tallisall

Honorary Members
  • Content count: 52
  • Rank: Regular Member
  1. Hi, I know you are extremely busy based on the number of posts I am seeing. It has been approx. 70 hours since my post. Thanks for the help in advance.
  2. A friend brought me his infected machine for help because he knew that I have received help from your forum before and knew how to post here. I downloaded a new copy of mbam.exe to my machine, copied it to a thumb drive and then to his desktop. When I tried to double-click to start the installation this message came up: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I have downloaded and tried to run the following programs: Malwarebytes, HiJackThis, ComboFix, Process Explorer, Security Check, Root Repeal, and OTL.exe. I have tried to run them in safe mode as well. In safe mode I don't get that message, but instead get a popup window with "desot.exe Application Error" on the blue bar and the message "the application failed to initialize properly". I have to click on it twice to close it. I right-clicked on Start, picked Explore and was able to look at the files in windows and system32. I had previously changed the settings in Control Panel to show hidden files, extensions and system files. I found the desot.exe in system32 along with dddesot.dll. There are some other DLLs and .dat files that were installed the same day (9-20-09). The machine is an HP Pavilion, XP Home SP2, AMD Athlon 3 GHz, and 1 GB RAM. I know that I am in way over my head so I am asking the forum for help. Thanks in advance.
  3. Hi screen317, Sorry to not have posted back before, but I still have not gotten in touch with her. Please keep this active for another day or so and I will give you an answer. Again, sorry for the delay. I know you folks are busy.
  4. Hi screen317, Downloaded and did manual update to mbam in safe mode then ran it. It did not find anything. I can backup her data to ext hd in safe mode and if she has her recovery disks we will probably do as you suggest. I will post tomorrow on laptop's status. Thanks for all the help. MBAM log below.
     Malwarebytes' Anti-Malware 1.40
     Database version: 2667
     Windows 6.0.6001 Service Pack 1 (Safe Mode)
     8/21/2009 6:09:33 PM
     mbam-log-2009-08-21 (18-09-33).txt
     Scan type: Quick Scan
     Objects scanned: 87759
     Time elapsed: 3 minute(s), 42 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
  5. Hi screen317, Sorry that it took so long to post this. Here is the log that you requested.
     Searching 'C:\Windows'...
     Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
     [1] 2009-08-19 19:57:26 627496 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()
     Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
     [1] 2009-08-20 09:26:04 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()
     Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
     [1] 2009-08-20 09:26:09 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()
     Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
     [1] 2009-08-20 09:26:09 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()
     Finished!
  6. Screen317, Thanks for the help. I am not where the laptop is right now. Will run the diag tonight and post tomorrow morning.
  7. I downloaded both combofix and inherit.exe, dragged combofix onto the inherit icon, got the OK message, then double-clicked on combofix to run. Got the green bar as it was loading, but it stopped at that point. Looking at C: drive the Qoobox folder is there, but no log file is present.
  8. Here are the logs from last post. I tried to run MBAM in real mode and it could not run. I rebooted into safe mode and it did not find any problems. Thanks for the help on this.
     Logfile of The Avenger Version 2.0, © by Swandog46
     http://swandog46.geekstogo.com
     Platform: Windows Vista
     *******************
     Script file opened successfully.
     Script file read successfully.
     Backups directory opened successfully at C:\Avenger
     *******************
     Beginning to process script file:
     Rootkit scan active.
     No rootkits found!
     Error: could not open file "C:\WINDOWS\ServicePackFiles\i386\scecli.dll" for move operation
     File move operation "C:\WINDOWS\ServicePackFiles\i386\scecli.dll|C:\WINDOWS\system32\scecli.dll" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
     --> bad path / the parent directory does not exist
     Completed script processing.
     *******************
     Finished! Terminate.
     Malwarebytes' Anti-Malware 1.40
     Database version: 2658
     Windows 6.0.6001 Service Pack 1 (Safe Mode)
     8/19/2009 7:53:45 PM
     mbam-log-2009-08-19 (19-53-45).txt
     Scan type: Quick Scan
     Objects scanned: 87544
     Time elapsed: 3 minute(s), 42 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
  9. Hi, Ran batch file, then avenger with the code, Log is below. Combofix and Malwarebytes both froze while attempting to run. I did a manual update to mb as this laptop cannot get on the internet. Should I try to run mb in safe mode again? How about combofix in safe mode?
     Logfile of The Avenger Version 2.0, © by Swandog46
     http://swandog46.geekstogo.com
     Platform: Windows Vista
     *******************
     Script file opened successfully.
     Script file read successfully.
     Backups directory opened successfully at C:\Avenger
     *******************
     Beginning to process script file:
     Rootkit scan active.
     No rootkits found!
     Error: file "c:\scecli.dll" not found!
     File move operation "c:\scecli.dll|C:\WINDOWS\system32\scecli.dll" failed!
     Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
     --> the object does not exist
     Completed script processing.
     *******************
     Finished! Terminate.
  10. Here is the log.
     Searching 'C:\Windows'...
     Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
     [1] 2009-08-18 17:50:06 388696 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()
     Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
     [1] 2009-08-19 14:30:37 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()
     Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
     [1] 2009-08-19 14:30:42 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()
     Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
     [1] 2009-08-19 14:30:42 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()
     Finished!
  11. Hi, I downloaded it on my machine, copied it to thumb drive, and then copied it to her desktop. When I tried to run it, I got the green bar as it was unpacking and a brief DOS box, then nothing. No hard drive activity at all. I checked at C prompt and no log was created. Do you think that it is safe to let this machine on to my network and have internet access? Thanks in advance.
  12. Hi, I am helping a friend with her laptop. I could install malwarebytes normally, but it would not start. I tried to run hjt, and it would not start either. I did a manual update of mbam then restarted in safe mode and both worked. The logs are below. I tried to install AVG antivirus, but it would not unpack completely. Then tried to install Avira antivirus and the same thing happened. The laptop is a Compaq Presario CQ50 with Vista Home Premium SP1 32-bit, AMD Athlon Dual-Core QL-60 CPU, with 2 GB of RAM. Will someone please look at the logs and see what we have on this machine? Thanks
     Malwarebytes' Anti-Malware 1.40
     Database version: 2551
     Windows 6.0.6001 Service Pack 1 (Safe Mode)
     8/17/2009 10:57:25 AM
     mbam-log-2009-08-17 (10-57-25).txt
     Scan type: Quick Scan
     Objects scanned: 87181
     Time elapsed: 3 minute(s), 42 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 1
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 4
     Files Infected: 13
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected:
     HKEY_CURRENT_USER\SOFTWARE\AV1 (Rogue.AntiVirus1) -> Quarantined and deleted successfully.
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected:
     C:\Windows\Temp\spoolsv (Backdoor.Bot) -> Quarantined and deleted successfully.
     C:\Windows\Temp\spoolsv\download (Backdoor.Bot) -> Quarantined and deleted successfully.
     C:\Windows\Temp\spoolsv\logs (Backdoor.Bot) -> Quarantined and deleted successfully.
     C:\Windows\Temp\spoolsv\sounds (Backdoor.Bot) -> Quarantined and deleted successfully.
     Files Infected:
     C:\Windows\Temp\spoolsv\spoolsv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
     C:\Windows\Temp\spoolsv\aliases.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
     C:\Windows\Temp\spoolsv\com.mrc (Backdoor.Bot) -> Quarantined and deleted successfully.
     C:\Windows\Temp\spoolsv\control.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
     C:\Windows\Temp\spoolsv\Desktop.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
     C:\Windows\Temp\spoolsv\ident.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
     C:\Windows\Temp\spoolsv\mirc.ico (Backdoor.Bot) -> Quarantined and deleted successfully.
     C:\Windows\Temp\spoolsv\mirc.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
     C:\Windows\Temp\spoolsv\popups.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
     C:\Windows\Temp\spoolsv\remote.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
     C:\Windows\Temp\spoolsv\run.bat (Backdoor.Bot) -> Quarantined and deleted successfully.
     C:\Windows\Temp\spoolsv\servers.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
     C:\Windows\Temp\spoolsv\users.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 4:48:04 PM, on 8/18/2009
     Platform: Windows Vista SP1 (WinNT 6.00.1905)
     MSIE: Internet Explorer v7.00 (7.00.6001.18248)
     Boot mode: Safe mode
     Running processes:
     C:\Windows\Explorer.EXE
     C:\Search\RDH.exe
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...rio&pf=cnnb
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...rio&pf=cnnb
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...rio&pf=cnnb
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
     R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
     O1 - Hosts: ::1 localhost
     O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
     O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
     O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
     O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
     O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
     O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
     O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
     O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
     O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
     O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
     O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
     O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
     O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
     O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
     O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
     O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
     O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
     O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
     O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
     O4 - HKLM\..\Run: [samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
     O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
     O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
     O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
     O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
     O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
     O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
     O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
     O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
     O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
     O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
     O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
     O13 - Gopher Prefix:
     O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
     O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
     O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
     O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     O23 - Service: AT&T Con App Svc (CAATT) - PCTEL - C:\Program Files\AT&T\Communication Manager\ConAppsSvc.exe
     O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
     O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
     O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
     O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
     O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
     O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
     O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
     O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
     O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
     O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
     --
     End of file - 8080 bytes
  13. Hi, Everything seems to be running smoothly. I need to reinstall his Norton, but the machine seems to be running fine. Thank you for all the help.
  14. Hi, Sorry it took so long for me to post. The machine is running much better now. I ran a malwarebytes scan this weekend without updates because I was still having problems getting on line. It found 5 Trojan.DNSChanger entries in the registry. Today I was able to get on the net and update. Here are the 2 logs and a new hjt log. Again, thanks for the help.
     Malwarebytes' Anti-Malware 1.38
     Database version: 2297
     Windows 5.1.2600 Service Pack 3
     6/28/2009 1:46:30 PM
     mbam-log-2009-06-28 (13-46-30).txt
     Scan type: Quick Scan
     Objects scanned: 81386
     Time elapsed: 4 minute(s), 17 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 5
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.19,85.255.112.120 -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e3fd40ce-a0a2-48ed-b6d8-3f5b8d099212}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.19,85.255.112.120 -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e3fd40ce-a0a2-48ed-b6d8-3f5b8d099212}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.19,85.255.112.120 -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{f3761965-f4e6-4793-b82d-c542b503e338}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.19,85.255.112.120 -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{f3761965-f4e6-4793-b82d-c542b503e338}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.19,85.255.112.120 -> Quarantined and deleted successfully.
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
     Malwarebytes' Anti-Malware 1.38
     Database version: 2353
     Windows 5.1.2600 Service Pack 3
     6/29/2009 3:48:21 PM
     mbam-log-2009-06-29 (15-48-21).txt
     Scan type: Quick Scan
     Objects scanned: 83548
     Time elapsed: 4 minute(s), 36 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 3
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 3:52:34 PM, on 6/29/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16850)
     Boot mode: Normal
     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Ahead\InCD\InCDsrv.exe
     C:\WINDOWS\system32\HPZipm12.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\System32\sistray.EXE
     C:\WINDOWS\System32\keyhook.exe
     C:\WINDOWS\system32\pctspk.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Ativa\USB AWGUA54\Wireless Utility\Ativawcui.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Search\rdh.exe
     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
     O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
     O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
     O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
     O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
     O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
     O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
     O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
     O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
     O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe
     O4 - HKLM\..\Run: [siS Tray] C:\WINDOWS\System32\sistray.EXE
     O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
     O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - Global Startup: Ativa Wireless USB Utility.lnk = C:\Program Files\Ativa\USB AWGUA54\Wireless Utility\Ativawcui.exe
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
     O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
     O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
     O23 - Service: Symantec Eraser Service (EraserSvc10910) - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe (file missing)
     O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
     O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
     O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
     O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
     O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
     --
     End of file - 4986 bytes
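The two Malwarebytes logs in the post above are the most instructive part of this thread from a defender's point of view: the first shows the TCP/IP NameServer and DhcpNameServer registry values rewritten to 85.255.112.19 and 85.255.112.120 (the Trojan.DNSChanger entries), the second shows the three Security Center DisableNotify values flipped so the user is no longer warned about a disabled firewall, antivirus or updates. The Python below is an added example and is not part of the post, nor Malwarebytes' own tooling: it parses detection entries in the log format quoted above, extracts the resolver addresses from NameServer entries, compares them with an allow-list of the resolvers the network is expected to use, and lists Security Center values that were tampered with. The sample log text, the shortened interface GUID and the allow-list address are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the layout of the Malwarebytes 1.38 logs quoted above
# (same entry format; the interface GUID is a shortened placeholder).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

Registry Data Items Infected: 3
Files Infected: 0

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.19,85.255.112.120 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{GUID-PLACEHOLDER}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.19,85.255.112.120 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected: (No malicious items detected)
"""

# One "<registry path> (<threat name>) -> <detail> -> <action>" entry.
ENTRY_RE = re.compile(
    r"^(?P<key>HKEY_\S.*?) \((?P<threat>[^()]+)\) -> (?P<detail>.*?) -> (?P<action>.*?)\.?$"
)

# Resolvers this machine is expected to use (assumption: the home router's LAN address).
EXPECTED_RESOLVERS = {"192.168.1.1"}


@dataclass(frozen=True)
class Detection:
    key: str
    threat: str
    detail: str
    action: str


def parse_detections(log_text: str) -> list[Detection]:
    """Return every detection entry found in an MBAM log, in log order."""
    found = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            found.append(Detection(**m.groupdict()))
    return found


def name_servers_from(detection: Detection) -> list[str]:
    """IPv4 resolver addresses from a NameServer / DhcpNameServer entry, else []."""
    if not detection.key.rsplit("\\", 1)[-1].endswith("NameServer"):
        return []
    data = detection.detail.removeprefix("Data:").strip()
    servers = []
    for token in re.split(r"[,\s]+", data):
        try:
            servers.append(str(ipaddress.IPv4Address(token)))
        except ipaddress.AddressValueError:
            continue  # skip anything that is not a plain IPv4 literal
    return servers


def rogue_name_servers(detections, expected=EXPECTED_RESOLVERS) -> set[str]:
    """Resolvers written into the TCP/IP registry keys that are not on the allow-list."""
    seen = {srv for d in detections for srv in name_servers_from(d)}
    return seen - set(expected)


def security_center_tampering(detections) -> list[str]:
    """Security Center value names that were flipped to suppress user warnings."""
    return [d.key.rsplit("\\", 1)[-1] for d in detections
            if d.threat == "Disabled.SecurityCenter"]


def summarize(log_text: str, expected=EXPECTED_RESOLVERS) -> dict:
    """Counts per threat name plus the two tamper indicators a responder cares about."""
    dets = parse_detections(log_text)
    by_threat: dict[str, int] = {}
    for d in dets:
        by_threat[d.threat] = by_threat.get(d.threat, 0) + 1
    return {
        "entries": len(dets),
        "by_threat": by_threat,
        "rogue_resolvers": sorted(rogue_name_servers(dets, expected)),
        "security_center_tampering": security_center_tampering(dets),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Comparing against an allow-list rather than against a list of known-bad addresses is the point of the check: a rewritten resolver is suspicious whatever address it points to, and the same logic can be run against the live registry values or a DHCP lease rather than a scan log.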
  15. Hi, Copied Combo-Fix.exe to friend's desktop and ran it. It found a rootkit. Machine now will boot in real mode. Malwarebytes now comes up, but still unable to get on internet for updates. Logs below. Thank you for all your help.
     ComboFix 09-06-26.02 - Owner 06/28/2009 12:52.1 - NTFSx86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.270 [GMT -5:00]
     Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
     WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\windows\system32\drivers\MSIVXxbnmwqxmnvxvitusppkbmddnbphewxll.sys
     c:\windows\system32\MSIVXcount
     c:\windows\system32\MSIVXoowfsxwikdbblrpojevpikrwmasplgos.dll
     c:\windows\system32\MSIVXruxoteplqvipfqxqkdhbwvigmgrilefm.dll
     c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
     c:\windows\wtun.ini
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Service_MSIVXserv.sys
     ((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
     .
     2009-06-27 16:19 . 2009-06-28 17:45 -------- d-----w- C:\Search
     2009-06-27 16:17 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-06-27 16:17 . 2009-06-27 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-06-27 16:17 . 2009-06-27 16:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-06-27 16:17 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-06-27 16:15 . 2009-06-27 18:16 -------- d-----w- C:\Downloads
     2009-06-17 18:34 . 2009-06-18 16:52 1536 ----a-w- c:\windows\system32\TrueSoft.dat
     2009-06-17 18:10 . 2009-06-17 18:10 -------- d-----w- c:\program files\Symantec
     2009-06-17 18:10 . 2009-06-17 18:10 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
     2009-06-17 18:10 . 2009-06-17 18:10 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
     2009-06-17 18:09 . 2009-06-17 18:09 -------- d-----w- c:\program files\Windows Sidebar
     2009-06-17 16:29 . 2009-06-27 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton VRQ
     2009-06-17 16:15 . 2009-06-17 18:46 -------- d-----w- c:\windows\LMIB16.tmp
     2009-06-17 15:51 . 2009-06-17 15:51 -------- d-----w- c:\windows\LMIB35.tmp
     2009-06-17 14:35 . 2009-06-17 14:35 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-06-27 16:06 . 2009-03-19 19:40 -------- d-----w- c:\program files\NortonInstaller
     2009-06-17 18:12 . 2009-03-19 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
     2009-06-17 18:12 . 2004-06-06 16:01 -------- d-----w- c:\program files\Common Files\Symantec Shared
     2009-06-17 18:11 . 2009-03-19 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
     2009-06-17 18:10 . 2009-06-17 18:10 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
     2009-06-17 18:10 . 2009-06-17 18:10 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
     2009-05-26 11:39 . 2009-05-26 11:39 390664 ----a-w- c:\documents and settings\Owner\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
     2009-05-07 15:32 . 2001-08-18 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
     2009-04-29 04:56 . 2006-06-23 17:33 827392 ----a-w- c:\windows\system32\wininet.dll
     2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
     2009-04-17 12:26 . 2001-08-18 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
     2009-04-15 14:51 . 2004-06-21 00:59 585216 ----a-w- c:\windows\system32\rpcrt4.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
     "SiS Tray"="c:\windows\System32\sistray.EXE" [2003-10-30 667648]
     "SiS Windows KeyHook"="c:\windows\System32\keyhook.exe" [2003-10-30 249856]
     "MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
     "PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2003-09-24 180224]
     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Ativa Wireless USB Utility.lnk - c:\program files\Ativa\USB AWGUA54\Wireless Utility\Ativawcui.exe [2006-8-29 1556480]
     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
     backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
     backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
     backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup
     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
     backup=c:\windows\pss\Office Startup.lnkCommon Startup
     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Shortcut to winvnc.exe.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Shortcut to winvnc.exe.lnk
     backup=c:\windows\pss\Shortcut to winvnc.exe.lnkCommon Startup
     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
     "DisableMonitoring"=dword:00000001
     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001
     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
     "DisableMonitoring"=dword:00000001
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\uvnc114\\winvnc.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     S2 EraserSvc10910;Symantec Eraser Service;"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe" /h ccCommon --> c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [?]
     S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [9/18/2008 12:47 PM 33752]
     S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [7/16/2008 1:46 PM 29744]
     S3 ODWGU(Ativa);Ativa Wireless G USB Network Adapter(Ativa);c:\windows\system32\drivers\ODWGU.sys [1/10/2007 5:45 PM 408064]
     S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [1/18/2008 3:24 PM 29952]
     S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [1/18/2008 3:24 PM 41856]
     S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [1/18/2008 3:24 PM 39936]
     S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [1/18/2008 3:24 PM 59520]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.yahoo.com/
     uInternet Connection Wizard,ShellNext = iexplore
     TCP: {5556164D-4B4A-458F-81B6-DBDFD44BA4AD} = 69.78.96.14 66.174.92.14
     .
     **************************************************************************
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-06-28 12:57
     Windows 5.1.2600 Service Pack 3 NTFS
     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...
     scan completed successfully
     hidden files: 0
     **************************************************************************
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\Ahead\InCD\incdsrv.exe
     c:\windows\system32\HPZipm12.exe
     c:\windows\system32\wscntfy.exe
     .
     **************************************************************************
     .
     Completion time: 2009-06-28 13:02 - machine was rebooted
     ComboFix-quarantined-files.txt 2009-06-28 18:02
     Pre-Run: 44,661,202,944 bytes free
     Post-Run: 44,634,849,280 bytes free
     Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
     134 --- E O F --- 2009-06-11 10:55
     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 1:03:45 PM, on 6/28/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16850)
     Boot mode: Normal
     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Ahead\InCD\InCDsrv.exe
     C:\WINDOWS\system32\HPZipm12.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\WINDOWS\System32\sistray.EXE
     C:\WINDOWS\System32\keyhook.exe
     C:\WINDOWS\system32\pctspk.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Ativa\USB AWGUA54\Wireless Utility\Ativawcui.exe
     C:\WINDOWS\explorer.exe
     C:\Search\rdh.exe
     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843 O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll O3 - Toolbar: Yahoo! 
Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM\..\Run: [siS Tray] C:\WINDOWS\System32\sistray.EXE O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Ativa Wireless USB Utility.lnk = C:\Program Files\Ativa\USB AWGUA54\Wireless Utility\Ativawcui.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{5556164D-4B4A-458F-81B6-DBDFD44BA4AD}: NameServer = 69.78.96.14 66.174.92.14 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.19,85.255.112.120 O23 - Service: Symantec Eraser Service (EraserSvc10910) - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe (file missing) O23 - Service: getPlus® Helper - 
NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe -- End of file - 5283 bytes