Sign In
Create Account
2
I've got a TDSS infection that keeps coming back. MBAM says it removes it, but it keeps showing up again. When it gets fully locked in, it blocks MBAM.EXE as well as redirecting web site accesses to 127.0.0.1
Also have run SpyBot S&D as well as Dr. WebCureit, but these don't seem to shoot it either.
MBAM log:
Malwarebytes' Anti-Malware 1.31
Database version: 1602
Windows 5.1.2600 Service Pack 3
1/3/2009 5:06:50 PM
mbam-log-2009-01-03 (17-06-50).txt
Scan type: Full Scan (C:\|)
Objects scanned: 163259
Time elapsed: 1 hour(s), 19 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Chelsea\DoctorWeb\Quarantine\TDSSe958.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSixgp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSproc.log (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSwkod.log (Trojan.TDSS) -> Quarantined and deleted successfully.
Panda Log (This took forever to run):
;*******************************************************************************
********************************************************************************
*
*******************
ANALYSIS: 2009-01-04 09:24:47
PROTECTIONS: 1
MALWARE: 92
SUSPECTS: 0
;*******************************************************************************
********************************************************************************
*
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
================================================================================
=
===================
AVG Anti-Virus Free 8.0 Yes Yes
;===============================================================================
================================================================================
=
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
================================================================================
=
===================
00020994 W32/Bagle.pwdzip Virus No 0 Yes No C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent28.zip
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@trafficmp[2].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@trafficmp[1].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@trafficmp[2].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@trafficmp[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@casalemedia[2].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@casalemedia[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@casalemedia[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@doubleclick[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@atdmt[2].txt
00145348 Cookie/Gator TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@gator[1].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@tradedoubler[1].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@tradedoubler[2].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@247realmedia[2].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@247realmedia[2].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@247realmedia[2].txt
00145453 Cookie/Bfast TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@bfast[2].txt
00145453 Cookie/Bfast TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@bfast[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@fastclick[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@fastclick[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@fastclick[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@tribalfusion[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@tribalfusion[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@tribalfusion[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@tribalfusion[1].txt
00145732 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@as-eu.falkag[2].txt
00145732 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@as-eu.falkag[2].txt
00145732 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@as-eu.falkag[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@mediaplex[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@mediaplex[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@mediaplex[1].txt
00145745 Cookie/OfferOptimizer TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@offeroptimizer[1].txt
00145745 Cookie/OfferOptimizer TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@offeroptimizer[1].txt
00145770 Cookie/CentrPort TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@centrport[1].txt
00145770 Cookie/CentrPort TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@centrport[1].txt
00145770 Cookie/CentrPort TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@centrport[1].txt
00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@linksynergy[1].txt
00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@linksynergy[2].txt
00146967 Cookie/PayCounter TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@paycounter[1].txt
00149064 Cookie/Maxserving TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@maxserving[2].txt
00149064 Cookie/Maxserving TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@maxserving[2].txt
00149064 Cookie/Maxserving TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@maxserving[2].txt
00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@ccbill[1].txt
00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@belnk[1].txt
00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@belnk[1].txt
00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@belnk[1].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@revenue[2].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@revenue[2].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@revenue[3].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@revenue[2].txt
00162730 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@dist.belnk[2].txt
00162730 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@dist.belnk[2].txt
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@www.myaffiliateprogram[2].txt
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@www.myaffiliateprogram[2].txt
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@www.myaffiliateprogram[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@com[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@com[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@com[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@com[2].txt
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@yadro[1].txt
00167665 Cookie/Clicktracks TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@stats1.clicktracks[2].txt
00167665 Cookie/Clicktracks TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@stats1.clicktracks[2].txt
00167665 Cookie/Clicktracks TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@stats1.clicktracks[2].txt
00167670 Cookie/Seeq TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@seeq[1].txt
00167670 Cookie/Seeq TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@seeq[1].txt
00167672 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@landing.domainsponsor[1].txt
00167672 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@landing.domainsponsor[1].txt
00167672 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@landing.domainsponsor[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@xiti[1].txt
00167706 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@counter3.sextracker[1].txt
00167726 Cookie/Tickle TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@tickle[2].txt
00167730 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@ehg.hitbox[2].txt
00167733 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@z1.adserver[1].txt
00167733 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@z1.adserver[1].txt
00167744 Cookie/GoStats TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@gostats[1].txt
00167744 Cookie/GoStats TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@gostats[1].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@azjmp[2].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@azjmp[1].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@azjmp[1].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@azjmp[2].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@statcounter[2].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@statcounter[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@statcounter[1].txt
00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@counter.hitslink[2].txt
00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@counter.hitslink[2].txt
00167765 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@hg1.hitbox[2].txt
00167783 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@counter6.sextracker[1].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@perf.overture[1].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@perf.overture[1].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@perf.overture[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@ad.yieldmanager[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@ad.yieldmanager[1].txt
00168058 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@counter4.sextracker[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@apmebf[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@apmebf[3].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@burstnet[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@burstnet[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@burstnet[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@burstnet[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@serving-sys[3].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@serving-sys[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@serving-sys[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@bs.serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@bs.serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@bs.serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@bs.serving-sys[1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@www.burstbeacon[2].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@www.burstbeacon[1].txt
00168101 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@as-us.falkag[2].txt
00168101 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@as-us.falkag[2].txt
00168101 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@as-us.falkag[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@server.iad.liveperson[2].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@server.iad.liveperson[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@server.iad.liveperson[2].txt
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@stat.onestat[2].txt
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@stat.onestat[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@advertising[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@advertising[3].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@advertising[1].txt
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@sextracker[1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@media.adrevolver[1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@media.adrevolver[2].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@media.adrevolver[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@statse.webtrendslive[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@statse.webtrendslive[3].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@statse.webtrendslive[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@ads.pointroll[3].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@ads.pointroll[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@ads.pointroll[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@ads.pointroll[1].txt
00170535 Cookie/GoClick TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@c.goclick[2].txt
00170550 Cookie/Humanclick TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@hc2.humanclick[4].txt
00170550 Cookie/Humanclick TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@hc2.humanclick[1].txt
00170550 Cookie/Humanclick TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@hc2.humanclick[1].txt
00170550 Cookie/Humanclick TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@hc2.humanclick[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@overture[3].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@overture[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@overture[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@overture[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@realmedia[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@realmedia[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@realmedia[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@realmedia[3].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@questionmarket[3].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@questionmarket[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@questionmarket[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@questionmarket[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@zedo[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@zedo[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@zedo[3].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@bluestreak[2].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@bluestreak[3].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@bluestreak[1].txt
00175950 Cookie/cs.sexcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@cs.sexcounter[2].txt
00175950 Cookie/cs.sexcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@cs.sexcounter[2].txt
00179067 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@a.as-us.falkag[2].txt
00179067 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@a.as-us.falkag[2].txt
00180246 Cookie/XXXCounter TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@xxxcounter[2].txt
00182104 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@phg.hitbox[2].txt
00182104 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@phg.hitbox[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@adrevolver[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@adrevolver[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@adrevolver[2].txt
00186469 Cookie/Reliablestats TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@stats1.reliablestats[2].txt
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@bravenet[1].txt
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@bravenet[1].txt
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@bravenet[2].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@adultfriendfinder[1].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@adultfriendfinder[2].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@adultfriendfinder[2].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@adultfriendfinder[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@go[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@go[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@go[2].txt
00199981 Cookie/Seeq TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@www48.seeq[1].txt
00199981 Cookie/Seeq TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@www48.seeq[1].txt
00199983 Cookie/Valueclick TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@valueclick[2].txt
00199983 Cookie/Valueclick TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@valueclick[2].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@searchportal.information[2].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@searchportal.information[1].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@target[1].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@target[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@target[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@target[2].txt
00207712 Cookie/360i TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@ct.360i[2].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@did-it[2].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@did-it[2].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@did-it[2].txt
00207936 Cookie/Adviva TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@adviva[2].txt
00213141 Cookie/GoStats TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@c3.gostats[2].txt
00213141 Cookie/GoStats TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@c3.gostats[2].txt
00248163 Adware/TopRebates Adware No 0 Yes No C:\WINDOWS\Downloaded Program Files\MyPointsPointAlert_InstallSilent.inf
00249100 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@cgi-bin[1].txt
00249100 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@cgi-bin[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@atwola[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@atwola[2].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Local Settings\Temp\Cookies\maureen@atwola[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@atwola[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@atwola[2].txt
00262024 Cookie/ErrorSafe TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@www.errorsafe[1].txt
00262024 Cookie/ErrorSafe TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@www.errorsafe[1].txt
00262025 Cookie/ErrorSafe TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@errorsafe[2].txt
00262025 Cookie/ErrorSafe TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@errorsafe[2].txt
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@ehg-dig.hitbox[2].txt
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@ehg-dig.hitbox[1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@ads.addynamix[2].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@ads.addynamix[1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@ads.addynamix[1].txt
00296582 Cookie/DriveCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@www.drivecleaner[2].txt
00296582 Cookie/DriveCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@www.drivecleaner[2].txt
00296583 Cookie/DriveCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@stats.drivecleaner[2].txt
00296583 Cookie/DriveCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@stats.drivecleaner[2].txt
00296584 Cookie/DriveCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Eugene\Cookies\eugene@drivecleaner[1].txt
00296584 Cookie/DriveCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@drivecleaner[1].txt
00296584 Cookie/DriveCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@drivecleaner[2].txt
00296584 Cookie/DriveCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@drivecleaner[1].txt
00320978 Cookie/Winantivirus TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@winantivirus[2].txt
00320978 Cookie/Winantivirus TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@winantivirus[1].txt
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Cookies\maureen@citi.bridgetrack[1].txt
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Cookies\chelsea@citi.bridgetrack[1].txt
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Documents and Settings\Chelsea\Application Data\Earthlink\6.0\jded35@earthlink.net\Cookies\chelsea@citi.bridgetrack[1].txt
00505449 Cookie/Winantivirus TrackingCookie No 0 Yes No C:\Documents and Settings\Maureen\Local Settings\Temp\Cookies\maureen@winantispyware[2].txt
;===============================================================================
================================================================================
=
===================
SUSPECTS
Sent Location i$
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================
VULNERABILITIES
Id Severity Description i$
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================
HiJack This Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:16 AM, on 1/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Chelsea\Application Data\U3\00001675C67131F4\LaunchPad.exe
F:\HiJackThis-202.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...20Installer.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.bestmark....ort/ScriptX.cab
O16 - DPF: {19D3515E-1618-9B6F-7500-A20729FB601B} - http://performanceoptimizer.com/files/Perf...e_Installer.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {EEA3945F-2702-45A0-BBE1-BC88E252AED1} (CPlayFirstDDPrilosecControl Object) - http://www.lifetimetv.com/games/dinerdash/...ec.1.0.0.30.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat,avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 13932 bytes
-
This topic is locked
Back to top
#2
Posted 04 January 2009 - 03:44 PM
-
- Moderators
-
- 4,234 posts
Eradicator de logiciels malveillants
- Gender:Male
- Location:USA
- Interests:Security, Windows, Windows Update, malware prevention
Hello and welcome to MalwareBytes forum.
Your system obviously has a very resistant cluster of infectors. Please get started with doing the following. If this works well, we will have a safety net in place, in case it's needed later. And there will be much more to do after this. Please keep a notebook and pen at hand, as you may very well have to take notes (as per my notes down below).
You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member Dale K only. If you are a lurker, do NOT try this on your system!
If you are not Dale K and have a similar problem, do NOT post here; start your own topic
Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.
"CHECK" (turn on) Display the contents of system folders.
Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.
=
Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}
=
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
This should apply to AVG8:
To disable the Resident Shield, please:
open AVG User Interface
double-click on the Resident Shield
un-tick the option "Resident Shield active"
save the changes.
If you have a prior copy of Combofix, delete it now !
Download ComboFix from one of these locations, saving to DESKTOP:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.
IF you should see a message like this:
then, be sure to write down fully and also copy that into your next reply here and then await for my response.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------
A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=
IF and only IF the Combofix has worked without exceptions, only then, do the following. IF it has exceptions, then please provide all details and put that in a reply pronto, and STOP, and await my reply.
Only if Combofix has a "good" finish:
I'm going to have you get and run a special tool. It will hopefully take out most remains of this beast. Keep in mind that not all files I list here will be found on your system; so do not be alarmed. This is a general-type list of typical infectors.
Download The Avenger by Swandog46 from here.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.
and then reboot the system again.
Please then reply with a copy of C:\Combofix.txt,
C:\Avenger.txt,
and a new HijackThis,
and advise, How is your system now?
RE-Enable your AntiVirus and AntiSpyware applications.
Your system obviously has a very resistant cluster of infectors. Please get started with doing the following. If this works well, we will have a safety net in place, in case it's needed later. And there will be much more to do after this. Please keep a notebook and pen at hand, as you may very well have to take notes (as per my notes down below).
You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member Dale K only. If you are a lurker, do NOT try this on your system!
If you are not Dale K and have a similar problem, do NOT post here; start your own topic
Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.
"CHECK" (turn on) Display the contents of system folders.
Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.
=
Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}
=
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
This should apply to AVG8:
To disable the Resident Shield, please:
open AVG User Interface
double-click on the Resident Shield
un-tick the option "Resident Shield active"
save the changes.
If you have a prior copy of Combofix, delete it now !Download ComboFix from one of these locations, saving to DESKTOP:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Double click on Combo-Fix.exe & follow the prompts.
- If and only if you are prompted to download a "new" version of Combofix, reply NO .
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.
IF you should see a message like this:
then, be sure to write down fully and also copy that into your next reply here and then await for my response.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------
A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=
IF and only IF the Combofix has worked without exceptions, only then, do the following. IF it has exceptions, then please provide all details and put that in a reply pronto, and STOP, and await my reply.
Only if Combofix has a "good" finish:
I'm going to have you get and run a special tool. It will hopefully take out most remains of this beast. Keep in mind that not all files I list here will be found on your system; so do not be alarmed. This is a general-type list of typical infectors.
Download The Avenger by Swandog46 from here.
- Unzip/extract it to a folder on your desktop.
- Double click on avenger.exe to run The Avenger.
- Click OK.
- Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
- Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
Files to delete: C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\SYSTEM32\TDSSixgp.dll C:\WINDOWS\SYSTEM32\TDSSproc.log C:\WINDOWS\SYSTEM32\TDSSwkod.log C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp c:\windows\system32\drivers\msqpdxserv.sys C:\resycled D:\resycled e:\resycled f:\resycled g:\resycled c:\windows\system32\TDSSweat.dat C:\WINDOWS\system32\drivers\TDSSmqlt.sys C:\windows\system32\drivers\tdssserv.sys C:\WINDOWS\system32\drivers\TDSSmact.sys C:\WINDOWS\system32\TDSSfpmp.dll C:\WINDOWS\system32\TDSSwpyd.dat C:\WINDOWS\system32\TDSStkdv.log C:\WINDOWS\system32\TDSSotxb.dll C:\WINDOWS\system32\TDSScrrn.dll C:\WINDOWS\system32\TDSSbvqh.dll C:\WINDOWS\system32\TDSSjnmx.dll c:\windows\system32\TDSShrxr.dll c:\windows\system32\TDSSkkbi.log c:\windows\system32\TDSSlrvd.dat c:\windows\system32\TDSSlxwp.dll c:\windows\system32\TDSSnmxh.log c:\windows\system32\TDSSoiqt.dll c:\windows\system32\TDSSrhyp.log c:\windows\system32\TDSSrtqp.dll c:\windows\system32\TDSSsihc.dll c:\windows\system32\TDSSxfum.dll c:\windows\system32\TDSSmtve.dat c:\windows\system32\TDSSnirj.dat Drivers to delete: tdss tdssserv TDSSserv.SYS Service_TDSSSERV.SYS Legacy_TDSSSERV.SYS msqpdxserv.sys msqpdxserv Registry keys to delete: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata HKEY_LOCAL_MACHINE\SOFTWARE\tdss HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV
- In the avenger window, click the Paste Script from Clipboard icon,
button. - :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
- Click the Execute button.
