OTS.Txt 94.83KB 92 downloads
Trojan aspx.js.Win32 [Solved]
Started by
frostyr1
, Jun 03 2010 10:43 AM
#31
Posted 11 June 2010 - 02:03 PM
#32
Posted 11 June 2010 - 02:23 PM
Hmm - whilst we try to figure this out what are your current problems ?
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
Then download a fresh copy of combofix
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
Then download a fresh copy of combofix
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Double click on ComboFix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
#33
Posted 11 June 2010 - 03:17 PM
OK, it ran this time.
ComboFix.txt 12.96KB 180 downloads
ComboFix 10-06-10.06 - Al McCool 06/11/2010 16:46:13.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.446.142 [GMT -4:00]
Running from: c:\users\Al McCool\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: McAfee VirusScan *enabled* (Outdated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2010-05-11 to 2010-06-11 )))))))))))))))))))))))))))))))
.
2010-06-11 20:57 . 2010-06-11 20:57 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-06-11 20:57 . 2010-06-11 20:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-11 20:57 . 2010-06-11 20:57 -------- d-----w- c:\users\Chris McCool\AppData\Local\temp
2010-06-11 20:57 . 2010-06-11 20:57 -------- d-----w- c:\users\Al McCool\AppData\Local\temp
2010-06-04 13:43 . 2010-06-04 13:43 -------- d-----w- C:\_OTL
2010-06-02 18:18 . 2010-06-02 18:18 -------- d-----w- C:\found.000
2010-05-17 15:29 . 2010-05-17 15:29 -------- d-----w- c:\program files\CCleaner
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-11 18:11 . 2007-07-03 18:21 -------- d-----w- c:\program files\PokerStars
2010-06-11 16:17 . 2010-06-11 10:25 -------- d-----w- c:\program files\RegDefense
2010-06-11 12:47 . 2010-06-11 12:47 -------- d-----w- c:\programdata\Kaspersky Lab
2010-06-10 22:16 . 2007-07-06 13:23 2450 ----a-w- c:\users\Chris McCool\AppData\Roaming\wklnhst.dat
2010-06-09 17:27 . 2010-06-09 17:30 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-07 14:38 . 2007-04-26 20:37 -------- d-----w- c:\program files\Common Files\McAfee
2010-06-07 14:38 . 2007-04-26 20:37 -------- d-----w- c:\programdata\McAfee
2010-06-07 14:38 . 2007-04-26 20:37 -------- d-----w- c:\program files\McAfee
2010-06-04 20:48 . 2006-11-02 08:51 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-06-03 14:25 . 2007-07-05 15:40 5878 ----a-w- c:\users\Al McCool\AppData\Roaming\wklnhst.dat
2010-05-17 15:41 . 2009-09-11 20:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 19:39 . 2009-09-11 20:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-09-11 20:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 17:27 . 2009-09-15 19:29 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-17 17:27 . 2010-04-17 17:27 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-14 17:23 . 2008-08-05 16:13 -------- d-----w- c:\program files\Lavasoft
2010-04-14 17:23 . 2010-04-14 17:23 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2009-08-11 13:34 . 2008-12-17 17:27 1655 ----a-w- c:\program files\ALLTEL Internet Accelerator Client setup.log
2007-04-27 03:56 . 2007-04-27 03:56 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBC_McciTrayApp"="c:\program files\AT&T\Self Support Tool\ATTTray.exe" [2007-06-06 986208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
c:\users\Chris McCool\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MskAgentexe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Reminder
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMM2007RT
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-11-12 06:19 446976 ----a-w- c:\program files\DellSupport\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2006-11-17 21:19 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-04-26 20:40 240640 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-10-03 15:35 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 15:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-11 17:10 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2008-11-20 21:41 4347120 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-12-08 04:25 7766016 ----a-w- c:\windows\System32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-12-08 04:25 81920 ----a-w- c:\windows\System32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2006-12-08 04:25 90191 ----a-w- c:\windows\System32\nvsvc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 21:23 118784 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-02-08 05:16 303104 ----a-w- c:\windows\sttray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 08:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-02 12:33 1004136 ----a-w- c:\program files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2006-11-02 12:34 2159104 ----a-w- c:\windows\System32\oobefldr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001
R3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\DRIVERS\rt2500usb.sys [2004-05-07 79616]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-06-09 64288]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-06-09 1352320]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-26 22:02]
2010-02-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-26 22:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-klmdb.sys
AddRemove-OLYMPUS CAMEDIA Master 1.2 - c:\program files\OLYMPUS\CAMEDIA Master\Uninst.isu
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-11 16:58
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-06-11 17:02:15
ComboFix-quarantined-files.txt 2010-06-11 21:02
Pre-Run: 113,199,656,960 bytes free
Post-Run: 113,173,393,408 bytes free
- - End Of File - - 82A262956FF6D039E917A6F7718B1FE2
ComboFix.txt 12.96KB 180 downloads
ComboFix 10-06-10.06 - Al McCool 06/11/2010 16:46:13.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.446.142 [GMT -4:00]
Running from: c:\users\Al McCool\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: McAfee VirusScan *enabled* (Outdated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2010-05-11 to 2010-06-11 )))))))))))))))))))))))))))))))
.
