jimmyf
(regular)
Tue Feb 12 2008 11:06 AM
help with father-in-law's HijackThis log please

Father-in-law has asked me to try and get rid of a trojan downloader on his laptop. I have used AVG, Trojan Remover, a-squared and a registry cleaner. I think it's gone, but fifeflyer suggested I post a HijackThis log.
Another persistent problem is his dial-up connection to BT Yahoo is lost when Outlook Express tries to connect. I'm not sure if the problem is related to the trojan. The trojan was present in the system32 folder as 'append.dll', which seems to be gone.
Thanks for all help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:48, on 12/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\BT Yahoo! Internet\ModemLock.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Yahoo! Internet\Watchdog.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\BT Yahoo! Internet\DialBTYahoo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/scotland/default.stm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F02D978-0FF6-80F7-60BB-0426224AB7B3} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: .protected
O4 - Global Startup: .protected
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol028.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E856656E-D2E7-4BBC-8D27-9438BE1BB8A1}: NameServer = 194.72.0.98 62.6.40.162
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Intel(R) Corporation - (no file)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8974 bytes


Joe_London
(HijackThis Helper)
Tue Feb 12 2008 02:28 PM
Re: help with father-in-law's HijackThis log please

Please disable the following programmes from running at startup:

Spybot - Search & Destroy TeaTimer
AOL Spyware Protection
TrojanScanner

You should be able to do this from within the respective programmes. Make sure you do this first, as these programmes may interfere with the fix.

Please uninstall the current outdated Sun Java via the Add/Remove utility in the Control Panel and then download the latest Sun Java update from here:
http://www.java.com/en/download/windows_ie.jsp
Reboot the computer.

Open HijackThis, take another scan and place a checkmark next to these entries.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {2F02D978-0FF6-80F7-60BB-0426224AB7B3} - (no file)


Close all open windows except HijackThis and click on "Fix Checked".
Reboot the Computer.

  1. Download ComboFix.exe using any of these links:

     Link 1
     Link 2
     Link 3
  2. Double click on combofix.exe to run the programme & then follow the prompts.

     It will create a new system restore point and registry backup.

     You will be asked to type 1 (One) and then "enter" to run the programme.

     Your firewall may seek permission to allow the programme to run. Check the "Remember" checkbox and click Yes.

  3. When finished, it will produce a log for you. Save the log, then copy and post it back here with a fresh HJT log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Please also post the following:

Open HijackThis,
Click Config | Misc Tools | Open Uninstall Manager.
A list of the entries in Add/Remove Programs will appear.
Click on Save List...
The list will be saved as 'Uninstall_list.txt'
Copy & Paste the contents in your next reply.

Joe.
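As an added illustration (not from this thread, and not part of HijackThis or ComboFix): a small Python parser for HijackThis entry lines that flags the kinds of entries Joe picked out above (a registered CLSID or service whose file is gone, an R0 value that is present but empty), plus a check of the ComboFix "SecurityProviders" line, which later in this thread still names append.dll, the DLL the original poster identified as the trojan. The sample lines are constructed, the Windows XP default provider list is an assumption, and the output is a list for a human to review, not a fix list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v2.0.2 log format (a handful of lines shaped like
# the entries discussed in this thread, not the complete log).
SAMPLE_HJT_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://news.bbc.co.uk/1/hi/scotland/default.stm
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {2F02D978-0FF6-80F7-60BB-0426224AB7B3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O23 - Service: NICCONFIGSVC - Intel(R) Corporation - (no file)
"""

# Constructed copy of the ComboFix "Reg Loading Points" line seen in this thread.
SAMPLE_SECURITY_PROVIDERS = (
    "SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll"
)

# Assumption (not stated anywhere in the thread): the stock Windows XP provider list.
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class HjtEntry:
    section: str            # R0..R3, F0..F3, N1..N4, O1..O24
    body: str               # everything after "<section> - "
    clsid: Optional[str]    # the {GUID} if the entry carries one
    target: str             # last " - " separated field (file path or "(no file)")
    reason: Optional[str]   # why the entry deserves a look, or None


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis entry line; return None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0).upper() if clsid_m else None
    target = body.rsplit(" - ", 1)[-1].strip() if " - " in body else body.strip()
    reason = None
    if target == "(no file)":
        # A CLSID or service still registered whose DLL/EXE is gone: usually left
        # behind by an uninstall or a partial malware clean-up.
        reason = "registered object with no backing file"
    elif section.startswith("R") and body.rstrip().endswith("="):
        # An R0/R1 browser value that exists but is empty, e.g. "Local Page =".
        reason = "empty browser setting value"
    return HjtEntry(section, body, clsid, target, reason)


def review_candidates(log_text: str) -> List[HjtEntry]:
    """Return the entries of a HijackThis log that have a review reason attached."""
    out = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is not None and entry.reason is not None:
            out.append(entry)
    return out


def unexpected_security_providers(line: str) -> List[str]:
    """DLLs in a 'SecurityProviders' line that are not in the assumed default set.

    These DLLs are loaded by the LSA process (lsass.exe) at boot, so an extra
    name here is a persistence location to check, not just a leftover file.
    """
    m = re.match(r"^\s*SecurityProviders\s+(.*)$", line)
    if not m:
        return []
    dlls = [d.strip().lower() for d in m.group(1).split(",") if d.strip()]
    return [d for d in dlls if d not in DEFAULT_SECURITY_PROVIDERS]


if __name__ == "__main__":
    for e in review_candidates(SAMPLE_HJT_LOG):
        print(f"{e.section:4} {e.reason:40} {e.clsid or '-'}")
    print("unexpected SecurityProviders:",
          unexpected_security_providers(SAMPLE_SECURITY_PROVIDERS))
```

Run against the sample it lists the R0 "Local Page", the R3 and O2 "(no file)" entries that Joe asked to have fixed, and the O23 NICCONFIGSVC service, which also has no file but was not on his list; the second check returns append.dll as the only non-default provider.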


jimmyf
(regular)
Tue Feb 12 2008 06:08 PM
Re: help with father-in-law's HijackThis log please

Thanks - I think I've completed all the tasks, so here are the logs you asked for.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:05:53, on 12/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\BT Yahoo! Internet\ModemLock.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Yahoo! Internet\Watchdog.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BT Yahoo! Internet\DialBTYahoo.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/scotland/default.stm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol028.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E856656E-D2E7-4BBC-8D27-9438BE1BB8A1}: NameServer = 62.6.40.162 194.72.0.98
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Intel(R) Corporation - (no file)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8363 bytes

ComboFix log

ComboFix 08-02.02.2 - david douglas 2008-02-12 17:26:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.268 [GMT 0:00]
Running from: C:\Downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\.protected
C:\Documents and Settings\david douglas\Application Data\Install.dat
C:\WINDOWS\.protected
C:\WINDOWS\system32\drivers\etc\.protected

.
((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.

2008-02-12 16:55 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-12 16:54 . 2008-02-12 16:55 <DIR> d-------- C:\Program Files\Java
2008-02-12 16:19 . 2008-02-12 16:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-12 12:11 . 2008-02-12 12:11 <DIR> d-------- C:\Program Files\ToniArts
2008-02-12 10:53 . 2008-02-12 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-11 17:31 . 2008-02-11 17:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-11 17:31 . 2008-02-11 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 11:29 . 2008-02-11 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-02-10 20:49 . 2008-02-10 20:49 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 20:49 . 2008-02-10 20:49 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\Spybot - Search & Destroy
2008-02-10 20:49 . 2008-02-11 19:17 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\AVG7
2008-02-10 20:48 . 2008-02-10 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 19:10 . 2008-02-10 19:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-10 19:08 . 2008-02-10 19:08 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 19:06 . 2008-02-10 19:06 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-10 18:32 . 2008-02-11 13:05 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-10 18:17 . 2008-02-12 10:11 <DIR> d-------- C:\Program Files\Trojan Remover
2008-02-10 18:17 . 2008-02-10 18:17 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\Simply Super Software
2008-02-10 18:17 . 2008-02-12 15:50 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-10 18:17 . 2008-02-10 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-02-10 18:17 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-02-10 18:17 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-02-10 18:17 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-02-10 18:17 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-02-10 18:17 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-02-10 18:14 . 2008-02-10 18:14 <DIR> d-------- C:\Program Files\AML Products
2008-02-10 18:14 . 1998-12-24 20:23 40,960 --a------ C:\WINDOWS\system32\VBAME.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-12 12:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-11 10:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-10 19:15 --------- d-----w C:\Documents and Settings\david douglas\Application Data\Lavasoft
2008-01-30 18:41 --------- d-----w C:\Program Files\Dl_cats
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 18:09 68856]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 21:46 135168]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 23:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 23:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 23:10 114688]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 19:36 729178]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 13:58 86016]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-11-19 10:39 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-19 10:40 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 07:45 430080]
"MemoryCardManager"="" []
"BTopenworld"="c:\program files\bt yahoo! internet\DialBTYahoo.exe" [2007-10-14 13:10 333472]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 18:40 2577632]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-11 10:25 579072]
"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 06:39 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 01:17 443968]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 20:49 219136]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll

R3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2005-06-21 08:19]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 16:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 16:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 16:59]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 17:28:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCDCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-12 17:29:02
ComboFix-quarantined-files.txt 2008-02-12 17:28:47
.
2008-01-22 20:20:17 --- E O F ---

Uninstall list

944plc32
ABBYY FineReader 6.0 Sprint
Ad-Aware SE Professional
Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
AML Free Registry Cleaner 4.0
AOL UK (Choose which version to remove)
ARTEuro
a-squared Free 3.1
AVG 7.5
BitComet 0.86
BT Yahoo! Internet Connection Manager 8.0
CCleaner (remove only)
Conexant D110 MDC V.9x Modem
Dell Driver Reset Tool
Dell Media Experience
Dell Photo AIO Printer 944
Dell Wireless WLAN Card
DellSupport
Digital Line Detect
EasyCleaner
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internal Network Card Power Management
Internet Explorer Default Page
Java(TM) 6 Update 3
Learn2 Player (Uninstall Only)
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Works 7.0
Modem Helper
Mozilla Firefox (1.0.6)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
NetWaiting
Picasa 2
PowerDVD 5.5
QuickSet
QuickTime
RealPlayer Basic
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3 USB Driver Installer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sygate Personal Firewall
Synaptics Pointing Device Driver
Trojan Remover 6.6.4
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Viewpoint Media Player
Vodafone 804SS USB driver Software
Wanadoo Europe Installer
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859

THANKS AGAIN!


Joe_London
(HijackThis Helper)
Wed Feb 13 2008 09:11 AM
Re: help with father-in-laws hijack this log please

Thanks, I'll look through your logs and get back to you ASAP

Joe.


Joe_London
(HijackThis Helper)
Wed Feb 13 2008 05:23 PM
Re: help with father-in-laws hijack this log please

Please delete this foistware via the add/remove utility in the control panel.
Viewpoint Media Player

Copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Open *notepad*

Copy and paste all the text in the quotebox below into it:

Quote:


KillAll::

Folder::
C:\Program Files\Viewpoint


ADS::
C:\windows\system32

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"append.dll"=-





Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.





Referring to the picture above, drag CFScript.txt into ComboFix.exe

This reactivates Combofix. Again follow the prompts.

It will create another System restore point.

When finished, it shall produce a log for you at C:\ComboFix.txt

Copy and paste the ComboFix.txt.
*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Can you also review your security? Ideally you need one third-party firewall, one anti-virus, one anti-spyware programme, SpywareBlaster, CCleaner and McAfee SiteAdvisor. You can have other anti-spyware programmes, but only one running at startup is recommended.

I see you are still using IE 6; may I suggest updating that and the system as well.

Joe.


jimmyf
(regular)
Thu Feb 14 2008 10:17 AM
Re: help with father-in-laws hijack this log please

new combofix log

ComboFix 08-02-14.2 - david douglas 2008-02-14 9:58:22.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.242 [GMT 0:00]
Running from: C:\Documents and Settings\david douglas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\david douglas\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

I will install SiteAdvisor and SpywareBlaster and update IE. He has Sygate firewall, AVG antivirus, CCleaner and a-squared installed - should that be enough?
thanks again
jim


Joe_London
(HijackThis Helper)
Thu Feb 14 2008 10:40 AM
Re: help with father-in-laws hijack this log please

Quote:


new combofix log




Can you post the complete log please? That looks as if most of it is missing.

Joe.


jimmyf
(regular)
Fri Feb 15 2008 09:38 AM
Re: help with father-in-laws hijack this log please

Hi Joe,
That's all that was saved under combofix.txt; however, this has been saved as cflog:


C:\>prompt $

title .

color 17

set "cfldr=327882R2FWJFW"

set param_="C:\Documents and Settings\david douglas\Desktop\CFScript.txt"

if defined param_ set param_="C:\Documents and Settings\david douglas\Desktop\CFScript.txt"

if defined param_ set param_="C:\Documents and Settings\david douglas\Desktop\CFScript.txt"

cd /d "C:\"

if not exist "327882R2FWJFW" goto Abort

if exist "C:\DOCUME~1\DAVIDD~1\LOCALS~1\Temp\327882R2FWJFW327882R2FWJFW.log" del "C:\DOCUME~1\DAVIDD~1\LOCALS~1\Temp\327882R2FWJFW327882R2FWJFW.log" 2>nul

"327882R2FWJFW\Nircmd.com" win close ititle "ComboFix"

copy /y/b/v C:\WINDOWS\system32\cmd.exe "327882R2FWJFW\kmd.exe" 1>nul 2>&1

For /F "tokens=*" %g in ("C:\Downloads\ComboFix.exe") do @(
set "FileName=%~ng"
set "FilePath=%~dpg"
)

If /I "C:\Downloads\" NEQ "C:\" If exist "C:\Downloads\kmd.exe" del "C:\Downloads\kmd.exe" 2>nul

If not defined FileName goto END

DIR /AD/B | C:\WINDOWS\System32\FindStr.exe -IVX ComboFix 1>dirname00

C:\WINDOWS\System32\FindStr.exe -LIXC:"ComboFix" dirname00 1>nul 2>&1 && call :NameChk

del /Q dirname0? 2>nul

If exist "ComboFix" DIR /AD "ComboFix" 1>nul 2>&1 && (
rd /s/q "ComboFix" 2>nul
If exist "ComboFix" (
pushd "327882R2FWJFW"
call pid.bat
popd
rd /s/q "ComboFix" 2>nul
)
If exist "ComboFix" (
"327882R2FWJFW\handle.cfexe" "C:\ComboFix" | "327882R2FWJFW\SED.cfexe" -r "/pid:/!d; s/.*: (.*): .*/\1/" 1>temp00
for /F "tokens=1,2" %g in (temp00) do @echo.y | "327882R2FWJFW\Handle.cfexe" -p %g -c %h 1>nul
del /q temp00 2>nul
rd /s/q "ComboFix" 2>nul
)
)

If exist "ComboFix" rd /s/q "ComboFix" 2>nul

If not exist "ComboFix" Ren "327882R2FWJFW" "ComboFix" 1>nul 2>&1

If exist "327882R2FWJFW" goto AbortB

set cfldr=

Start "." /d"C:\ComboFix" "C:\ComboFix\kmd.exe" /c " "C:\ComboFix\c.bat" "C:\Documents and Settings\david douglas\Desktop\CFScript.txt" "

"ComboFix\nircmd.com" execmd del Start_.cmd

del Start_.cmd

Hope that's what you require.
cheers
jim


Joe_London
(HijackThis Helper)
Fri Feb 15 2008 01:23 PM
Re: help with father-in-laws hijack this log please

Hi Jim,

Not sure what happened there, but the report appears to be corrupted for some reason. I want to make sure that registry key is restored to its default. Run part one again and post that report, which should give me the information. How's the computer running?

  1. Download ComboFix.exe using either of these links:

    Link 1
    Link 2
    Link 3
  2. Double click on combofix.exe to run the programme & then follow the prompts.

    It will create a new system restore point and registry backup.

    You will be asked to type 1 (One) and then "enter" to run the programme.

    Your firewall may seek permission to allow the programme to run. Check the "Remember" checkbox and click yes

  3. When finished, it will produce a log for you. Save the log then copy and post it back here in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Obviously you can ignore the download part of the instructions.

Joe.


jimmyf
(regular)
Fri Feb 15 2008 02:31 PM
Re: help with father-in-laws hijack this log please

hi joe
here is the new log

ComboFix 08-02-14.2 - david douglas 2008-02-15 14:17:53.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.291 [GMT 0:00]
Running from: C:\Documents and Settings\david douglas\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-14 12:45 . 2008-02-15 12:40 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-02-14 10:31 . 2008-02-14 10:31 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-02-14 10:31 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 13:07 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-14 10:22 . 2008-02-14 10:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-13 20:08 . 2008-02-13 20:08 0 --a------ C:\WINDOWS\SETUP32.INI
2008-02-13 19:55 . 2008-02-13 19:55 <DIR> d-------- C:\Program Files\directx
2008-02-13 19:51 . 2008-02-13 19:51 36 --a------ C:\WINDOWS\Tiny_Run.ini
2008-02-13 19:49 . 2008-02-13 19:49 <DIR> d-------- C:\Program Files\Zoo
2008-02-13 19:49 . 2004-02-20 22:20 131,072 -ra------ C:\WINDOWS\system32\duninstall.exe
2008-02-13 19:49 . 2008-02-13 19:49 47 --a------ C:\WINDOWS\1.0
2008-02-12 16:55 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-12 16:54 . 2008-02-12 16:55 <DIR> d-------- C:\Program Files\Java
2008-02-12 16:19 . 2008-02-12 16:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-12 12:11 . 2008-02-12 12:11 <DIR> d-------- C:\Program Files\ToniArts
2008-02-12 10:53 . 2008-02-12 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-11 17:31 . 2008-02-11 17:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-11 17:31 . 2008-02-11 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 11:29 . 2008-02-11 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-02-10 20:49 . 2008-02-10 20:49 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 20:49 . 2008-02-10 20:49 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\Spybot - Search & Destroy
2008-02-10 20:49 . 2008-02-11 19:17 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\AVG7
2008-02-10 20:48 . 2008-02-10 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 19:10 . 2008-02-10 19:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-10 19:08 . 2008-02-10 19:08 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 19:06 . 2008-02-10 19:06 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-10 18:32 . 2008-02-11 13:05 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-10 18:17 . 2008-02-15 14:11 <DIR> d-------- C:\Program Files\Trojan Remover
2008-02-10 18:17 . 2008-02-10 18:17 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\Simply Super Software
2008-02-10 18:17 . 2008-02-12 20:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-10 18:17 . 2008-02-10 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-02-10 18:17 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-02-10 18:17 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-02-10 18:17 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-02-10 18:17 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-02-10 18:17 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-02-10 18:14 . 2008-02-10 18:14 <DIR> d-------- C:\Program Files\AML Products
2008-02-10 18:14 . 1998-12-24 20:23 40,960 --a------ C:\WINDOWS\system32\VBAME.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 12:30 --------- d-----w C:\Program Files\BitComet
2008-02-14 08:56 --------- d-----w C:\Program Files\Dl_cats
2008-02-14 08:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-11 10:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-10 19:15 --------- d-----w C:\Documents and Settings\david douglas\Application Data\Lavasoft
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 18:09 68856]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 21:46 135168]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 23:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 23:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 23:10 114688]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 19:36 729178]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 13:58 86016]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-11-19 10:39 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-19 10:40 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 07:45 430080]
"MemoryCardManager"="" []
"BTopenworld"="c:\program files\bt yahoo! internet\DialBTYahoo.exe" [2007-10-14 13:10 333472]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 18:40 2577632]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-11 10:25 579072]
"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 06:39 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-11-11 13:42 726608]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-12-04 21:03 36640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 01:17 443968]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 20:49 219136]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll

R3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2005-06-21 08:19]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 16:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 16:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 16:59]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 14:19:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-15 14:20:20
ComboFix-quarantined-files.txt 2008-02-15 14:20:03
ComboFix2.txt 2008-02-12 17:29:03
.
2008-02-15 12:40:56 --- E O F ---


The computer is running 100 times better, maintaining the internet connection; the desktop has been restored and various virus/trojan/malware scans have shown nothing.
When I first tried to drag CFScript.txt into ComboFix it told me ComboFix had expired, so I had to download it again - not sure if that caused any problems.
thanks for all your time in this.
cheers
jim


Joe_London
(HijackThis Helper)
Fri Feb 15 2008 04:06 PM
Re: help with father-in-laws hijack this log please

Hi Jim,
Quote:


The computer is running 100 times better, maintaining the internet connection; the desktop has been restored and various virus/trojan/malware scans have shown nothing.




That's good to hear.
Quote:


When I first tried to drag CFScript.txt into ComboFix it told me ComboFix had expired, so I had to download it again - not sure if that caused any problems.




It's a time-limited programme that's continually updated, so that's fine.

It's not a major issue, but unfortunately it didn't edit the registry key as I'd hoped; that may be my fault.

Let's try this method:

Copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Open *notepad*

Copy and paste all the text in the quotebox below into it:

Quote:


KillAll::

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"





Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.





Referring to the picture above, drag CFScript.txt into ComboFix.exe

This reactivates Combofix. Again follow the prompts.

It will create another System restore point.

When finished, it shall produce a log for you at C:\ComboFix.txt

Copy and paste the ComboFix.txt log in your next reply.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*


Joe.


jimmyf
(regular)
Sat Feb 16 2008 11:19 AM
Re: help with father-in-laws hijack this log please

here goes!

ComboFix 08-02-14.2 - david douglas 2008-02-16 10:47:59.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.309 [GMT 0:00]
Running from: C:\Documents and Settings\david douglas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\david douglas\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-14 10:31 . 2008-02-14 10:31 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-02-14 10:31 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 13:07 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-14 10:22 . 2008-02-14 10:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-13 20:08 . 2008-02-13 20:08 0 --a------ C:\WINDOWS\SETUP32.INI
2008-02-13 19:55 . 2008-02-13 19:55 <DIR> d-------- C:\Program Files\directx
2008-02-13 19:51 . 2008-02-13 19:51 36 --a------ C:\WINDOWS\Tiny_Run.ini
2008-02-13 19:49 . 2008-02-13 19:49 <DIR> d-------- C:\Program Files\Zoo
2008-02-13 19:49 . 2004-02-20 22:20 131,072 -ra------ C:\WINDOWS\system32\duninstall.exe
2008-02-13 19:49 . 2008-02-13 19:49 47 --a------ C:\WINDOWS\1.0
2008-02-12 16:55 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-12 16:54 . 2008-02-12 16:55 <DIR> d-------- C:\Program Files\Java
2008-02-12 16:19 . 2008-02-12 16:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-12 12:11 . 2008-02-12 12:11 <DIR> d-------- C:\Program Files\ToniArts
2008-02-12 10:53 . 2008-02-12 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-11 17:31 . 2008-02-11 17:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-11 17:31 . 2008-02-11 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 11:29 .. 2008-02-11 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-02-10 20:49 . 2008-02-10 20:49 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 20:49 . 2008-02-10 20:49 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\Spybot - Search & Destroy
2008-02-10 20:49 . 2008-02-11 19:17 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\AVG7
2008-02-10 20:48 . 2008-02-10 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 19:10 . 2008-02-10 19:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-10 19:08 . 2008-02-10 19:08 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 19:06 . 2008-02-10 19:06 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-10 18:32 . 2008-02-11 13:05 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-10 18:17 . 2008-02-16 10:53 <DIR> d-------- C:\Program Files\Trojan Remover
2008-02-10 18:17 . 2008-02-10 18:17 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\Simply Super Software
2008-02-10 18:17 . 2008-02-12 20:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-10 18:17 . 2008-02-10 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-02-10 18:17 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-02-10 18:17 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-02-10 18:17 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-02-10 18:17 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-02-10 18:17 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-02-10 18:14 . 2008-02-10 18:14 <DIR> d-------- C:\Program Files\AML Products
2008-02-10 18:14 . 1998-12-24 20:23 40,960 --a------ C:\WINDOWS\system32\VBAME.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 12:30 --------- d-----w C:\Program Files\BitComet
2008-02-14 08:56 --------- d-----w C:\Program Files\Dl_cats
2008-02-14 08:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-11 10:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-10 19:15 --------- d-----w C:\Documents and Settings\david douglas\Application Data\Lavasoft
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 18:09 68856]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 21:46 135168]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 23:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 23:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 23:10 114688]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 19:36 729178]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 13:58 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 07:45 430080]
"MemoryCardManager"="" []
"BTopenworld"="c:\program files\bt yahoo! internet\DialBTYahoo.exe" [2007-10-14 13:10 333472]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 18:40 2577632]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-11 10:25 579072]
"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 06:39 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-11-11 13:42 726608]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-12-04 21:03 36640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 01:17 443968]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 20:49 219136]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll

R3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2005-06-21 08:19]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 16:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 16:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 16:59]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 10:54:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ....

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\BT Yahoo! Internet\ModemLock.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\BT Yahoo! Internet\Watchdog.exe
C:\WINDOWS\system32\SNDVOL32.EXE
.
**************************************************************************
.
Completion time: 2008-02-16 10:56:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-16 10:56:23
ComboFix2.txt 2008-02-15 14:20:20
ComboFix3.txt 2008-02-12 17:29:03
.
2008-02-16 10:29:37 --- E O F ---

cheers
jim


Joe_London
(HijackThis Helper)
Sat Feb 16 2008 06:23 PM
Re: help with father-in-laws hijack this log please

Still not worked, Jim.

Please ensure TeaTimer is disabled; it can be re-activated at the end of this fix.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.


I'll make a couple of changes in case that dll file is still on the hard drive.

Copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Open *notepad*

Copy and paste all the text in the quotebox below into it:

Quote:


KillAll::

rootkit::
c:\windows\system32\append.dll

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"





Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.





Referring to the picture above, drag CFScript.txt into ComboFix.exe

This reactivates Combofix. Again follow the prompts.

It will create another System restore point.

When finished, it shall produce a log for you at C:\ComboFix.txt

Copy and paste the ComboFix.txt in your next reply.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*


Joe.
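As an added example (not code from the thread, from HijackThis or from ComboFix), here is a small Python check that does by program what Joe's two Registry:: fixes above aim at by hand: read the SecurityProviders line from a ComboFix "Reg Loading Points" section, flag any DLL that is not in the default provider list, and write out a .reg fragment that restores the default. The default list and the assumption that a CFScript Registry:: section takes .reg-style entries are marked in the comments.

```python
r"""Spot and clean a tampered SecurityProviders registry value.

Added example for this thread; it is not code from the thread, from
HijackThis or from ComboFix. It mirrors the check the helper makes by eye
on the "Reg Loading Points" section of the ComboFix logs above:

  [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
  SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll

SecurityProviders is a comma-separated list of DLLs that Windows loads as
security packages. A name added to that list keeps being looked up even
after the file itself has been deleted, which is why the logs above still
show append.dll after the poster removed it from system32.
"""

# Baseline = the providers the thread's logs show beside the suspect entry.
# Assumption: the stock list differs between Windows releases, so adjust it
# for the version you are checking rather than treating this as universal.
DEFAULT_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

KEY_PATH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders"

# Constructed sample input: the line as ComboFix printed it in the thread.
SAMPLE_LINE = ("SecurityProviders msapsspc.dll, schannel.dll, digest.dll, "
               "msnsspc.dll, append.dll")


def parse_providers(value):
    """Split a REG_SZ SecurityProviders value into lower-case DLL names.

    Empty items are dropped, so a trailing comma (as in the CFScript text
    posted above) does not produce a phantom entry.
    """
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def find_unexpected(value, baseline=DEFAULT_PROVIDERS):
    """Return the entries that are not in the baseline, in original order."""
    known = {b.lower() for b in baseline}
    return [p for p in parse_providers(value) if p not in known]


def cleaned_value(value, baseline=DEFAULT_PROVIDERS):
    """Rebuild the value with only baseline entries, keeping their order."""
    known = {b.lower() for b in baseline}
    return ", ".join(p for p in parse_providers(value) if p in known)


def parse_combofix_line(line):
    """Pull the REG_SZ data out of a ComboFix 'Reg Loading Points' line.

    ComboFix prints '<value name> <data>' for this key, so split on the
    first space and check the name before trusting the rest.
    """
    name, _, data = line.strip().partition(" ")
    if name.lower() != "securityproviders":
        raise ValueError("not a SecurityProviders line: %r" % line)
    return data


def reg_fix(value, baseline=DEFAULT_PROVIDERS):
    """Write a REGEDIT4 fragment that sets the value back to the baseline.

    This is the plain .reg syntax regedit imports. Assumption: the
    Registry:: section of a CFScript accepts the same "name"="data" entry.
    """
    return "\n".join([
        "REGEDIT4",
        "",
        "[%s]" % KEY_PATH,
        '"SecurityProviders"="%s"' % cleaned_value(value, baseline),
        "",
    ])


def audit_line(line, baseline=DEFAULT_PROVIDERS):
    """Run the whole check on one log line; returns (unexpected, fragment)."""
    value = parse_combofix_line(line)
    return find_unexpected(value, baseline), reg_fix(value, baseline)


if __name__ == "__main__":
    unexpected, fragment = audit_line(SAMPLE_LINE)
    if unexpected:
        print("unexpected security provider(s):", ", ".join(unexpected))
        print(fragment)
    else:
        print("SecurityProviders matches the baseline")
```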


jimmyf
(regular)
Sun Feb 17 2008 10:01 AM
Re: help with father-in-laws hijack this log please

Hope this is it; I've disabled Spybot as instructed. I did notice that when I ran ComboFix on its own it shows completed stages 1 to 43, but when CFScript is added the completed list runs from stage 2 to stage 43; not sure if that matters.

ComboFix 08-02-14.2 - david douglas 2008-02-17 9:46:19.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.306 [GMT 0:00]
Running from: C:\Documents and Settings\david douglas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\david douglas\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\append.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-14 10:31 . 2008-02-14 10:31 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-02-14 10:31 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 13:07 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-14 10:22 . 2008-02-14 10:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-13 20:08 . 2008-02-13 20:08 0 --a------ C:\WINDOWS\SETUP32.INI
2008-02-13 19:55 . 2008-02-13 19:55 <DIR> d-------- C:\Program Files\directx
2008-02-13 19:51 . 2008-02-13 19:51 36 --a------ C:\WINDOWS\Tiny_Run.ini
2008-02-13 19:49 . 2008-02-13 19:49 <DIR> d-------- C:\Program Files\Zoo
2008-02-13 19:49 . 2004-02-20 22:20 131,072 -ra------ C:\WINDOWS\system32\duninstall.exe
2008-02-13 19:49 . 2008-02-13 19:49 47 --a------ C:\WINDOWS\1.0
2008-02-12 16:55 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-12 16:54 . 2008-02-12 16:55 <DIR> d-------- C:\Program Files\Java
2008-02-12 16:19 . 2008-02-12 16:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-12 12:11 . 2008-02-12 12:11 <DIR> d-------- C:\Program Files\ToniArts
2008-02-12 10:53 . 2008-02-12 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-11 17:31 . 2008-02-11 17:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-11 17:31 . 2008-02-11 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 11:29 . 2008-02-11 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-02-10 20:49 . 2008-02-10 20:49 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 20:49 . 2008-02-10 20:49 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\Spybot - Search & Destroy
2008-02-10 20:49 . 2008-02-11 19:17 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\AVG7
2008-02-10 20:48 . 2008-02-10 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 19:10 . 2008-02-10 19:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-10 19:08 . 2008-02-10 19:08 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 19:06 . 2008-02-10 19:06 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-10 18:32 . 2008-02-11 13:05 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-10 18:17 . 2008-02-17 09:30 <DIR> d-------- C:\Program Files\Trojan Remover
2008-02-10 18:17 . 2008-02-10 18:17 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\Simply Super Software
2008-02-10 18:17 . 2008-02-12 20:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-10 18:17 . 2008-02-10 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-02-10 18:17 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-02-10 18:17 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-02-10 18:17 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-02-10 18:17 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-02-10 18:17 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-02-10 18:14 . 2008-02-10 18:14 <DIR> d-------- C:\Program Files\AML Products
2008-02-10 18:14 . 1998-12-24 20:23 40,960 --a------ C:\WINDOWS\system32\VBAME.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 12:30 --------- d-----w C:\Program Files\BitComet
2008-02-14 08:56 --------- d-----w C:\Program Files\Dl_cats
2008-02-14 08:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-11 10:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-10 19:15 --------- d-----w C:\Documents and Settings\david douglas\Application Data\Lavasoft
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 18:09 68856]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 21:46 135168]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 23:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 23:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 23:10 114688]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 19:36 729178]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 13:58 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 07:45 430080]
"MemoryCardManager"="" []
"BTopenworld"="c:\program files\bt yahoo! internet\DialBTYahoo.exe" [2007-10-14 13:10 333472]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 18:40 2577632]
"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 06:39 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-12-04 21:03 36640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 01:17 443968]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 20:49 219136]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll

R3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2005-06-21 08:19]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 16:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 16:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 16:59]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 09:51:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\BT Yahoo! Internet\ModemLock.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\BT Yahoo! Internet\Watchdog.exe
.
**************************************************************************
.
Completion time: 2008-02-17 9:53:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-17 09:53:25
ComboFix2.txt 2008-02-16 10:56:32
ComboFix3.txt 2008-02-15 14:20:20
ComboFix4.txt 2008-02-12 17:29:03
.
2008-02-16 10:29:37 --- E O F ---


thanks again
jim


Joe_London
(HijackThis Helper)
Sun Feb 17 2008 07:09 PM
Re: help with father-in-laws hijack this log please

Hi Jim,

The append.dll was still present and is now deleted so we made some progress that time. However it still failed to edit the registry as it should.

Try this:

Open Notepad, (Start | Run, type in Notepad)
Copy ALL the bold text below to notepad.
Click File | Save As
Change the Save as type to *All Files*
Save it to your desktop as fixme.reg


REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

Reboot your computer.

Delete the fixme.reg

  1. Download ComboFix.exe using either of these links: (You shouldn't need to download the programme again, I hope.)

    Link 1
    Link 2
    Link 3

  2. Double click on combofix.exe to run the programme & then follow the prompts.

    It will create a new system restore point and registry backup.

    You will be asked to type 1 (One) and then "enter" to run the programme.

    Your firewall may seek permission to allow the programme to run. Check the "Remember" checkbox and click Yes.

  3. When finished, it will produce a log for you. Save the log, then copy and post it back here in your reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Joe.
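The fixme.reg above resets the SecurityProviders value to the Windows XP default after the CFScript failed to do so. As an added example (not code from the thread, ComboFix or HijackThis), here is a small Python triage script that reads the "Reg Loading Points" section of a ComboFix log like the ones posted here, reports any DLL outside that default list, and builds the same REGEDIT4 fix. The sample log excerpts are constructed from the two logs in this thread; the expected-provider list is the XP one shown here, and later Windows versions use a different default set.

```python
"""Triage helper for the SecurityProviders hijack discussed in this thread.

Added example, not code from the thread, ComboFix or HijackThis. It parses
the 'Reg Loading Points' section of a ComboFix log, compares the
SecurityProviders value with the Windows XP default list shown in the thread,
and builds the same kind of REGEDIT4 fix file that Joe_London posted.
"""

# Windows XP default value, as it appears in the fixme.reg above. Later
# Windows versions ship a different default set, so adjust before reusing.
EXPECTED_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

SECURITY_PROVIDERS_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders"
)


def parse_security_providers(log_text):
    """Return the DLL names listed under the securityproviders key in a ComboFix log.

    ComboFix prints the key header in lower case and the value on the next
    line as 'SecurityProviders a.dll, b.dll' (sometimes with no space after
    the commas). Returns [] when the key or its value line is absent.
    """
    lines = log_text.splitlines()
    header = "[" + SECURITY_PROVIDERS_KEY.lower() + "]"
    for index, line in enumerate(lines):
        if line.strip().lower() != header:
            continue
        for value_line in lines[index + 1:]:
            value_line = value_line.strip()
            if not value_line:
                continue
            if not value_line.lower().startswith("securityproviders"):
                return []  # key present but no value line; treat as empty
            body = value_line[len("SecurityProviders"):]
            return [part.strip().lower() for part in body.split(",") if part.strip()]
        return []
    return []


def unexpected_providers(providers, expected=EXPECTED_PROVIDERS):
    """DLLs present in the registry value but not in the known-good list."""
    return [dll for dll in providers if dll not in expected]


def build_fix_reg(expected=EXPECTED_PROVIDERS):
    """REGEDIT4 text that deletes the key and recreates it with only known-good DLLs."""
    return (
        "REGEDIT4\n\n"
        "[-" + SECURITY_PROVIDERS_KEY + "]\n"
        "[" + SECURITY_PROVIDERS_KEY + "]\n"
        '"SecurityProviders"="' + ", ".join(expected) + '"\n'
    )


def triage(log_text):
    """Return (unexpected_dlls, fix_reg_text_or_None) for one ComboFix log."""
    extras = unexpected_providers(parse_security_providers(log_text))
    return extras, (build_fix_reg() if extras else None)


# Constructed excerpts, copied from the two ComboFix logs posted in this thread.
INFECTED_LOG = r"""
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 20:49 219136]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll

R3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2005-06-21 08:19]
"""

CLEAN_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll,schannel.dll,digest.dll,msnsspc.dll
"""

if __name__ == "__main__":
    for name, log in (("infected log", INFECTED_LOG), ("clean log", CLEAN_LOG)):
        extras, fix = triage(log)
        print(name + ":", extras if extras else "no unexpected providers")
        if fix:
            print(fix)
```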


jimmyf
(regular)
Mon Feb 18 2008 01:05 PM
Re: help with father-in-laws hijack this log please

Hi Joe,
Here's the new log after the fixme.reg.

ComboFix 08-02-14.2 - david douglas 2008-02-18 12:55:20.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.209 [GMT 0:00]
Running from: C:\Documents and Settings\david douglas\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-14 10:31 . 2008-02-14 10:31 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-02-14 10:31 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 13:07 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-14 10:22 . 2008-02-14 10:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-13 20:08 . 2008-02-13 20:08 0 --a------ C:\WINDOWS\SETUP32.INI
2008-02-13 19:55 . 2008-02-13 19:55 <DIR> d-------- C:\Program Files\directx
2008-02-13 19:51 . 2008-02-13 19:51 36 --a------ C:\WINDOWS\Tiny_Run.ini
2008-02-13 19:49 . 2008-02-13 19:49 <DIR> d-------- C:\Program Files\Zoo
2008-02-13 19:49 . 2004-02-20 22:20 131,072 -ra------ C:\WINDOWS\system32\duninstall.exe
2008-02-13 19:49 . 2008-02-13 19:49 47 --a------ C:\WINDOWS\1.0
2008-02-12 16:55 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-12 16:54 . 2008-02-12 16:55 <DIR> d-------- C:\Program Files\Java
2008-02-12 16:19 . 2008-02-12 16:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-12 12:11 . 2008-02-12 12:11 <DIR> d-------- C:\Program Files\ToniArts
2008-02-12 10:53 . 2008-02-12 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-11 17:31 . 2008-02-11 17:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-11 17:31 . 2008-02-11 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 11:29 . 2008-02-11 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-02-10 20:49 . 2008-02-10 20:49 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 20:49 . 2008-02-10 20:49 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\Spybot - Search & Destroy
2008-02-10 20:49 . 2008-02-11 19:17 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\AVG7
2008-02-10 20:48 . 2008-02-10 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 19:10 . 2008-02-10 19:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-10 19:08 . 2008-02-10 19:08 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 19:06 . 2008-02-10 19:06 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-10 18:32 . 2008-02-11 13:05 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-10 18:17 . 2008-02-17 09:30 <DIR> d-------- C:\Program Files\Trojan Remover
2008-02-10 18:17 . 2008-02-10 18:17 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\Simply Super Software
2008-02-10 18:17 . 2008-02-12 20:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-10 18:17 . 2008-02-10 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-02-10 18:17 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-02-10 18:17 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-02-10 18:17 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-02-10 18:17 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-02-10 18:17 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-02-10 18:14 . 2008-02-10 18:14 <DIR> d-------- C:\Program Files\AML Products
2008-02-10 18:14 . 1998-12-24 20:23 40,960 --a------ C:\WINDOWS\system32\VBAME.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 12:30 --------- d-----w C:\Program Files\BitComet
2008-02-14 08:56 --------- d-----w C:\Program Files\Dl_cats
2008-02-14 08:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-11 10:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-10 19:15 --------- d-----w C:\Documents and Settings\david douglas\Application Data\Lavasoft
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 18:09 68856]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 21:46 135168]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 23:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 23:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 23:10 114688]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 19:36 729178]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 13:58 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 07:45 430080]
"MemoryCardManager"="" []
"BTopenworld"="c:\program files\bt yahoo! internet\DialBTYahoo.exe" [2007-10-14 13:10 333472]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 18:40 2577632]
"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 06:39 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-12-04 21:03 36640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 01:17 443968]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 20:49 219136]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll,schannel.dll,digest.dll,msnsspc.dll

R3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2005-06-21 08:19]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 16:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 16:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 16:59]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 12:57:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-18 12:57:50
ComboFix-quarantined-files.txt 2008-02-18 12:57:34
ComboFix2.txt 2008-02-17 09:53:35
ComboFix3.txt 2008-02-16 10:56:32
ComboFix4.txt 2008-02-15 14:20:20
ComboFix5.txt 2008-02-12 17:29:03
.
2008-02-16 10:29:37 --- E O F ---

cheers
jim


Joe_London
(HijackThis Helper)
Mon Feb 18 2008 02:38 PM
Re: help with father-in-laws hijack this log please

That's got it, Jim.

OK, let's move on now.

Update if necessary and run CCleaner next.

Here are the full instructions:

Download CCleaner from here to clean temp files from your computer.
Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location.
Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
Click Run Cleaner to run the program.
Caution: Uncheck the 'Issues' tab as it's not necessary for the purpose of this fix.
After it has completed its process, click Exit.

Please see: CCleaner Beginner's Guide

Now run AVG Anti-Spyware. Here are the full instructions; if you already have this, make sure it's fully updated with the latest definitions.

Download and install AVG Anti-Spyware 7.5
(This is Ewido 4.0 renamed. If you already have Ewido installed, please update to AVG Anti-Spyware which has a special "clean driver" for removing persistent malware)
  1. After download, double click on the file to launch the install process.
  2. Choose a language, click "OK" and then click "Next".
  3. Read the "License Agreement" and click "I Agree".
  4. Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
  5. After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
  6. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
  7. Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
  8. Go to Start > Run and type: services.msc
    • Press "OK".
    • Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
    • When you find the guard service, double-click on it.
    • In the Properties Window > General Tab that opens, click the "Stop" button.
    • From the drop-down menu next to "Startup Type", click on "Manual".
    • Now click "Apply", then "OK" and close the Services window.
  9. Select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
    Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.

    Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Scan with AVG Anti-Spyware as follows:
    1. Launch AVG Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.
    • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set the default action for detected malware.
    • Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
    • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
    2. Click the "Scan" tab to return to scanning options.
    3. Click "Complete System Scan" to start.
    4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

    IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

    5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
    6. Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.


Then do an online scan here:

  • Run Panda's ActiveScan from here and perform a full system scan.
  • Once you are on the Panda site click the "Scan your PC" button
  • A new window will open...click the big "Check Now" button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
  • Click on "Local Disks" to start the scan
  • When the scan completes, click the See Report button, then Save Report and save it to a convenient location.
  • Post the log here in your next response.


Then post both logs please.

Joe.


jimmyf
(regular)
Tue Feb 19 2008 04:41 PM
Re: help with father-in-laws hijack this log please

Hi Joe,
Followed your instructions re AVG Anti-Spyware last night. It took approx 1hr 15mins to go through the test and it found 4 threats, which were dealt with when I clicked on Apply all actions. Unfortunately it would not allow me to click on Save Report and, although 'create report after each scan' is checked, it didn't. I'm currently scanning again in safe mode and will let you know how that goes.
thanks again
jim


Joe_London
(HijackThis Helper)
Tue Feb 19 2008 04:44 PM
Re: help with father-in-laws hijack this log please

That's fine, Jim, they can sometimes be slow.

Joe.


jimmyf
(regular)
Tue Feb 19 2008 08:56 PM
Re: help with father-in-laws hijack this log please

Hi Joe, AVG saved my 2nd scan, which now shows no problems; however the Panda scan shows 4 problems. Both scans below.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 16:56:19 19/02/2008

+ Scan result:



Nothing found.


::Report end




Incident Status Location

Potentially unwanted tool:Application/MyWay Not disinfected C:\Config.Msi\1dac91.rbf
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\david douglas\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\david douglas\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\Nircmd.exe

cheers
jim


Joe_London
(HijackThis Helper)
Tue Feb 19 2008 10:08 PM
Re: help with father-in-laws hijack this log please

Hi Jim,

About this entry flagged up by Panda:
Potentially unwanted tool:Application/MyWay Not disinfected C:\Config.Msi\1dac91.rbf
MyWay is pre-installed on Dell computers, so it's best to leave it if it's not causing any problems.
The .RBF files and the Config.Msi folder are used by the Windows Installer rollback process. The rollback script (.RBS) file is always stored in the Config.Msi folder on the drive where the operating system is installed. The .RBF files are stored in the Config.Msi folder located on the drive where the application that is being backed up currently resides. This is done so that there is no crossing of drives when backing up the application files. Files with a RBS file extension are rollback script files and files with a RBF file extension are backups of existing files. All rollback files and the Config.Msi folder are deleted when the installation completes successfully.

The other entries are all associated with Combofix which you can now remove:

combofix cleanup.

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK (case insensitive)
  • When shown the disclaimer, Select "2"

    The above procedure will:

  • Delete ComboFix and its associated files and folders.


Please go to the add/remove utility in the control panel and uninstall

Java(TM) 6 Update 3

Please download the latest Sun java update (Update 4) from MajorGeeks: http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html.

You also need to review your protections. I can see the following present:
Ad-Aware SE Professional
a-squared Free 3.1
AVG AntiSpyware
Trojan Remover 6.6.4
AVG AntiVirus
BT Yahoo! Internet\ModemLock.exe
BT Yahoo! Internet\Watchdog.exe
Spybot - Search & Destroy\TeaTimer.exe


What Firewall do you have?

Ideally you need one good third party firewall such as Comodo, and one Anti-Virus; AVG is fine. You can have as many anti-Spyware programmes on the hard drive as you want, but make sure just one is running. I recommend installing the following as well:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

McAfee SiteAdvisor.
http://www.siteadvisor.com/

Joe.


jimmyf
(regular)
Thu Feb 21 2008 07:42 PM
Re: help with father-in-laws hijack this log please

Hi Joe,
I have deleted ComboFix as above and I am downloading the Java update.
I have installed SiteAdvisor and SpywareBlaster. He has Sygate firewall and AVG antivirus, CCleaner, Spybot, EasyCleaner, Trojan Remover and a-squared installed. Should I leave the AVG Anti-Spyware as it is, or set it to start with Windows etc?
thanks again
jim


Joe_London
(HijackThis Helper)
Fri Feb 22 2008 09:26 AM
Re: help with father-in-laws hijack this log please

Hi Jim,

he has sygate firewall <-- Great programme but no longer supported, unfortunately. Leave as is for now. I'm personally using Comodo; just installed it, so it's too early to express an opinion, but I'm pleased so