- You will be asked Are you sure you want to execute the current script?.
- Click Yes.
- You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
- Click Yes.
- Your PC will now be rebooted.
- Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
- If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
- After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.
and then reboot the system again.
Please then reply with a copy of C:\Combofix.txt,
C:\Avenger.txt,
and a new HijackThis,
and advise, How is your system now?
RE-Enable your AntiVirus and AntiSpyware applications.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
MS-MVP (Oct 2002 - Sept 2010)
#3
Posted 04 January 2009 - 08:33 PM
-
- Members
-
- 13 posts
New Member
Got all the way through to the end, but had some strangeness after Avenger ran. The Avenger log opened up, but the mouse buttons wouldn't work, nor would the keyboard...
ComboFix Log:
ComboFix 09-01-02.01 - Chelsea 2009-01-04 14:46:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.251 [GMT -5:00]
Running from: c:\documents and settings\Chelsea\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Chelsea\err.log
c:\documents and settings\Chelsea\Local Settings\Temporary Internet Files\sekabimy.pif
c:\documents and settings\Chelsea\Local Settings\Temporary Internet Files\ujihyve._dl
c:\documents and settings\Chelsea\Local Settings\Temporary Internet Files\yqika.bin
c:\documents and settings\Eugene\err.log
c:\windows\system32\drivers\fad.sys
c:\windows\system32\TDSSmtpe.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_FOPN
-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_TDSSSERV.SYS
((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.
2009-01-04 14:35 . 2009-01-04 14:35 268 --ah----- C:\sqmdata10.sqm
2009-01-04 14:35 . 2009-01-04 14:35 244 --ah----- C:\sqmnoopt10.sqm
2009-01-03 17:11 . 2008-06-19 17:24 28,544 --a------ c:\windows\SYSTEM32\DRIVERS\pavboot.sys
2009-01-03 17:10 . 2009-01-03 17:10 <DIR> d-------- c:\program files\Panda Security
2009-01-03 08:08 . 2009-01-03 08:39 <DIR> d-------- c:\documents and settings\Chelsea\DoctorWeb
2009-01-02 09:44 . 2009-01-02 10:40 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-02 09:44 . 2009-01-02 09:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-01 00:27 . 2009-01-03 08:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 00:27 . 2008-12-03 19:53 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-01 00:27 . 2008-12-03 19:53 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-12-31 17:56 . 2008-12-31 17:56 <DIR> d-------- c:\windows\SYSTEM32\scripting
2008-12-31 17:56 . 2008-12-31 17:56 <DIR> d-------- c:\windows\SYSTEM32\en
2008-12-31 17:56 . 2008-12-31 17:56 <DIR> d-------- c:\windows\l2schemas
2008-12-31 10:42 . 2008-12-31 10:42 268 --ah----- C:\sqmdata09.sqm
2008-12-31 10:42 . 2008-12-31 10:42 244 --ah----- C:\sqmnoopt09.sqm
2008-12-28 21:37 . 2008-12-28 23:40 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-28 20:53 . 2009-01-04 14:54 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2008-12-28 20:53 . 2008-12-28 20:53 97,928 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2008-12-28 20:53 . 2008-12-28 20:53 76,040 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
2008-12-28 20:53 . 2008-12-28 20:53 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2008-12-28 18:43 . 2008-12-28 18:43 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\Malwarebytes
2008-12-28 18:43 . 2008-12-28 18:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-28 17:01 . 2008-12-28 17:01 <DIR> d-------- c:\program files\AVG
2008-12-28 17:01 . 2008-12-28 21:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-28 16:35 . 2009-01-04 14:23 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\U3
2008-12-28 16:32 . 2008-12-28 16:32 268 --ah----- C:\sqmdata08.sqm
2008-12-28 16:32 . 2008-12-28 16:32 244 --ah----- C:\sqmnoopt08.sqm
2008-12-28 16:20 . 2008-04-13 19:11 21,504 --a------ c:\windows\SYSTEM32\hidserv.dll
2008-12-28 16:20 . 2008-04-13 13:39 14,592 --a------ c:\windows\SYSTEM32\DRIVERS\kbdhid.sys
2008-12-28 16:20 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DRIVERS\mouhid.sys
2008-12-28 16:20 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DLLCACHE\mouhid.sys
2008-12-13 02:38 . 2008-12-13 02:38 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\HP
2008-12-13 02:33 . 2008-12-13 02:32 410,976 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-12-11 17:46 . 2008-12-11 17:46 <DIR> d-------- c:\program files\Tencent
2008-12-11 17:46 . 2008-12-11 17:46 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\Tencent
2008-12-11 17:46 . 2008-12-11 17:46 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\QQ Games
2008-12-11 17:28 . 2008-12-11 17:28 <DIR> d-------- c:\program files\AIMTunes
2008-12-11 17:02 . 2008-12-11 17:02 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2008-12-11 16:57 . 2008-12-11 16:57 <DIR> d-------- c:\program files\AIM Toolbar
2008-12-11 16:57 . 2008-12-11 16:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-12-11 16:57 . 2008-12-11 16:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-11 16:50 . 2008-12-18 17:57 2,242 --ah----- C:\IPH.PH
2008-12-10 07:01 . 2008-12-10 07:01 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 18:30 --------- d-----w c:\program files\MyPoints_PointAlert
2008-12-29 03:50 --------- d-----w c:\program files\vol_toolbar
2008-12-13 07:32 --------- d-----w c:\program files\Java
2008-12-11 22:47 --------- d-----w c:\program files\AIM6
2008-12-11 22:28 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-12-11 21:57 --------- d-----w c:\program files\Viewpoint
2008-12-11 21:57 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-11 21:56 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-11 03:52 --------- d-----w c:\program files\dl_Cats
2008-11-14 02:31 --------- d-----w c:\program files\Agent
2008-11-14 01:58 19,549 ----a-w c:\program files\Common Files\wavoridely.dll
2008-11-14 01:58 18,357 ----a-w c:\program files\Common Files\qohywera._sy
2008-11-14 01:58 17,171 ----a-w c:\program files\Common Files\nopihawory.inf
2008-11-14 01:58 15,814 ----a-w c:\windows\ihytaxo.reg
2008-11-14 01:58 13,144 ----a-w c:\documents and settings\All Users\Application Data\ynukoqyroq.pif
2008-11-14 01:58 11,881 ----a-w c:\documents and settings\All Users\Application Data\ohufaral.vbs
2008-11-14 01:58 11,148 ----a-w c:\windows\ubunokeg.dll
2008-11-14 01:58 10,757 ----a-w c:\windows\yrogux.exe
2008-11-12 22:01 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2008-11-12 21:56 --------- d-----w c:\documents and settings\Eugene\Application Data\VersionTracker Pro
2008-11-11 23:56 --------- d-----w c:\program files\Sun
2008-11-11 22:16 18,595 ----a-w c:\windows\usec.exe
2008-11-11 22:16 18,112 ----a-w c:\windows\inelebam.com
2008-11-11 22:16 16,183 ----a-w c:\documents and settings\All Users\Application Data\jogahobegu.exe
2008-11-11 22:16 15,616 ----a-w c:\documents and settings\Chelsea\Application Data\akif.scr
2008-11-11 22:16 15,186 ----a-w c:\documents and settings\All Users\Application Data\zunuqoly.pif
2008-11-11 22:16 14,507 ----a-w c:\windows\nadolubim.vbs
2008-11-11 22:16 13,669 ----a-w c:\documents and settings\Chelsea\Application Data\fyzutevyzo.bat
2008-11-11 22:16 12,784 ----a-w c:\program files\Common Files\qatyracy.dl
2008-11-11 22:16 12,344 ----a-w c:\program files\Common Files\egopinil._sy
2008-11-11 22:16 10,628 ----a-w c:\windows\etuca.reg
2008-11-11 22:16 10,623 ----a-w c:\documents and settings\All Users\Application Data\aticon.vbs
2008-11-11 22:16 10,442 ----a-w c:\program files\Common Files\bapib.sys
2008-11-09 12:04 19,609 ----a-w c:\program files\Common Files\qufacosyky.exe
2008-11-09 12:04 17,640 ----a-w c:\documents and settings\All Users\Application Data\uqeci.vbs
2008-11-09 12:04 16,128 ----a-w c:\windows\retowemo.dll
2008-11-09 12:04 14,703 ----a-w c:\windows\ikuquwapax.vbs
2008-11-09 12:04 14,437 ----a-w c:\windows\egit.bat
2008-11-09 12:04 12,751 ----a-w c:\program files\Common Files\hili.db
2008-11-09 12:04 10,621 ----a-w c:\windows\podoby.pif
2008-09-18 00:32 61,224 ----a-w c:\documents and settings\Chelsea\GoToAssistDownloadHelper.exe
2005-10-13 23:24 848 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2003-05-19 577536]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]
"mmtask"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-06-06 936960]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-09-16 274432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-09-09 155648]
"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2006-02-24 73728]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-11-16 2065648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-28 1261336]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-08-07 36953]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-10-03 54512]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karna.dat,avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2006-01-17 13:03 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-01-17 13:03 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-09-09 21:34 155648 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-09-18 11:24 26112 c:\program files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-05-13 16:01 100056 c:\progra~1\SYMNET~1\SNDMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\GameHouse\\GemDrop\\GemDrop.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\dlcdcoms.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\icuii\\icuii4\\icuii4.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"c:\\Program Files\\nanoCom Corporation\\iSpQ VideoChat\\iSpQ VideoChat.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [2009-01-03 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2008-12-28 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-28 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-28 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2008-12-28 76040]
R4 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-11 24652]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\SYSTEM32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 PAC207;PC Camer@;c:\windows\SYSTEM32\DRIVERS\PFC027.SYS [2007-04-12 507264]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\SYSTEM32\dllhost.exe [2004-03-19 5120]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77b582fa-d997-11dd-b018-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
*Newly Created Service* - PAVBOOT
.
Contents of the 'Scheduled Tasks' folder
2009-01-04 c:\windows\Tasks\User_Feed_Synchronization-{67706B46-A1FC-4F17-A6BF-8A9B738E6AAB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-DellSupport - c:\program files\Dell Support\DSAgnt.exe
MSConfigStartUp-URLLSTCK - c:\program files\Norton Internet Security\UrlLstCk.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
IE: &Search
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: MyPoints - file://c:\program files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html
- c:\windows\Downloaded Program Files\ScriptX.inf
c:\windows\Downloaded Program Files\PerformanceOptimizerPre_Installer.exe - O16 -: {19D3515E-1618-9B6F-7500-A20729FB601B}
hxxp://performanceoptimizer.com/files/PerformanceOptimizerPre_Installer.cab
c:\windows\Downloaded Program Files\PerformanceOptimizerPre_Installer.inf
c:\windows\Downloaded Program Files\DDPrilosec.1.0.0.30.dll - O16 -: {EEA3945F-2702-45A0-BBE1-BC88E252AED1}
hxxp://www.lifetimetv.com/games/dinerdash/DDPrilosec.1.0.0.30.cab
c:\windows\Downloaded Program Files\DDPrilosec.1.0.0.30.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 14:52:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\BRSS01A.EXE
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\windows\SYSTEM32\dlcdcoms.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\AOL\AOL Toolbar 4.0\AolTbServer.exe
.
**************************************************************************
.
Completion time: 2009-01-04 15:02:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-04 20:01:41
Pre-Run: 20,483,346,432 bytes free
Post-Run: 20,408,725,504 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
305 --- E O F --- 2009-01-03 03:00:58
Avenger Log:
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\WINDOWS\system32\brsvc01a.exe" deleted successfully.
File "C:\WINDOWS\system32\brss01a.exe" deleted successfully.
Error: file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\SYSTEM32\TDSSproc.log" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\TDSSproc.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp" not found!
Deletion of file "C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\drivers\msqpdxserv.sys" not found!
Deletion of file "c:\windows\system32\drivers\msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\resycled" not found!
Deletion of file "C:\resycled" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: could not open file "D:\resycled"
Deletion of file "D:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "e:\resycled"
Deletion of file "e:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "f:\resycled"
Deletion of file "f:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "g:\resycled"
Deletion of file "g:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: file "c:\windows\system32\TDSSweat.dat" not found!
Deletion of file "c:\windows\system32\TDSSweat.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!
Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSfpmp.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSfpmp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSwpyd.dat" not found!
Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!
Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSotxb.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSScrrn.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSbvqh.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSbvqh.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSjnmx.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSjnmx.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSShrxr.dll" not found!
Deletion of file "c:\windows\system32\TDSShrxr.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSkkbi.log" not found!
Deletion of file "c:\windows\system32\TDSSkkbi.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSlrvd.dat" not found!
Deletion of file "c:\windows\system32\TDSSlrvd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSlxwp.dll" not found!
Deletion of file "c:\windows\system32\TDSSlxwp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSnmxh.log" not found!
Deletion of file "c:\windows\system32\TDSSnmxh.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSoiqt.dll" not found!
Deletion of file "c:\windows\system32\TDSSoiqt.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSrhyp.log" not found!
Deletion of file "c:\windows\system32\TDSSrhyp.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSrtqp.dll" not found!
Deletion of file "c:\windows\system32\TDSSrtqp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSsihc.dll" not found!
Deletion of file "c:\windows\system32\TDSSsihc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSxfum.dll" not found!
Deletion of file "c:\windows\system32\TDSSxfum.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSmtve.dat" not found!
Deletion of file "c:\windows\system32\TDSSmtve.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSnirj.dat" not found!
Deletion of file "c:\windows\system32\TDSSnirj.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdss" not found!
Deletion of driver "tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!
Deletion of driver "tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.SYS" not found!
Deletion of driver "TDSSserv.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Service_TDSSSERV.SYS" not found!
Deletion of driver "Service_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_TDSSSERV.SYS" not found!
Deletion of driver "Legacy_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv.sys" not found!
Deletion of driver "msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv" not found!
Deletion of driver "msqpdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
HiJack This Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:01 PM, on 1/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
F:\HiJackThis-202.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...20Installer.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.bestmark....ort/ScriptX.cab
O16 - DPF: {19D3515E-1618-9B6F-7500-A20729FB601B} - http://performanceoptimizer.com/files/Perf...e_Installer.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {EEA3945F-2702-45A0-BBE1-BC88E252AED1} (CPlayFirstDDPrilosecControl Object) - http://www.lifetimetv.com/games/dinerdash/...ec.1.0.0.30.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat,avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - Unknown owner - C:\WINDOWS\system32\brsvc01a.exe (file missing)
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 13966 bytes
Things are OK at the moment, but still waiting to see if it pops up again...