2010-06-11 20:57 . 2010-06-11 20:57 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-06-11 20:57 . 2010-06-11 20:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-11 20:57 . 2010-06-11 20:57 -------- d-----w- c:\users\Chris McCool\AppData\Local\temp
2010-06-11 20:57 . 2010-06-11 20:57 -------- d-----w- c:\users\Al McCool\AppData\Local\temp
2010-06-04 13:43 . 2010-06-04 13:43 -------- d-----w- C:\_OTL
2010-06-02 18:18 . 2010-06-02 18:18 -------- d-----w- C:\found.000
2010-05-17 15:29 . 2010-05-17 15:29 -------- d-----w- c:\program files\CCleaner
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-11 18:11 . 2007-07-03 18:21 -------- d-----w- c:\program files\PokerStars
2010-06-11 16:17 . 2010-06-11 10:25 -------- d-----w- c:\program files\RegDefense
2010-06-11 12:47 . 2010-06-11 12:47 -------- d-----w- c:\programdata\Kaspersky Lab
2010-06-10 22:16 . 2007-07-06 13:23 2450 ----a-w- c:\users\Chris McCool\AppData\Roaming\wklnhst.dat
2010-06-09 17:27 . 2010-06-09 17:30 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-07 14:38 . 2007-04-26 20:37 -------- d-----w- c:\program files\Common Files\McAfee
2010-06-07 14:38 . 2007-04-26 20:37 -------- d-----w- c:\programdata\McAfee
2010-06-07 14:38 . 2007-04-26 20:37 -------- d-----w- c:\program files\McAfee
2010-06-04 20:48 . 2006-11-02 08:51 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-06-03 14:25 . 2007-07-05 15:40 5878 ----a-w- c:\users\Al McCool\AppData\Roaming\wklnhst.dat
2010-05-17 15:41 . 2009-09-11 20:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 19:39 . 2009-09-11 20:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-09-11 20:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 17:27 . 2009-09-15 19:29 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-17 17:27 . 2010-04-17 17:27 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-14 17:23 . 2008-08-05 16:13 -------- d-----w- c:\program files\Lavasoft
2010-04-14 17:23 . 2010-04-14 17:23 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2009-08-11 13:34 . 2008-12-17 17:27 1655 ----a-w- c:\program files\ALLTEL Internet Accelerator Client setup.log
2007-04-27 03:56 . 2007-04-27 03:56 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBC_McciTrayApp"="c:\program files\AT&T\Self Support Tool\ATTTray.exe" [2007-06-06 986208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
c:\users\Chris McCool\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MskAgentexe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Reminder
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMM2007RT
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-11-12 06:19 446976 ----a-w- c:\program files\DellSupport\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2006-11-17 21:19 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-04-26 20:40 240640 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-10-03 15:35 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 15:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-11 17:10 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2008-11-20 21:41 4347120 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-12-08 04:25 7766016 ----a-w- c:\windows\System32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-12-08 04:25 81920 ----a-w- c:\windows\System32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2006-12-08 04:25 90191 ----a-w- c:\windows\System32\nvsvc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 21:23 118784 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-02-08 05:16 303104 ----a-w- c:\windows\sttray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 08:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-02 12:33 1004136 ----a-w- c:\program files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2006-11-02 12:34 2159104 ----a-w- c:\windows\System32\oobefldr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001
R3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\DRIVERS\rt2500usb.sys [2004-05-07 79616]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-06-09 64288]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-06-09 1352320]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-26 22:02]
2010-02-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-26 22:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-klmdb.sys
AddRemove-OLYMPUS CAMEDIA Master 1.2 - c:\program files\OLYMPUS\CAMEDIA Master\Uninst.isu
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-11 16:58
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-06-11 17:02:15
ComboFix-quarantined-files.txt 2010-06-11 21:02
Pre-Run: 113,199,656,960 bytes free
Post-Run: 113,173,393,408 bytes free
- - End Of File - - 82A262956FF6D039E917A6F7718B1FE2
Edited by Essexboy, 11 June 2010 - 03:32 PM.
