jimmyf
Father-in-law has asked me to try and get rid of a trojan downloader on his laptop. I have used AVG/Trojan Remover/a-squared and a registry cleaner. I think it's gone, but fifeflyer suggested I post a HijackThis log. Another persistent problem is his dial-up connection to BT Yahoo is lost when Outlook Express tries to connect - I'm not sure if the problem is related to the trojan. The trojan was present in the system32 folder as 'append.dll', which seems to be gone. Thanks for all help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:48, on 12/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\BT Yahoo! Internet\ModemLock.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Yahoo! Internet\Watchdog.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\BT Yahoo! Internet\DialBTYahoo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/scotland/default.stm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F02D978-0FF6-80F7-60BB-0426224AB7B3} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: .protected
O4 - Global Startup: .protected
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol028.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E856656E-D2E7-4BBC-8D27-9438BE1BB8A1}: NameServer = 194.72.0.98 62.6.40.162
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Intel(R) Corporation - (no file)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
-- End of file - 8974 bytes
Joe_London (HijackThis Helper)
Please disable the following programmes from running at startup:
Spybot - Search & Destroy TeaTimer
AOL Spyware Protection
TrojanScanner
You should be able to do this from within the respective programmes. Make sure you do this first, as these programmes may interfere with the fix.
Please uninstall the current outdated Sun Java via the Add/Remove utility in the Control Panel and then download the latest Sun Java update from here: http://www.java.com/en/download/windows_ie.jsp
Reboot the computer.
Open HijackThis, take another scan and place a checkmark next to these entries.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {2F02D978-0FF6-80F7-60BB-0426224AB7B3} - (no file)
Close all open windows except HijackThis and click on "Fix Checked". Reboot the computer.
- 1. Download ComboFix.exe using either of these links:
Link 1 Link 2 Link 3
- Double click on combofix.exe to run the programme & then follow the prompts.
It will create a new system restore point and registry backup.
You will be asked to type 1 (One) and then "enter" to run the programme.
Your firewall may seek permission to allow the programme to run. Check the "Remember" checkbox and click Yes.
- When finished, it will produce a log for you. Save the log, then copy and post it back here with a fresh HJT log in your next reply.
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
Please also post the following:
Open HijackThis, click Config | Misc Tools | Open Uninstall Manager. A list of the entries in Add/Remove Programs will appear. Click on Save List... The list will be saved as 'Uninstall_list.txt'. Copy & paste the contents in your next reply.
Joe.
-------------------- If I have helped you in any way, please consider a donation:
Joe's WebSite.
Member of UNITE and ASAP.
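The three entries Joe asks to have fixed above share one property: the registry still references a browser hook, BHO or IE setting whose target no longer exists, which is what an AV clean-up typically leaves behind. The script below is an added example for this thread, not HijackThis's own code and not Joe's tooling. It applies that rule mechanically to HijackThis output: entries ending in "(no file)" and R0/R1 settings with an empty value are reported as orphans that can be fixed, while O23 services with "Unknown owner" are only marked for review, since OEM components often ship without a publisher string. The sample lines are copied from the first log in this thread; the classification thresholds are my own.

```python
"""Mechanical triage of HijackThis log lines.

Added example for this thread, not HijackThis's own code. It generalises
the rule the helper applied above: an entry whose target no longer exists
is an orphan and safe to fix; a service with no publisher string is worth
a look but is not evidence of infection on its own.
"""
import re

# One HijackThis entry: section code (R0, O2, O23, ...), " - ", then the body.
HJT_ENTRY = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")


def classify(line):
    """Return (kind, reason) if the entry deserves attention, else None."""
    m = HJT_ENTRY.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body").rstrip()
    if body.endswith("(no file)"):
        return kind, "orphan: registered component's file is missing"
    if kind in ("R0", "R1") and body.endswith("="):
        return kind, "orphan: empty Internet Explorer setting"
    if kind == "O23" and "Unknown owner" in body:
        return kind, "review: service has no publisher string"
    return None


def triage_hjt(log_text):
    """Return [(kind, reason, line)] for every flagged entry, in log order."""
    flagged = []
    for raw in log_text.splitlines():
        hit = classify(raw)
        if hit:
            kind, reason = hit
            flagged.append((kind, reason, raw.strip()))
    return flagged


def orphans(log_text):
    """Only the lines that can be checked and fixed in HijackThis."""
    return [line for _, reason, line in triage_hjt(log_text) if reason.startswith("orphan")]


# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/scotland/default.stm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {2F02D978-0FF6-80F7-60BB-0426224AB7B3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: NICCONFIGSVC - Intel(R) Corporation - (no file)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

if __name__ == "__main__":
    for kind, reason, line in triage_hjt(SAMPLE_HJT):
        print(f"{kind:4} {reason}")
        print(f"     {line}")
```

Run against the sample it reports the same three entries Joe selected, plus the NICCONFIGSVC service that also resolves to "(no file)" and the dlcd_device service for review only (its DLCD prefix matches the Dell Photo AIO Printer 944 entries elsewhere in the log, so it is most likely the printer's, not malware). The heuristic finds leftovers; it does not find a live component with a valid path, which is why a second tool was still needed in this thread.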
jimmyf
Thanks - I think I've completed all the tasks, so here are the logs you asked for.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:05:53, on 12/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\BT Yahoo! Internet\ModemLock.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Yahoo! Internet\Watchdog.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BT Yahoo! Internet\DialBTYahoo.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/scotland/default.stm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol028.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E856656E-D2E7-4BBC-8D27-9438BE1BB8A1}: NameServer = 62.6.40.162 194.72.0.98
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Intel(R) Corporation - (no file)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
-- End of file - 8363 bytes
ComboFix log

ComboFix 08-02.02.2 - david douglas 2008-02-12 17:26:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.268 [GMT 0:00]
Running from: C:\Downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\.protected
C:\Documents and Settings\david douglas\Application Data\Install.dat
C:\WINDOWS\.protected
C:\WINDOWS\system32\drivers\etc\.protected
.
((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.
2008-02-12 16:55 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-12 16:54 . 2008-02-12 16:55 <DIR> d-------- C:\Program Files\Java
2008-02-12 16:19 . 2008-02-12 16:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-12 12:11 . 2008-02-12 12:11 <DIR> d-------- C:\Program Files\ToniArts
2008-02-12 10:53 . 2008-02-12 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-11 17:31 . 2008-02-11 17:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-11 17:31 . 2008-02-11 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 11:29 . 2008-02-11 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-02-10 20:49 . 2008-02-10 20:49 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 20:49 . 2008-02-10 20:49 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\Spybot - Search & Destroy
2008-02-10 20:49 . 2008-02-11 19:17 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\AVG7
2008-02-10 20:48 . 2008-02-10 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 19:10 . 2008-02-10 19:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-10 19:08 . 2008-02-10 19:08 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 19:06 . 2008-02-10 19:06 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-10 18:32 . 2008-02-11 13:05 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-10 18:17 . 2008-02-12 10:11 <DIR> d-------- C:\Program Files\Trojan Remover
2008-02-10 18:17 . 2008-02-10 18:17 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\Simply Super Software
2008-02-10 18:17 . 2008-02-12 15:50 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-10 18:17 . 2008-02-10 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-02-10 18:17 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-02-10 18:17 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-02-10 18:17 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-02-10 18:17 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-02-10 18:17 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-02-10 18:14 . 2008-02-10 18:14 <DIR> d-------- C:\Program Files\AML Products
2008-02-10 18:14 . 1998-12-24 20:23 40,960 --a------ C:\WINDOWS\system32\VBAME.DLL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-12 12:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-11 10:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-10 19:15 --------- d-----w C:\Documents and Settings\david douglas\Application Data\Lavasoft
2008-01-30 18:41 --------- d-----w C:\Program Files\Dl_cats
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 18:09 68856]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 21:46 135168]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 23:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 23:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 23:10 114688]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 19:36 729178]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 13:58 86016]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-11-19 10:39 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-19 10:40 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 07:45 430080]
"MemoryCardManager"="" []
"BTopenworld"="c:\program files\bt yahoo! internet\DialBTYahoo.exe" [2007-10-14 13:10 333472]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 18:40 2577632]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-11 10:25 579072]
"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 06:39 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 01:17 443968]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 20:49 219136]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll

R3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2005-06-21 08:19]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 16:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 16:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 16:59]
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 17:28:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCDCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-12 17:29:02
ComboFix-quarantined-files.txt 2008-02-12 17:28:47
.
2008-01-22 20:20:17 --- E O F ---
Uninstall list

944plc32
ABBYY FineReader 6.0 Sprint
Ad-Aware SE Professional
Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
AML Free Registry Cleaner 4.0
AOL UK (Choose which version to remove)
ARTEuro
a-squared Free 3.1
AVG 7.5
BitComet 0.86
BT Yahoo! Internet Connection Manager 8.0
CCleaner (remove only)
Conexant D110 MDC V.9x Modem
Dell Driver Reset Tool
Dell Media Experience
Dell Photo AIO Printer 944
Dell Wireless WLAN Card
DellSupport
Digital Line Detect
EasyCleaner
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internal Network Card Power Management
Internet Explorer Default Page
Java(TM) 6 Update 3
Learn2 Player (Uninstall Only)
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Works 7.0
Modem Helper
Mozilla Firefox (1.0.6)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
NetWaiting
Picasa 2
PowerDVD 5.5
QuickSet
QuickTime
RealPlayer Basic
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3 USB Driver Installer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sygate Personal Firewall
Synaptics Pointing Device Driver
Trojan Remover 6.6.4
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Viewpoint Media Player
Vodafone 804SS USB driver Software
Wanadoo Europe Installer
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
THANKS AGAIN!
|
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 10265
Loc: London
|
|
Thanks, I'll look through your logs and get back to you ASAP
Joe.
-------------------- If I have helped you in any way, please consider a donation:
Joe's WebSite.
Member of UNITE and ASAP.
|
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 10265
Loc: London
|
|
Please delete this foistware via the add/remove utility in the control panel. Viewpoint Media Player
Copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad*
Copy and paste all the text in the quotebox below into it:
Quote:
KillAll::
Folder:: C:\Program Files\Viewpoint
ADS:: C:\windows\system32
Registry:: [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "append.dll"=-
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

If the image isn't visible Click Here to view.
Referring to the picture above, drag CFScript.txt into ComboFix.exe
This reactivates Combofix. Again follow the prompts.
It will create another System restore point.
When finished, it shall produce a log for you at C:\ComboFix.txt
Copy and paste the ComboFix.txt. *Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
Can you also review your security? Ideally you need one third-party firewall, one anti-virus, one anti-spyware programme, Spywareblaster, Ccleaner and McAfee Site Advisor. You can have other anti-spyware programmes, but only one running at startup is recommended.
I see you are still using IE 6; may I suggest updating that and the system as well.
Joe.
-------------------- If I have helped you in any way, please consider a donation:
Joe's WebSite.
Member of UNITE and ASAP.
|
jimmyf
regular
Reg'd: Thu
Posts: 58
|
|
new combofix log
ComboFix 08-02-14.2 - david douglas 2008-02-14 9:58:22.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.242 [GMT 0:00]
Running from: C:\Documents and Settings\david douglas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\david douglas\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! .
I will install Site Advisor and Spyware Blaster and update IE. He has Sygate firewall and AVG antivirus, Ccleaner and a-squared installed - should that be enough? Thanks again, Jim
|
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 10265
Loc: London
|
|
Quote:
new combofix log
Can you post the complete log please? That looks as if most of it is missing.
Joe.
-------------------- If I have helped you in any way, please consider a donation:
Joe's WebSite.
Member of UNITE and ASAP.
|
jimmyf
regular
Reg'd: Thu
Posts: 58
|
|
Hi Joe, that's all that was saved under combofix.txt; however, this has been saved as cflog:
C:\>prompt $
title .
color 17
set "cfldr=327882R2FWJFW"
set param_="C:\Documents and Settings\david douglas\Desktop\CFScript.txt"
if defined param_ set param_="C:\Documents and Settings\david douglas\Desktop\CFScript.txt"
if defined param_ set param_="C:\Documents and Settings\david douglas\Desktop\CFScript.txt"
cd /d "C:\"
if not exist "327882R2FWJFW" goto Abort
if exist "C:\DOCUME~1\DAVIDD~1\LOCALS~1\Temp\327882R2FWJFW327882R2FWJFW.log" del "C:\DOCUME~1\DAVIDD~1\LOCALS~1\Temp\327882R2FWJFW327882R2FWJFW.log" 2>nul
"327882R2FWJFW\Nircmd.com" win close ititle "ComboFix"
copy /y/b/v C:\WINDOWS\system32\cmd.exe "327882R2FWJFW\kmd.exe" 1>nul 2>&1
For /F "tokens=*" %g in ("C:\Downloads\ComboFix.exe") do @( set "FileName=%~ng" set "FilePath=%~dpg" )
If /I "C:\Downloads\" NEQ "C:\" If exist "C:\Downloads\kmd.exe" del "C:\Downloads\kmd.exe" 2>nul
If not defined FileName goto END
DIR /AD/B | C:\WINDOWS\System32\FindStr.exe -IVX ComboFix 1>dirname00
C:\WINDOWS\System32\FindStr.exe -LIXC:"ComboFix" dirname00 1>nul 2>&1 && call :NameChk
del /Q dirname0? 2>nul
If exist "ComboFix" DIR /AD "ComboFix" 1>nul 2>&1 && ( rd /s/q "ComboFix" 2>nul If exist "ComboFix" ( pushd "327882R2FWJFW" call pid.bat popd rd /s/q "ComboFix" 2>nul ) If exist "ComboFix" ( "327882R2FWJFW\handle.cfexe" "C:\ComboFix" | "327882R2FWJFW\SED.cfexe" -r "/pid:/!d; s/.*: (.*): .*/\1/" 1>temp00 for /F "tokens=1,2" %g in (temp00) do @echo.y | "327882R2FWJFW\Handle.cfexe" -p %g -c %h 1>nul del /q temp00 2>nul rd /s/q "ComboFix" 2>nul ) )
If exist "ComboFix" rd /s/q "ComboFix" 2>nul
If not exist "ComboFix" Ren "327882R2FWJFW" "ComboFix" 1>nul 2>&1
If exist "327882R2FWJFW" goto AbortB
set cfldr=
Start "." /d"C:\ComboFix" "C:\ComboFix\kmd.exe" /c " "C:\ComboFix\c.bat" "C:\Documents and Settings\david douglas\Desktop\CFScript.txt" "
"ComboFix\nircmd.com" execmd del Start_.cmd
del Start_.cmd
Hope that's what you require. Cheers, Jim
|
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 10265
Loc: London
|
|
Hi Jim,
Not sure what happened there, but the report appears to be corrupted for some reason. I want to make sure that registry key is restored to its default. Run part one again and post that report, which should give me the information. How's the computer running?
- 1. Download ComboFix.exe using either of these links:
Link 1 Link 2 Link 3
- Double click on combofix.exe to run the programme & then follow the prompts.
It will create a new system restore point and registry backup.
You will be asked to type 1 (One) and then "enter" to run the programme.
Your firewall may seek permission to allow the programme to run. Check the "Remember" checkbox and click yes
- When finished, it will produce a log for you. Save the log then copy and post it back here in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Obviously you can ignore the download part of the instructions.
Joe.
-------------------- If I have helped you in any way, please consider a donation:
Joe's WebSite.
Member of UNITE and ASAP.
|
jimmyf
regular
Reg'd: Thu
Posts: 58
|
|
Hi Joe, here is the new log
ComboFix 08-02-14.2 - david douglas 2008-02-15 14:17:53.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.291 [GMT 0:00]
Running from: C:\Documents and Settings\david douglas\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 ))))))))))))))))))))))))))))))) .
2008-02-14 12:45 . 2008-02-15 12:40 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-02-14 10:31 . 2008-02-14 10:31 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-02-14 10:31 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 13:07 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-14 10:22 . 2008-02-14 10:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-13 20:08 . 2008-02-13 20:08 0 --a------ C:\WINDOWS\SETUP32.INI
2008-02-13 19:55 . 2008-02-13 19:55 <DIR> d-------- C:\Program Files\directx
2008-02-13 19:51 . 2008-02-13 19:51 36 --a------ C:\WINDOWS\Tiny_Run.ini
2008-02-13 19:49 . 2008-02-13 19:49 <DIR> d-------- C:\Program Files\Zoo
2008-02-13 19:49 . 2004-02-20 22:20 131,072 -ra------ C:\WINDOWS\system32\duninstall.exe
2008-02-13 19:49 . 2008-02-13 19:49 47 --a------ C:\WINDOWS\1.0
2008-02-12 16:55 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-12 16:54 . 2008-02-12 16:55 <DIR> d-------- C:\Program Files\Java
2008-02-12 16:19 . 2008-02-12 16:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-12 12:11 . 2008-02-12 12:11 <DIR> d-------- C:\Program Files\ToniArts
2008-02-12 10:53 . 2008-02-12 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-11 17:31 . 2008-02-11 17:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-11 17:31 . 2008-02-11 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 11:29 . 2008-02-11 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-02-10 20:49 . 2008-02-10 20:49 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 20:49 . 2008-02-10 20:49 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\Spybot - Search & Destroy
2008-02-10 20:49 . 2008-02-11 19:17 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\AVG7
2008-02-10 20:48 . 2008-02-10 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 19:10 . 2008-02-10 19:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-10 19:08 . 2008-02-10 19:08 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 19:06 . 2008-02-10 19:06 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-10 18:32 . 2008-02-11 13:05 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-10 18:17 . 2008-02-15 14:11 <DIR> d-------- C:\Program Files\Trojan Remover
2008-02-10 18:17 . 2008-02-10 18:17 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\Simply Super Software
2008-02-10 18:17 . 2008-02-12 20:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-10 18:17 . 2008-02-10 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-02-10 18:17 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-02-10 18:17 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-02-10 18:17 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-02-10 18:17 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-02-10 18:17 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-02-10 18:14 . 2008-02-10 18:14 <DIR> d-------- C:\Program Files\AML Products
2008-02-10 18:14 . 1998-12-24 20:23 40,960 --a------ C:\WINDOWS\system32\VBAME.DLL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 12:30 --------- d-----w C:\Program Files\BitComet
2008-02-14 08:56 --------- d-----w C:\Program Files\Dl_cats
2008-02-14 08:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-11 10:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-10 19:15 --------- d-----w C:\Documents and Settings\david douglas\Application Data\Lavasoft
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 18:09 68856]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 21:46 135168]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 23:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 23:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 23:10 114688]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 19:36 729178]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 13:58 86016]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-11-19 10:39 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-19 10:40 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 07:45 430080]
"MemoryCardManager"="" []
"BTopenworld"="c:\program files\bt yahoo! internet\DialBTYahoo.exe" [2007-10-14 13:10 333472]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 18:40 2577632]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-11 10:25 579072]
"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 06:39 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-11-11 13:42 726608]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-12-04 21:03 36640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 01:17 443968]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 20:49 219136]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll

R3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2005-06-21 08:19]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 16:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 16:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 16:59]
. **************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-02-15 14:19:44 Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
**************************************************************************
.
Completion time: 2008-02-15 14:20:20
ComboFix-quarantined-files.txt 2008-02-15 14:20:03
ComboFix2.txt 2008-02-12 17:29:03
.
2008-02-15 12:40:56 --- E O F ---
The computer is running 100 times better, maintaining internet connection, desktop has been restored and various virus/trojan/malware scans have shown nothing. When I first tried to drag CFScript.txt into combofix it told me combofix had expired, so I had to download it again - not sure if that caused any problems. Thanks for all your time in this. Cheers, Jim
|
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 10265
Loc: London
|
|
Hi Jim,
Quote:
the computer is running 100 times better,maintaining internet connection, desktop has been restored and various virus/trojan/malware scans have shown nothing.
That's good to hear.
Quote:
when i first tried to drag CFScript.txt into combofix it told me combofix had expired, so i had to download it again - not sure if that caused any problems.
It's a time-limited programme that's continually updated, so that's fine.
It's not a major issue, but unfortunately it didn't edit the registry key as I'd hoped; that may be my fault.
Let's try this method:
Copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad*
Copy and paste all the text in the quotebox below into it:
Quote:
KillAll::
Registry:: [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

If the image isn't visible Click Here to view.
Referring to the picture above, drag CFScript.txt into ComboFix.exe
This reactivates Combofix. Again follow the prompts.
It will create another System restore point.
When finished, it shall produce a log for you at C:\ComboFix.txt
Copy and paste the ComboFix.txt log in your next reply.
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
Joe.
-------------------- If I have helped you in any way, please consider a donation:
Joe's WebSite.
Member of UNITE and ASAP.
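The registry key Joe keeps coming back to, HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders, lists the Security Support Provider DLLs that LSA loads at boot, so an extra name there is a persistence point worth checking before and after a cleanup. The Python below is an added illustration, my own code rather than anything posted in this thread or part of ComboFix or HijackThis: it parses the "Reg Loading Points" section of a ComboFix log like the ones above, lists the Run-key autostarts, and flags any SecurityProviders entry that is not one of the four Windows XP defaults Joe quotes in both his CFScripts. The sample log text embedded in the script is constructed from lines in this thread; the function names are mine.

```python
import re

# Windows XP default SecurityProviders value, as quoted in Joe's CFScript above.
XP_DEFAULT_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

# Constructed sample: a few "Reg Loading Points" lines copied from the second
# ComboFix log in this thread (raw string so the backslashes stay literal).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 23:09 94208]
"MemoryCardManager"="" []
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 18:40 2577632]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll
"""

# "name"="command" [date time size]  -- the shape ComboFix uses for Run values.
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)"(?:\s*\[(?P<meta>[^\]]*)\])?')


def parse_run_entries(log_text):
    """Map each registry key in the log to its (value name, command, metadata) triples."""
    entries = {}
    current_key = None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # a "[HKEY_...]" header starts a new key
            continue
        match = RUN_ENTRY.match(line)
        if match and current_key is not None:
            entries.setdefault(current_key, []).append(
                (match.group("name"), match.group("cmd"), match.group("meta") or "")
            )
    return entries


def parse_security_providers(log_text):
    """Return the DLL names on the SecurityProviders line, lower-cased, or None if absent."""
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("securityproviders"):
            value = line[len("SecurityProviders"):]
            return [p.strip().lower() for p in value.split(",") if p.strip()]
    return None


def unexpected_providers(providers, baseline=XP_DEFAULT_PROVIDERS):
    """Providers that are not in the baseline, in the order LSA would load them."""
    return [p for p in providers if p not in baseline]


def review(log_text):
    """Verdict lines a helper could paste back; an empty list means the key is at default."""
    providers = parse_security_providers(log_text)
    if providers is None:
        return ["SecurityProviders line not present in this log"]
    extras = unexpected_providers(providers)
    return [f"non-default security provider: {dll} (loaded by LSA at boot)" for dll in extras]


if __name__ == "__main__":
    for key, values in parse_run_entries(SAMPLE_LOG).items():
        print(key)
        for name, cmd, _meta in values:
            print(f"  {name!r} -> {cmd or '<empty>'}")
    for verdict in review(SAMPLE_LOG):
        print("FLAG:", verdict)
```

Run against the sample it flags append.dll, which is exactly why Joe's second CFScript rewrites the value back to the four defaults; running the same check over the log posted after that fix is how you confirm the rewrite actually took. Because the baseline is a parameter, the same function works for a different OS version once you substitute that version's known-good list.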
|
jimmyf
regular
Reg'd: Thu
Posts: 58
|
|
here goes!
ComboFix 08-02-14.2 - david douglas 2008-02-16 10:47:59.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.309 [GMT 0:00]
Running from: C:\Documents and Settings\david douglas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\david douglas\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.
2008-02-14 10:31 . 2008-02-14 10:31 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-02-14 10:31 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 13:07 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-14 10:22 . 2008-02-14 10:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-13 20:08 . 2008-02-13 20:08 0 --a------ C:\WINDOWS\SETUP32.INI
2008-02-13 19:55 . 2008-02-13 19:55 <DIR> d-------- C:\Program Files\directx
2008-02-13 19:51 . 2008-02-13 19:51 36 --a------ C:\WINDOWS\Tiny_Run.ini
2008-02-13 19:49 . 2008-02-13 19:49 <DIR> d-------- C:\Program Files\Zoo
2008-02-13 19:49 . 2004-02-20 22:20 131,072 -ra------ C:\WINDOWS\system32\duninstall.exe
2008-02-13 19:49 . 2008-02-13 19:49 47 --a------ C:\WINDOWS\1.0
2008-02-12 16:55 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-12 16:54 . 2008-02-12 16:55 <DIR> d-------- C:\Program Files\Java
2008-02-12 16:19 . 2008-02-12 16:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-12 12:11 . 2008-02-12 12:11 <DIR> d-------- C:\Program Files\ToniArts
2008-02-12 10:53 . 2008-02-12 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-11 17:31 . 2008-02-11 17:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-11 17:31 . 2008-02-11 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 11:29 . 2008-02-11 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-02-10 20:49 . 2008-02-10 20:49 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 20:49 . 2008-02-10 20:49 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\Spybot - Search & Destroy
2008-02-10 20:49 . 2008-02-11 19:17 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\AVG7
2008-02-10 20:48 . 2008-02-10 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 19:10 . 2008-02-10 19:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-10 19:08 . 2008-02-10 19:08 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 19:06 . 2008-02-10 19:06 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-10 18:32 . 2008-02-11 13:05 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-10 18:17 . 2008-02-16 10:53 <DIR> d-------- C:\Program Files\Trojan Remover
2008-02-10 18:17 . 2008-02-10 18:17 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\Simply Super Software
2008-02-10 18:17 . 2008-02-12 20:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-10 18:17 . 2008-02-10 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-02-10 18:17 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-02-10 18:17 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-02-10 18:17 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-02-10 18:17 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-02-10 18:17 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-02-10 18:14 . 2008-02-10 18:14 <DIR> d-------- C:\Program Files\AML Products
2008-02-10 18:14 . 1998-12-24 20:23 40,960 --a------ C:\WINDOWS\system32\VBAME.DLL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 12:30 --------- d-----w C:\Program Files\BitComet
2008-02-14 08:56 --------- d-----w C:\Program Files\Dl_cats
2008-02-14 08:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-11 10:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-10 19:15 --------- d-----w C:\Documents and Settings\david douglas\Application Data\Lavasoft
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 18:09 68856]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 21:46 135168]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 23:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 23:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 23:10 114688]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 19:36 729178]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 13:58 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 07:45 430080]
"MemoryCardManager"="" []
"BTopenworld"="c:\program files\bt yahoo! internet\DialBTYahoo.exe" [2007-10-14 13:10 333472]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 18:40 2577632]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-11 10:25 579072]
"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 06:39 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-11-11 13:42 726608]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-12-04 21:03 36640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 01:17 443968]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 20:49 219136]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll

R3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2005-06-21 08:19]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 16:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 16:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 16:59]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 10:54:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\BT Yahoo! Internet\ModemLock.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\BT Yahoo! Internet\Watchdog.exe
C:\WINDOWS\system32\SNDVOL32.EXE
.
**************************************************************************
.
Completion time: 2008-02-16 10:56:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-16 10:56:23
ComboFix2.txt 2008-02-15 14:20:20
ComboFix3.txt 2008-02-12 17:29:03
.
2008-02-16 10:29:37 --- E O F ---
Cheers, Jim
|
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 10265
Loc: London
|
|
Still not worked Jim.
Please ensure TeaTimer is disabled, it can be re-activated at the end of this fix.
- Open Spybot Search & Destroy.
- In the Mode menu click "Advanced mode" if not already selected.
- Choose "Yes" at the Warning prompt.
- Expand the "Tools" menu.
- Click "Resident
|