ComboFix Log:
ComboFix 09-01-02.01 - Chelsea 2009-01-04 14:46:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.251 [GMT -5:00]
Running from: c:\documents and settings\Chelsea\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Chelsea\err.log
c:\documents and settings\Chelsea\Local Settings\Temporary Internet Files\sekabimy.pif
c:\documents and settings\Chelsea\Local Settings\Temporary Internet Files\ujihyve._dl
c:\documents and settings\Chelsea\Local Settings\Temporary Internet Files\yqika.bin
c:\documents and settings\Eugene\err.log
c:\windows\system32\drivers\fad.sys
c:\windows\system32\TDSSmtpe.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_FOPN
-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_TDSSSERV.SYS
((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.
2009-01-04 14:35 . 2009-01-04 14:35 268 --ah----- C:\sqmdata10.sqm
2009-01-04 14:35 . 2009-01-04 14:35 244 --ah----- C:\sqmnoopt10.sqm
2009-01-03 17:11 . 2008-06-19 17:24 28,544 --a------ c:\windows\SYSTEM32\DRIVERS\pavboot.sys
2009-01-03 17:10 . 2009-01-03 17:10 <DIR> d-------- c:\program files\Panda Security
2009-01-03 08:08 . 2009-01-03 08:39 <DIR> d-------- c:\documents and settings\Chelsea\DoctorWeb
2009-01-02 09:44 . 2009-01-02 10:40 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-02 09:44 . 2009-01-02 09:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-01 00:27 . 2009-01-03 08:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 00:27 . 2008-12-03 19:53 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-01 00:27 . 2008-12-03 19:53 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-12-31 17:56 . 2008-12-31 17:56 <DIR> d-------- c:\windows\SYSTEM32\scripting
2008-12-31 17:56 . 2008-12-31 17:56 <DIR> d-------- c:\windows\SYSTEM32\en
2008-12-31 17:56 . 2008-12-31 17:56 <DIR> d-------- c:\windows\l2schemas
2008-12-31 10:42 . 2008-12-31 10:42 268 --ah----- C:\sqmdata09.sqm
2008-12-31 10:42 . 2008-12-31 10:42 244 --ah----- C:\sqmnoopt09.sqm
2008-12-28 21:37 . 2008-12-28 23:40 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-28 20:53 . 2009-01-04 14:54 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2008-12-28 20:53 . 2008-12-28 20:53 97,928 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2008-12-28 20:53 . 2008-12-28 20:53 76,040 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
2008-12-28 20:53 . 2008-12-28 20:53 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2008-12-28 18:43 . 2008-12-28 18:43 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\Malwarebytes
2008-12-28 18:43 . 2008-12-28 18:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-28 17:01 . 2008-12-28 17:01 <DIR> d-------- c:\program files\AVG
2008-12-28 17:01 . 2008-12-28 21:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-28 16:35 . 2009-01-04 14:23 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\U3
2008-12-28 16:32 . 2008-12-28 16:32 268 --ah----- C:\sqmdata08.sqm
2008-12-28 16:32 . 2008-12-28 16:32 244 --ah----- C:\sqmnoopt08.sqm
2008-12-28 16:20 . 2008-04-13 19:11 21,504 --a------ c:\windows\SYSTEM32\hidserv.dll
2008-12-28 16:20 . 2008-04-13 13:39 14,592 --a------ c:\windows\SYSTEM32\DRIVERS\kbdhid.sys
2008-12-28 16:20 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DRIVERS\mouhid.sys
2008-12-28 16:20 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DLLCACHE\mouhid.sys
2008-12-13 02:38 . 2008-12-13 02:38 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\HP
2008-12-13 02:33 . 2008-12-13 02:32 410,976 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-12-11 17:46 . 2008-12-11 17:46 <DIR> d-------- c:\program files\Tencent
2008-12-11 17:46 . 2008-12-11 17:46 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\Tencent
2008-12-11 17:46 . 2008-12-11 17:46 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\QQ Games
2008-12-11 17:28 . 2008-12-11 17:28 <DIR> d-------- c:\program files\AIMTunes
2008-12-11 17:02 . 2008-12-11 17:02 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2008-12-11 16:57 . 2008-12-11 16:57 <DIR> d-------- c:\program files\AIM Toolbar
2008-12-11 16:57 . 2008-12-11 16:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-12-11 16:57 . 2008-12-11 16:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-11 16:50 . 2008-12-18 17:57 2,242 --ah----- C:\IPH.PH
2008-12-10 07:01 . 2008-12-10 07:01 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 18:30 --------- d-----w c:\program files\MyPoints_PointAlert
2008-12-29 03:50 --------- d-----w c:\program files\vol_toolbar
2008-12-13 07:32 --------- d-----w c:\program files\Java
2008-12-11 22:47 --------- d-----w c:\program files\AIM6
2008-12-11 22:28 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-12-11 21:57 --------- d-----w c:\program files\Viewpoint
2008-12-11 21:57 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-11 21:56 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-11 03:52 --------- d-----w c:\program files\dl_Cats
2008-11-14 02:31 --------- d-----w c:\program files\Agent
2008-11-14 01:58 19,549 ----a-w c:\program files\Common Files\wavoridely.dll
2008-11-14 01:58 18,357 ----a-w c:\program files\Common Files\qohywera._sy
2008-11-14 01:58 17,171 ----a-w c:\program files\Common Files\nopihawory.inf
2008-11-14 01:58 15,814 ----a-w c:\windows\ihytaxo.reg
2008-11-14 01:58 13,144 ----a-w c:\documents and settings\All Users\Application Data\ynukoqyroq.pif
2008-11-14 01:58 11,881 ----a-w c:\documents and settings\All Users\Application Data\ohufaral.vbs
2008-11-14 01:58 11,148 ----a-w c:\windows\ubunokeg.dll
2008-11-14 01:58 10,757 ----a-w c:\windows\yrogux.exe
2008-11-12 22:01 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2008-11-12 21:56 --------- d-----w c:\documents and settings\Eugene\Application Data\VersionTracker Pro
2008-11-11 23:56 --------- d-----w c:\program files\Sun
2008-11-11 22:16 18,595 ----a-w c:\windows\usec.exe
2008-11-11 22:16 18,112 ----a-w c:\windows\inelebam.com
2008-11-11 22:16 16,183 ----a-w c:\documents and settings\All Users\Application Data\jogahobegu.exe
2008-11-11 22:16 15,616 ----a-w c:\documents and settings\Chelsea\Application Data\akif.scr
2008-11-11 22:16 15,186 ----a-w c:\documents and settings\All Users\Application Data\zunuqoly.pif
2008-11-11 22:16 14,507 ----a-w c:\windows\nadolubim.vbs
2008-11-11 22:16 13,669 ----a-w c:\documents and settings\Chelsea\Application Data\fyzutevyzo.bat
2008-11-11 22:16 12,784 ----a-w c:\program files\Common Files\qatyracy.dl
2008-11-11 22:16 12,344 ----a-w c:\program files\Common Files\egopinil._sy
2008-11-11 22:16 10,628 ----a-w c:\windows\etuca.reg
2008-11-11 22:16 10,623 ----a-w c:\documents and settings\All Users\Application Data\aticon.vbs
2008-11-11 22:16 10,442 ----a-w c:\program files\Common Files\bapib.sys
2008-11-09 12:04 19,609 ----a-w c:\program files\Common Files\qufacosyky.exe
2008-11-09 12:04 17,640 ----a-w c:\documents and settings\All Users\Application Data\uqeci.vbs
2008-11-09 12:04 16,128 ----a-w c:\windows\retowemo.dll
2008-11-09 12:04 14,703 ----a-w c:\windows\ikuquwapax.vbs
2008-11-09 12:04 14,437 ----a-w c:\windows\egit.bat
2008-11-09 12:04 12,751 ----a-w c:\program files\Common Files\hili.db
2008-11-09 12:04 10,621 ----a-w c:\windows\podoby.pif
2008-09-18 00:32 61,224 ----a-w c:\documents and settings\Chelsea\GoToAssistDownloadHelper.exe
2005-10-13 23:24 848 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2003-05-19 577536]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]
"mmtask"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-06-06 936960]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-09-16 274432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-09-09 155648]
"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2006-02-24 73728]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-11-16 2065648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-28 1261336]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-08-07 36953]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-10-03 54512]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karna.dat,avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2006-01-17 13:03 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-01-17 13:03 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-09-09 21:34 155648 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-09-18 11:24 26112 c:\program files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-05-13 16:01 100056 c:\progra~1\SYMNET~1\SNDMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\GameHouse\\GemDrop\\GemDrop.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\dlcdcoms.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\icuii\\icuii4\\icuii4.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"c:\\Program Files\\nanoCom Corporation\\iSpQ VideoChat\\iSpQ VideoChat.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [2009-01-03 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2008-12-28 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-28 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-28 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2008-12-28 76040]
R4 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-11 24652]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\SYSTEM32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 PAC207;PC Camer@;c:\windows\SYSTEM32\DRIVERS\PFC027.SYS [2007-04-12 507264]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\SYSTEM32\dllhost.exe [2004-03-19 5120]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77b582fa-d997-11dd-b018-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
*Newly Created Service* - PAVBOOT
.
Contents of the 'Scheduled Tasks' folder
2009-01-04 c:\windows\Tasks\User_Feed_Synchronization-{67706B46-A1FC-4F17-A6BF-8A9B738E6AAB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-DellSupport - c:\program files\Dell Support\DSAgnt.exe
MSConfigStartUp-URLLSTCK - c:\program files\Norton Internet Security\UrlLstCk.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
IE: &Search
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: MyPoints - file://c:\program files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html
- c:\windows\Downloaded Program Files\ScriptX.inf
c:\windows\Downloaded Program Files\PerformanceOptimizerPre_Installer.exe - O16 -: {19D3515E-1618-9B6F-7500-A20729FB601B}
hxxp://performanceoptimizer.com/files/PerformanceOptimizerPre_Installer.cab
c:\windows\Downloaded Program Files\PerformanceOptimizerPre_Installer.inf
c:\windows\Downloaded Program Files\DDPrilosec.1.0.0.30.dll - O16 -: {EEA3945F-2702-45A0-BBE1-BC88E252AED1}
hxxp://www.lifetimetv.com/games/dinerdash/DDPrilosec.1.0.0.30.cab
c:\windows\Downloaded Program Files\DDPrilosec.1.0.0.30.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 14:52:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\BRSS01A.EXE
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\windows\SYSTEM32\dlcdcoms.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\AOL\AOL Toolbar 4.0\AolTbServer.exe
.
**************************************************************************
.
Completion time: 2009-01-04 15:02:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-04 20:01:41
Pre-Run: 20,483,346,432 bytes free
Post-Run: 20,408,725,504 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
305 --- E O F --- 2009-01-03 03:00:58
Avenger Log:
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\WINDOWS\system32\brsvc01a.exe" deleted successfully.
File "C:\WINDOWS\system32\brss01a.exe" deleted successfully.
Error: file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\SYSTEM32\TDSSproc.log" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\TDSSproc.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp" not found!
Deletion of file "C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\drivers\msqpdxserv.sys" not found!
Deletion of file "c:\windows\system32\drivers\msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\resycled" not found!
Deletion of file "C:\resycled" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: could not open file "D:\resycled"
Deletion of file "D:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "e:\resycled"
Deletion of file "e:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "f:\resycled"
Deletion of file "f:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "g:\resycled"
Deletion of file "g:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: file "c:\windows\system32\TDSSweat.dat" not found!
Deletion of file "c:\windows\system32\TDSSweat.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!
Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSfpmp.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSfpmp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSwpyd.dat" not found!
Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!
Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSotxb.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSScrrn.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSbvqh.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSbvqh.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSjnmx.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSjnmx.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSShrxr.dll" not found!
Deletion of file "c:\windows\system32\TDSShrxr.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSkkbi.log" not found!
Deletion of file "c:\windows\system32\TDSSkkbi.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSlrvd.dat" not found!
Deletion of file "c:\windows\system32\TDSSlrvd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSlxwp.dll" not found!
Deletion of file "c:\windows\system32\TDSSlxwp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSnmxh.log" not found!
Deletion of file "c:\windows\system32\TDSSnmxh.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSoiqt.dll" not found!
Deletion of file "c:\windows\system32\TDSSoiqt.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSrhyp.log" not found!
Deletion of file "c:\windows\system32\TDSSrhyp.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSrtqp.dll" not found!
Deletion of file "c:\windows\system32\TDSSrtqp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSsihc.dll" not found!
Deletion of file "c:\windows\system32\TDSSsihc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSxfum.dll" not found!
Deletion of file "c:\windows\system32\TDSSxfum.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSmtve.dat" not found!
Deletion of file "c:\windows\system32\TDSSmtve.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSnirj.dat" not found!
Deletion of file "c:\windows\system32\TDSSnirj.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdss" not found!
Deletion of driver "tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!
Deletion of driver "tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.SYS" not found!
Deletion of driver "TDSSserv.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Service_TDSSSERV.SYS" not found!
Deletion of driver "Service_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_TDSSSERV.SYS" not found!
Deletion of driver "Legacy_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv.sys" not found!
Deletion of driver "msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv" not found!
Deletion of driver "msqpdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
HiJack This Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:01 PM, on 1/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
F:\HiJackThis-202.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...20Installer.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.bestmark....ort/ScriptX.cab
O16 - DPF: {19D3515E-1618-9B6F-7500-A20729FB601B} - http://performanceoptimizer.com/files/Perf...e_Installer.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {EEA3945F-2702-45A0-BBE1-BC88E252AED1} (CPlayFirstDDPrilosecControl Object) - http://www.lifetimetv.com/games/dinerdash/...ec.1.0.0.30.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat,avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - Unknown owner - C:\WINDOWS\system32\brsvc01a.exe (file missing)
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 13966 bytes
Things are OK at the moment, but still waiting to see if it pops up again...
#4
Posted 04 January 2009 - 08:52 PM
-
- Moderators
-
- 4,234 posts
Eradicator de logiciels malveillants
- Gender:Male
- Location:USA
- Interests:Security, Windows, Windows Update, malware prevention
If I have not asked you to get this before:
Please download the OTMoveIt3 by OldTimer.
Do not be concerned if the files are not found by the OTMoveIt procedure above.
=
Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 1610 or later.
When done, click the Scanner tab.
Do a FULL Scan. Let it quarantine or remove tagged items. Get a copy of that log in your next reply.
=
Using Internet Explorer browser only, go to ESET Online Scanner website:
http://www.eset.com/onlinescan/
Re-enable your antivirus program.
Reply with a copy of the OTMOveIt3 log and the new MBAM log, and the Eset scan log, and
advise us, How is the system now ?
Please download the OTMoveIt3 by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:files c:\windows\system32\karna.* C:\windows\karna.* C:\karna.* C:\resycled D:\resycled E:\resycled F:\resycled :commands [EmptyTemp]
- Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTMoveIt3
Do not be concerned if the files are not found by the OTMoveIt procedure above.
=
Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 1610 or later.
When done, click the Scanner tab.
Do a FULL Scan. Let it quarantine or remove tagged items. Get a copy of that log in your next reply.
=
Using Internet Explorer browser only, go to ESET Online Scanner website:
http://www.eset.com/onlinescan/
- Accept the Terms of Use and press Start button;
- Disable your antivirus program.
- Approve the install of the required ActiveX Control, then follow on-screen instructions;
- Enable (check) the Remove found threats option, and run the scan.
