
impis
regular


Reg'd: Sat
Posts: 305
Loc: Midlands, UK
"Spyware detected. Dowload antivirus "
      #392322 - Mon Apr 21 2008 09:33 PM

I have a desktop hijack. The screen went blue, with a yellow and green message box in the middle of the screen, with that warning on it. [or very similar wording]

I suspect that something's been going on, on here, for a few days - the pc has been really slow. I'd reduced the stuff on the startup menu, but with little effect.

This evening, I did an adaware smartscan which picked up 200+ instances of spyware, which were duly quarantined and deleted. Shortly afterwards, I uninstalled the Smartboard software [yes, this is on my home pc] and installed the latest version. During the installation, spybot resident protection came up with some registry changes - one of which I was unable to deny. Avast had just announced a trojan [as it also did earlier] but deleting it doesn't seem to have helped.

As I've typed this, a 'malware alert' box has appeared saying 'adware,WIN32.malwareAlarm attack!' It says that it is a trojan horse. It is prompting me to click on a yes or no button, but I know that I shouldn't do that - will use the task manager to close it. I suspect that my desktop, [having been changed back to my settings] is now back to the warning screen. - hmm, just checked and it's partly back - the background colour has changed to blue but the error message probably doesn't appear until I close this warning box.

Anyhow, any help to sort this out would be very much appreciated. I live on my pc, when I'm not at work, and would be lost without it.

Here's my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 21:22:42, on 21/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CbEvtSvc.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\Drivers\SAP\FD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SMART Technologies\SMART Board Drivers\Aware.exe
C:\Program Files\SMART Technologies\SMART Board Drivers\Marker.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boxersrule.com/forums/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [FD_SAP] C:\WINDOWS\System32\Drivers\SAP\FD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe
O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {03B39B10-9AB9-4DBB-8189-7F76E0CE5F3F} (FavImport Class) - https://favorites.live.com/cab/ImportAx.cab?v=13,0,1609,00
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} (UMediaPlayer Class) - http://video.myhorsecam.com/rollestone/UMediaControl5.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.co.uk/s/v/15.11/uploader2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158511635890
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.com/includes/ImageUploader4.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O18 - Protocol: crick - {B861500A-A326-11D3-A248-0080C8F7DE1E} - C:\WINDOWS\system32\CrickPro.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CbEvtSvc - Unknown owner - C:\WINDOWS\System32\CbEvtSvc.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SMART Board Service - SMART Technologies - C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
O23 - Service: SMART SNMP Agent Service - SMART Technologies Inc. - C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe
O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies\SMART Board Drivers\WebServer.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corpor

Thanks a lot

--------------------
Love Imp x


bricat
Moderator
HijackThis Helper


Reg'd: Wed
Posts: 28272
Loc: belfast
Re: "Spyware detected. Dowload antivirus " [Re: impis]
      #392434 - Tue Apr 22 2008 10:31 PM

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

--------------------
MY HELP IS FREE, BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.

A computer once beat me at chess, but it was no match for me at kick boxing.


impis
regular


Reg'd: Sat
Posts: 305
Loc: Midlands, UK
Re: "Spyware detected. Dowload antivirus " [Re: bricat]
      #392448 - Wed Apr 23 2008 07:28 AM

[imp heaves a sigh of relief - the cavalry have arrived!]

My combo fix log:

ComboFix 08-04-22.1 - Deborah 2008-04-23 6:48:23.1 - NTFSx86
Running from: C:\Documents and Settings\Deborah\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\sft.res
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CBEVTSVC
-------\Service_CbEvtSvc
-------\Service_grande48


((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-22 18:40 . 2008-04-23 06:23 578 --a------ C:\WINDOWS\index.html
2008-04-22 07:37 . 2008-04-22 07:37 <DIR> d-------- C:\Documents and Settings\John\Application Data\SMART Technologies
2008-04-21 21:27 . 2008-04-21 21:27 79,872 --a------ C:\Documents and Settings\LocalService\Application Data\1657648377.exe
2008-04-21 20:14 . 2008-04-21 20:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SMART Technologies
2008-04-21 19:20 . 2008-04-21 19:20 <DIR> d-------- C:\Documents and Settings\Deborah\Application Data\SMART Technologies
2008-04-21 19:18 . 2008-04-21 21:27 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-04-21 19:18 . 2008-04-21 21:27 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-04-21 19:15 . 2008-04-21 20:13 <DIR> d-------- C:\Program Files\SMART Technologies
2008-04-21 19:15 . 2008-04-21 20:17 <DIR> d-------- C:\Program Files\Common Files\SMART Technologies
2008-04-21 18:33 . 2008-04-23 06:21 147,456 --a------ C:\Documents and Settings\LocalService\Application Data\907608617.exe
2008-04-21 06:20 . 2008-04-21 06:20 <DIR> dr--s---- C:\assembly
2008-04-18 13:44 . 2008-04-18 13:44 57,856 --a------ C:\Documents and Settings\LocalService\Application Data\1466730356.exe
2008-04-16 20:52 . 2008-04-16 20:52 151,552 --a------ C:\Documents and Settings\LocalService\Application Data\951192718.exe
2008-04-16 20:52 . 2008-04-16 20:52 57,856 --a------ C:\Documents and Settings\LocalService\Application Data\1462011476.exe
2008-04-15 18:11 . 2008-04-15 18:11 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-15 06:47 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-14 19:27 . 2008-04-14 19:28 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-14 19:26 . 2008-04-14 19:31 <DIR> d-------- C:\Program Files\Windows Live
2008-04-14 19:24 . 2008-04-14 19:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-14 18:37 . 2008-04-14 18:38 <DIR> d-------- C:\Program Files\iTunes
2008-04-14 18:34 . 2008-04-14 18:34 <DIR> d-------- C:\Program Files\Bonjour
2008-04-14 18:29 . 2008-04-14 18:41 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-04-03 02:49 . 2008-04-03 02:49 458,752 --a------ C:\WINDOWS\system32\Smart Bulb Saver.scr
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-24 16:13 . 2008-03-24 16:13 1,250,600 --a------ C:\WINDOWS\system32\SmartDocCameraIM.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 17:46 --------- d-----w C:\Program Files\SMART Technologies Inc
2008-04-21 17:44 --------- d-----w C:\Program Files\Common Files\SMART Technologies Inc
2008-04-18 21:00 --------- d-----w C:\Program Files\Google
2008-04-15 20:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-15 17:34 --------- d-----w C:\Program Files\Learning Essentials
2008-04-14 17:38 --------- d-----w C:\Program Files\iPod
2008-04-14 17:34 --------- d-----w C:\Program Files\QuickTime
2008-04-14 17:30 --------- d-----w C:\Program Files\Apple Software Update
2008-04-11 21:11 --------- d-----w C:\Documents and Settings\Deborah\Application Data\Skype
2008-04-04 08:25 --------- d-----w C:\Documents and Settings\Deborah\Application Data\Canon
2008-03-26 21:04 --------- d-----w C:\Program Files\Vocabulary Worksheet Factory 2.0
2008-03-04 18:24 --------- d-----w C:\Program Files\Photo Story 3 for Windows
2008-03-01 14:17 --------- d-----w C:\Program Files\Textease
2008-03-01 14:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 14:00 --------- d-----w C:\Program Files\Kudlian Soft
2008-03-01 13:57 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-01 13:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 13:57 --------- d-----w C:\Documents and Settings\Deborah\Application Data\SUPERAntiSpyware.com
2008-02-28 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 17:05 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-28 17:03 691,545 ----a-w C:\WINDOWS\unins000.exe
2006-06-24 23:00 5,632 --sha-w C:\Program Files\Thumbs.db
2005-09-14 09:58 20,480 ----a-w C:\Program Files\Common Files\UninstallDrv.exe
2005-08-09 19:39 558 ----a-w C:\Program Files\The Haunting.abc
2005-07-11 16:40 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2007-03-28 22:04 749,012 --sh--w C:\WINDOWS\system32\rrqss.bak1
2007-03-29 22:06 773,905 --sh--w C:\WINDOWS\system32\rrqss.bak2
2007-03-30 20:55 804,199 --sh--w C:\WINDOWS\system32\rrqss.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33 892928]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 10:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2001-03-23 15:57 995328]
"FD_SAP"="C:\WINDOWS\System32\Drivers\SAP\FD.exe" [2004-10-29 00:52 197120]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 02:17 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SMART Board Tools.lnk.disabled [2008-04-21 19:16:57 1999]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
C:\WINDOWS\system32\DPWLEvHd.dll 2004-10-13 18:29 102400 C:\WINDOWS\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VQC4"= VQ318DEC.dll
"VIDC.JPEG"= jpegCode.dll
"VIDC.MJPG"= jpegCode.dll
"VIDC.SP54"= SP5X_32.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SMART Board Tools.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SMART Board Tools.lnk
backup=C:\WINDOWS\pss\SMART Board Tools.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 21:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AnalogX\\PortMapper\\pmapper.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\ScanSoft\\OmniPageSE\\EregEng\\NAVBrowser.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\SMART Technologies\\SMART Board Drivers\\SMARTSNMPAgent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:TCP"= 8000:TCP:broadcast
"6346:TCP"= 6346:TCP:*:Disabled:eTomi
"6346:UDP"= 6346:UDP:*:Disabled:eTomi
"12001:UDP"= 12001:UDP:SMART WebServer Handshake Multicast Port

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 18:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]
S2 Ca50xav;Digital Blue DMC2 Video Device;C:\WINDOWS\system32\Drivers\Ca50xav.sys [2004-10-21 13:17]
S3 CoachUsb;Coach Digital Camera on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys [2002-11-08 12:12]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockots64.dll,InitModule
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 07:04:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Documents and Settings\Deborah\Local Settings\Application Data\Microsoft\Messenger\debcadman@hotmail.com\SharingMetadata\Logs\Dfsr00004.log.gz 68686 bytes

scan completed successfully
hidden files: 155

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
C:\WINDOWS\system32\PAStiSvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-04-23 7:22:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-23 06:22:27

Pre-Run: 27,248,234,496 bytes free
Post-Run: 28,521,054,208 bytes free

188 --- E O F --- 2008-04-15 20:18:30


And here's my Hijack this log [new one]

Logfile of HijackThis v1.99.1
Scan saved at 07:27:00, on 23/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\Drivers\SAP\FD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boxersrule.com/forums/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [FD_SAP] C:\WINDOWS\System32\Drivers\SAP\FD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: SMART Board Tools.lnk.disabled
O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {03B39B10-9AB9-4DBB-8189-7F76E0CE5F3F} (FavImport Class) - https://favorites.live.com/cab/ImportAx.cab?v=13,0,1609,00
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} (UMediaPlayer Class) - http://video.myhorsecam.com/rollestone/UMediaControl5.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.co.uk/s/v/15.11/uploader2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158511635890
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.com/includes/ImageUploader4.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O18 - Protocol: crick - {B861500A-A326-11D3-A248-0080C8F7DE1E} - C:\WINDOWS\system32\CrickPro.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SMART Board Service - SMART Technologies - C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
O23 - Service: SMART SNMP Agent Service - SMART Technologies Inc. - C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe
O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies\SMART Board Drivers\WebServer.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Thank you so much for your assistance.

--------------------
Love Imp x


bricat
Moderator
HijackThis Helper


Reg'd: Wed
Posts: 28272
Loc: belfast
Re: "Spyware detected. Dowload antivirus " [Re: impis]
      #392451 - Wed Apr 23 2008 09:40 AM

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:



Killall::

File::
C:\Documents and Settings\LocalService\Application Data\907608617.exe
C:\Documents and Settings\LocalService\Application Data\1657648377.exe
C:\Documents and Settings\LocalService\Application Data\1466730356.exe
C:\Documents and Settings\LocalService\Application Data\951192718.exe
C:\Documents and Settings\LocalService\Application Data\1462011476.exe
C:\WINDOWS\system32\rrqss.bak1
C:\WINDOWS\system32\rrqss.bak2
C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\ctfmonb.bmp
C:\WINDOWS\system32\blackster.scr






Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt into ComboFix.exe.

This will start ComboFix again. (It may ask you to reboot your computer.)

When finished, it shall produce a log for you at C:\ComboFix.txt


Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply and let me know how it is running.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.

A computer once beat me at chess, but it was no match for me at kick boxing.


impis
regular


Reg'd: Sat
Posts: 305
Loc: Midlands, UK
Re: "Spyware detected. Dowload antivirus " [Re: bricat]
      #392501 - Wed Apr 23 2008 08:17 PM

Right.

[I'm currently typing this from my laptop]

I've done all the above, and am now waiting for combofix to create its log. I have waited, and waited and waited - approx 30 mins. The busy light was on on the front of my base unit, and the machine has just rebooted itself before generating the log. It has come up with one of those 'your system has recovered from a serious error' message boxes. Reporting the error has brought up a 'device driver error'.

The problem is, now that it's rebooted itself after the stop error, there's no sign of the combofix log report. I will give it a few mins, then will post again with the hijack this log.

If you know any way of getting the log report from combofix without rerunning it from the start, please let me know.

Deb

[once again, thanks for the assistance.]

--------------------
Love Imp x


impis
regular


Reg'd: Sat
Posts: 305
Loc: Midlands, UK
Re: "Spyware detected. Dowload antivirus " [Re: impis]
      #392502 - Wed Apr 23 2008 08:20 PM

Hi - Back on my desktop.

There's still no sign of the combofix log - sorry.

Here's the latest Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 20:18, on 2008-04-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\Drivers\SAP\FD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boxersrule.com/forums/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [FD_SAP] C:\WINDOWS\System32\Drivers\SAP\FD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: SMART Board Tools.lnk.disabled
O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {03B39B10-9AB9-4DBB-8189-7F76E0CE5F3F} (FavImport Class) - https://favorites.live.com/cab/ImportAx.cab?v=13,0,1609,00
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} (UMediaPlayer Class) - http://video.myhorsecam.com/rollestone/UMediaControl5.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.co.uk/s/v/15.11/uploader2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158511635890
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.com/includes/ImageUploader4.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O18 - Protocol: crick - {B861500A-A326-11D3-A248-0080C8F7DE1E} - C:\WINDOWS\system32\CrickPro.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SMART Board Service - SMART Technologies - C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe
O23 - Service: SMART SNMP Agent Service - SMART Technologies Inc. - C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe
O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies\SMART Board Drivers\WebServer.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

many thanks.

imp

xxxxxxxxxx
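A cross-check a reader can run on a HijackThis log like the one posted above, as an added example that is not part of the original thread: entries flagged "(file missing)" are compared against the log's own "Running processes" list, since an image that is currently executing cannot be missing. The sample lines are copied from the log above and trimmed; the function names and verdict labels are assumptions made for this example.

```python
import re

# Sample input: lines taken from the second HijackThis log in this thread, trimmed.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Bonjour\mDNSResponder.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O23 - Service: ..."
IMAGE_RE = re.compile(r'"?(.+?\.(?:exe|dll|sys|scr))', re.IGNORECASE)
MISSING = "(file missing)"


def parse_log(text):
    """Return (running process paths, [(section code, entry body), ...])."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False          # the process list ends at the first entry
            entries.append((match.group(1), match.group(2)))
        elif in_processes and line:
            processes.append(line)
    return processes, entries


def image_path(body):
    """Pull the file path out of an entry that ends with '(file missing)'."""
    field = body[: -len(MISSING)].rstrip().rsplit(" - ", 1)[-1]
    # Keep the path up to the file extension; this drops a stray quote
    # and any command-line arguments that were logged after it.
    match = IMAGE_RE.match(field)
    return match.group(1) if match else field.strip('"')


def triage_missing(text):
    """Classify every '(file missing)' entry using only evidence in the log."""
    processes, entries = parse_log(text)
    running = {p.lower() for p in processes}
    results = []
    for code, body in entries:
        if not body.endswith(MISSING):
            continue
        path = image_path(body)
        if path.lower() in running:
            verdict = "running"           # flag contradicts the process list
        elif "%" in path:
            verdict = "needs-expansion"   # resolve the variable, then check on disk
        else:
            verdict = "unverified"        # nothing in the log confirms or refutes it
        results.append((code, path, verdict))
    return results


if __name__ == "__main__":
    for code, path, verdict in triage_missing(SAMPLE_LOG):
        print(f"{code:4} {verdict:16} {path}")
```

Only the "unverified" and "needs-expansion" entries still need a check on the machine itself; "running" entries are contradicted by the same log.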


impis
regular


Reg'd: Sat
Posts: 305
Loc: Midlands, UK
Re: "Spyware detected. Dowload antivirus " [Re: impis]
      #392505 - Wed Apr 23 2008 08:32 PM

Help - I can't turn Avast back on!!

I cannot find anywhere on its userface that has a setting to 'switch on real time protection'.

Any ideas?

It doesn't start up on reboot like it used to.

--------------------
Love Imp x


impis
regular


Reg'd: Sat
Posts: 305
Loc: Midlands, UK
Re: "Spyware detected. Dowload antivirus " [Re: impis]
      #392508 - Wed Apr 23 2008 08:57 PM

hmmmm - seems that it is now on, and working, but the icons just are not appearing on my taskbar at the bottom of the screen. How do I put the icons back? It was fairly reassuring to see them turning round as things loaded up.

--------------------
Love Imp x


bricat
Moderator
HijackThis Helper


Reg'd: Wed
Posts: 28272
Loc: belfast
Re: "Spyware detected. Dowload antivirus " [Re: impis]
      #392525 - Wed Apr 23 2008 10:52 PM

Something has still been running to stop combofix removing those files.

we have to make sure they are gone :-

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Quote:

    C:\Documents and Settings\LocalService\Application Data\907608617.exe
    C:\Documents and Settings\LocalService\Application Data\1657648377.exe
    C:\Documents and Settings\LocalService\Application Data\1466730356.exe
    C:\Documents and Settings\LocalService\Application Data\951192718.exe
    C:\Documents and Settings\LocalService\Application Data\1462011476.exe
    C:\WINDOWS\system32\rrqss.bak1
    C:\WINDOWS\system32\rrqss.bak2
    C:\WINDOWS\system32\rrqss.ini2
    C:\WINDOWS\system32\ctfmonb.bmp
    C:\WINDOWS\system32\blackster.scr





  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.

A computer once beat me at chess, but it was no match for me at kick boxing.


impis
regular


Reg'd: Sat
Posts: 305
Loc: Midlands, UK
Re: "Spyware detected. Dowload antivirus " [Re: bricat]
      #392546 - Thu Apr 24 2008 06:52 AM

Ok, I've done all that - seems like the program couldn't find the files.

Here's the log:

File/Folder C:\Documents and Settings\LocalService\Application Data\907608617.exe not found.
File/Folder C:\Documents and Settings\LocalService\Application Data\1657648377.exe not found.
File/Folder C:\Documents and Settings\LocalService\Application Data\1466730356.exe not found.
File/Folder C:\Documents and Settings\LocalService\Application Data\951192718.exe not found.
File/Folder C:\Documents and Settings\LocalService\Application Data\1462011476.exe not found.
File/Folder C:\WINDOWS\system32\rrqss.bak1 not found.
File/Folder C:\WINDOWS\system32\rrqss.bak2 not found.
File/Folder C:\WINDOWS\system32\rrqss.ini2 not found.
File/Folder C:\WINDOWS\system32\ctfmonb.bmp not found.
File/Folder C:\WINDOWS\system32\blackster.scr not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04242008_064935


[you are a star, by the way!]

--------------------
Love Imp x


bricat
Moderator
HijackThis Helper


Reg'd: Wed
Posts: 28272
Loc: belfast
Re: "Spyware detected. Dowload antivirus " [Re: impis]
      #392549 - Thu Apr 24 2008 08:41 AM

It looks like combofix removed them but just didn't create a log.

how is the computer running ?
do you still have the blue screen ?

--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.

A computer once beat me at chess, but it was no match for me at kick boxing.


impis
regular


Reg'd: Sat
Posts: 305
Loc: Midlands, UK
Re: "Spyware detected. Dowload antivirus " [Re: bricat]
      #392573 - Thu Apr 24 2008 05:38 PM

The computer is vastly improved to how it was, but is still rather slow to boot up. The desktop hijacker thingy is now gone, and no sign of it in my display options for the desktop.

A couple of niggles:

1. I cannot get my system tray icons back for the Avast antivirus, despite the option to have the icons there being ticked in its options. I think it's still running - but not confident without those icons giving me a visual reassurance.

2. When I turn the teatimer back on [spybot] it is likely to recognise lots of changes. Do I allow them or deny them? I suppose I'd allow them - but what if a nasty comes in just at that moment and I wrongly allow a change?

3. Under my login, the pc will not shut down. It pretends to - but hangs at the 'windows is shutting down' screen. Eventually, I press the reset button, and as soon as the black screen starts, I press the on/off button. [it will only turn the machine if pressed at this moment] Strangely, when my husband uses the pc, it turns off without a problem [or so he says]


Thank you so much for your assistance. [as always]. You are a true gent.

--------------------
Love Imp x


bricat
Moderator
HijackThis Helper


Reg'd: Wed
Posts: 28272
Loc: belfast
Re: "Spyware detected. Dowload antivirus " [Re: impis]
      #392577 - Thu Apr 24 2008 06:22 PM

I've read that sometimes AVAST has a problem with combofix.
we'll get rid of it and see how it goes.

it depends what wants to make the changes in the registry whether you allow them or not, it might be easier to uninstall spybot and reinstall it.

combofix cleanup.

Time for some housekeeping


  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"

The above procedure will:

  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

let me know how it's going after you run this.

--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.

A computer once beat me at chess, but it was no match for me at kick boxing.


impis
regular


Reg'd: Sat
Posts: 305
Loc: Midlands, UK
Re: "Spyware detected. Dowload antivirus " [Re: bricat]
      #392583 - Thu Apr 24 2008 06:50 PM

Hi - There was no disclaimer - just a little box announcing 'combofix is uninstalled'.

In the meantime, I have been on to the Avast forum - have found the right bit of avast [AshDisp.exe] and created a shortcut to it on the desktop. Clicking that starts the realtime protection, with icons on the system tray, but of course, AFTER everything else has booted up, so it's not checking stuff as it loads, like it used to.

I've used msconfig to take a look at the start menu as I sometimes turn programs off from there to get my pc to load up faster [not that it's made much difference lately]. Avast isn't even listed on there, never mind unticked!!

Anyhow - I have uninstalled the combofix, so will now reboot and get back to you once I'm logged back in.

Ta everso.

--------------------
Love Imp x


impis
regular


Reg'd: Sat
Posts: 305
Loc: Midlands, UK
Re: "Spyware detected. Dowload antivirus " [Re: impis]
      #392594 - Thu Apr 24 2008 07:13 PM

Rebooted - but the same - no icons.

I have turned teatimer back on, and have discovered that there is a 'repair' facility for Avast which you access by control panel - add and remove programs - delete/change. When you click on the delete/change for Avast, you get the option to 'repair'.

I'm going to reboot again - to see if that has worked.

fingers crossed.

--------------------
Love Imp x


impis
regular


Reg'd: Sat
Posts: 305
Loc: Midlands, UK