#34
Posted 11 June 2010 - 03:34 PM
As I thought one of the combofix files was corrupted
The TDSS found by AVP was the one removed by TDSSKiller
What problems do you have now ?
The TDSS found by AVP was the one removed by TDSSKiller
What problems do you have now ?
#35
Posted 14 June 2010 - 07:46 AM
I think I'm good with that, the only other thing that has been going on for quite a while, is the system takes about 15 minutes to completely get going when it is turned on, and about ten minutes after it is started, it freezes for a couple minutes until things get caught up or something. I can be using it, and it will just run, but there is no cursor or anything available to use for a couple minutes.
Also, how do I pay for the help. You have been terrific.
Thanks,
Al
Also, how do I pay for the help. You have been terrific.
Thanks,
Al
#36
Posted 14 June 2010 - 12:25 PM
The slow startup may be due to the number of programmes running at start, we will look at that once I have removed my tools. You are also low on memory - again I will visit that at the end
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems
Upgrading Java:
SPRING CLEAN
Download and run Puran Disc Defragmenter
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe
SPEED UP
To try and ease the startup try this
Download Startup Control Panel here
Instal and you will find a startup icon in the control panel - run this
If you are in doubt with something, don't hesitate to ask
MEMORY
Go to Crucial and run the system scanner. This will tell you how much extra RAM your system can take, what type and the cost (but once you have the type you may find it cheaper elsewhere )
If you wish to make a donation there is a paypal button in my signature, but it is totally up to you and not a requirement
446.00 Mb Total Physical Memory | 98.00 Mb Available Physical Memory | 22.00% Memory free
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands [resethosts] [purity] [emptytemp] [EMPTYFLASH] [CLEARALLRESTOREPOINTS] [Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems
Upgrading Java:
- Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 20.
- Click the "Download" button to the right.
- Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
- Click on Continue.
- Click on the link to download Windows Offline Installation (jre-6u20-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u20-windows-i586-p.exe and select "Run as an Administrator.")
SPRING CLEAN
Download and run Puran Disc Defragmenter
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
- SpywareBlaster to help prevent spyware from installing in the first place.
Malwarebytes. Run weekly to keep your system clean
To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe
SPEED UP
To try and ease the startup try this
Download Startup Control Panel here
Instal and you will find a startup icon in the control panel - run this
- In the HKLM tab, you may disable (be careful --> "disable") all the entries except your security software
- In the HKCU tab, you may disable all entries.
- In the StartUp tab, you may disable all entries.
If you are in doubt with something, don't hesitate to ask
MEMORY
Go to Crucial and run the system scanner. This will tell you how much extra RAM your system can take, what type and the cost (but once you have the type you may find it cheaper elsewhere )
If you wish to make a donation there is a paypal button in my signature, but it is totally up to you and not a requirement
#37
Posted 16 June 2010 - 12:37 PM
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users