- After the scan completes, the Details tab in the Results window will display what was found and removed.
- A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
The Frequently Asked Questions for ESET Online Scanner can be viewed here
http://www.eset.com/...c4.php?page=faq
- From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
Otherwise the scan will take twice as long to do:
everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result. - It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
(And the prompt re-enabling when finished.) - If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
Re-enable your antivirus program.
Reply with a copy of the OTMOveIt3 log and the new MBAM log, and the Eset scan log, and
advise us, How is the system now ?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
MS-MVP (Oct 2002 - Sept 2010)
#5
Posted 04 January 2009 - 08:54 PM
-
- Members
-
- 13 posts
New Member
I guess things aren't quite as OK as I thought. It appears that the messaging clients (AIM, Yahoo, MSN, etc) now hang. AIM6 also reports that it can't load its plugins either.
AVG doesn't appear to be blocked like it used to be, so that is good.
AVG doesn't appear to be blocked like it used to be, so that is good.
#6
Posted 04 January 2009 - 09:00 PM
-
- Moderators
-
- 4,234 posts
Eradicator de logiciels malveillants
- Gender:Male
- Location:USA
- Interests:Security, Windows, Windows Update, malware prevention
Have you rebooted the system? If not, please do so.
We can cover the IM programs in the next round.
Meantime, go ahead with my last procedures.
We can cover the IM programs in the next round.
Meantime, go ahead with my last procedures.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
MS-MVP (Oct 2002 - Sept 2010)
#7
Posted 04 January 2009 - 09:57 PM
-
- Moderators
-
- 4,234 posts
Eradicator de logiciels malveillants
- Gender:Male
- Location:USA
- Interests:Security, Windows, Windows Update, malware prevention
When you get to a stopping point, please look for this ZIP file in the Avenger folder.
It should be at C:\Avenger\backup.zip
This zip file should contain 2 and only 2 exe files
Open the zip file. Make sure it only contains
brsvc01a.exe
brss01a.exe
Those are Brother printer programs. Assuming you still have a Brother printer, these 2 need to be extracted & placed in this folder
C:\WINDOWS\system32
My sincere apologies to you for the inconvenience and oversight on my part.
~~ Added these since last post ~~ Maurice
I also would suggest you do these things to clear up any internet access redirections.
Close all applications and windows.
If you have an older copy of SDFix, delete it now.
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
Steps to follow for the MVP Hosts file:
1) Download and SAVE the zip file to a temporary folder
2) Unzip (extract the contents) in the same folder
3) After extract is complete, run mvps.bat batch file. This copies your pre-existing Hosts file to Hosts.mvp in the folder where Windows' Hosts resides
typically, C:\WINDOWS\system32\drivers\etc
and after that copy is saved, it replaces the old Hosts with the new one.
And you should see (in the blue background command window) the following:
Find the folder where you saved the original download. Delete hosts.zip and a file folder there named hosts
The latter is the same folder that had mvps.bat
=
Reply with a copy of the C:\SDFIX\Report.txt
It should be at C:\Avenger\backup.zip
This zip file should contain 2 and only 2 exe files
Open the zip file. Make sure it only contains
brsvc01a.exe
brss01a.exe
Those are Brother printer programs. Assuming you still have a Brother printer, these 2 need to be extracted & placed in this folder
C:\WINDOWS\system32
My sincere apologies to you for the inconvenience and oversight on my part.
~~ Added these since last post ~~ Maurice
I also would suggest you do these things to clear up any internet access redirections.
Close all applications and windows.
If you have an older copy of SDFix, delete it now.
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual user account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum). - Finally paste the contents of the Report.txt back in a Reply here.
Get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
Steps to follow for the MVP Hosts file:
1) Download and SAVE the zip file to a temporary folder
2) Unzip (extract the contents) in the same folder
3) After extract is complete, run mvps.bat batch file. This copies your pre-existing Hosts file to Hosts.mvp in the folder where Windows' Hosts resides
typically, C:\WINDOWS\system32\drivers\etc
and after that copy is saved, it replaces the old Hosts with the new one.
And you should see (in the blue background command window) the following:
Quote
_________________________________________________
¦ +---+¦
¦ THE MVPS HOSTS FILE IS NOW UPDATED ¦ v ¦¦
¦ +---+¦
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯
Previous version saved and renamed to HOSTS.MVP
Press any key to continue . . .
¦ +---+¦
¦ THE MVPS HOSTS FILE IS NOW UPDATED ¦ v ¦¦
¦ +---+¦
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯
Previous version saved and renamed to HOSTS.MVP
Press any key to continue . . .
Find the folder where you saved the original download. Delete hosts.zip and a file folder there named hosts
The latter is the same folder that had mvps.bat
=
Reply with a copy of the C:\SDFIX\Report.txt
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
MS-MVP (Oct 2002 - Sept 2010)
#8
Posted 05 January 2009 - 01:29 AM
-
- Members
-
- 13 posts
New Member
Maurice Naggar, on Jan 4 2009, 03:52 PM, said:
If I have not asked you to get this before:
Please download the OTMoveIt3 by OldTimer.
Do not be concerned if the files are not found by the OTMoveIt procedure above.
=
Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 1610 or later.
When done, click the Scanner tab.
Do a FULL Scan. Let it quarantine or remove tagged items. Get a copy of that log in your next reply.
=
Using Internet Explorer browser only, go to ESET Online Scanner website:
http://www.eset.com/onlinescan/
Re-enable your antivirus program.
Reply with a copy of the OTMOveIt3 log and the new MBAM log, and the Eset scan log, and
advise us, How is the system now ?
Please download the OTMoveIt3 by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:files c:\windows\system32\karna.* C:\windows\karna.* C:\karna.* C:\resycled D:\resycled E:\resycled F:\resycled :commands [EmptyTemp]
- Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTMoveIt3
Do not be concerned if the files are not found by the OTMoveIt procedure above.
=
Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 1610 or later.
When done, click the Scanner tab.
Do a FULL Scan. Let it quarantine or remove tagged items. Get a copy of that log in your next reply.
=
Using Internet Explorer browser only, go to ESET Online Scanner website:
http://www.eset.com/onlinescan/
- Accept the Terms of Use and press Start button;
- Disable your antivirus program.
- Approve the install of the required ActiveX Control, then follow on-screen instructions;
- Enable (check) the Remove found threats option, and run the scan.
- After the scan completes, the Details tab in the Results window will display what was found and removed.
- A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
The Frequently Asked Questions for ESET Online Scanner can be viewed here
http://www.eset.com/...c4.php?page=faq
- From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
Otherwise the scan will take twice as long to do:
everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result. - It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
(And the prompt re-enabling when finished.) - If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
Re-enable your antivirus program.
Reply with a copy of the OTMOveIt3 log and the new MBAM log, and the Eset scan log, and
advise us, How is the system now ?
Looks like we had posts passing mid-stream...
Ran OTMoveIt3. Log file is here:
========== FILES ==========
File/Folder c:\windows\system32\karna.* not found.
File/Folder C:\windows\karna.* not found.
File/Folder C:\karna.* not found.
File/Folder C:\resycled not found.
File/Folder D:\resycled not found.
File/Folder E:\resycled not found.
File/Folder F:\resycled not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Chelsea\LOCALS~1\Temp\bbassistant.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Chelsea\LOCALS~1\Temp\Perflib_Perfdata_9a8.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_4f4.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_b38.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01042009_200005
Files moved on Reboot...
C:\DOCUME~1\Chelsea\LOCALS~1\Temp\bbassistant.log moved successfully.
File C:\DOCUME~1\Chelsea\LOCALS~1\Temp\Perflib_Perfdata_9a8.dat not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_4f4.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_b38.dat moved successfully.
Files moved on Reboot...
File C:\DOCUME~1\Chelsea\LOCALS~1\Temp\bbassistant.log not found!
File C:\DOCUME~1\Chelsea\LOCALS~1\Temp\Perflib_Perfdata_9a8.dat not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_4f4.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_b38.dat not found!
Then things got real strange. I ran MBAM, but when I tried to do the update, it hung. Since I was already at 1610, I tried to go ahead and fun the full scan. The scan would say "Currently scanning. Preparing for the scan.", but the time would hang at a time elapsed of 7seconds and just stall there.
Holding up here waiting for you direction...
#9
Posted 05 January 2009 - 01:45 AM
-
- Members
-
- 13 posts
New Member
Dale K, on Jan 4 2009, 08:29 PM, said:
Looks like we had posts passing mid-stream...
Ran OTMoveIt3. Log file is here:
========== FILES ==========
File/Folder c:\windows\system32\karna.* not found.
File/Folder C:\windows\karna.* not found.
File/Folder C:\karna.* not found.
File/Folder C:\resycled not found.
File/Folder D:\resycled not found.
File/Folder E:\resycled not found.
File/Folder F:\resycled not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Chelsea\LOCALS~1\Temp\bbassistant.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Chelsea\LOCALS~1\Temp\Perflib_Perfdata_9a8.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_4f4.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_b38.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01042009_200005
Files moved on Reboot...
C:\DOCUME~1\Chelsea\LOCALS~1\Temp\bbassistant.log moved successfully.
File C:\DOCUME~1\Chelsea\LOCALS~1\Temp\Perflib_Perfdata_9a8.dat not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_4f4.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_b38.dat moved successfully.
Files moved on Reboot...
File C:\DOCUME~1\Chelsea\LOCALS~1\Temp\bbassistant.log not found!
File C:\DOCUME~1\Chelsea\LOCALS~1\Temp\Perflib_Perfdata_9a8.dat not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_4f4.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_b38.dat not found!
Then things got real strange. I ran MBAM, but when I tried to do the update, it hung. Since I was already at 1610, I tried to go ahead and fun the full scan. The scan would say "Currently scanning. Preparing for the scan.", but the time would hang at a time elapsed of 7seconds and just stall there.
Holding up here waiting for you direction...
Ran OTMoveIt3. Log file is here:
========== FILES ==========
File/Folder c:\windows\system32\karna.* not found.
File/Folder C:\windows\karna.* not found.
File/Folder C:\karna.* not found.
File/Folder C:\resycled not found.
File/Folder D:\resycled not found.
File/Folder E:\resycled not found.
File/Folder F:\resycled not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Chelsea\LOCALS~1\Temp\bbassistant.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Chelsea\LOCALS~1\Temp\Perflib_Perfdata_9a8.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_4f4.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_b38.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01042009_200005
Files moved on Reboot...
C:\DOCUME~1\Chelsea\LOCALS~1\Temp\bbassistant.log moved successfully.
File C:\DOCUME~1\Chelsea\LOCALS~1\Temp\Perflib_Perfdata_9a8.dat not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_4f4.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_b38.dat moved successfully.
Files moved on Reboot...
File C:\DOCUME~1\Chelsea\LOCALS~1\Temp\bbassistant.log not found!
File C:\DOCUME~1\Chelsea\LOCALS~1\Temp\Perflib_Perfdata_9a8.dat not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_4f4.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_b38.dat not found!
Then things got real strange. I ran MBAM, but when I tried to do the update, it hung. Since I was already at 1610, I tried to go ahead and fun the full scan. The scan would say "Currently scanning. Preparing for the scan.", but the time would hang at a time elapsed of 7seconds and just stall there.
Holding up here waiting for you direction...
This is very strange. I left the computer sit idle and went away for a while, came back, and it appears that MBAM is now running the scan. Will post results and move forward when it finishes.
#10
Posted 05 January 2009 - 02:48 AM
-
- Members
-
- 13 posts
New Member
MBAM complete. Log is here:
Malwarebytes' Anti-Malware 1.31
Database version: 1610
Windows 5.1.2600 Service Pack 3
1/4/2009 9:43:41 PM
mbam-log-2009-01-04 (21-43-41).txt
Scan type: Full Scan (C:\|)
Objects scanned: 141019
Time elapsed: 1 hour(s), 20 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Moving on to running ESET.
Malwarebytes' Anti-Malware 1.31
Database version: 1610
Windows 5.1.2600 Service Pack 3
1/4/2009 9:43:41 PM
mbam-log-2009-01-04 (21-43-41).txt
Scan type: Full Scan (C:\|)
Objects scanned: 141019
Time elapsed: 1 hour(s), 20 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Moving on to running ESET.
#11
Posted 05 January 2009 - 04:43 AM
-
- Members
-
- 13 posts
New Member
ESET Log:
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3735 (20090104)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=0ba192d80c434748992bf6485fc67f25
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2009-01-05 04:14:34
# local_time=2009-01-04 11:14:34 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=451882
# found=5
# scan_time=4655
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent16.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent28.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent51.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Chelsea\DoctorWeb\Quarantine\msimg32.dll Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP896\A0313311.dll Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3735 (20090104)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=0ba192d80c434748992bf6485fc67f25
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2009-01-05 04:14:34
# local_time=2009-01-04 11:14:34 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=451882
# found=5
# scan_time=4655
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent16.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent28.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent51.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Chelsea\DoctorWeb\Quarantine\msimg32.dll Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP896\A0313311.dll Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
#12
Posted 05 January 2009 - 01:27 PM
-
- Members
-
- 13 posts
New Member
Maurice Naggar, on Jan 4 2009, 04:57 PM, said:
When you get to a stopping point, please look for this ZIP file in the Avenger folder.
It should be at C:\Avenger\backup.zip
This zip file should contain 2 and only 2 exe files
Open the zip file. Make sure it only contains
brsvc01a.exe
brss01a.exe
Those are Brother printer programs. Assuming you still have a Brother printer, these 2 need to be extracted & placed in this folder
C:\WINDOWS\system32
My sincere apologies to you for the inconvenience and oversight on my part.
~~ Added these since last post ~~ Maurice
I also would suggest you do these things to clear up any internet access redirections.
Close all applications and windows.
If you have an older copy of SDFix, delete it now.
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
Steps to follow for the MVP Hosts file:
1) Download and SAVE the zip file to a temporary folder
2) Unzip (extract the contents) in the same folder
3) After extract is complete, run mvps.bat batch file. This copies your pre-existing Hosts file to Hosts.mvp in the folder where Windows' Hosts resides
typically, C:\WINDOWS\system32\drivers\etc
and after that copy is saved, it replaces the old Hosts with the new one.
And you should see (in the blue background command window) the following:
Find the folder where you saved the original download. Delete hosts.zip and a file folder there named hosts
The latter is the same folder that had mvps.bat
=
Reply with a copy of the C:\SDFIX\Report.txt
It should be at C:\Avenger\backup.zip
This zip file should contain 2 and only 2 exe files
Open the zip file. Make sure it only contains
brsvc01a.exe
brss01a.exe
Those are Brother printer programs. Assuming you still have a Brother printer, these 2 need to be extracted & placed in this folder
C:\WINDOWS\system32
My sincere apologies to you for the inconvenience and oversight on my part.
~~ Added these since last post ~~ Maurice
I also would suggest you do these things to clear up any internet access redirections.
Close all applications and windows.
If you have an older copy of SDFix, delete it now.
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual user account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum). - Finally paste the contents of the Report.txt back in a Reply here.
Get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
Steps to follow for the MVP Hosts file:
1) Download and SAVE the zip file to a temporary folder
2) Unzip (extract the contents) in the same folder
3) After extract is complete, run mvps.bat batch file. This copies your pre-existing Hosts file to Hosts.mvp in the folder where Windows' Hosts resides
typically, C:\WINDOWS\system32\drivers\etc
and after that copy is saved, it replaces the old Hosts with the new one.
