
jdgreen05 (join:2005-07-09 Denville, NJ)
[Trojan] No HJT Log - cannot run any .exe
Got the Windows Antivirus Pro and Windows Police Pro pop-up/virus. Those windows no longer come up, but the computer is now unable to launch any .exe program except Internet Explorer.

- Computer will not boot in Safe Mode, goes to blue "stop" screen.
- Malwarebytes - downloaded but will not run, even if I rename it.
- Spybot Search & Destroy 1.6.2 - downloaded but will not run.
- Ad-aware AE Free - will not run.
- Windows Defender (Microsoft) - installed, ran scan, found Program:Win32/PowerRegScheduler, did not remove.
- Malicious Software Removal Tool - downloaded but will not run.
- www.eset.com/onlinescan - ran scan, 8 infections found and cleaned/deleted. Log below.
- Trend Micro Housecall - cannot load the Java-based HouseCall kernel.
- Trend Micro Hijack This - downloaded, will not run.
ESET LOG

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6208
# api_version=3.0.2
# EOSSerial=dff4521b7b6a37449fbaedafe84d0868
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-17 02:29:28
# local_time=2009-10-16 10:29:28 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=3839 16777215 0 0 0 0 0 0
# compatibility_mode=5890 16777214 0 0 0 0 0 0
# compatibility_mode=8447 16777215 0 0 0 0 0 0
# scanned=77534
# found=8
# cleaned=8
# scan_time=4949
C:\Program Files\Windows Police Pro\windows Police Pro.exe a variant of Win32/Adware.WindowsAntivirusPro.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Windows Police Pro\tmp\dbsinit.exe Win32/Adware.WinAntiVirus application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Windows Police Pro\tmp\wispex.html Win32/Adware.WinAntiVirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1203\A0062766.exe a variant of Win32/Adware.WindowsAntivirusPro.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1203\A0062767.exe Win32/Adware.WinAntiVirus application (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\svchasts.exe Win32/Adware.WindowsAntivirusPro application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\SYSTEM32\dddesot.dll a variant of Win32/Adware.WindowsAntivirusPro.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
THANKS in advance for all your help!!!!

jdgreen05 (join:2005-07-09 Denville, NJ)
When attempting to run any .exe file, a Windows error message box appears that says [file].exe is not a valid Win32 application.

jdgreen05 (join:2005-07-09 Denville, NJ)
reply to jdgreen05
Trying HijackThis now... here is the Malwarebytes log:
Malwarebytes' Anti-Malware 1.41
Database version: 2977
Windows 5.1.2600 Service Pack 2

10/17/2009 9:36:54 PM
mbam-log-2009-10-17 (21-36-54).txt

Scan type: Quick Scan
Objects scanned: 98357
Time elapsed: 9 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 2
Registry Data Items Infected: 5
Folders Infected: 5
Files Infected: 45

Memory Processes Infected: (No malicious items detected)

Memory Modules Infected: (No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmswuhrllx (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12057724 (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINDOWS\system32\desote.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\12057724 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\Temp\352.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\LinDi\Local Settings\Temporary Internet Files\Content.IE5\OSVRBGTQ\setup[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\12057724\12057724 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\12057724\pc12057724ins (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\msvcm80.dll (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\msvcp80.dll (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\msvcr80.dll (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\i1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\i2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\i3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\j1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\j2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\j3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\jj1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\jj2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\jj3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\l1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\l2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\l3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\pix.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\t1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\t2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\up1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\up2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\w1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\w11.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\w2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\w3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\w3.jpg (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\wt1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\wt2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\wt3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\desote.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\kbiwkmownvpkig.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\kbiwkmltesqbab.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
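The "Registry Data Items Infected" section of this MBAM log is the security-relevant part of the thread: the exefile open command had been redirected through desote.exe, and the Winlogon Shell and Userinit values had extra programs appended, which is the same class of hijack that exefix_xp.com and MBAM repair. The audit script below is an added example, not code from the thread, MBAM or exefix_xp; it checks those three values against the stock Windows defaults, reports any deviation, and only rewrites the defaults when run with -Repair from an elevated PowerShell session (the default values are assumptions based on stock Windows installs).

```powershell
# Added example (not from the thread): audit the three registry values that the MBAM
# log above reported as hijacked and report anything that differs from the defaults.
# Assumes an elevated PowerShell session on a Windows host.
[CmdletBinding()]
param([switch]$Repair)   # -Repair rewrites the default value for each hijacked entry

$system32 = Join-Path $env:SystemRoot 'system32'

# Expected defaults (assumption: stock Windows XP through Windows 11 values).
$checks = @(
    [pscustomobject]@{
        Name   = 'exefile open command'
        Path   = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
        Value  = '(default)'
        Good   = '"%1" %*'
        # Anything in front of "%1" means every .exe launch is routed through another program.
        IsGood = { param($v) $v -eq '"%1" %*' }
    },
    [pscustomobject]@{
        Name   = 'Winlogon Shell'
        Path   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        Value  = 'Shell'
        Good   = 'Explorer.exe'
        # In the log above a rundll32 invocation had been appended after Explorer.exe.
        IsGood = { param($v) $v.Trim() -ieq 'explorer.exe' }
    },
    [pscustomobject]@{
        Name   = 'Winlogon Userinit'
        Path   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        Value  = 'Userinit'
        Good   = (Join-Path $system32 'userinit.exe') + ','
        # Userinit is a comma-separated list; the only legitimate entry is
        # system32\userinit.exe, so a second entry (sdra64.exe in the log) is a hijack.
        IsGood = {
            param($v)
            $entries = @($v -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
            $entries.Count -eq 1 -and $entries[0] -ieq (Join-Path $system32 'userinit.exe')
        }
    }
)

$findings = 0
foreach ($c in $checks) {
    try {
        $actual = [string](Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction Stop).($c.Value)
    } catch {
        # A missing value is itself suspicious for these keys, so count it as a finding.
        Write-Warning "$($c.Name): cannot read $($c.Path)\$($c.Value): $($_.Exception.Message)"
        $findings++
        continue
    }

    if (& $c.IsGood $actual) {
        Write-Host "OK       $($c.Name): $actual"
        continue
    }

    $findings++
    Write-Host "HIJACKED $($c.Name)" -ForegroundColor Red
    Write-Host "         actual:   $actual"
    Write-Host "         expected: $($c.Good)"

    if ($Repair) {
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Good -Type String
        Write-Host "         restored default value" -ForegroundColor Yellow
    }
}

if ($findings -eq 0) { Write-Host 'No hijacked values found.' }
exit $findings   # non-zero exit code lets a scheduled task or monitoring script flag the host
```

A HIJACKED result only tells you the launch path was tampered with; the files those values pointed at (desote.exe, sdra64.exe, the TDSS driver in this log) still need a full scan and removal as the helper's instructions describe.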
jdgreen05 (join:2005-07-09 Denville, NJ)
hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:45 PM, on 10/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com/microsoftup···61796039
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - download.eset.com/special/eos-be···nner.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

-- End of file - 6683 bytes

lilhurricane (Crunchin' For Cures; Premium, Mod; join:2003-01-11 Purple Zone)
Good job on getting it all going.
I'm sure someone will take a look for you shortly.

TheJoker (Premium, VIP, MVM; join:2001-04-26 Alexandria, VA)
reply to jdgreen05
Hi jdgreen05
I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. Please follow the directions in the order listed.
Clean your Cache and Cookies in IE:
- Close all instances of Outlook Express and Internet Explorer
- Go to Control Panel > Internet Options > General tab
- Click the "Delete Cookies" button
- Next to it, Click the "Delete Files" button
- When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
- Go to Tools > Options.
- Click Privacy in the menu on the left side of the Options window.
- Click the Clear button located to the right of each option (History, Cookies, Private Data).
- Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All. A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin
- Go to start > run and type: cleanmgr and click ok.
- Let it scan your system for files to remove.
- Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
- Press OK to remove them.

Download exefix_xp.com utility and save to Desktop: windowsxp.mvps.org/exefile.htm
Double-click the file to run it.

Please Run Malwarebytes' Anti-Malware.
- Click the Update tab.
- Click Check for Updates.
- If an update is found, it will download and install.
- Click the Scanner tab.
- Select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Download ComboFix© by sUBs from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Familiarize yourself with ComboFix before running it: www.bleepingcomputer.com/combofi···combofix
- Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. There are some difficult to remove infections that will only be fixed if you have the Recovery Console installed.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware. When finished, it will save a log. Please include the contents of the log at C:\ComboFix.txt in your next reply.
Please post a new HijackThis log, the log from MBAM, the log from ComboFix (combofix.txt), and note any errors encountered.
-- Proud ASAP member since 2005
Microsoft MVP/Windows Security 2009

jdgreen05 (join:2005-07-09 Denville, NJ)
Sorry for the delay, here are the logs from HJT, MBAM, and ComboFix.....

jdgreen05 (join:2005-07-09 Denville, NJ)
HJT log....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:26 PM, on 11/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com/microsoftup···61796039
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - download.eset.com/special/eos-be···nner.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

-- End of file - 6569 bytes

jdgreen05 (join:2005-07-09 Denville, NJ)
reply to jdgreen05
MBAM log....
Malwarebytes' Anti-Malware 1.41
Database version: 3079
Windows 5.1.2600 Service Pack 2

11/1/2009 1:02:44 PM
mbam-log-2009-11-01 (13-02-44).txt

Scan type: Quick Scan
Objects scanned: 99801
Time elapsed: 8 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)

jdgreen05 (join:2005-07-09 Denville, NJ)
ComboFix log.....
ComboFix 09-10-30.01 - LinDi 11/01/2009 13:20.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.446 [GMT -5:00]
Running from: c:\documents and settings\DANDAN\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\fad.sys
.
((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))
.
2009-11-01 18:10 . 2009-11-01 18:10 3430299 ----a-r- c:\documents and settings\DANDAN\ComboFix.exe
2009-11-01 17:49 . 2009-11-01 17:49 10752 ----a-w- c:\documents and settings\DANDAN\exefix_xp.com
2009-10-18 02:18 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-18 02:16 . 2009-10-18 02:16 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-18 02:15 . 2009-10-18 02:15 -------- d-----w- c:\program files\Lavasoft
2009-10-18 02:13 . 2009-10-18 02:13 77086488 ----a-w- c:\documents and settings\DANDAN\Ad-AwareInstallation.exe
2009-10-18 01:43 . 2009-10-18 01:43 -------- d-----w- c:\program files\Trend Micro
2009-10-18 01:20 . 2009-10-18 01:20 -------- d-----w- c:\documents and settings\LinDi\Application Data\Malwarebytes
2009-10-18 01:20 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-18 01:20 . 2009-10-18 01:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 01:20 . 2009-10-18 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-18 01:20 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-18 01:17 . 2009-10-17 00:53 4045528 ----a-w- c:\documents and settings\DANDAN\Badstuff.scr
2009-10-17 03:00 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-17 02:58 . 2009-10-17 02:58 -------- d-----w- c:\program files\Windows Defender
2009-10-17 02:57 . 2009-10-17 02:57 5154304 ----a-w- c:\documents and settings\DANDAN\WindowsDefender.msi
2009-10-17 02:40 . 2009-10-17 02:40 812344 ----a-w- c:\documents and settings\DANDAN\HJTInstall.exe
2009-10-17 02:35 . 2009-10-17 02:35 714528 ----a-w- c:\documents and settings\DANDAN\JavaSetup6u16.exe
2009-10-17 01:01 . 2009-10-17 01:01 -------- d-----w- c:\program files\ESET
2009-10-17 00:57 . 2009-10-17 00:57 9092032 ----a-w- c:\documents and settings\DANDAN\windows-kb890830-v3.0.exe
2009-10-17 00:56 . 2009-10-17 00:56 16409960 ----a-w- c:\documents and settings\DANDAN\spybotsd162.exe
2009-10-17 00:53 . 2009-10-17 00:53 4045528 ----a-w- c:\documents and settings\DANDAN\mally-file.exe
2009-10-17 00:52 . 2009-11-01 18:10 -------- d-----w- c:\documents and settings\DANDAN
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-25 05:56 . 2004-08-24 00:32 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-11 03:31 . 2009-09-02 04:19 45344 ----a-w- c:\windows\system32\drivers\hki4294.sys
2009-09-04 20:45 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:16 . 2002-08-29 11:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-16 14:58 . 2004-02-09 04:21 28256 ----a-w- c:\windows\system32\drivers\MxlW2k.sys
2009-08-06 23:24 . 2004-09-13 22:18 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-09-13 22:18 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-09-13 22:18 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2002-08-29 11:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2002-08-29 11:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-09-13 22:18 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2006-11-05 14:30 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2005-05-26 09:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2002-08-29 11:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:11 . 2002-08-29 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:00 . 2002-08-29 11:00 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 2002-08-29 11:00 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 610304]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-05-22 327680]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2002-11-01 208560]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-09-23 204800]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-02-09 151597]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 53248]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"EPSON Stylus C84 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE" [2003-05-27 99840]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-02-15 1052672]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\SYSTEM32\Ati2mdxx.exe [2002-08-28 28672]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [10/17/2009 9:18 PM 64288]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 4:45 AM 13088]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [2/28/2008 4:57 PM 18944]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1170768]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S0 hki4294;hki4294;\SystemRoot\\SystemRoot\System32\drivers\hki4294.sys --> \SystemRoot\\SystemRoot\System32\drivers\hki4294.sys [?]
S1 dbb7b864.sys;dbb7b864.sys;\??\c:\windows\System32\drivers\dbb7b864.sys --> c:\windows\System32\drivers\dbb7b864.sys [?]
--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2

Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 02:17]

2004-02-18 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 07:56]

2009-11-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

------- Supplementary Scan -------

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2009-11-01 13:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???H???????x???x???????????x???????????x???x??????????? ??????????????????????????????w????????????j??w????x???x??????????????
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2009-11-01 13:36
ComboFix-quarantined-files.txt 2009-11-01 18:36

Pre-Run: 4,043,063,296 bytes free
Post-Run: 4,359,483,392 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
- - End Of File - - 168A4946276FD19BD2EB111A695D39EA

TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA

I'm glad everything seems to be working better now. :)
Please disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender. Click on Tools, General Settings. Scroll down and uncheck Turn on real-time protection (recommended). After you uncheck this, click on the Save button and close Windows Defender. After all of the fixes are complete it is very important that you enable Real-time Protection again. - Important!
Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.
We need to make sure you have the most recent version of ComboFix. Delete your current copy of ComboFix.exe. Download ComboFix© by sUBs from one of these links:
Save the file to your Desktop. Close any open browsers. Close your AntiVirus and any anti-spyware programs you may be running.
For this next step, please ensure that ComboFix.exe is on your desktop:
Please open Notepad (*Do Not Use Wordpad!*) (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below. Save this as "CFScript.txt", change the "Save as type" to "All Files", and place it on your desktop.
quote:
Driver::
hki4294
dbb7b864.sys

File::
c:\windows\System32\drivers\dbb7b864.sys
c:\windows\System32\drivers\hki4294.sys
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it will produce a log for you at C:\ComboFix.txt. Please post that log in your next reply.
Please post a new HijackThis log, the log from ComboFix (combofix.txt), and note any errors encountered.
-- Proud ASAP member since 2005 Microsoft MVP/Windows Security 2009

jdgreen05 join:2005-07-09 Denville, NJ

OK, did all of that, all seemed to work, here are the logs....

ComboFix 09-10-30.01 - LinDi 11/01/2009 17:24.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.675 [GMT -5:00]
Running from: c:\documents and settings\LinDi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\LinDi\Desktop\CFScript.txt

FILE ::
"c:\windows\System32\drivers\dbb7b864.sys"
"c:\windows\System32\drivers\hki4294.sys"
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\windows\System32\drivers\hki4294.sys

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\Service_dbb7b864.sys
-------\Service_hki4294

((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))

2009-11-01 17:49 . 2009-11-01 17:49 10752 ----a-w- c:\documents and settings\DANDAN\exefix_xp.com
2009-10-18 02:18 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-18 02:16 . 2009-10-18 02:16 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-18 02:15 . 2009-10-18 02:15 -------- d-----w- c:\program files\Lavasoft
2009-10-18 02:13 . 2009-10-18 02:13 77086488 ----a-w- c:\documents and settings\DANDAN\Ad-AwareInstallation.exe
2009-10-18 01:43 . 2009-10-18 01:43 -------- d-----w- c:\program files\Trend Micro
2009-10-18 01:20 . 2009-10-18 01:20 -------- d-----w- c:\documents and settings\LinDi\Application Data\Malwarebytes
2009-10-18 01:20 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-18 01:20 . 2009-10-18 01:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 01:20 . 2009-10-18 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-18 01:20 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-18 01:17 . 2009-10-17 00:53 4045528 ----a-w- c:\documents and settings\DANDAN\Badstuff.scr
2009-10-17 03:00 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-17 02:58 . 2009-10-17 02:58 -------- d-----w- c:\program files\Windows Defender
2009-10-17 02:57 . 2009-10-17 02:57 5154304 ----a-w- c:\documents and settings\DANDAN\WindowsDefender.msi
2009-10-17 02:40 . 2009-10-17 02:40 812344 ----a-w- c:\documents and settings\DANDAN\HJTInstall.exe
2009-10-17 02:35 . 2009-10-17 02:35 714528 ----a-w- c:\documents and settings\DANDAN\JavaSetup6u16.exe
2009-10-17 01:01 . 2009-10-17 01:01 -------- d-----w- c:\program files\ESET
2009-10-17 00:57 . 2009-10-17 00:57 9092032 ----a-w- c:\documents and settings\DANDAN\windows-kb890830-v3.0.exe
2009-10-17 00:56 . 2009-10-17 00:56 16409960 ----a-w- c:\documents and settings\DANDAN\spybotsd162.exe
2009-10-17 00:53 . 2009-10-17 00:53 4045528 ----a-w- c:\documents and settings\DANDAN\mally-file.exe
2009-10-17 00:52 . 2009-11-01 22:12 -------- d-----w- c:\documents and settings\DANDAN

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2009-09-25 05:56 . 2004-08-24 00:32 662016 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-04 20:45 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:16 . 2002-08-29 11:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-16 14:58 . 2004-02-09 04:21 28256 ----a-w- c:\windows\system32\drivers\MxlW2k.sys
2009-08-06 23:24 . 2004-09-13 22:18 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-09-13 22:18 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-09-13 22:18 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2002-08-29 11:00 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2002-08-29 11:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-09-13 22:18 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2006-11-05 14:30 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2005-05-26 09:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2002-08-29 11:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:11 . 2002-08-29 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:00 . 2002-08-29 11:00 2180352 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 2002-08-29 11:00 2057728 ------w- c:\windows\system32\ntkrnlpa.exe

((((((((((((((((((((((((((((( SnapShot@2009-11-01_18.30.17 )))))))))))))))))))))))))))))))))))))))))

- 2004-02-09 03:50 . 2009-10-18 03:59 65446 c:\windows\SYSTEM32\PERFC009.DAT
+ 2004-02-09 03:50 . 2009-11-01 22:33 65446 c:\windows\SYSTEM32\PERFC009.DAT
+ 2004-02-09 03:50 . 2009-11-01 22:33 411142 c:\windows\SYSTEM32\PERFH009.DAT
- 2004-02-09 03:50 . 2009-10-18 03:59 411142 c:\windows\SYSTEM32\PERFH009.DAT

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 610304]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-05-22 327680]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2002-11-01 208560]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-09-23 204800]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-02-09 151597]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 53248]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"EPSON Stylus C84 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE" [2003-05-27 99840]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-02-15 1052672]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\SYSTEM32\Ati2mdxx.exe [2002-08-28 28672]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [10/17/2009 9:18 PM 64288]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 4:45 AM 13088]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [2/28/2008 4:57 PM 18944]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1170768]
--- Other Services/Drivers In Memory ---

*Deregistered* - CLASSPNP_2
*Deregistered* - mbr

Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 02:17]

2004-02-18 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 07:56]

2009-11-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

------- Supplementary Scan -------

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2009-11-01 17:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???H???????x???x???????????x???????????x???x??????????? ??????????????????????????????w????????????j??w????x???x??????????????
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

------------------------ Other Running Processes ------------------------

c:\windows\System32\Ati2evxx.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\windows\System32\wbem\wmiapsrv.exe

**************************************************************************

Completion time: 2009-11-01 17:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-01 22:42

Pre-Run: 4,376,596,480 bytes free
Post-Run: 4,263,858,176 bytes free

- - End Of File - - 93FD8D63BCDA05A7D0A551BD78583B73
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:30 PM, on 11/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - »update.microsoft.com/microsoftup···61796039
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - »download.eset.com/special/eos-be···nner.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

-- End of file - 6484 bytes

TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
Go to Start > Run and copy and paste the next command in the field: ComboFix /uninstall
Make sure there's a space between ComboFix and /. Then hit Enter.
This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
Create a Restore Point
•Go to Start > Programs > Accessories > System Tools > System Restore
•Select Create a Restore Point and then Next.
•In the box for "Restore point description", enter a descriptive name and press Create
•When the "Restore Point Created" window appears, click Close

Run Disk Cleanup
•Go to Start > Run and type the below line: cleanmgr
•Click OK
•If you have more than one drive, select the drive Windows is installed on
•Click OK
•When Disk Cleanup opens, select the More Options tab
•In the System Restore section (bottom of window), click Cleanup
•In the confirmation window that opens, click Yes

Now click on the Disk Cleanup tab and select the following items:
•Downloaded Program Files
•Temporary Internet Files
•Recycle Bin
•Temporary Files
Click OK in the confirmation window, select Yes (Disk Cleanup will close).
To help keep malware off your system:
- Keep Windows updated at Windows Update or Microsoft Update.
- Keep your other applications updated; there are vulnerabilities that rely on exploits through other programs like Java, Microsoft Office, Adobe Reader, Flash, and others.
- Run a program like Secunia Software Inspector Scan to see what programs need to be updated.
- Be careful with flash drives, as they can spread infections. See this post on USB/flash drive safety.
- Stay away from P2P software; even with a clean P2P program, their networks are often riddled with malware.
- Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety.
- Don't click on links received in instant message programs.
- In place of Internet Explorer, browse with Firefox with the NoScript and AdBlock Plus add-ons.
- A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOSTS file is MVPS HOSTS File, available at »www.mvps.org/winhelp2002/hosts.htm.
- A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at »www.javacoolsoftware.com/products.html.
- I recommend reading Tony Klein's article So How did I get Infected in the First Place? at »www.spywareinfoforum.com/index.p···ic=60955
Does your problem appear resolved?
-- Proud ASAP member since 2005 Microsoft MVP/Windows Security 2009

jdgreen05 join:2005-07-09 Denville, NJ

Thanks much - appreciate all the help!

TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA

I'm glad I could help.
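The two drivers TheJoker wrote into the CFScript (hki4294 and dbb7b864.sys) stand out in the first ComboFix services block because they have no file date/size (`[?]`), random-looking names, and boot/system start types. As an added example, not code from the thread, ComboFix or HijackThis, the script below parses such service lines, flags those traits, and diffs the two runs to confirm the entries are gone; the line layout regex and the name heuristic are assumptions inferred from the lines quoted above, and the sample input is constructed from them.

```python
"""Triage the ComboFix 'services' block and diff two runs.
Constructed for this thread; not ComboFix code. The line layout
(state+start type, name;display;image path [date time size]) is an
assumption inferred from the lines quoted in the thread."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: the service lines from the two ComboFix logs in
# the thread, one entry per line as ComboFix prints them.
BEFORE = r"""
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [10/17/2009 9:18 PM 64288]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 4:45 AM 13088]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [2/28/2008 4:57 PM 18944]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1170768]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S0 hki4294;hki4294;\SystemRoot\\SystemRoot\System32\drivers\hki4294.sys --> \SystemRoot\\SystemRoot\System32\drivers\hki4294.sys [?]
S1 dbb7b864.sys;dbb7b864.sys;\??\c:\windows\System32\drivers\dbb7b864.sys --> c:\windows\System32\drivers\dbb7b864.sys [?]
"""
AFTER = r"""
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [10/17/2009 9:18 PM 64288]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 4:45 AM 13088]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [2/28/2008 4:57 PM 18944]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1170768]
"""

ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"        # R = running, S = stopped; start type 0-4
    r"(?P<name>[^;]+);(?P<display>[^;]*);"      # service name; display name
    r"(?P<path>.*?)\s+\[(?P<meta>[^\]]*)\]$"    # image path, then "[date time size]" or "[?]"
)
# Heuristic (assumption): a short name that is mostly hex digits, such as
# hki4294 or dbb7b864, looks machine-generated rather than vendor-chosen.
RANDOM_NAME_RE = re.compile(r"^[a-z]{0,3}[0-9a-f]{4,}$", re.IGNORECASE)


@dataclass
class Entry:
    state: str     # "R" running or "S" stopped
    start: int     # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    display: str
    path: str      # "logical path --> resolved path" when ComboFix resolves it
    meta: str      # contents of the trailing brackets; "?" when unavailable


def parse_entries(text: str) -> list[Entry]:
    """Parse every line that matches the service-entry layout; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["state"], int(m["start"]), m["name"],
                                 m["display"], m["path"], m["meta"]))
    return entries


def triage(entries: list[Entry]) -> dict[str, list[str]]:
    """Return {service name: [reasons]} for entries that merit a closer look."""
    findings: dict[str, list[str]] = {}
    for e in entries:
        reasons = []
        if e.meta.strip() == "?":
            reasons.append("no file date/size recorded (image not examinable)")
        if r"\\" in e.path:   # e.g. \SystemRoot\\SystemRoot: malformed image path
            reasons.append("doubled path separator in image path")
        if RANDOM_NAME_RE.match(e.name.split(".")[0]):
            reasons.append("machine-generated-looking service name")
        if reasons and e.start <= 1:
            reasons.append("boot/system start type: loads before security tools")
        if reasons:
            findings[e.name] = reasons
    return findings


def diff_runs(before: list[Entry], after: list[Entry]) -> tuple[set[str], set[str]]:
    """Service names removed and added between two ComboFix runs."""
    b, a = {e.name for e in before}, {e.name for e in after}
    return b - a, a - b


def state_changes(before: list[Entry], after: list[Entry]) -> dict[str, tuple[str, str]]:
    """Entries present in both runs whose state/start code changed, e.g. R2 -> S3."""
    old = {e.name: f"{e.state}{e.start}" for e in before}
    new = {e.name: f"{e.state}{e.start}" for e in after}
    return {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]}


if __name__ == "__main__":
    first, second = parse_entries(BEFORE), parse_entries(AFTER)
    for name, reasons in triage(first).items():
        print(f"{name}: " + "; ".join(reasons))
    removed, added = diff_runs(first, second)
    print("removed by the CFScript run:", sorted(removed), "added:", sorted(added))
    print("state changes:", state_changes(first, second))
```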