:\windows\system32\dlctsd32.sys
c:\windows\system32\nxtepad.exe
c:\windows\system32\tdctxte.exe
c:\windows\system32\umtcdtw.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDCTXTE
-------\Service_tdctxte


((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
.

2009-03-13 15:10 . 2009-03-13 15:14 <DIR> d-------- C:\ToolBar SD
2009-03-13 01:30 . 2009-03-13 01:31 <DIR> d-------- C:\Rooter$
2009-03-13 01:15 . 2009-03-13 01:15 <DIR> d-------- c:\program files\ERUNT
2009-03-13 00:40 . 2009-03-13 00:55 <DIR> d-------- c:\program files\XoftSpySE
2009-03-13 00:30 . 2009-03-13 00:30 <DIR> d-------- c:\program files\Trend Micro
2009-03-12 15:57 . 2009-03-12 15:57 0 --a------ c:\documents and settings\brian\Application Data\wklnhst.dat
2009-03-07 12:26 . 2009-03-07 12:26 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-07 12:20 . 2009-03-07 20:22 <DIR> d-------- c:\program files\NOS
2009-03-07 12:20 . 2009-03-07 20:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-03-06 16:31 . 2009-03-06 16:31 <DIR> d-------- c:\documents and settings\matthew\Application Data\GRETECH
2009-03-06 08:37 . 2009-03-06 08:37 <DIR> d---s---- c:\documents and settings\kids\UserData
2009-03-05 02:23 . 2009-03-05 02:23 <DIR> d-------- c:\documents and settings\brian\Application Data\GRETECH
2009-03-04 19:59 . 2009-03-04 19:59 <DIR> d-------- c:\program files\Uniblue
2009-03-04 17:09 . 2009-03-04 17:09 <DIR> d-------- c:\program files\Webteh
2009-03-04 17:09 . 2009-03-05 02:20 <DIR> d-------- c:\program files\BS.Player ControlBar
2009-03-04 17:09 . 2009-03-04 17:09 <DIR> d-------- c:\documents and settings\brian\Application Data\BSplayer Pro
2009-03-04 16:46 . 2009-03-04 16:46 <DIR> d-------- c:\program files\Innovative Solutions
2009-03-04 14:53 . 2009-03-04 14:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-03-04 08:52 . 2009-03-04 08:52 <DIR> d-------- c:\documents and settings\matthew\Application Data\Malwarebytes
2009-03-03 12:22 . 2009-03-13 15:28 10,807 --a------ c:\windows\SYSTEM32\Config.MPF
2009-03-03 12:11 . 2007-12-02 13:51 40,488 --a------ c:\windows\SYSTEM32\DRIVERS\mfesmfk.sys
2009-03-03 12:11 . 2007-11-22 07:44 35,240 --a------ c:\windows\SYSTEM32\DRIVERS\mfebopk.sys
2009-03-03 12:11 . 2007-11-22 07:44 33,832 --a------ c:\windows\SYSTEM32\DRIVERS\mferkdk.sys
2009-03-03 12:10 . 2009-03-03 12:10 <DIR> d-------- c:\program files\McAfee.com
2009-03-03 12:10 . 2009-03-03 12:10 <DIR> d-------- c:\program files\Common Files\McAfee
2009-03-03 12:10 . 2009-03-03 12:10 <DIR> d-------- C:\mcafee_mcpr
2009-03-03 12:10 . 2007-11-22 07:44 201,320 --a------ c:\windows\SYSTEM32\DRIVERS\mfehidk.sys
2009-03-03 12:10 . 2007-07-13 07:20 113,952 --a------ c:\windows\SYSTEM32\DRIVERS\Mpfp.sys
2009-03-03 12:10 . 2007-11-22 07:44 79,304 --a------ c:\windows\SYSTEM32\DRIVERS\mfeavfk.sys
2009-03-03 12:09 . 2009-03-03 12:25 <DIR> d-------- c:\program files\McAfee
2009-03-03 11:51 . 2009-03-03 12:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-03-03 00:36 . 2009-03-03 00:36 <DIR> d---s---- c:\documents and settings\LocalService\UserData
2009-03-02 18:56 . 2009-03-02 18:56 <DIR> d-------- c:\documents and settings\kids\Application Data\Malwarebytes
2009-03-01 19:19 . 2009-03-01 19:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-01 19:15 . 2004-08-08 16:46 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-03-01 19:15 . 2004-08-08 16:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-03-01 19:15 . 2004-08-08 16:46 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-03-01 19:15 . 2004-08-08 16:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Creative
2009-03-01 19:15 . 2009-03-02 17:56 <DIR> d-------- c:\documents and settings\Administrator
2009-03-01 19:08 . 2009-03-01 19:08 381 --a------ c:\windows\cdPlayer.ini
2009-03-01 18:49 . 2009-03-01 18:52 365,672 --a------ C:\mmjb.DDF
2009-03-01 17:38 . 2009-03-01 17:38 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-03-01 17:34 . 2009-03-01 17:34 <DIR> d-------- c:\windows\SYSTEM32\LogFiles
2009-03-01 17:34 . 2009-03-01 17:35 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\UMDF
2009-03-01 13:11 . 2009-03-01 13:11 <DIR> d---s---- c:\windows\SYSTEM32\CONFIG\systemprofile\UserData
2009-03-01 10:21 . 2002-02-15 15:02 676,352 --a------ c:\windows\SYSTEM32\rtl60.bpl
2009-03-01 10:21 . 2009-03-01 10:21 108,336 --a------ c:\windows\SYSTEM32\MSWINSCK.OCX
2009-03-01 10:21 . 2009-03-01 18:03 227 --a------ c:\windows\SYSTEM32\hgset.ini
2009-03-01 10:21 . 2009-03-01 17:31 50 --a------ c:\windows\SYSTEM32\work.ini
2009-03-01 10:18 . 2009-03-01 19:31 <DIR> d-------- c:\windows\SYSTEM32\inf
2009-02-25 23:42 . 2009-02-25 23:42 <DIR> d-------- c:\documents and settings\brian\Application Data\Leadertech
2009-02-25 06:06 . 2009-02-25 06:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-02-23 02:46 . 2009-02-23 02:46 <DIR> d---s---- c:\documents and settings\brian\UserData
2009-02-22 21:23 . 2008-04-13 14:45 26,368 --a------ c:\windows\SYSTEM32\DLLCACHE\usbstor.sys
2009-02-21 22:21 . 2009-02-21 22:21 <DIR> d-------- c:\documents and settings\kids\Application Data\Viewpoint
2009-02-20 03:58 . 2009-02-20 03:59 <DIR> d-------- c:\program files\iTunes
2009-02-20 03:58 . 2009-02-20 03:58 <DIR> d-------- c:\program files\iPod
2009-02-20 03:58 . 2009-02-20 03:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-20 01:36 . 2009-02-20 01:36 <DIR> d-------- c:\windows\SYSTEM32\scripting
2009-02-20 01:36 . 2009-02-20 01:36 <DIR> d-------- c:\windows\SYSTEM32\en
2009-02-20 01:36 . 2009-02-20 01:36 <DIR> d-------- c:\windows\l2schemas
2009-02-19 23:44 . 2004-08-04 03:56 159,232 --a------ c:\windows\SYSTEM32\ptpusd.dll
2009-02-19 23:44 . 2008-04-13 14:45 15,104 --a------ c:\windows\SYSTEM32\DRIVERS\usbscan.sys
2009-02-19 23:44 . 2001-08-17 23:36 5,632 --a------ c:\windows\SYSTEM32\ptpusb.dll
2009-02-19 23:21 . 2008-04-17 14:12 107,368 --a------ c:\windows\SYSTEM32\GEARAspi.dll
2009-02-19 23:21 . 2008-04-17 14:12 15,464 --a------ c:\windows\SYSTEM32\DRIVERS\GEARAspiWDM.sys
2009-02-19 23:20 . 2009-02-19 23:20 <DIR> d-------- c:\program files\Bonjour
2009-02-19 23:19 . 2009-02-19 23:20 <DIR> d-------- c:\program files\QuickTime
2009-02-19 23:19 . 2009-02-19 23:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-19 23:18 . 2009-02-19 23:21 <DIR> d----c--- c:\windows\SYSTEM32\DRVSTORE
2009-02-19 23:18 . 2009-02-20 03:58 <DIR> d-------- c:\program files\Common Files\Apple
2009-02-19 23:18 . 2009-02-19 23:18 <DIR> d-------- c:\program files\Apple Software Update
2009-02-19 23:18 . 2009-02-19 23:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-02-19 23:18 . 2008-11-07 15:23 32,000 --a------ c:\windows\SYSTEM32\DRIVERS\usbaapl.sys
2009-02-19 00:07 . 2009-02-19 00:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-19 00:07 . 2009-02-19 00:07 <DIR> d-------- c:\documents and settings\brian\Application Data\Malwarebytes
2009-02-19 00:07 . 2009-02-19 00:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-19 00:07 . 2009-02-11 11:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-19 00:07 . 2009-02-11 11:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-18 22:23 . 2009-02-18 22:23 <DIR> d-------- c:\windows\Sun
2009-02-17 14:01 . 2009-02-19 18:18 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-17 14:01 . 2009-02-17 14:01 1,409 --a------ c:\windows\QTFont.for
2009-02-16 09:26 . 2006-11-01 19:31 1,669,120 --------- c:\windows\SYSTEM32\DLLCACHE\setup_wm.exe
2009-02-16 09:25 . 2006-10-18 22:47 991,744 --------- c:\windows\SYSTEM32\DLLCACHE\drmv2clt.dll
2009-02-16 09:06 . 2009-02-16 09:06 <DIR> d---s---- c:\documents and settings\matthew\UserData
2009-02-15 20:00 . 2009-03-13 15:29 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-15 13:43 . 2009-03-07 12:25 <DIR> d-------- c:\program files\Common Files\Adobe
2009-02-15 11:23 . 2009-02-15 11:23 <DIR> d-------- c:\documents and settings\kids\Application Data\GRETECH
2009-02-15 10:56 . 2009-02-15 10:56 <DIR> d-------- c:\documents and settings\kids\Application Data\Flock
2009-02-14 16:57 . 2009-03-13 11:38 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-14 16:57 . 2009-03-13 11:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-14 01:53 . 2009-03-05 02:22 <DIR> d-------- c:\program files\GRETECH
2009-02-14 00:51 . 2009-02-14 00:51 <DIR> d-------- c:\program files\BitTorrent
2009-02-14 00:51 . 2009-02-14 00:51 <DIR> d-------- c:\program files\7-Zip
2009-02-14 00:51 . 2009-03-13 00:01 <DIR> d-------- c:\documents and settings\brian\Application Data\BitTorrent
2009-02-13 01:44 . 2009-02-17 11:32 45,056 --a------ c:\windows\NCUNINST.EXE
2009-02-13 01:29 . 2009-02-13 01:29 <DIR> d-------- c:\program files\Common Files\SWF Studio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 17:46 --------- d-----w c:\program files\Flock
2009-03-04 20:44 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-03 16:20 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-03 16:08 --------- d-----w c:\program files\Symantec
2009-03-03 16:08 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-27 02:06 --------- d-----w c:\program files\DivX
2009-02-26 04:24 --------- d-----w c:\documents and settings\brian\Application Data\Sonic
2009-02-25 10:07 --------- d-----w c:\program files\Common Files\AOL
2009-02-25 10:06 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-02-23 17:30 --------- d-----w c:\program files\America Online 9.0
2009-02-12 19:18 --------- d-----w c:\documents and settings\matthew\Application Data\Move Networks
2009-02-12 08:01 --------- d-----w c:\program files\MSXML 4.0
2009-02-12 06:49 --------- d-----w c:\documents and settings\brian\Application Data\Viewpoint
2009-02-10 16:33 --------- d-----w c:\documents and settings\matthew\Application Data\Viewpoint
2009-02-10 15:51 --------- d-----w c:\documents and settings\matthew\Application Data\Flock
2009-02-10 05:33 --------- d-----w c:\documents and settings\brian\Application Data\Flock
2009-02-09 11:13 1,846,784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-03-13_10.56.55.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-13 14:11:36 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2009-03-13 18:30:07 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2009-03-13 14:11:36 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2009-03-13 18:30:07 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"DriverMax"="c:\program files\Innovative Solutions\DriverMax\devices.exe" [2009-02-10 5391192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-03 4800512]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-08-08 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 53248]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 323584]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-05 50688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"CTHelper"="CTHELPER.EXE" [2003-02-20 c:\windows\SYSTEM32\CTHELPER.EXE]
"AsioReg"="CTASIO.DLL" [2003-02-20 c:\windows\SYSTEM32\CTASIO.DLL]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-08-08 36953]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 pcistub;pcistub;c:\windows\SYSTEM32\pcistub.sys [2002-08-29 2176]
.
Contents of the 'Scheduled Tasks' folder

2009-03-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-03 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2009-03-03 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2009-03-13 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 19:38]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mWindow Title =
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-13 15:27:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???8???????x???x???????????x???????????x???x???????????@????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\wanmpsvc.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-03-13 15:31:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-13 19:31:26
ComboFix2.txt 2009-03-13 14:59:17

Pre-Run: 124,067,356,672 bytes free
Post-Run: 124,050,165,760 bytes free

285 --- E O F --- 2009-03-11 23:18:27



and the kaspersky log



KASPERSKY ONLINE SCANNER 7 REPORT
Friday, March 13, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, March 13, 2009 23:04:11
Records in database: 1897746
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 58968
Threat name: 3
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 03:51:33


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\sopidkc.exe.vir Infected: Trojan.Win32.Agent2.enz 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000164.exe Infected: Trojan.Win32.Agent2.enz 1
C:\WINDOWS\SYSTEM32\nctedit.exe Infected: Trojan.Win32.Agent2.fde 1
C:\WINDOWS\SYSTEM32\tmp1_723411552751.bk.old Infected: Trojan-Downloader.Win32.Elly.f 1

The selected area was scanned.
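As an added illustration (not part of this thread and not ComboFix's own code), here is a small Python triage script that reads the "Reg Loading Points" and "Supplementary Scan" sections of a ComboFix log like the one posted above and flags the entries a helper reads first: Image File Execution Options "Debugger" values that redirect security products to another executable, Security Center DisableMonitoring flags, a disabled standard-profile firewall, and Trusted Zone additions. The sample log embedded in it is a constructed, condensed excerpt in the same format.

```python
"""Triage a ComboFix "Reg Loading Points" / "Supplementary Scan" excerpt.

Added example for this thread (not ComboFix's own code): it flags the
registry findings a helper reads first in a log like the one posted above.
"""
import re

# Constructed sample: a condensed excerpt in the style of the ComboFix log
# posted above (same keys and value renderings, fewer entries).
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

------- Supplementary Scan -------
uStart Page = hxxp://www.msn.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(?P<host>\S+)$")


def iter_values(text):
    """Yield (key, name, value) for each value line, attributing it to the
    most recent [key] header, as a .reg file reader would."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("value").strip()


def as_int(value):
    """Decode ComboFix's two numeric renderings: 'dword:00000001' and '0 (0x0)'."""
    v = value.lower()
    if v.startswith("dword:"):
        return int(v[len("dword:"):], 16)
    m = re.match(r"^(\d+)", v)
    return int(m.group(1)) if m else None


def triage(text):
    """Return (rule, detail) findings in log order for the entries a helper
    checks first: IFEO redirects, silenced Security Center alerts, a disabled
    firewall profile and Trusted Zone additions."""
    findings = []
    for key, name, value in iter_values(text):
        lk, ln = key.lower(), name.lower()
        if "\\image file execution options\\" in lk and ln == "debugger":
            # Windows launches the 'debugger' instead of the named program;
            # pointing security products at alg.exe keeps them from starting.
            target = key.rsplit("\\", 1)[1]
            findings.append(("ifeo_hijack", f"{target} -> {value}"))
        elif "\\security center\\monitoring\\" in lk and ln == "disablemonitoring":
            if as_int(value):  # 1 = Security Center stops alerting for this product
                findings.append(("security_center_silenced", key.rsplit("\\", 1)[1]))
        elif lk.endswith("firewallpolicy\\standardprofile") and ln == "enablefirewall":
            if as_int(value) == 0:
                findings.append(("firewall_disabled", "standard profile"))
    # Trusted Zone lines sit outside the REGEDIT4 block; dedupe, keep order.
    hosts = []
    for raw in text.splitlines():
        m = TRUSTED_RE.match(raw.strip())
        if m and m.group("host") not in hosts:
            hosts.append(m.group("host"))
    findings.extend(("trusted_zone", h) for h in hosts)
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:26} {detail}")
```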

#7
Thunderbird1988

    Member 2k

  • Member
  • 2,416 posts
Hello B. Rodriguez,

Please run Rooter.exe again and post a new log from it.

RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Thunderbird1988

#8
b.rodriguez

    New Member

  • Topic Starter
  • Member
  • 7 posts
Alright Thunderbird, here you go. I almost couldn't figure out the DelDomains; I had to use IE for it to work, but I think we're good to go.

By the way, I did the Rooter before I did the domains.



Microsoft Windows XP Home Edition (5.1.2600) Service Pack 3

A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - NTFS - (Total:148993 Mo/Free:1828 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)

Sat 03/14/2009| 6:15

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
---------- C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
---------- C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
---------- C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
---------- C:\WINDOWS\system32\CTHELPER.EXE
---------- C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\Program Files\Dell\Media Experience\PCMService.exe
---------- C:\Program Files\Bonjour\mDNSResponder.exe
---------- C:\WINDOWS\system32\dla\tfswctrl.exe
---------- C:\WINDOWS\System32\CTsvcCDA.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\Program Files\Real\RealPlayer\RealPlay.exe
---------- C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
---------- C:\Program Files\Common Files\Dell\EUSW\Support.exe
---------- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
---------- c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
---------- C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
---------- c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
---------- c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
---------- C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
---------- C:\Program Files\McAfee\MPF\MPFSrv.exe
---------- C:\WINDOWS\System32\nvsvc32.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\wanmpsvc.exe
---------- C:\WINDOWS\System32\MsPMSPSv.exe
---------- c:\PROGRA~1\mcafee.com\agent\mcagent.exe
---------- C:\Program Files\iPod\bin\iPodService.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
---------- C:\Program Files\BitTorrent\bittorrent.exe
---------- C:\WINDOWS\system32\wuauclt.exe
---------- C:\Program Files\Flock\flock.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!

HKLM\SYSTEM\ControlSet004\Services\seneka


1 - "C:\Rooter$\Rooter_1.txt" - Fri 03/13/2009| 1:31
2 - "C:\Rooter$\Rooter_2.txt" - Sat 03/14/2009| 6:15

----------------------\\ Scan completed at 6:15

#9
Thunderbird1988

    Member 2k

  • Member
  • 2,416 posts
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

C:\WINDOWS\SYSTEM32\nctedit.exe
C:\WINDOWS\SYSTEM32\tmp1_723411552751.bk.old


Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\seneka]


Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply. Please post also a new log of OTListIt

#10
b.rodriguez

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hey TB, here you go.

ComboFix 09-03-12.01 - brian 2009-03-16 12:17:20.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.232 [GMT -4:00]
Running from: c:\documents and settings\brian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\brian\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\SYSTEM32\nctedit.exe
c:\windows\SYSTEM32\tmp1_723411552751.bk.old
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\nctedit.exe
c:\windows\SYSTEM32\tmp1_723411552751.bk.old

.
((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
.

2009-03-13 16:27 . 2009-03-13 16:27 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl
2009-03-13 16:04 . 2009-03-13 16:27 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2009-03-13 15:10 . 2009-03-13 15:14 <DIR> d-------- C:\ToolBar SD
2009-03-13 01:30 . 2009-03-14 06:15 <DIR> d-------- C:\Rooter$
2009-03-13 01:15 . 2009-03-13 01:15 <DIR> d-------- c:\program files\ERUNT
2009-03-13 00:40 . 2009-03-13 00:55 <DIR> d-------- c:\program files\XoftSpySE
2009-03-13 00:30 . 2009-03-13 00:30 <DIR> d-------- c:\program files\Trend Micro
2009-03-12 15:57 . 2009-03-12 15:57 0 --a------ c:\documents and settings\brian\Application Data\wklnhst.dat
2009-03-07 12:26 . 2009-03-07 12:26 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-07 12:20 . 2009-03-07 20:22 <DIR> d-------- c:\program files\NOS
2009-03-07 12:20 . 2009-03-07 20:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-03-06 16:31 . 2009-03-06 16:31 <DIR> d-------- c:\documents and settings\matthew\Application Data\GRETECH
2009-03-06 08:37 . 2009-03-06 08:37 <DIR> d---s---- c:\documents and settings\kids\UserData
2009-03-05 02:23 . 2009-03-05 02:23 <DIR> d-------- c:\documents and settings\brian\Application Data\GRETECH
2009-03-04 17:09 . 2009-03-04 17:09 <DIR> d-------- c:\program files\Webteh
2009-03-04 17:09 . 2009-03-05 02:20 <DIR> d-------- c:\program files\BS.Player ControlBar
2009-03-04 17:09 . 2009-03-04 17:09 <DIR> d-------- c:\documents and settings\brian\Application Data\BSplayer Pro
2009-03-04 16:46 . 2009-03-04 16:46 <DIR> d-------- c:\program files\Innovative Solutions
2009-03-04 14:53 . 2009-03-04 14:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-03-04 08:52 . 2009-03-04 08:52 <DIR> d-------- c:\documents and settings\matthew\Application Data\Malwarebytes
2009-03-03 12:22 . 2009-03-15 23:41 12,483 --a------ c:\windows\SYSTEM32\Config.MPF
2009-03-03 12:11 . 2007-12-02 13:51 40,488 --a------ c:\windows\SYSTEM32\DRIVERS\mfesmfk.sys
2009-03-03 12:11 . 2007-11-22 07:44 35,240 --a------ c:\windows\SYSTEM32\DRIVERS\mfebopk.sys
2009-03-03 12:11 . 2007-11-22 07:44 33,832 --a------ c:\windows\SYSTEM32\DRIVERS\mferkdk.sys
2009-03-03 12:10 . 2009-03-03 12:10 <DIR> d-------- c:\program files\McAfee.com
2009-03-03 12:10 . 2009-03-03 12:10 <DIR> d-------- c:\program files\Common Files\McAfee
2009-03-03 12:10 . 2009-03-03 12:10 <DIR> d-------- C:\mcafee_mcpr
2009-03-03 12:10 . 2007-11-22 07:44 201,320 --a------ c:\windows\SYSTEM32\DRIVERS\mfehidk.sys
2009-03-03 12:10 . 2007-07-13 07:20 113,952 --a------ c:\windows\SYSTEM32\DRIVERS\Mpfp.sys
2009-03-03 12:10 . 2007-11-22 07:44 79,304 --a------ c:\windows\SYSTEM32\DRIVERS\mfeavfk.sys
2009-03-03 12:09 . 2009-03-03 12:25 <DIR> d-------- c:\program files\McAfee
2009-03-03 11:51 . 2009-03-03 12:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-03-03 00:36 . 2009-03-03 00:36 <DIR> d---s---- c:\documents and settings\LocalService\UserData
2009-03-02 18:56 . 2009-03-02 18:56 <DIR> d-------- c:\documents and settings\kids\Application Data\Malwarebytes
2009-03-01 19:19 . 2009-03-01 19:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-01 19:15 . 2004-08-08 16:46 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-03-01 19:15 . 2004-08-08 16:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-03-01 19:15 . 2004-08-08 16:46 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-03-01 19:15 . 2004-08-08 16:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Creative
2009-03-01 19:15 . 2009-03-02 17:56 <DIR> d-------- c:\documents and settings\Administrator
2009-03-01 19:08 . 2009-03-01 19:08 381 --a------ c:\windows\cdPlayer.ini
2009-03-01 18:49 . 2009-03-01 18:52 365,672 --a------ C:\mmjb.DDF
2009-03-01 17:38 . 2009-03-01 17:38 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-03-01 17:34 . 2009-03-01 17:34 <DIR> d-------- c:\windows\SYSTEM32\LogFiles
2009-03-01 17:34 . 2009-03-01 17:35 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\UMDF
2009-03-01 13:11 . 2009-03-01 13:11 <DIR> d---s---- c:\windows\SYSTEM32\CONFIG\systemprofile\UserData
2009-03-01 10:21 . 2002-02-15 15:02 676,352 --a------ c:\windows\SYSTEM32\rtl60.bpl
2009-03-01 10:21 . 2009-03-01 10:21 108,336 --a------ c:\windows\SYSTEM32\MSWINSCK.OCX
2009-03-01 10:21 . 2009-03-01 18:03 227 --a------ c:\windows\SYSTEM32\hgset.ini
2009-03-01 10:21 . 2009-03-01 17:31 50 --a------ c:\windows\SYSTEM32\work.ini
2009-03-01 10:18 . 2009-03-01 19:31 <DIR> d-------- c:\windows\SYSTEM32\inf
2009-02-25 23:42 . 2009-02-25 23:42 <DIR> d-------- c:\documents and settings\brian\Application Data\Leadertech
2009-02-25 06:06 . 2009-02-25 06:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-02-23 02:46 . 2009-02-23 02:46 <DIR> d---s---- c:\documents and settings\brian\UserData
2009-02-22 21:23 . 2008-04-13 14:45 26,368 --a------ c:\windows\SYSTEM32\DLLCACHE\usbstor.sys
2009-02-21 22:21 . 2009-02-21 22:21 <DIR> d-------- c:\documents and settings\kids\Application Data\Viewpoint
2009-02-20 03:58 . 2009-02-20 03:59 <DIR> d-------- c:\program files\iTunes
2009-02-20 03:58 . 2009-02-20 03:58 <DIR> d-------- c:\program files\iPod
2009-02-20 03:58 . 2009-02-20 03:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-20 01:36 . 2009-02-20 01:36 <DIR> d-------- c:\windows\SYSTEM32\scripting
2009-02-20 01:36 . 2009-02-20 01:36 <DIR> d-------- c:\windows\SYSTEM32\en
2009-02-20 01:36 . 2009-02-20 01:36 <DIR> d-------- c:\windows\l2schemas
2009-02-19 23:44 . 2004-08-04 03:56 159,232 --a------ c:\windows\SYSTEM32\ptpusd.dll
2009-02-19 23:44 . 2008-04-13 14:45 15,104 --a------ c:\windows\SYSTEM32\DRIVERS\usbscan.sys
2009-02-19 23:44 . 2001-08-17 23:36 5,632 --a------ c:\windows\SYSTEM32\ptpusb.dll
2009-02-19 23:21 . 2008-04-17 14:12 107,368 --a------ c:\windows\SYSTEM32\GEARAspi.dll
2009-02-19 23:21 . 2008-04-17 14:12 15,464 --a------ c:\windows\SYSTEM32\DRIVERS\GEARAspiWDM.sys
2009-02-19 23:20 . 2009-02-19 23:20 <DIR> d-------- c:\program files\Bonjour
2009-02-19 23:19 . 2009-02-19 23:20 <DIR> d-------- c:\program files\QuickTime
2009-02-19 23:19 . 2009-02-19 23:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-19 23:18 . 2009-02-19 23:21 <DIR> d----c--- c:\windows\SYSTEM32\DRVSTORE
2009-02-19 23:18 . 2009-02-20 03:58 <DIR> d-------- c:\program files\Common Files\Apple
2009-02-19 23:18 . 2009-02-19 23:18 <DIR> d-------- c:\program files\Apple Software Update
2009-02-19 23:18 . 2009-02-19 23:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-02-19 23:18 . 2008-11-07 15:23 32,000 --a------ c:\windows\SYSTEM32\DRIVERS\usbaapl.sys
2009-02-19 00:07 . 2009-02-19 00:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-19 00:07 . 2009-02-19 00:07 <DIR> d-------- c:\documents and settings\brian\Application Data\Malwarebytes
2009-02-19 00:07 . 2009-02-19 00:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-19 00:07 . 2009-02-11 11:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-19 00:07 . 2009-02-11 11:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-18 22:23 . 2009-02-18 22:23 <DIR> d-------- c:\windows\Sun
2009-02-17 14:01 . 2009-02-19 18:18 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-17 14:01 . 2009-02-17 14:01 1,409 --a------ c:\windows\QTFont.for
2009-02-16 09:26 . 2006-11-01 19:31 1,669,120 --------- c:\windows\SYSTEM32\DLLCACHE\setup_wm.exe
2009-02-16 09:25 . 2006-10-18 22:47 991,744 --------- c:\windows\SYSTEM32\DLLCACHE\drmv2clt.dll
2009-02-16 09:06 . 2009-02-16 09:06 <DIR> d---s---- c:\documents and settings\matthew\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 16:13 --------- d-----w c:\program files\Flock
2009-03-16 04:12 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-14 23:58 --------- d-----w c:\program files\Microsoft ActiveSync
2009-03-14 20:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-14 19:54 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-14 18:15 --------- d-----w c:\documents and settings\brian\Application Data\BitTorrent
2009-03-13 20:27 --------- d-----w c:\program files\Java
2009-03-07 16:25 --------- d-----w c:\program files\Common Files\Adobe
2009-03-05 06:22 --------- d-----w c:\program files\GRETECH
2009-03-04 20:44 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-03 16:20 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-03 16:08 --------- d-----w c:\program files\Symantec
2009-03-03 16:08 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-27 02:06 --------- d-----w c:\program files\DivX
2009-02-26 04:24 --------- d-----w c:\documents and settings\brian\Application Data\Sonic
2009-02-25 10:07 --------- d-----w c:\program files\Common Files\AOL
2009-02-25 10:06 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-02-23 17:30 --------- d-----w c:\program files\America Online 9.0
2009-02-17 15:32 45,056 ----a-w c:\windows\NCUNINST.EXE
2009-02-15 15:23 --------- d-----w c:\documents and settings\kids\Application Data\GRETECH
2009-02-15 14:56 --------- d-----w c:\documents and settings\kids\Application Data\Flock
2009-02-14 04:51 --------- d-----w c:\program files\BitTorrent
2009-02-14 04:51 --------- d-----w c:\program files\7-Zip
2009-02-13 05:29 --------- d-----w c:\program files\Common Files\SWF Studio
2009-02-12 19:18 --------- d-----w c:\documents and settings\matthew\Application Data\Move Networks
2009-02-12 08:01 --------- d-----w c:\program files\MSXML 4.0
2009-02-12 06:49 --------- d-----w c:\documents and settings\brian\Application Data\Viewpoint
2009-02-10 16:33 --------- d-----w c:\documents and settings\matthew\Application Data\Viewpoint
2009-02-10 15:51 --------- d-----w c:\documents and settings\matthew\Application Data\Flock
2009-02-10 05:33 --------- d-----w c:\documents and settings\brian\Application Data\Flock
2009-02-09 11:13 1,846,784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-03-13_10.56.55.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-14 23:58:48 22,486 ----a-r c:\windows\Installer\{99052DB7-9592-4522-A558-5417BBAD48EE}\ARPPRODUCTICON.exe
+ 2009-03-14 23:58:48 22,486 ----a-r c:\windows\Installer\{99052DB7-9592-4522-A558-5417BBAD48EE}\WCESMgrIcon.exe
+ 2006-11-13 17:38:40 22,824 ----a-w c:\windows\SYSTEM32\ceutil.dll
- 2009-03-13 14:11:36 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2009-03-16 13:53:39 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2009-03-13 14:11:36 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2009-03-16 13:53:39 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2003-11-19 21:36:26 24,681 -c--a-w c:\windows\SYSTEM32\java.exe
+ 2009-03-13 20:27:35 144,792 ----a-w c:\windows\SYSTEM32\java.exe
- 2003-11-19 21:36:30 28,779 -c--a-w c:\windows\SYSTEM32\javaw.exe
+ 2009-03-13 20:27:35 144,792 ----a-w c:\windows\SYSTEM32\javaw.exe
+ 2009-03-13 20:27:35 148,888 ----a-w c:\windows\SYSTEM32\javaws.exe
- 2009-03-10 05:00:38 63,016 ----a-w c:\windows\SYSTEM32\PERFC009.DAT
+ 2009-03-15 00:01:48 63,016 ----a-w c:\windows\SYSTEM32\PERFC009.DAT
- 2009-03-10 05:00:39 402,406 ----a-w c:\windows\SYSTEM32\PERFH009.DAT
+ 2009-03-15 00:01:48 402,406 ----a-w c:\windows\SYSTEM32\PERFH009.DAT
+ 2006-11-13 17:39:28 138,024 ----a-w c:\windows\SYSTEM32\rapi.dll
+ 2009-03-16 03:58:15 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6a0.dat
+ 2005-09-23 05:16:02 1,093,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80.dll
+ 2005-09-23 05:16:06 1,079,808 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80u.dll
+ 2005-09-23 05:16:08 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80.dll
+ 2005-09-23 05:16:10 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80u.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"DriverMax"="c:\program files\Innovative Solutions\DriverMax\devices.exe" [2009-02-10 5391192]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-03 4800512]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-08-08 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 53248]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 323584]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-05 50688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-13 148888]
"CTHelper"="CTHELPER.EXE" [2003-02-20 c:\windows\SYSTEM32\CTHELPER.EXE]
"AsioReg"="CTASIO.DLL" [2003-02-20 c:\windows\SYSTEM32\CTASIO.DLL]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-08-08 36953]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S3 pcistub;pcistub;c:\windows\SYSTEM32\pcistub.sys [2002-08-29 2176]
.
Contents of the 'Scheduled Tasks' folder

2009-03-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2009-03-03 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2009-03-16 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 19:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mWindow Title =
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-16 12:20:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???8???????x???x???????????x???????????x???x???????????@????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-16 12:22:02
ComboFix-quarantined-files.txt 2009-03-16 16:21:59
ComboFix2.txt 2009-03-13 19:31:33
ComboFix3.txt 2009-03-13 14:59:17

Pre-Run: 118,713,229,312 bytes free
Post-Run: 118,735,011,840 bytes free

269 --- E O F --- 2009-03-11 23:18:27
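The ComboFix log above lists Image File Execution Options keys whose "Debugger" value points several security-product executables (Antivirus-ashDisp.exe, bdmcon.exe, DefWatch.exe and others) at alg.exe; because Windows starts the named debugger instead of the program, those tools never run. The Python script below is an added example, not part of this thread or of ComboFix: it parses that section of a ComboFix log and flags any Debugger value outside a small allowlist. The sample log text is constructed from the format of the log above; the devenv.exe entry and the KNOWN_GOOD_DEBUGGERS set are assumptions.

```python
"""Flag Image File Execution Options (IFEO) Debugger redirections in a ComboFix log."""
import re
from typing import List, NamedTuple

# Matches the IFEO subkey header exactly as ComboFix prints it under "Reg Loading Points".
IFEO_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\"
    r"image file execution options\\(?P<target>[^\]]+)\]$",
    re.IGNORECASE,
)
DEBUGGER_VAL = re.compile(r'^"Debugger"=(?P<debugger>.+)$', re.IGNORECASE)

# Assumed allowlist: debuggers legitimately registered through IFEO on a workstation.
KNOWN_GOOD_DEBUGGERS = {"vsjitdebugger.exe", "ntsd.exe", "windbg.exe", "drwtsn32.exe"}


class IfeoEntry(NamedTuple):
    target: str      # program whose launch is intercepted
    debugger: str    # binary Windows will start instead
    suspicious: bool  # True when the debugger is not on the allowlist


def parse_ifeo(log_text: str) -> List[IfeoEntry]:
    """Walk a ComboFix log and collect every IFEO key that carries a Debugger value."""
    entries: List[IfeoEntry] = []
    target = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = IFEO_KEY.match(line)
        if key:
            target = key.group("target")
            continue
        if not line or line.startswith("["):
            target = None  # a blank line or another key ends the current IFEO section
            continue
        val = DEBUGGER_VAL.match(line)
        if target and val:
            debugger = val.group("debugger").strip().strip('"')
            name = debugger.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            entries.append(IfeoEntry(target, debugger, name not in KNOWN_GOOD_DEBUGGERS))
    return entries


def suspicious_targets(log_text: str) -> List[str]:
    """Names of programs redirected to a debugger that is not on the allowlist."""
    return sorted({e.target for e in parse_ifeo(log_text) if e.suspicious})


# Constructed sample mirroring the log format above; the devenv.exe entry is invented.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\devenv.exe]
"Debugger"="c:\windows\system32\vsjitdebugger.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

if __name__ == "__main__":
    for entry in parse_ifeo(SAMPLE_LOG):
        flag = "SUSPICIOUS" if entry.suspicious else "ok"
        print(f"{flag:10} {entry.target} -> {entry.debugger}")
```

Run against a real ComboFix.txt by reading the file into `parse_ifeo`; any target flagged SUSPICIOUS is a program that will not start until the key is removed.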

#11
Thunderbird1988

Thunderbird1988

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,416 posts
Hello b.rodriguez,

Do you still have problems with your computer?

Thunderbird1988

#12
b.rodriguez

b.rodriguez

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hey Thunderbird.
Sorry I've been M.I.A., but yeah, you are the man. The computer is running fine and no malware has been detected... thanks a million.