And you should see (in the blue background command window) the following:
Find the folder where you saved the original download. Delete hosts.zip and a file folder there named hosts
The latter is the same folder that had mvps.bat
=
Reply with a copy of the C:\SDFIX\Report.txt
I found the c:\avenger\backup.zip file, but it appears to be encrypted/locked. I can't extract the files from it...
Report.Txt:
SDFix: Version 1.240
Run by Chelsea on Sun 01/04/2009 at 11:57 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\Documents and Settings\All Users\Documents\unazog.scr - Deleted
C:\Program Files\Common Files\egopinil._sy - Deleted
C:\Program Files\Common Files\qohywera._sy - Deleted
C:\WINDOWS\adysez._sy - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 08:10:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSmxoe.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSmxoe.sys"
"TDSSl"="\systemroot\system32\TDSSoitu.dll"
"tdssservers"="\systemroot\system32\TDSSmtpe.dat"
"tdssmain"="\systemroot\system32\TDSScrxx.dll"
"tdsslog"="\systemroot\system32\TDSSyaqu.dll"
"tdssadw"="\systemroot\system32\TDSSnpur.dll"
"tdssinit"="\systemroot\system32\TDSSixgp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsahc.dll"
"tdsserrors"="\systemroot\system32\TDSSehys.log"
"TDSSproc"="\systemroot\system32\TDSSwkod.log"
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"="C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\Program Files\\GameHouse\\GemDrop\\GemDrop.exe"="C:\\Program Files\\GameHouse\\GemDrop\\GemDrop.exe:*:Enabled:Super Gem Drop"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\SYSTEM32\\dlcdcoms.exe"="C:\\WINDOWS\\SYSTEM32\\dlcdcoms.exe:*:Enabled:Dell 944 Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"C:\\Program Files\\icuii\\icuii4\\icuii4.exe"="C:\\Program Files\\icuii\\icuii4\\icuii4.exe:*:Enabled:icuii4"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:TaskPanl"
"C:\\Program Files\\nanoCom Corporation\\iSpQ VideoChat\\iSpQ VideoChat.exe"="C:\\Program Files\\nanoCom Corporation\\iSpQ VideoChat\\iSpQ VideoChat.exe:*:Enabled:iSpQ VideoChat"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Thu 18 May 2006 4 A..H. --- "C:\WINDOWS\uccspecb.sys"
Sat 9 Aug 2003 49,237 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Sat 9 Aug 2003 36,953 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Sat 9 Aug 2003 40,960 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Fri 23 Feb 2007 225,380 A..H. --- "C:\Program Files\America Online 9.0\waol.exe"
Sun 1 Apr 2007 146,432 ..SHR --- "C:\Program Files\PhoTags Express\Setup.exe"
Wed 9 Mar 2005 39,936 A.SHR --- "C:\Program Files\PhoTags Express\_Setupx.dll"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Thu 13 Oct 2005 848 A.SH. --- "C:\WINDOWS\SYSTEM32\KGyGaAvL.sys"
Sat 16 Aug 2008 11,108 ...H. --- "C:\WINDOWS\SYSTEM32\ncvutil40.dll"
Sat 8 Jul 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 17 Jan 2006 30,720 A..H. --- "C:\Documents and Settings\Maureen\My Documents\~WRL1654.tmp"
Mon 16 Oct 2006 0 A..H. --- "C:\Documents and Settings\Maureen\My Documents\~WRL2631.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Chelsea\Application Data\U3\temp\Launchpad Removal.exe"
Sun 1 Jul 2007 20,480 ...H. --- "C:\Documents and Settings\Eugene\Application Data\Microsoft\Word\~WRL0901.tmp"
Sun 1 Jul 2007 33,280 ...H. --- "C:\Documents and Settings\Eugene\Application Data\Microsoft\Word\~WRL1092.tmp"
Sun 1 Jul 2007 35,328 ...H. --- "C:\Documents and Settings\Eugene\Application Data\Microsoft\Word\~WRL1677.tmp"
Sun 1 Jul 2007 23,040 ...H. --- "C:\Documents and Settings\Eugene\Application Data\Microsoft\Word\~WRL1700.tmp"
Sun 1 Jul 2007 24,064 ...H. --- "C:\Documents and Settings\Eugene\Application Data\Microsoft\Word\~WRL1919.tmp"
Sun 1 Jul 2007 22,016 ...H. --- "C:\Documents and Settings\Eugene\Application Data\Microsoft\Word\~WRL1986.tmp"
Sun 1 Jul 2007 27,648 ...H. --- "C:\Documents and Settings\Eugene\Application Data\Microsoft\Word\~WRL2201.tmp"
Sun 1 Jul 2007 31,744 ...H. --- "C:\Documents and Settings\Eugene\Application Data\Microsoft\Word\~WRL2301.tmp"
Sun 1 Jul 2007 39,936 ...H. --- "C:\Documents and Settings\Eugene\Application Data\Microsoft\Word\~WRL2829.tmp"
Sun 1 Jul 2007 26,112 ...H. --- "C:\Documents and Settings\Eugene\Application Data\Microsoft\Word\~WRL3507.tmp"
Sun 1 Jul 2007 28,160 ...H. --- "C:\Documents and Settings\Eugene\Application Data\Microsoft\Word\~WRL3924.tmp"
Sat 9 Aug 2003 111,824 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"
Tue 24 Jul 2007 8 A..H. --- "C:\Documents and Settings\Chelsea\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Tue 24 Jul 2007 8 A..H. --- "C:\Documents and Settings\Chelsea\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Tue 24 Jul 2007 8 A..H. --- "C:\Documents and Settings\Chelsea\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Tue 24 Jul 2007 8 A..H. --- "C:\Documents and Settings\Chelsea\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Sun 9 Sep 2007 8 A..H. --- "C:\Documents and Settings\Eugene\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sun 9 Sep 2007 8 A..H. --- "C:\Documents and Settings\Eugene\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sun 9 Sep 2007 8 A..H. --- "C:\Documents and Settings\Eugene\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sun 9 Sep 2007 8 A..H. --- "C:\Documents and Settings\Eugene\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Finished!
The machine appears to be a little happier now. MBAM will now update (this was broken before).
AIM still appears to be broken.
Do you want the newer MBAM run or HJT log?
#13
Posted 05 January 2009 - 07:40 PM
-
- Moderators
-
- 4,234 posts
Eradicator de logiciels malveillants
- Gender:Male
- Location:USA
- Interests:Security, Windows, Windows Update, malware prevention
The Eset scan did not find new items, but rather, items already in quarantine. That is good.
The SDFIX found traces of TDSS and removed 4 trojan items. Not good news, but cureable.
I have previously had you download The Avenger program and it still should be on your Desktop.
If not present, download it again.
There are remnants of TDSS rootkit which we need to squash.
Make sure to disable your antivirus app & other anti-malware apps before you start Avenger.
Download The Avenger by Swandog46 from here.
=
After that is done, and assuming the system has been rebooted/restarted one time, I would much prefer for you to do another FULL Scan with MBAM --- but only after you have done the Update procedure ( by clicking Check for Updates). Watch to be sure the updates are all complete. There's a version 1.32 just recently released).
Please do a FULL Scan.
~~ Added the following ~~ Maurice
And next, one more run of Combofix. This time a fresh download and a rename of it before running it.
But first, delete the prior copy of Combo-fix.exe on your desktop ! We need to be sure to have latest copy.
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3
--------------------------------------------------------------------
After it is saved:
Double click on Combo-Fix.exe to start it & follow the prompts.
Download the Microsoft Malicious Software Removal Tool from the Microsoft Download Center and then run it.
http://www.microsoft.com/downloads/details...;displaylang=en
Additional information on this tool is here http://support.micro...om/?kbid=890830
=
Then when done, be sure your antivirus app is enabled again.
Reply with copy of the C:\Avenger.txt
latest MBAM log,
copy of C:\Combofix.txt
and a NEW HIJACKTHIS log.
The SDFIX found traces of TDSS and removed 4 trojan items. Not good news, but cureable.
I have previously had you download The Avenger program and it still should be on your Desktop.
If not present, download it again.
There are remnants of TDSS rootkit which we need to squash.
Make sure to disable your antivirus app & other anti-malware apps before you start Avenger.
Download The Avenger by Swandog46 from here.
- Unzip/extract it to a folder on your desktop.
- Double click on avenger.exe to run The Avenger.
- Click OK.
- Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
- Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
Files to delete: c:\windows\system32\drivers\TDSSmxoe.sys C:\windows\system32\TDSSoitu.dll C:\windows\system32\TDSSmtpe.dat C:\windows\system32\TDSScrxx.dll C:\windows\system32\TDSSyaqu.dll C:\windows\system32\TDSSnpur.dll C:\windows\system32\TDSSixgp.dll C:\windows\system32\TDSSnmxh.log C:\windows\system32\TDSSsahc.dll C:\windows\system32\TDSSehys.log C:\windows\system32\TDSSwkod.log C:\WINDOWS\SYSTEM32\TDSSixgp.dll C:\WINDOWS\SYSTEM32\TDSSproc.log C:\WINDOWS\SYSTEM32\TDSSwkod.log c:\windows\system32\drivers\msqpdxserv.sys C:\resycled D:\resycled e:\resycled f:\resycled g:\resycled c:\windows\system32\TDSSweat.dat C:\WINDOWS\system32\drivers\TDSSmqlt.sys C:\windows\system32\drivers\tdssserv.sys C:\WINDOWS\system32\drivers\TDSSmact.sys C:\WINDOWS\system32\TDSSfpmp.dll C:\WINDOWS\system32\TDSSwpyd.dat C:\WINDOWS\system32\TDSStkdv.log C:\WINDOWS\system32\TDSSotxb.dll C:\WINDOWS\system32\TDSScrrn.dll C:\WINDOWS\system32\TDSSbvqh.dll C:\WINDOWS\system32\TDSSjnmx.dll c:\windows\system32\TDSShrxr.dll c:\windows\system32\TDSSkkbi.log c:\windows\system32\TDSSlrvd.dat c:\windows\system32\TDSSlxwp.dll c:\windows\system32\TDSSnmxh.log c:\windows\system32\TDSSoiqt.dll c:\windows\system32\TDSSrhyp.log c:\windows\system32\TDSSrtqp.dll c:\windows\system32\TDSSsihc.dll c:\windows\system32\TDSSxfum.dll c:\windows\system32\TDSSmtve.dat c:\windows\system32\TDSSnirj.dat Drivers to delete: TDSSmxoe.sys TDSSmxoe tdss tdssserv TDSSserv.SYS Service_TDSSSERV.SYS Legacy_TDSSSERV.SYS msqpdxserv.sys msqpdxserv Registry keys to delete: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata HKEY_LOCAL_MACHINE\SOFTWARE\tdss HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV
- In the avenger window, click the Paste Script from Clipboard icon, button.
- :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
- Click the Execute button.
- You will be asked Are you sure you want to execute the current script?.
- Click Yes.
- You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
- Click Yes.
- Your PC will now be rebooted.
- Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
- If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
- After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
=
After that is done, and assuming the system has been rebooted/restarted one time, I would much prefer for you to do another FULL Scan with MBAM --- but only after you have done the Update procedure ( by clicking Check for Updates). Watch to be sure the updates are all complete. There's a version 1.32 just recently released).
Please do a FULL Scan.
~~ Added the following ~~ Maurice
And next, one more run of Combofix. This time a fresh download and a rename of it before running it.
But first, delete the prior copy of Combo-fix.exe on your desktop ! We need to be sure to have latest copy.
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3
--------------------------------------------------------------------
After it is saved:
Double click on Combo-Fix.exe to start it & follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt in your next reply.
Download the Microsoft Malicious Software Removal Tool from the Microsoft Download Center and then run it.
http://www.microsoft.com/downloads/details...;displaylang=en
Additional information on this tool is here http://support.micro...om/?kbid=890830
=
Then when done, be sure your antivirus app is enabled again.
Reply with copy of the C:\Avenger.txt
latest MBAM log,
copy of C:\Combofix.txt
and a NEW HIJACKTHIS log.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
MS-MVP (Oct 2002 - Sept 2010)
#14
Posted 05 January 2009 - 08:26 PM
-
- Members
-
- 13 posts
New Member
Avenger.Txt:
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: file "c:\windows\system32\drivers\TDSSmxoe.sys" not found!
Deletion of file "c:\windows\system32\drivers\TDSSmxoe.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSSoitu.dll" not found!
Deletion of file "C:\windows\system32\TDSSoitu.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSSmtpe.dat" not found!
Deletion of file "C:\windows\system32\TDSSmtpe.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSScrxx.dll" not found!
Deletion of file "C:\windows\system32\TDSScrxx.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSSyaqu.dll" not found!
Deletion of file "C:\windows\system32\TDSSyaqu.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSSnpur.dll" not found!
Deletion of file "C:\windows\system32\TDSSnpur.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSSixgp.dll" not found!
Deletion of file "C:\windows\system32\TDSSixgp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSSnmxh.log" not found!
Deletion of file "C:\windows\system32\TDSSnmxh.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSSsahc.dll" not found!
Deletion of file "C:\windows\system32\TDSSsahc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSSehys.log" not found!
Deletion of file "C:\windows\system32\TDSSehys.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSSwkod.log" not found!
Deletion of file "C:\windows\system32\TDSSwkod.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\SYSTEM32\TDSSproc.log" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\TDSSproc.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\drivers\msqpdxserv.sys" not found!
Deletion of file "c:\windows\system32\drivers\msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\resycled" not found!
Deletion of file "C:\resycled" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: could not open file "D:\resycled"
Deletion of file "D:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "e:\resycled"
Deletion of file "e:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "f:\resycled"
Deletion of file "f:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "g:\resycled"
Deletion of file "g:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: file "c:\windows\system32\TDSSweat.dat" not found!
Deletion of file "c:\windows\system32\TDSSweat.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!
Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSfpmp.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSfpmp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSwpyd.dat" not found!
Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!
Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSotxb.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSScrrn.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSbvqh.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSbvqh.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSjnmx.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSjnmx.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSShrxr.dll" not found!
Deletion of file "c:\windows\system32\TDSShrxr.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSkkbi.log" not found!
Deletion of file "c:\windows\system32\TDSSkkbi.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSlrvd.dat" not found!
Deletion of file "c:\windows\system32\TDSSlrvd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSlxwp.dll" not found!
Deletion of file "c:\windows\system32\TDSSlxwp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSnmxh.log" not found!
Deletion of file "c:\windows\system32\TDSSnmxh.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSoiqt.dll" not found!
Deletion of file "c:\windows\system32\TDSSoiqt.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSrhyp.log" not found!
Deletion of file "c:\windows\system32\TDSSrhyp.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSrtqp.dll" not found!
Deletion of file "c:\windows\system32\TDSSrtqp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSsihc.dll" not found!
Deletion of file "c:\windows\system32\TDSSsihc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSxfum.dll" not found!
Deletion of file "c:\windows\system32\TDSSxfum.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSmtve.dat" not found!
Deletion of file "c:\windows\system32\TDSSmtve.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSnirj.dat" not found!
Deletion of file "c:\windows\system32\TDSSnirj.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSmxoe.sys" not found!
Deletion of driver "TDSSmxoe.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSmxoe" not found!
Deletion of driver "TDSSmxoe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdss" not found!
Deletion of driver "tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!
Deletion of driver "tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.SYS" not found!
Deletion of driver "TDSSserv.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Service_TDSSSERV.SYS" not found!
Deletion of driver "Service_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_TDSSSERV.SYS" not found!
Deletion of driver "Legacy_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv.sys" not found!
Deletion of driver "msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv" not found!
Deletion of driver "msqpdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys" deleted successfully.
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
Updated MBAM is now running. Will post output plus HJT logs when it finishes
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: file "c:\windows\system32\drivers\TDSSmxoe.sys" not found!
Deletion of file "c:\windows\system32\drivers\TDSSmxoe.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSSoitu.dll" not found!
Deletion of file "C:\windows\system32\TDSSoitu.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSSmtpe.dat" not found!
Deletion of file "C:\windows\system32\TDSSmtpe.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSScrxx.dll" not found!
Deletion of file "C:\windows\system32\TDSScrxx.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSSyaqu.dll" not found!
Deletion of file "C:\windows\system32\TDSSyaqu.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSSnpur.dll" not found!
Deletion of file "C:\windows\system32\TDSSnpur.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSSixgp.dll" not found!
Deletion of file "C:\windows\system32\TDSSixgp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSSnmxh.log" not found!
Deletion of file "C:\windows\system32\TDSSnmxh.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSSsahc.dll" not found!
Deletion of file "C:\windows\system32\TDSSsahc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSSehys.log" not found!
Deletion of file "C:\windows\system32\TDSSehys.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\TDSSwkod.log" not found!
Deletion of file "C:\windows\system32\TDSSwkod.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\SYSTEM32\TDSSproc.log" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\TDSSproc.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\drivers\msqpdxserv.sys" not found!
Deletion of file "c:\windows\system32\drivers\msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\resycled" not found!
Deletion of file "C:\resycled" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: could not open file "D:\resycled"
Deletion of file "D:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "e:\resycled"
Deletion of file "e:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "f:\resycled"
Deletion of file "f:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "g:\resycled"
Deletion of file "g:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: file "c:\windows\system32\TDSSweat.dat" not found!
Deletion of file "c:\windows\system32\TDSSweat.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!
Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSfpmp.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSfpmp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSwpyd.dat" not found!
Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!
Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSotxb.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSScrrn.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSbvqh.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSbvqh.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSjnmx.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSjnmx.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSShrxr.dll" not found!
Deletion of file "c:\windows\system32\TDSShrxr.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSkkbi.log" not found!
Deletion of file "c:\windows\system32\TDSSkkbi.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSlrvd.dat" not found!
Deletion of file "c:\windows\system32\TDSSlrvd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSlxwp.dll" not found!
Deletion of file "c:\windows\system32\TDSSlxwp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSnmxh.log" not found!
Deletion of file "c:\windows\system32\TDSSnmxh.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSoiqt.dll" not found!
Deletion of file "c:\windows\system32\TDSSoiqt.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSrhyp.log" not found!
Deletion of file "c:\windows\system32\TDSSrhyp.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSrtqp.dll" not found!
Deletion of file "c:\windows\system32\TDSSrtqp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSsihc.dll" not found!
Deletion of file "c:\windows\system32\TDSSsihc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSxfum.dll" not found!
Deletion of file "c:\windows\system32\TDSSxfum.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSmtve.dat" not found!
Deletion of file "c:\windows\system32\TDSSmtve.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\TDSSnirj.dat" not found!
Deletion of file "c:\windows\system32\TDSSnirj.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSmxoe.sys" not found!
Deletion of driver "TDSSmxoe.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSmxoe" not found!
Deletion of driver "TDSSmxoe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdss" not found!
Deletion of driver "tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!
Deletion of driver "tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.SYS" not found!
Deletion of driver "TDSSserv.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Service_TDSSSERV.SYS" not found!
Deletion of driver "Service_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_TDSSSERV.SYS" not found!
Deletion of driver "Legacy_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv.sys" not found!
Deletion of driver "msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv" not found!
Deletion of driver "msqpdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys" deleted successfully.
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
Updated MBAM is now running. Will post output plus HJT logs when it finishes
#15
Posted 05 January 2009 - 10:07 PM
-
- Members
-
- 13 posts
New Member
MBAM Log:
Malwarebytes' Anti-Malware 1.32
Database version: 1619
Windows 5.1.2600 Service Pack 3
1/5/2009 4:55:31 PM
mbam-log-2009-01-05 (16-55-31).txt
Scan type: Full Scan (C:\|)
Objects scanned: 142331
Time elapsed: 59 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
ComboFix is running now.
Malwarebytes' Anti-Malware 1.32
Database version: 1619
Windows 5.1.2600 Service Pack 3
1/5/2009 4:55:31 PM
mbam-log-2009-01-05 (16-55-31).txt
Scan type: Full Scan (C:\|)
Objects scanned: 142331
Time elapsed: 59 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
ComboFix is running now.
#16
Posted 06 January 2009 - 12:40 AM
-
- Members
-
- 13 posts
New Member
ComboFix Log:
ComboFix 09-01-05.02 - Chelsea 2009-01-05 17:03:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.318 [GMT -5:00]
Running from: c:\documents and settings\Chelsea\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.
2009-01-05 15:11 . 2001-11-23 00:00 57,344 --a------ c:\windows\SYSTEM32\brsvc01a.exe
2009-01-05 15:11 . 2001-12-13 00:01 45,056 --a------ c:\windows\SYSTEM32\brss01a.exe
2009-01-04 23:55 . 2009-01-04 23:55 578,560 --a------ c:\windows\SYSTEM32\DLLCACHE\user32.dll
2009-01-04 23:51 . 2009-01-04 23:51 <DIR> d-------- c:\windows\ERUNT
2009-01-04 23:46 . 2009-01-05 08:15 <DIR> d-------- C:\SDFix
2009-01-04 21:46 . 2009-01-04 23:14 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-01-04 14:35 . 2009-01-04 14:35 268 --ah----- C:\sqmdata10.sqm
2009-01-04 14:35 . 2009-01-04 14:35 244 --ah----- C:\sqmnoopt10.sqm
2009-01-03 17:11 . 2008-06-19 17:24 28,544 --a------ c:\windows\SYSTEM32\DRIVERS\pavboot.sys
2009-01-03 17:10 . 2009-01-03 17:10 <DIR> d-------- c:\program files\Panda Security
2009-01-03 08:08 . 2009-01-03 08:39 <DIR> d-------- c:\documents and settings\Chelsea\DoctorWeb
2009-01-02 09:44 . 2009-01-02 10:40 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-02 09:44 . 2009-01-02 09:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-01 00:27 . 2009-01-05 08:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 00:27 . 2009-01-04 18:38 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-01 00:27 . 2009-01-04 18:38 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-12-31 17:56 . 2008-12-31 17:56 <DIR> d-------- c:\windows\SYSTEM32\scripting
2008-12-31 17:56 . 2008-12-31 17:56 <DIR> d-------- c:\windows\SYSTEM32\en
2008-12-31 17:56 . 2008-12-31 17:56 <DIR> d-------- c:\windows\l2schemas
2008-12-31 10:42 . 2008-12-31 10:42 268 --ah----- C:\sqmdata09.sqm
2008-12-31 10:42 . 2008-12-31 10:42 244 --ah----- C:\sqmnoopt09.sqm
2008-12-28 21:37 . 2008-12-28 23:40 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-28 20:53 . 2009-01-05 08:08 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2008-12-28 20:53 . 2008-12-28 20:53 97,928 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2008-12-28 20:53 . 2008-12-28 20:53 76,040 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
2008-12-28 20:53 . 2008-12-28 20:53 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2008-12-28 18:43 . 2008-12-28 18:43 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\Malwarebytes
2008-12-28 18:43 . 2008-12-28 18:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-28 17:01 . 2008-12-28 17:01 <DIR> d-------- c:\program files\AVG
2008-12-28 17:01 . 2008-12-28 21:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-28 16:35 . 2009-01-04 14:23 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\U3
2008-12-28 16:32 . 2008-12-28 16:32 268 --ah----- C:\sqmdata08.sqm
2008-12-28 16:32 . 2008-12-28 16:32 244 --ah----- C:\sqmnoopt08.sqm
2008-12-28 16:20 . 2008-04-13 19:11 21,504 --a------ c:\windows\SYSTEM32\hidserv.dll
2008-12-28 16:20 . 2008-04-13 13:39 14,592 --a------ c:\windows\SYSTEM32\DRIVERS\kbdhid.sys
2008-12-28 16:20 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DRIVERS\mouhid.sys
2008-12-28 16:20 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DLLCACHE\mouhid.sys
2008-12-13 02:38 . 2008-12-13 02:38 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\HP
2008-12-13 02:33 . 2008-12-13 02:32 410,976 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-12-11 17:46 . 2008-12-11 17:46 <DIR> d-------- c:\program files\Tencent
2008-12-11 17:46 . 2008-12-11 17:46 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\Tencent
2008-12-11 17:46 . 2008-12-11 17:46 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\QQ Games
2008-12-11 17:28 . 2008-12-11 17:28 <DIR> d-------- c:\program files\AIMTunes
2008-12-11 17:02 . 2008-12-11 17:02 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2008-12-11 16:57 . 2008-12-11 16:57 <DIR> d-------- c:\program files\AIM Toolbar
2008-12-11 16:57 . 2008-12-11 16:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-12-11 16:57 . 2008-12-11 16:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-11 16:50 . 2008-12-18 17:57 2,242 --ah----- C:\IPH.PH
2008-12-10 07:01 . 2008-12-10 07:01 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 18:30 --------- d-----w c:\program files\MyPoints_PointAlert
2008-12-29 03:50 --------- d-----w c:\program files\vol_toolbar
2008-12-13 07:32 --------- d-----w c:\program files\Java
2008-12-13 06:40 3,593,216 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-11 22:47 --------- d-----w c:\program files\AIM6
2008-12-11 22:28 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-12-11 21:57 --------- d-----w c:\program files\Viewpoint
2008-12-11 21:57 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-11 21:56 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-11 03:52 --------- d-----w c:\program files\dl_Cats
2008-11-14 02:31 --------- d-----w c:\program files\Agent
2008-11-14 01:58 19,549 ----a-w c:\program files\Common Files\wavoridely.dll
2008-11-14 01:58 17,171 ----a-w c:\program files\Common Files\nopihawory.inf
2008-11-14 01:58 15,814 ----a-w c:\windows\ihytaxo.reg
2008-11-14 01:58 13,144 ----a-w c:\documents and settings\All Users\Application Data\ynukoqyroq.pif
2008-11-14 01:58 11,952 ----a-w c:\windows\SYSTEM32\oxirew.exe
2008-11-14 01:58 11,881 ----a-w c:\documents and settings\All Users\Application Data\ohufaral.vbs
2008-11-14 01:58 11,841 ----a-w c:\windows\SYSTEM32\raquzyceg.dll
2008-11-14 01:58 11,148 ----a-w c:\windows\ubunokeg.dll
2008-11-14 01:58 10,757 ----a-w c:\windows\yrogux.exe
2008-11-12 22:01 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2008-11-12 21:56 --------- d-----w c:\documents and settings\Eugene\Application Data\VersionTracker Pro
2008-11-11 23:56 --------- d-----w c:\program files\Sun
2008-11-11 22:16 18,595 ----a-w c:\windows\usec.exe
2008-11-11 22:16 18,112 ----a-w c:\windows\inelebam.com
2008-11-11 22:16 16,183 ----a-w c:\documents and settings\All Users\Application Data\jogahobegu.exe
2008-11-11 22:16 15,616 ----a-w c:\documents and settings\Chelsea\Application Data\akif.scr
2008-11-11 22:16 15,186 ----a-w c:\documents and settings\All Users\Application Data\zunuqoly.pif
2008-11-11 22:16 14,507 ----a-w c:\windows\nadolubim.vbs
2008-11-11 22:16 14,341 ----a-w c:\windows\SYSTEM32\kufinow.bin
2008-11-11 22:16 13,669 ----a-w c:\documents and settings\Chelsea\Application Data\fyzutevyzo.bat
2008-11-11 22:16 12,784 ----a-w c:\program files\Common Files\qatyracy.dl
2008-11-11 22:16 10,628 ----a-w c:\windows\etuca.reg
2008-11-11 22:16 10,623 ----a-w c:\documents and settings\All Users\Application Data\aticon.vbs
2008-11-11 22:16 10,442 ----a-w c:\program files\Common Files\bapib.sys
2008-11-09 12:04 19,609 ----a-w c:\program files\Common Files\qufacosyky.exe
2008-11-09 12:04 17,640 ----a-w c:\documents and settings\All Users\Application Data\uqeci.vbs
2008-11-09 12:04 16,128 ----a-w c:\windows\retowemo.dll
2008-11-09 12:04 15,874 ----a-w c:\windows\SYSTEM32\mewo.bat
2008-11-09 12:04 14,703 ----a-w c:\windows\ikuquwapax.vbs
2008-11-09 12:04 14,437 ----a-w c:\windows\egit.bat
2008-11-09 12:04 12,751 ----a-w c:\program files\Common Files\hili.db
2008-11-09 12:04 10,621 ----a-w c:\windows\podoby.pif
2008-10-24 11:21 455,296 ------w c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\SYSTEM32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\SYSTEM32\DLLCACHE\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2008-09-18 00:32 61,224 ----a-w c:\documents and settings\Chelsea\GoToAssistDownloadHelper.exe
2005-10-13 23:24 848 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2009-01-04_14.58.57.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-01-05 04:51:59 7,168,000 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2009-01-05 04:51:59 204,800 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-01-05 04:51:40 7,168,000 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2009-01-05 04:51:41 204,800 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2009-01-01 02:07:13 209,696 ----a-w c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2009-01-05 04:49:16 209,696 ----a-w c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2007-07-27 19:49:02 196,683 ----a-w c:\windows\SYSTEM32\lnod32apiA.dll
+ 2007-07-27 19:49:02 225,355 ----a-w c:\windows\SYSTEM32\lnod32apiW.dll
+ 2005-12-06 00:25:22 139,264 ----a-w c:\windows\SYSTEM32\lnod32umc.dll
+ 2005-12-05 17:37:10 106,496 ----a-w c:\windows\SYSTEM32\lnod32upd.dll
+ 2008-02-11 14:39:26 253,952 ----a-w c:\windows\SYSTEM32\OnlineScannerDLLA.dll
+ 2008-02-11 14:39:18 237,568 ----a-w c:\windows\SYSTEM32\OnlineScannerDLLW.dll
+ 2008-02-08 18:53:46 110,592 ----a-w c:\windows\SYSTEM32\OnlineScannerLang.dll
+ 2008-02-05 13:48:04 77,824 ----a-w c:\windows\SYSTEM32\OnlineScannerUninstaller.exe
+ 2009-01-05 20:18:19 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_27c.dat
+ 2009-01-05 20:19:13 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_b60.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2003-05-19 577536]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]
"mmtask"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-06-06 936960]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-09-16 274432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-09-09 155648]
"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2006-02-24 73728]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-11-16 2065648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-28 1261336]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-08-07 36953]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-10-03 54512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karna.dat,avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2006-01-17 13:03 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-01-17 13:03 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-09-09 21:34 155648 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-09-18 11:24 26112 c:\program files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-05-13 16:01 100056 c:\progra~1\SYMNET~1\SNDMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\GameHouse\\GemDrop\\GemDrop.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\dlcdcoms.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\icuii\\icuii4\\icuii4.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"c:\\Program Files\\nanoCom Corporation\\iSpQ VideoChat\\iSpQ VideoChat.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [2009-01-03 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2008-12-28 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-28 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-28 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2008-12-28 76040]
R4 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-11 24652]
S0 blmzwnjk;blmzwnjk;c:\windows\system32\drivers\utkptonn.sys --> c:\windows\system32\drivers\utkptonn.sys [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\SYSTEM32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 PAC207;PC Camer@;c:\windows\SYSTEM32\DRIVERS\PFC027.SYS [2007-04-12 507264]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\SYSTEM32\dllhost.exe [2004-03-19 5120]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{494da8d0-d527-11dd-b008-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77b582fa-d997-11dd-b018-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-01-05 c:\windows\Tasks\User_Feed_Synchronization-{67706B46-A1FC-4F17-A6BF-8A9B738E6AAB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
IE: &Search
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: MyPoints - file://c:\program files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html
- c:\windows\Downloaded Program Files\ScriptX.inf
c:\windows\Downloaded Program Files\PerformanceOptimizerPre_Installer.exe - O16 -: {19D3515E-1618-9B6F-7500-A20729FB601B}
hxxp://performanceoptimizer.com/files/PerformanceOptimizerPre_Installer.cab
c:\windows\Downloaded Program Files\PerformanceOptimizerPre_Installer.inf
c:\windows\Downloaded Program Files\DDPrilosec.1.0.0.30.dll - O16 -: {EEA3945F-2702-45A0-BBE1-BC88E252AED1}
hxxp://www.lifetimetv.com/games/dinerdash/DDPrilosec.1.0.0.30.cab
c:\windows\Downloaded Program Files\DDPrilosec.1.0.0.30.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 17:07:44
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\avgrsstx.dll
- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-01-05 17:10:57
ComboFix-quarantined-files.txt 2009-01-05 22:10:16
Pre-Run: 20,213,305,344 bytes free
Post-Run: 20,156,407,808 bytes free
315 --- E O F --- 2009-01-03 03:00:58
MS Tool didn't detect anything
HiJack This log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:55 PM, on 1/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
F:\HiJackThis-202.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...20Installer.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.bestmark....ort/ScriptX.cab
O16 - DPF: {19D3515E-1618-9B6F-7500-A20729FB601B} - http://performanceoptimizer.com/files/Perf...e_Installer.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {EEA3945F-2702-45A0-BBE1-BC88E252AED1} (CPlayFirstDDPrilosecControl Object) - http://www.lifetimetv.com/games/dinerdash/...ec.1.0.0.30.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat,avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 14143 bytes
The machine seems to be running OK. I am going to leave it on for a bit to see if anything re-appears or not.
ComboFix 09-01-05.02 - Chelsea 2009-01-05 17:03:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.318 [GMT -5:00]
Running from: c:\documents and settings\Chelsea\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.
2009-01-05 15:11 . 2001-11-23 00:00 57,344 --a------ c:\windows\SYSTEM32\brsvc01a.exe
2009-01-05 15:11 . 2001-12-13 00:01 45,056 --a------ c:\windows\SYSTEM32\brss01a.exe
2009-01-04 23:55 . 2009-01-04 23:55 578,560 --a------ c:\windows\SYSTEM32\DLLCACHE\user32.dll
2009-01-04 23:51 . 2009-01-04 23:51 <DIR> d-------- c:\windows\ERUNT
2009-01-04 23:46 . 2009-01-05 08:15 <DIR> d-------- C:\SDFix
2009-01-04 21:46 . 2009-01-04 23:14 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-01-04 14:35 . 2009-01-04 14:35 268 --ah----- C:\sqmdata10.sqm
2009-01-04 14:35 . 2009-01-04 14:35 244 --ah----- C:\sqmnoopt10.sqm
2009-01-03 17:11 . 2008-06-19 17:24 28,544 --a------ c:\windows\SYSTEM32\DRIVERS\pavboot.sys
2009-01-03 17:10 . 2009-01-03 17:10 <DIR> d-------- c:\program files\Panda Security
2009-01-03 08:08 . 2009-01-03 08:39 <DIR> d-------- c:\documents and settings\Chelsea\DoctorWeb
2009-01-02 09:44 . 2009-01-02 10:40 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-02 09:44 . 2009-01-02 09:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-01 00:27 . 2009-01-05 08:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 00:27 . 2009-01-04 18:38 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-01 00:27 . 2009-01-04 18:38 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-12-31 17:56 . 2008-12-31 17:56 <DIR> d-------- c:\windows\SYSTEM32\scripting
2008-12-31 17:56 . 2008-12-31 17:56 <DIR> d-------- c:\windows\SYSTEM32\en
2008-12-31 17:56 . 2008-12-31 17:56 <DIR> d-------- c:\windows\l2schemas
2008-12-31 10:42 . 2008-12-31 10:42 268 --ah----- C:\sqmdata09.sqm
2008-12-31 10:42 . 2008-12-31 10:42 244 --ah----- C:\sqmnoopt09.sqm
2008-12-28 21:37 . 2008-12-28 23:40 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-28 20:53 . 2009-01-05 08:08 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2008-12-28 20:53 . 2008-12-28 20:53 97,928 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2008-12-28 20:53 . 2008-12-28 20:53 76,040 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
2008-12-28 20:53 . 2008-12-28 20:53 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2008-12-28 18:43 . 2008-12-28 18:43 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\Malwarebytes
2008-12-28 18:43 . 2008-12-28 18:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-28 17:01 . 2008-12-28 17:01 <DIR> d-------- c:\program files\AVG
2008-12-28 17:01 . 2008-12-28 21:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-28 16:35 . 2009-01-04 14:23 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\U3
2008-12-28 16:32 . 2008-12-28 16:32 268 --ah----- C:\sqmdata08.sqm
2008-12-28 16:32 . 2008-12-28 16:32 244 --ah----- C:\sqmnoopt08.sqm
2008-12-28 16:20 . 2008-04-13 19:11 21,504 --a------ c:\windows\SYSTEM32\hidserv.dll
2008-12-28 16:20 . 2008-04-13 13:39 14,592 --a------ c:\windows\SYSTEM32\DRIVERS\kbdhid.sys
2008-12-28 16:20 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DRIVERS\mouhid.sys
2008-12-28 16:20 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DLLCACHE\mouhid.sys
2008-12-13 02:38 . 2008-12-13 02:38 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\HP
2008-12-13 02:33 . 2008-12-13 02:32 410,976 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-12-11 17:46 . 2008-12-11 17:46 <DIR> d-------- c:\program files\Tencent
2008-12-11 17:46 . 2008-12-11 17:46 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\Tencent
2008-12-11 17:46 . 2008-12-11 17:46 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\QQ Games
2008-12-11 17:28 . 2008-12-11 17:28 <DIR> d-------- c:\program files\AIMTunes
2008-12-11 17:02 . 2008-12-11 17:02 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2008-12-11 16:57 . 2008-12-11 16:57 <DIR> d-------- c:\program files\AIM Toolbar
2008-12-11 16:57 . 2008-12-11 16:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-12-11 16:57 . 2008-12-11 16:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-11 16:50 . 2008-12-18 17:57 2,242 --ah----- C:\IPH.PH
2008-12-10 07:01 . 2008-12-10 07:01 <DIR> d-------- c:\documents and settings\Chelsea\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 18:30 --------- d-----w c:\program files\MyPoints_PointAlert
2008-12-29 03:50 --------- d-----w c:\program files\vol_toolbar
2008-12-13 07:32 --------- d-----w c:\program files\Java
2008-12-13 06:40 3,593,216 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-11 22:47 --------- d-----w c:\program files\AIM6
2008-12-11 22:28 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-12-11 21:57 --------- d-----w c:\program files\Viewpoint
2008-12-11 21:57 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-11 21:56 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-11 03:52 --------- d-----w c:\program files\dl_Cats
2008-11-14 02:31 --------- d-----w c:\program files\Agent
2008-11-14 01:58 19,549 ----a-w c:\program files\Common Files\wavoridely.dll
2008-11-14 01:58 17,171 ----a-w c:\program files\Common Files\nopihawory.inf
2008-11-14 01:58 15,814 ----a-w c:\windows\ihytaxo.reg
2008-11-14 01:58 13,144 ----a-w c:\documents and settings\All Users\Application Data\ynukoqyroq.pif
2008-11-14 01:58 11,952 ----a-w c:\windows\SYSTEM32\oxirew.exe
2008-11-14 01:58 11,881 ----a-w c:\documents and settings\All Users\Application Data\ohufaral.vbs
2008-11-14 01:58 11,841 ----a-w c:\windows\SYSTEM32\raquzyceg.dll
2008-11-14 01:58 11,148 ----a-w c:\windows\ubunokeg.dll
2008-11-14 01:58 10,757 ----a-w c:\windows\yrogux.exe
2008-11-12 22:01 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2008-11-12 21:56 --------- d-----w c:\documents and settings\Eugene\Application Data\VersionTracker Pro
2008-11-11 23:56 --------- d-----w c:\program files\Sun
2008-11-11 22:16 18,595 ----a-w c:\windows\usec.exe
2008-11-11 22:16 18,112 ----a-w c:\windows\inelebam.com
2008-11-11 22:16 16,183 ----a-w c:\documents and settings\All Users\Application Data\jogahobegu.exe
2008-11-11 22:16 15,616 ----a-w c:\documents and settings\Chelsea\Application Data\akif.scr
2008-11-11 22:16 15,186 ----a-w c:\documents and settings\All Users\Application Data\zunuqoly.pif
2008-11-11 22:16 14,507 ----a-w c:\windows\nadolubim.vbs
2008-11-11 22:16 14,341 ----a-w c:\windows\SYSTEM32\kufinow.bin
2008-11-11 22:16 13,669 ----a-w c:\documents and settings\Chelsea\Application Data\fyzutevyzo.bat
2008-11-11 22:16 12,784 ----a-w c:\program files\Common Files\qatyracy.dl
2008-11-11 22:16 10,628 ----a-w c:\windows\etuca.reg
2008-11-11 22:16 10,623 ----a-w c:\documents and settings\All Users\Application Data\aticon.vbs
2008-11-11 22:16 10,442 ----a-w c:\program files\Common Files\bapib.sys
2008-11-09 12:04 19,609 ----a-w c:\program files\Common Files\qufacosyky.exe
2008-11-09 12:04 17,640 ----a-w c:\documents and settings\All Users\Application Data\uqeci.vbs
2008-11-09 12:04 16,128 ----a-w c:\windows\retowemo.dll
2008-11-09 12:04 15,874 ----a-w c:\windows\SYSTEM32\mewo.bat
2008-11-09 12:04 14,703 ----a-w c:\windows\ikuquwapax.vbs
2008-11-09 12:04 14,437 ----a-w c:\windows\egit.bat
2008-11-09 12:04 12,751 ----a-w c:\program files\Common Files\hili.db
2008-11-09 12:04 10,621 ----a-w c:\windows\podoby.pif
2008-10-24 11:21 455,296 ------w c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\SYSTEM32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\SYSTEM32\DLLCACHE\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2008-09-18 00:32 61,224 ----a-w c:\documents and settings\Chelsea\GoToAssistDownloadHelper.exe
2005-10-13 23:24 848 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2009-01-04_14.58.57.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-01-05 04:51:59 7,168,000 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2009-01-05 04:51:59 204,800 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-01-05 04:51:40 7,168,000 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2009-01-05 04:51:41 204,800 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2009-01-01 02:07:13 209,696 ----a-w c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2009-01-05 04:49:16 209,696 ----a-w c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2007-07-27 19:49:02 196,683 ----a-w c:\windows\SYSTEM32\lnod32apiA.dll
+ 2007-07-27 19:49:02 225,355 ----a-w c:\windows\SYSTEM32\lnod32apiW.dll
+ 2005-12-06 00:25:22 139,264 ----a-w c:\windows\SYSTEM32\lnod32umc.dll
+ 2005-12-05 17:37:10 106,496 ----a-w c:\windows\SYSTEM32\lnod32upd.dll
+ 2008-02-11 14:39:26 253,952 ----a-w c:\windows\SYSTEM32\OnlineScannerDLLA.dll
+ 2008-02-11 14:39:18 237,568 ----a-w c:\windows\SYSTEM32\OnlineScannerDLLW.dll
+ 2008-02-08 18:53:46 110,592 ----a-w c:\windows\SYSTEM32\OnlineScannerLang.dll
+ 2008-02-05 13:48:04 77,824 ----a-w c:\windows\SYSTEM32\OnlineScannerUninstaller.exe
+ 2009-01-05 20:18:19 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_27c.dat
+ 2009-01-05 20:19:13 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_b60.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2003-05-19 577536]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]
"mmtask"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-06-06 936960]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-09-16 274432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-09-09 155648]
"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2006-02-24 73728]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-11-16 2065648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-28 1261336]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-08-07 36953]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-10-03 54512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karna.dat,avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2006-01-17 13:03 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-01-17 13:03 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-09-09 21:34 155648 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-09-18 11:24 26112 c:\program files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-05-13 16:01 100056 c:\progra~1\SYMNET~1\SNDMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\GameHouse\\GemDrop\\GemDrop.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\dlcdcoms.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\icuii\\icuii4\\icuii4.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"c:\\Program Files\\nanoCom Corporation\\iSpQ VideoChat\\iSpQ VideoChat.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [2009-01-03 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2008-12-28 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-28 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-28 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2008-12-28 76040]
R4 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-11 24652]
S0 blmzwnjk;blmzwnjk;c:\windows\system32\drivers\utkptonn.sys --> c:\windows\system32\drivers\utkptonn.sys [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\SYSTEM32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 PAC207;PC Camer@;c:\windows\SYSTEM32\DRIVERS\PFC027.SYS [2007-04-12 507264]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\SYSTEM32\dllhost.exe [2004-03-19 5120]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{494da8d0-d527-11dd-b008-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77b582fa-d997-11dd-b018-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-01-05 c:\windows\Tasks\User_Feed_Synchronization-{67706B46-A1FC-4F17-A6BF-8A9B738E6AAB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
IE: &Search
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: MyPoints - file://c:\program files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html
- c:\windows\Downloaded Program Files\ScriptX.inf
c:\windows\Downloaded Program Files\PerformanceOptimizerPre_Installer.exe - O16 -: {19D3515E-1618-9B6F-7500-A20729FB601B}
hxxp://performanceoptimizer.com/files/PerformanceOptimizerPre_Installer.cab
c:\windows\Downloaded Program Files\PerformanceOptimizerPre_Installer.inf
c:\windows\Downloaded Program Files\DDPrilosec.1.0.0.30.dll - O16 -: {EEA3945F-2702-45A0-BBE1-BC88E252AED1}
hxxp://www.lifetimetv.com/games/dinerdash/DDPrilosec.1.0.0.30.cab
c:\windows\Downloaded Program Files\DDPrilosec.1.0.0.30.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 17:07:44
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\avgrsstx.dll
- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-01-05 17:10:57
ComboFix-quarantined-files.txt 2009-01-05 22:10:16
Pre-Run: 20,213,305,344 bytes free
Post-Run: 20,156,407,808 bytes free
315 --- E O F --- 2009-01-03 03:00:58
MS Tool didn't detect anything
HiJack This log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:55 PM, on 1/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
F:\HiJackThis-202.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...20Installer.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.bestmark....ort/ScriptX.cab
O16 - DPF: {19D3515E-1618-9B6F-7500-A20729FB601B} - http://performanceoptimizer.com/files/Perf...e_Installer.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {EEA3945F-2702-45A0-BBE1-BC88E252AED1} (CPlayFirstDDPrilosecControl Object) - http://www.lifetimetv.com/games/dinerdash/...ec.1.0.0.30.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat,avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 14143 bytes
The machine seems to be running OK. I am going to leave it on for a bit to see if anything re-appears or not.
#17
Posted 06 January 2009 - 01:28 AM
-
- Moderators
-
- 4,234 posts
Eradicator de logiciels malveillants
- Gender:Male
- Location:USA
- Interests:Security, Windows, Windows Update, malware prevention
Hello Dale,
De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader. Get the latest version from http://www.adobe.com.../readstep2.html
Did this pc at one time have Norton Personal Firewall and Norton/Symantec Internet Security?
There is one component of it left as indicated by the HJT log (and prior entries) but was not critical while we were clearing the TDSS issues (which are now gone).
Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
Please advise if you've removed Norton/Symantec apps.
Download DDS and save it to your desktop from http://www.techsuppo...ctools/sUBs/dds here or
http://download.blee...om/sUBs/dds.scr or
http://www.forospyware.com/sUBs/dds
Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
Please include just Attach.txt in your next reply.
Re-enable any antivirus component you had disabled.
=
I beliveve you'd told me this system has a Brother printer. I see the 2 drivers are back in place, which is a relief.
The results of the Avenger run are great, and of course the MBAM is all clear. The TDSS is all gone.
Sometime soon, I'll give you directions to remove the tools we used. Wait for that and don't remove any on your own.
De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader. Get the latest version from http://www.adobe.com.../readstep2.html
Did this pc at one time have Norton Personal Firewall and Norton/Symantec Internet Security?
There is one component of it left as indicated by the HJT log (and prior entries) but was not critical while we were clearing the TDSS issues (which are now gone).
Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
Please advise if you've removed Norton/Symantec apps.
Download DDS and save it to your desktop from http://www.techsuppo...ctools/sUBs/dds here or
http://download.blee...om/sUBs/dds.scr or
http://www.forospyware.com/sUBs/dds
Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
- When done, DDS will open two (2) logs:
- DDS.txt
- Attach.txt
Please include just Attach.txt in your next reply.
Re-enable any antivirus component you had disabled.
=
I beliveve you'd told me this system has a Brother printer. I see the 2 drivers are back in place, which is a relief.
The results of the Avenger run are great, and of course the MBAM is all clear. The TDSS is all gone.
Sometime soon, I'll give you directions to remove the tools we used. Wait for that and don't remove any on your own.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
MS-MVP (Oct 2002 - Sept 2010)
#18
Posted 06 January 2009 - 02:18 PM
-
- Members
-
- 13 posts
New Member
Maurice Naggar, on Jan 5 2009, 08:28 PM, said:
Hello Dale,
De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader. Get the latest version from http://www.adobe.com.../readstep2.html
Did this pc at one time have Norton Personal Firewall and Norton/Symantec Internet Security?
There is one component of it left as indicated by the HJT log (and prior entries) but was not critical while we were clearing the TDSS issues (which are now gone).
Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
Please advise if you've removed Norton/Symantec apps.
Download DDS and save it to your desktop from http://www.techsuppo...ctools/sUBs/dds here or
http://download.blee...om/sUBs/dds.scr or
http://www.forospyware.com/sUBs/dds
Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
Please include just Attach.txt in your next reply.
Re-enable any antivirus component you had disabled.
=
I beliveve you'd told me this system has a Brother printer. I see the 2 drivers are back in place, which is a relief.
The results of the Avenger run are great, and of course the MBAM is all clear. The TDSS is all gone.
Sometime soon, I'll give you directions to remove the tools we used. Wait for that and don't remove any on your own.
De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader. Get the latest version from http://www.adobe.com.../readstep2.html
Did this pc at one time have Norton Personal Firewall and Norton/Symantec Internet Security?
There is one component of it left as indicated by the HJT log (and prior entries) but was not critical while we were clearing the TDSS issues (which are now gone).
Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
Please advise if you've removed Norton/Symantec apps.
Download DDS and save it to your desktop from http://www.techsuppo...ctools/sUBs/dds here or
http://download.blee...om/sUBs/dds.scr or
http://www.forospyware.com/sUBs/dds
Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
- When done, DDS will open two (2) logs:
- DDS.txt
- Attach.txt
Please include just Attach.txt in your next reply.
Re-enable any antivirus component you had disabled.
=
I beliveve you'd told me this system has a Brother printer. I see the 2 drivers are back in place, which is a relief.
The results of the Avenger run are great, and of course the MBAM is all clear. The TDSS is all gone.
Sometime soon, I'll give you directions to remove the tools we used. Wait for that and don't remove any on your own.
There's a light at the end of this tunnel, eh?
I removed/updated Adobe Acrobat from v7 to v9.
I don't know if Symantec was on here before or not. It's quite possible it was, but this isn't my computer, so I don't know the history.
I dug around and found out the password for the encrypted Avenger.zip file and restored the Brother printer drivers....
Attach.txt:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Version 1.0)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 8/11/2004 9:54:06 PM
System Uptime: 1/5/2009 7:33:57 PM (14 hours ago)
Motherboard: Dell Computer Corp. | | 0G1548
Processor: Intel® Celeron® CPU 2.40GHz | Microprocessor | 2393/400mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 34 GiB total, 18.493 GiB free.
D: is CDROM ()
E: is CDROM (CDFS)
F: is Removable
==== Disabled Device Manager Items =============
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: WAN Miniport (ATW)
Device ID: ROOT\NET\0001
Manufacturer: America Online, Inc.
Name: WAN Miniport (ATW) #2
PNP Device ID: ROOT\NET\0001
Service: wanatw
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: PlayLinc Adapter
Device ID: ROOT\NET\0002
Manufacturer: Super Computer Inc.
Name: PlayLinc Adapter
PNP Device ID: ROOT\NET\0002
Service: hamachi_oem
==== System Restore Points ===================
RP895: 1/2/2009 9:47:19 AM - System Checkpoint
RP896: 1/4/2009 2:43:08 PM - ComboFix created restore point
RP897: 1/5/2009 5:03:01 PM - ComboFix created restore point
RP898: 1/6/2009 8:27:02 AM - Removed Adobe Reader 7.0.9
RP899: 1/6/2009 8:35:22 AM - Installed Adobe Reader 9.
==== Installed Programs ======================
5600
5600_Help
5600Trb
Acrobat.com
Adobe AIR
Adobe Flash Player ActiveX
Adobe Reader 9
AIM 6
AIM Toolbar
AiO_Scan
AiOSoftware
AOL Coach Version 1.0(Build:20030807.3)
AOL Toolbar 4.0
AOL Uninstaller (Choose which Products to Remove)
Authentium AntiVirus SDK - 2
AVG Free 8.0
Banctec Service Agreement
Broadcom Management Programs
Brother 1440
Brownie
BufferChm
CCleaner (remove only)
Chessmaster 10th Edition Demo
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
Custom Info
CustomerResearchQFolder
Dell Digital Jukebox Driver
Dell Media Experience
Dell Networking Guide
Dell Photo Printer 720
Dell Solution Center
DellSupport
Destinations
DeviceManagementQFolder
DocProc
DriveCleaner Freeware 1.0.111.0
DriverAgent by TouchStone Software
EarthLink Common
EarthLink FastLane
EarthLink IM
EarthLink MailBox
EarthLink MDAC
EarthLink Popup Blocker
EarthLink Redistributed
EarthLink Setup
EarthLink Setup Files
EarthLink TAR
EarthLink TotalAccess 2003
EarthLink Update Manager
EarthLink Webspace
ESET Online Scanner
eSupportQFolder
Fax
GdiplusUpgrade
Get High Speed Internet!
getPlus® for Adobe
Google Talk (remove only)
Google Toolbar for Internet Explorer
Help and Support Customization
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
HP Extended Capabilities 5.3
HP Imaging Device Functions 5.3
HP Photosmart Essential
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
ICUII 4.0
Intel® 537EP V9x DF PCI Modem
Intel® Extreme Graphics Driver
Internet Explorer Default Page
iPod for Windows 2005-09-23
iSpQ VideoChat
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 10
Java™ 6 Update 3
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
Modem Event Monitor
Modem Helper
Modem On Hold
MSN Toolbar
MSSoap
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch® Jukebox
MyPoints Point Alert!
MySpaceIM
NewCopy
OpenOffice.org Installer 1.0
Panda ActiveScan 2.0
PC CIF Camer@
PhoTags Express
PlayLinc
PPSDKRedistributables
ProductContext
QuickTime
Radialpoint Security Services
Readme
RealArcade
RealPlayer Basic
Scan
ScannerCopy
Security Advisor
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Shockwave
Smart Menus (Windows Live Toolbar)
SolutionCenter
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy
Status
Super Gem Drop
Symantec Network Drivers Update
The Weather Channel Desktop
TrayApp
Unload
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Verizon Broadband Toolbar
Verizon Online Help and Support
Verizon PC Security Checkup
Verizon Servicepoint 1.5.20
Viewpoint Media Player
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Internet Explorer 7
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Writer
Windows Media Format Runtime
Windows XP Service Pack 3
WinZip
WordPerfect Office 12
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Music Jukebox
Yahoo! Toolbar
==== Event Viewer Messages From Past Week ========
1/1/2009 9:31:28 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/1/2009 12:46:19 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
1/1/2009 12:26:40 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
1/1/2009 12:20:00 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
12/31/2008 11:58:17 AM, error: Print [19] - Sharing printer failed + 1722, Printer ChoosethisBrother HL-1440 series share name Printer3.
1/3/2009 9:50:09 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
1/3/2009 9:56:11 AM, error: System Error [1003] - Error code 1000000a, parameter1 00000023, parameter2 00000002, parameter3 00000000, parameter4 804f434e.
1/5/2009 4:55:57 PM, error: PlugPlayManager [11] - The device Root\LEGACY_YJIV\0000 disappeared from the system without first being prepared for removal.
==== End Of File ===========================
#19
Posted 07 January 2009 - 02:23 AM
-
- Moderators
-
- 4,234 posts
Eradicator de logiciels malveillants
- Gender:Male
- Location:USA
- Interests:Security, Windows, Windows Update, malware prevention
One bit of housekeeping to remove older versions of Java.
This system has an old version of Java Run-time.
Uninstall jre1.6 (or any earlier) + any other (JRE Runtime Environment ) Sun Java package via Add/Remove Programs.
If you see any other Java versions there,
such as
J2SE Runtime Environment 5.0
Java SE Runtime Environment
Java 6
uninstall all of them. After uninstalling, reboot if directed to do so.
In Windows Explorer, navigate to and delete C:\Program Files\Java <=this folder, if found.
> In top of the page (first in the list), click on the Download button to the right of Java Runtime Environment (JRE) 6 Update 11
> If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content; You do not have to install the Java Web Start ActiveX Control
> Accept the license agreement
> Click on Windows Offline Installation, Multi-language and Save the file to your desktop; do not Run it.
When the download is complete, close all browser windows and double-click on the saved file to install the update.
If you were /not/ prompted to reboot, please do so now.
To test your Java Run-time, you may go to this page http://www.javatester.org/version.html
When all is well, you should see Java Version: 1.6.0_11 from Sun Microsystems Inc.
=
I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.
The following few steps will remove tools we used; followed by advice on staying safer.
We have to remove Combofix and all its associated folders. By whichever name you named it, (either Combofix or Combo-fix), put that name in the RUN box stated just below. The "/u" in the Run line below is to start Combofix for it's cleanup & removal function.
The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.
Download and install Comodo BOClean (free): http://www.comodo.co...O_download.html
Download, install, and keep updated Spyware Blaster (free): http://www.javacools...areblaster.html (all Protections should be enabled at all times)
I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
See the FAQ page http://mvps.org/winh...02/hostsfaq.htm
That would help to keep your browser away from known spyware/malware sites.
Make regular backups of your system to removable media: DVD, USB external hard drive, etc.
On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
Kaspersky Webscan Online Virus Scanner
ESET Online Scanner
Panda ActiveScan?
Trend Micro Housecall
F-Secure Online Scanner
Read Tony Klein's article How Did I Get Infected In The First Place
Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe !
Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingc...tutorial82.html We are finished here. All the best.
This system has an old version of Java Run-time.
Uninstall jre1.6 (or any earlier) + any other (JRE Runtime Environment ) Sun Java package via Add/Remove Programs.
If you see any other Java versions there,
such as
J2SE Runtime Environment 5.0
Java SE Runtime Environment
Java 6
uninstall all of them. After uninstalling, reboot if directed to do so.
In Windows Explorer, navigate to and delete C:\Program Files\Java <=this folder, if found.
- Do NOT delete C:\Program Files\JavaVM <=this folder, if found!
> In top of the page (first in the list), click on the Download button to the right of Java Runtime Environment (JRE) 6 Update 11
> If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content; You do not have to install the Java Web Start ActiveX Control
> Accept the license agreement
> Click on Windows Offline Installation, Multi-language and Save the file to your desktop; do not Run it.
When the download is complete, close all browser windows and double-click on the saved file to install the update.
- Tip: Choose Custom install to select only the part(s) you need/want.
If you were /not/ prompted to reboot, please do so now.
To test your Java Run-time, you may go to this page http://www.javatester.org/version.html
When all is well, you should see Java Version: 1.6.0_11 from Sun Microsystems Inc.
=
I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.
The following few steps will remove tools we used; followed by advice on staying safer.
We have to remove Combofix and all its associated folders. By whichever name you named it, (either Combofix or Combo-fix), put that name in the RUN box stated just below. The "/u" in the Run line below is to start Combofix for it's cleanup & removal function.
The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.
- Click Start, then click Run.
In the command box that opens, type or copy/paste combo-fix.exe /u and then click OK.
Note the space after EXE and before the slash. Your copy of the tool is named combo-fix.exe
- You already have OTMoveIt3 by OldTimer:
- Please double-click OTMoveIt3.exe to start it.
- Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
- This step removes the files, folders, and shortcuts created by the tools I had you download and run.
- Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.
- Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
- Check in at Windows Update and install any Critical Updates offered.
- Download and Install Windows Defender by Microsoft (free) if you do not already have it:
http://www.microsoft.com/downloads/details...A4-F7F14E605A0D
- Make certain that Automatic Updates is enabled.
- How to configure and use Automatic Updates in WinXP:
http://support.microsoft.com/kb/306525
See the FAQ page http://mvps.org/winh...02/hostsfaq.htm
That would help to keep your browser away from known spyware/malware sites.
On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
Kaspersky Webscan Online Virus Scanner
ESET Online Scanner
Panda ActiveScan?
Trend Micro Housecall
F-Secure Online Scanner
Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingc...tutorial82.html
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
MS-MVP (Oct 2002 - Sept 2010)
#20
Posted 07 January 2009 - 07:55 PM
-
- Members
-
- 13 posts
New Member
Got it all. Thanks for all your help!
1 user(s) are reading this topic
0 members, 1 guests, 0 anonymous users
