Computer Hope

Software => Computer viruses and spyware => Topic started by: C-Train on November 19, 2008, 08:33:07 PM

Title: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: C-Train on November 19, 2008, 08:33:07 PM
First off, I'm new to the site and I will definitely be here for good because there is a ton of info here.  To the problem, I have been searching this site for about 2 hours now.  I have a computer running Windows XP Home SP2.  I know it has a number of virus issues as well as how to address them under normal circumstances so here we go...

Computer will boot normally and in safe mode...
Normal boot, I cannot open anything from desktop icons or start menu.  If a program seems to start it just closes the window immediately.

Safe Mode Boot, programs will open from desktop icons...some of them

In booting in either mode I cannot access the internet, save or transfer files from one folder to the next (including desktop) or load programs from my jump drive.  If I try to run a program from my jump drive it begins, then a pop-up refers to the operation being denied by the admin (I have no admin settings that would cause this).  I have read and understand how this site works, but I cannot download or open from a jump drive any of the antivirus/malware programs you list, nor can I get a log of any sort.  I can access the registry editor, so I need to know if there is a way to manually locate the virus affecting my bogus admin settings or if there is another way to open files or copy them to my computer.  If I can start any antivirus program (SuperAntiSpyware, Malwarebytes; I use them both on other machines regularly) I would be well on my way.

Please know that I have tried many if not all of the obvious quick fixes...Add or Remove Programs, looking for noticeable corrupt files in C: drive, etc. and none have worked.  I am aware I have a much bigger problem...

Also, once I boot normally my background is blue with a yellow warning that spyware has been detected on your computer, something about how you should run antivirus or spyware removal to clean your computer.

Please, Please, anything helpful is needed at this point

Thanks in advance

C-Train
Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: CBMatt on November 20, 2008, 05:11:38 AM
Okay, this is definitely tricky.  You have a SmitFraud infection at the very least (it's not usually quite this malicious, so I doubt it's alone).  If everything you say is accurate, then your chances aren't great, but we'll do what we can.  You say can't access anything from a jumpdrive on your computer...but what about a CD?  If you could at least get HijackThis on there, it would prove very useful.

Infections can be disabled through the registry, but there are thousands of different entries, so finding the proper ones is an incredibly daunting task.  I could possibly help you disable SmitFraud (no guarantee), but first, get back to me on my question about the CD drive.  In the meantime, I will have to acquire some information.
Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: C-Train on November 20, 2008, 08:41:40 AM
Thanks for the quick response.  I can open My Computer and see the disc is inserted, but only when I am in safe mode.  If I boot normally I cannot access My Computer to see the drives.  Since I cannot run a .exe in safe mode I attempt to copy files to desktop but no luck; if I drag and drop, the folder from the disk will highlight but it won't move anywhere (not even in the screen it is in).  I was able to run the program CleanUp 4.5.2 (don't know if this helps by knowing what type of program CleanUp is; possibly there is a virus scan that could work the same way...doubtful because I don't think the CleanUp program had to install before running, if you know what I mean...no Windows Installer pop-up came up).  Unfortunately it only cleans temp files and cookies and I cannot copy the report to any drive to get it to another computer so I can post it here; I was able to copy it to Notepad and save to the desktop, possibly for future use.

In Normal boot I can go Start>Run>Browse the D: drive and select SuperAntiSpyware, but it tells me  Corrupt installation detected, check source media or re-download...program works fine on normal working computer.  I attempted the same process with Windows Defender and got a message of The Windows Installer Service could not be accessed.  This can occur if you are running Windows in safe mode, or if the Windows installer is not correctly installed. Contact your support personnel for assistance. (I AM booted Normally, Not Safe Mode)

Hope this helps somehow...Please let me know if there is anything else to try
Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: BC_Programmer on November 20, 2008, 09:53:20 AM
can you open task manager?

Also- you can open regedit- I'll make a wild foray- if the dragging is affecting all files/folders- the infection might have installed itself as a dragdrophandler, which you can determine by examining the contents of:

HKEY_CLASSES_ROOT\*\SHELLEX\contextmenuhandlers


Now- here is the painful part- see all those funky names, like "{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}"? Those are called GUIDs. What is so painful? Well, you'll need to locate the very same string, for each one, within HKEY_CLASSES_ROOT\CLSID\

Each key should have an entry called "InProcServer32" whose default value is the dll- if you understand what I am saying- and are able to do this, you could tell us which DLL files are listed. They will surely reveal which ones have disabled your drag drop.



If you're still with me- let's determine if you have any extraneous "ShellExecuteHooks". Windows "ShellExecutes" programs to run them- any "hook" installed will be notified and can cancel or redirect what occurs. The key is located here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Note that there is a mirror of this data in

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

that you might also want to examine. My current clean XP system only has two GUIDs listed-

{3711EEB0-1851-42C2-9ABD-C29470A5035C}

and

{AEB6717E-7E19-11d0-97EE-00C04FD91972}

If you have an active Anti-Virus solution, you may see one or more separate keys here as well. My guess is that there is another key here created by the virus to prevent you from executing other programs- however- I could be wrong.


Browser helper objects

There might also be some items known as browser helper objects installed by the virus. You'll find these entries here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Remember- you should cross-reference the GUIDs listed with those found in the previously mentioned CLSID key, and determine the program associated with the GUID. Filenames that appear random are often the work of a virus.


I have not advised you to delete or modify anything, merely to save myself liability. Depending on what you discover- you should be able to find out some DLL names. We'd need as many of the DLL file names as possible to delete them all from within recovery console, but preferably- we just want to make the malware scanners work properly, so that they may finish the job.

I apologize for the technical nature of my suggestions- but with only registry editor- this stuff is good to know :)

Also- CBMatt is the malware expert here, not me- I guess I'm giving you something to check out while you wait for him to come back with a solution. It should give you an idea how badly your system is infected.
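Here is an added example, not from the thread, of doing BC_Programmer's GUID cross-reference offline on a regedit export (File > Export in regedit writes a .reg file): it parses the ShellExecuteHooks key and the CLSID entries, resolves each hook GUID to the DLL named by its InProcServer32 default value, and marks the two GUIDs he lists from a clean XP install as expected. Only those two GUIDs come from the thread; the third GUID, the CLSID contents, the DLL names and the export text itself are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed regedit export ("Windows Registry Editor Version 5.00" format).
# The first two hook GUIDs are the ones BC_Programmer lists from a clean XP
# install; the third GUID, the CLSID contents and every DLL name are made up
# for this example and are not real indicators. The SHELL32 path is stored as
# hex(2), which is how regedit exports a REG_EXPAND_SZ value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{3711EEB0-1851-42C2-9ABD-C29470A5035C}"=""
"{00000000-0000-4000-8000-000000000BAD}"=""

[HKEY_CLASSES_ROOT\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,48,00,\
  45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-4000-8000-000000000BAD}\InProcServer32]
@="C:\\WINDOWS\\system32\\qzxkvpt.dll"
"ThreadingModel"="Apartment"
"""

HOOK_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
CLSID_ROOT = r"hkey_classes_root\clsid"
# GUIDs BC_Programmer reports under ShellExecuteHooks on a clean XP install.
KNOWN_GOOD_HOOKS = {
    "{3711EEB0-1851-42C2-9ABD-C29470A5035C}",
    "{AEB6717E-7E19-11D0-97EE-00C04FD91972}",
}

# A value line is either @=... (default value) or "name"=...
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """Undo the \\" and \\\\ escaping regedit uses inside quoted strings."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path (lower-case): {value name: value}}.
    Handles quoted strings and hex(2) (REG_EXPAND_SZ); other types stay raw."""
    joined = re.sub(r",\\\r?\n\s*", ",", text)   # rejoin wrapped hex lines
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        raw = m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            value = _unescape(raw[1:-1])
        elif raw.lower().startswith("hex(2):"):
            # hex(2) is UTF-16LE bytes, comma separated, NUL terminated
            value = bytes.fromhex(raw[7:].replace(",", "")).decode("utf-16-le").rstrip("\x00")
        else:
            value = raw
        current[name] = value
    return keys


def resolve_hooks(reg: Dict[str, Dict[str, str]], hook_key: str) -> Dict[str, Optional[str]]:
    """Map each GUID listed under hook_key to its CLSID InProcServer32 default value."""
    out: Dict[str, Optional[str]] = {}
    for name in reg.get(hook_key.lower(), {}):
        if not name.startswith("{"):
            continue
        server = reg.get(f"{CLSID_ROOT}\\{name.lower()}\\inprocserver32", {})
        out[name.upper()] = server.get("")
    return out


def triage(reg: Dict[str, Dict[str, str]], hook_key: str) -> List[Tuple[str, Optional[str], str]]:
    """'expected' for the known-good GUIDs, 'unresolved' when no CLSID entry
    names a DLL, 'review' for anything else (look at that DLL by hand)."""
    rows = []
    for guid, dll in resolve_hooks(reg, hook_key).items():
        if guid in KNOWN_GOOD_HOOKS:
            verdict = "expected"
        elif dll is None:
            verdict = "unresolved"
        else:
            verdict = "review"
        rows.append((guid, dll, verdict))
    return rows


if __name__ == "__main__":
    for guid, dll, verdict in triage(parse_reg(SAMPLE_REG), HOOK_KEY):
        print(f"{verdict:10} {guid}  ->  {dll}")
```

The same parser works on an export of the Browser Helper Objects key: pass that key path instead of HOOK_KEY and an empty known-good set.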

Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: C-Train on November 20, 2008, 11:00:58 AM
Yes, I can open task manager in both Safe Mode and Normal boot modes.  I have looked there and nothing seems suspicious, but we can look again if need be.  I have located the InProcServer32 entry and when selected here is what I can see under the Name, Type, Data headings

(Default)                    REG_EXPAND_SZ               %SystemRoot%\system32\SHELL32.dll
ThreadingModel         REG_SZ                             Apartment

These are the only things in the first entry you asked about.

In the second entry you ask for "ShellExecuteHooks"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

I have two choices for Windows\CurrentVersion, both in the HKEY_LOCAL_MACHINE,
one of the folders has an array of subfolders and the other only has a folder with Control Panel.  The subfolders to this folder are:  Extended Properties\{305CA226-D286-468e-B848-2B2E8E697B74} 2 and in the right side of the window,

(Default)                                             REG_SZ                                  (value not set)
%SystemRoot%\system32\NicConfigSvc.cpl                REG_DWORD                         0x00000003 (3)

Anyway,

In the HKEY_LOCAL_MACHINE, I do not see any ShellExecuteHook subfolder within the Explorer, only Shell Folders, ShellIconOverlayIdentifiers, ShellServiceObjects.

In the HKEY_CURRENT_USER, there is also no folder for ShellExecuteHook subfolder, only Shell Folders.

Note:  Everything I have given you above has been done in Safe Mode, I don't know if it makes a difference (don't think so), but I will repeat in Normal boot out of curiosity and post any differences.  Just want to thank you again for the response and I will keep an eye out for future posts.
Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: BC_Programmer on November 20, 2008, 12:06:17 PM
Hmm, this is most interesting indeed.

One final key, no GUIDs involved this time (thank goodness)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

there should be several keys here. Again- my install contains

crypt32chain,cryptnet,cscdll,dimsntfy,sccertProp,schedule,sclgntfy,SensLogn and wlballoon.

If you have additional entries- And they turn out to be malware- you would need to remove them with Recovery console.



Also- you can run regedit- Is that the only program that starts? What about notepad, wordpad, Office programs (if you have them)?

Have you tried renaming Hijackthis.exe to something else?
Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: C-Train on November 20, 2008, 01:06:57 PM
crypt32chain,cryptnet,cscdll,dimsntfy,sccertProp,schedule,sclgntfy,SensLogn and wlballoon

Above are your folders in Notify, and below are what I have...

crypt32chain, cryptnet, cscdll, igfxcui, IntelWireless, ScCertProp, Schedule, sclgntfy, SensLogn, termsrv, wlballoon

I've tried to google some of these, but I am unsure if any are malware or not?  Also, I will try to rename Hijackthis.exe
Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: CBMatt on November 20, 2008, 06:13:28 PM
Okay, it's good to know that you can at least see an inserted CD.  It may be a long shot, but let's try something before attempting any registry edits.  Download MBAM (http://www.malwarebytes.org/mbam.php) and burn the installation file to a CD.  You see, MBAM is one of the few programs that can actually be installed while in Safe Mode.  So, enter Safe Mode and try accessing the CD so you can attempt to install MBAM (rename the file before doing so).  If you can get it to install, you may have to change the program's filename (C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe).  I know you haven't had any luck with programs yet, but it's worth a shot.

Also, try renaming HijackThis like BC_Programmer suggested.

If neither of these work, then we'll try looking for some registry entries that are commonly found with a SmitFraud infection.
Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: C-Train on November 20, 2008, 09:12:16 PM
Ok, a bit of success...I was sitting around today when it hit me that I have not tried to repair XP to possibly regain access to the drives, desktop, etc.  I knew it wouldn't be a fix, but might give me some access...long story short, it worked.  At first the only program that I could load from my jump drive was Dr. Web; ran it, did suggested fixes (I only took a screen shot, no log).  Then I was able to run Malwarebytes, caught a ton of stuff like I figured (have log).  I still cannot run SuperAntiSpyware, I get an error 1500 message, something about another installation is running and I have to wait on it???  Funny, because nothing else is trying to install (that I can see, most likely still infected).  Finally, I ran HijackThis and below is my log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:06 PM, on 11/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachF ile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [sunjavaupdatesched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [roxwatchtray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [realtray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [isusscheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [isuspm startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [intelwireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hotkeyscmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dvdlauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [dell quickset] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [act! preloader] "C:\Program Files\ACT\ACT for Windows\Act8.exe" -stayrunning
O4 - HKLM\..\Run: [siteadvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [pcmservice] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [sen] "C:\WINDOWS\system32\FNTS~1\wucrtupd.exe" -vt ndrv
O4 - HKCU\..\Run: [qvfcez] "C:\Program Files\??sks\javaw.exe"
O4 - HKCU\..\Run: [pjjcaml] "C:\Program Files\??sks\alg.exe"
O4 - HKCU\..\Run: [picasa media detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [msmsgs] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [isuspm] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [delltransferagent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [dellsupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Yahoo! Autosync.lnk = C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [searching] Search from the Address bar
O21 - SSODL: DPixgLk - {8C69FD17-26C3-57BD-DD65-CADE8FCB015D} - C:\WINDOWS\system32\dfokhr.dll (file missing)
O22 - SharedTaskScheduler: apathies - {aed6f6a3-183c-488d-9f90-23db99f56e7f} - C:\WINDOWS\system32\geplxss.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - Unknown owner - C:\Program Files\McAfee\MSK\MskSrver.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: RoxMediaDB9 - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe (file missing)
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12120 bytes

----Hope this helps, anything else you see please let me know.  Also, Windows Installer is constantly popping up, even if nothing is installing.  I have seen this on other machines and have actually been able to stop it rather easily, but I don't remember what I did.  If I remember correctly I did not buy any software and I'm not sure I even downloaded anything.  I vaguely remember simply changing something in control panel then system.  Not a big deal, but if you know what I am talking about some insight on that would help too.
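As an added example (not part of the thread), the following script applies BC_Programmer's "random-looking name" advice and the usual reading of a HijackThis log to the lines above: it pulls the file path out of each entry, treats "(file missing)" references as inactive leftovers rather than running code, and flags paths HijackThis could not render (the ??sks folder) and well-known binary names sitting outside the folder a genuine copy lives in. The sample lines are excerpted from the log above; the expected-folder table is an assumption about where a genuine alg.exe, svchost.exe and javaw.exe live.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll (file missing)
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKCU\..\Run: [qvfcez] "C:\Program Files\??sks\javaw.exe"
O4 - HKCU\..\Run: [pjjcaml] "C:\Program Files\??sks\alg.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O21 - SSODL: DPixgLk - {8C69FD17-26C3-57BD-DD65-CADE8FCB015D} - C:\WINDOWS\system32\dfokhr.dll (file missing)
O22 - SharedTaskScheduler: apathies - {aed6f6a3-183c-488d-9f90-23db99f56e7f} - C:\WINDOWS\system32\geplxss.dll (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
"""

# Assumed home folders (lower-case path fragments) of binaries whose names
# malware likes to borrow; a copy anywhere else deserves a look.
EXPECTED_HOME = {
    "alg.exe": r"\windows\system32",
    "svchost.exe": r"\windows\system32",
    "javaw.exe": r"\program files\java",
}

LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# First drive-letter path ending in a binary extension; non-greedy so trailing
# command-line arguments are not swallowed.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl))', re.IGNORECASE)


@dataclass
class Entry:
    section: str
    raw: str
    path: str
    file_missing: bool
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one HJT line into its section code, extracted path and missing flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    pm = PATH_RE.search(body)
    return Entry(section, line.strip(), pm.group(1) if pm else "",
                 "(file missing)" in body)


def assess(entry: Entry) -> Entry:
    """Attach a reason for each check the entry trips."""
    if entry.file_missing:
        entry.reasons.append("target file missing: leftover entry, nothing is running from it")
    if "?" in entry.path:
        entry.reasons.append("folder name contains characters HijackThis could not render")
    folder, _, base = entry.path.rpartition("\\")
    home = EXPECTED_HOME.get(base.lower())
    if home and home not in entry.path.lower():
        entry.reasons.append(f"{base} normally lives under ...{home}, not in {folder}")
    return entry


def triage(lines: List[str]) -> List[Entry]:
    """Parse every HJT line and return the entries with their reasons filled in."""
    return [assess(e) for e in (parse_line(l) for l in lines) if e is not None]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG.splitlines()):
        if e.reasons:
            print(e.section, e.path or e.raw)
            for r in e.reasons:
                print("   -", r)
```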
Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: BC_Programmer on November 21, 2008, 10:21:13 AM
Good to hear! You got past the biggest hurdle!

I'm sure CBMatt will have you up and running in no time.
Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: CBMatt on November 21, 2008, 05:35:29 PM
Progress is always good.  Infections won't be quite as obvious now, but at least we have a much better chance of combating them.  Your log is only showing a Purityscan/Clickspring infection as of now (we'll handle that after trying the below).  There are references to other infections, but they appear to be inactive.  So, we need to dig a little more.

Can you post your MBAM log so I can see what exactly was detected and removed?

Also, now that you can actually run some programs, let's give ComboFix a shot.  Download ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your desktop.  Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says.  Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt.  Go ahead and post that here along with a new HJT log.  Note: Don't click on the window while it's running; this may cause stalls.

If ComboFix won't run, try renaming it to Princess or some other random name.


Also...are you sure it's Windows Installer that keeps popping up, or is it Windows Messenger?
Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: C-Train on November 22, 2008, 09:15:52 AM
Ok, here are the updated logs for hijackthis, mbam, and combofix....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:08 AM, on 11/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [sunjavaupdatesched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [realtray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [isusscheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [isuspm startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [intelwireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hotkeyscmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dvdlauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [dell quickset] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [act! preloader] "C:\Program Files\ACT\ACT for Windows\Act8.exe" -stayrunning
O4 - HKLM\..\Run: [siteadvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [sen] "C:\WINDOWS\system32\FNTS~1\wucrtupd.exe" -vt ndrv
O4 - HKCU\..\Run: [qvfcez] "C:\Program Files\??sks\javaw.exe"
O4 - HKCU\..\Run: [pjjcaml] "C:\Program Files\??sks\alg.exe"
O4 - HKCU\..\Run: [isuspm] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [dellsupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [searching] Search from the Address bar
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227318588125
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8403 bytes



MBAM log is below:

Malwarebytes' Anti-Malware 1.30
Database version: 1415
Windows 5.1.2600 Service Pack 3

11/22/2008 10:48:38 AM
mbam-log-2008-11-22 (10-48-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 116448
Time elapsed: 32 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001150.sys (Trojan.Downloader) -> Quarantined and deleted successfully.



Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: C-Train on November 22, 2008, 09:16:17 AM
ComboFix log is below:

ComboFix 08-11-21.05 - Kris Maurer 2008-11-22 11:07:09.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.172 [GMT -5:00]
Running from: c:\documents and settings\Kris Maurer\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\sks~1
c:\windows\system32\bszip.dll
c:\windows\system32\config\systemprofile\Application Data\rhcahvj0ej77
c:\windows\system32\fnts~1
c:\windows\system32\fnts~1\F?nts\
c:\windows\system32\wnsapiicomsv.exe

.
(((((((((((((((((((((((((   Files Created from 2008-10-22 to 2008-11-22  )))))))))))))))))))))))))))))))
.

2008-11-21 21:35 . 2008-11-21 21:35   <DIR>   d--------   c:\windows\system32\scripting
2008-11-21 21:35 . 2008-11-21 21:35   <DIR>   d--------   c:\windows\system32\en
2008-11-21 21:35 . 2008-11-21 21:35   <DIR>   d--------   c:\windows\system32\bits
2008-11-21 21:35 . 2008-11-21 21:35   <DIR>   d--------   c:\windows\l2schemas
2008-11-21 21:33 . 2008-11-21 21:36   <DIR>   d--------   c:\windows\ServicePackFiles
2008-11-21 21:25 . 2008-11-21 21:25   <DIR>   d--------   c:\windows\EHome
2008-11-21 21:22 . 2008-08-14 05:04   138,496   -----c---   c:\windows\system32\dllcache\afd.sys
2008-11-21 21:20 . 2008-04-13 19:12   712,704   ---------   c:\windows\system32\windowscodecs.dll
2008-11-21 21:20 . 2008-04-13 19:12   346,112   ---------   c:\windows\system32\windowscodecsext.dll
2008-11-21 21:20 . 2008-04-13 19:12   276,992   ---------   c:\windows\system32\wmphoto.dll
2008-11-21 21:20 . 2008-04-13 19:12   69,120   ---------   c:\windows\system32\wlanapi.dll
2008-11-21 21:18 . 2008-04-13 19:11   1,888,992   ---------   c:\windows\system32\ati3duag.dll
2008-11-21 21:17 . 2008-06-13 06:05   272,128   -----c---   c:\windows\system32\dllcache\bthport.sys
2008-11-21 21:08 . 2008-09-15 07:12   1,846,400   -----c---   c:\windows\system32\dllcache\win32k.sys
2008-11-21 21:08 . 2008-09-08 05:41   333,824   -----c---   c:\windows\system32\dllcache\srv.sys
2008-11-21 20:57 . 2008-08-14 05:11   2,189,184   -----c---   c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-21 20:57 . 2008-08-14 05:09   2,145,280   -----c---   c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-21 20:57 . 2008-08-14 04:33   2,066,048   -----c---   c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-21 20:57 . 2008-08-14 04:33   2,023,936   -----c---   c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-21 20:56 . 2008-10-24 06:21   455,296   -----c---   c:\windows\system32\dllcache\mrxsmb.sys
2008-11-21 20:54 . 2008-09-04 12:15   1,106,944   -----c---   c:\windows\system32\dllcache\msxml3.dll
2008-11-21 20:54 . 2008-04-11 14:04   691,712   -----c---   c:\windows\system32\dllcache\inetcomm.dll
2008-11-21 20:54 . 2008-10-15 11:34   337,408   -----c---   c:\windows\system32\dllcache\netapi32.dll
2008-11-21 20:54 . 2008-05-01 09:33   331,776   -----c---   c:\windows\system32\dllcache\msadce.dll
2008-11-21 18:32 . 2008-11-21 18:32   <DIR>   d--------   C:\VundoFix Backups
2008-11-20 22:36 . 2008-11-20 22:36   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2008-11-20 22:36 . 2008-10-22 16:10   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-20 22:36 . 2008-10-22 16:10   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2008-11-20 22:31 . 2008-11-20 22:31   <DIR>   d--------   c:\program files\Trend Micro
2008-11-20 21:29 . 2008-11-20 21:29   <DIR>   d--------   c:\documents and settings\Kris Maurer\Application Data\Malwarebytes
2008-11-20 21:29 . 2008-11-20 21:29   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-20 16:58 . 2008-11-20 16:58   <DIR>   d--------   c:\documents and settings\Kris Maurer\DoctorWeb
2008-11-20 16:51 . 2005-02-15 15:02   163,840   --a------   c:\windows\system32\igfxres.dll
2008-11-20 16:43 . 2008-04-13 19:11   156,672   --a--c---   c:\windows\system32\dllcache\winzm.ime
2008-11-20 16:43 . 2008-04-13 19:11   156,672   --a--c---   c:\windows\system32\dllcache\winsp.ime
2008-11-20 16:43 . 2008-04-13 19:11   156,672   --a--c---   c:\windows\system32\dllcache\winpy.ime
2008-11-20 16:43 . 2008-04-13 19:11   65,536   --a--c---   c:\windows\system32\dllcache\winime.ime
2008-11-20 16:43 . 2004-08-12 09:10   28,288   --a--c---   c:\windows\system32\dllcache\xjis.nls
2008-11-20 16:41 . 2004-08-12 08:58   1,875,968   --a--c---   c:\windows\system32\dllcache\msir3jp.lex
2008-11-20 16:40 . 2008-04-13 19:09   13,463,552   --a--c---   c:\windows\system32\dllcache\hwxjpn.dll
2008-11-20 16:39 . 2004-08-12 08:56   195,618   --a--c---   c:\windows\system32\dllcache\c_10002.nls
2008-11-20 16:36 . 2008-11-20 16:36   749   -rah-----   c:\windows\WindowsShell.Manifest
2008-11-20 16:36 . 2008-11-20 16:36   749   -rah-----   c:\windows\system32\wuaucpl.cpl.manifest
2008-11-20 16:36 . 2008-11-20 16:36   749   -rah-----   c:\windows\system32\sapi.cpl.manifest
2008-11-20 16:36 . 2008-11-20 16:36   749   -rah-----   c:\windows\system32\ncpa.cpl.manifest
2008-11-20 16:36 . 2008-11-20 16:36   488   -rah-----   c:\windows\system32\logonui.exe.manifest
2008-11-20 16:35 . 2004-08-12 08:58   16,384   --a--c---   c:\windows\system32\dllcache\isignup.exe
2008-11-20 16:22 . 2004-08-12 09:06   24,661   --a------   c:\windows\system32\spxcoins.dll
2008-11-20 16:22 . 2004-08-12 09:06   24,661   --a--c---   c:\windows\system32\dllcache\spxcoins.dll
2008-11-20 16:22 . 2004-08-12 08:58   13,312   --a------   c:\windows\system32\irclass.dll
2008-11-20 16:22 . 2004-08-12 08:58   13,312   --a--c---   c:\windows\system32\dllcache\irclass.dll
2008-11-20 16:21 . 2004-08-12 09:06   1,042,903   --a--c---   c:\windows\system32\dllcache\SP2.CAT
2008-11-20 16:21 . 2004-08-12 09:02   797,189   --a--c---   c:\windows\system32\dllcache\NT5IIS.CAT
2008-11-20 16:21 . 2004-08-12 08:59   399,645   --a--c---   c:\windows\system32\dllcache\MAPIMIG.CAT
2008-11-20 16:21 . 2004-08-12 09:01   37,484   --a--c---   c:\windows\system32\dllcache\MW770.CAT
2008-11-20 16:21 . 2004-08-12 08:57   13,472   --a--c---   c:\windows\system32\dllcache\HPCRDP.CAT
2008-11-20 16:21 . 2004-08-12 08:57   8,574   --a--c---   c:\windows\system32\dllcache\IASNT4.CAT
2008-11-20 16:21 . 2004-08-12 09:11   7,710   --a--c---   c:\windows\system32\dllcache\OEMBIOS.CAT
2008-11-20 16:21 . 2004-08-12 09:09   7,334   --a--c---   c:\windows\system32\dllcache\wmerrenu.cat
2008-11-20 11:08 . 2008-11-20 11:08   <DIR>   d--------   c:\windows\dell
2008-11-20 11:08 . 2008-11-20 21:18   527,921,152   --a------   c:\windows\MEMORY.DMP
2008-11-20 10:15 . 2008-11-20 12:15   <DIR>   d--------   c:\program files\CleanUp!
2008-11-19 15:53 . 2008-11-19 15:53   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\InstallShield
2008-11-14 16:56 . 2008-11-20 22:49   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
2008-11-14 16:53 . 2008-11-20 16:25   4,128   --a------   C:\INFCACHE.1

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-22 15:50   1,786   --sha-w   c:\windows\system32\KGyGaAvL.sys
2008-11-21 23:28   ---------   d-----w   c:\documents and settings\All Users\Application Data\Google Updater
2008-11-15 03:55   ---------   d-----w   c:\program files\Common Files\Scanner
2008-11-15 02:38   ---------   d-----w   c:\program files\Windows Media Connect 2
2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
2008-10-16 19:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
2008-10-16 19:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
2008-10-16 19:09   92,696   ----a-w   c:\windows\system32\cdm.dll
2008-10-16 19:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
2008-10-16 19:09   43,544   ----a-w   c:\windows\system32\wups2.dll
2008-10-16 19:08   34,328   ----a-w   c:\windows\system32\wups.dll
2008-09-15 12:12   1,846,400   ----a-w   c:\windows\system32\win32k.sys
2008-09-04 17:15   1,106,944   ----a-w   c:\windows\system32\msxml3.dll
2008-08-28 07:46   74,752   ----a-w   c:\windows\system32\msw3prt.dll
2008-08-28 07:46   104,960   ----a-w   c:\windows\system32\win32spl.dll
2008-05-04 00:04   56   --sh--r   c:\windows\system32\42F52BF3EA.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qvfcez"="c:\program files\??sks\javaw.exe" [?]
"pjjcaml"="c:\program files\??sks\alg.exe" [?]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-31 68856]
"isuspm"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"dellsupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]
"sunjavaupdatesched"="c:\program files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 36975]
"realtray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-10-07 26112]
"quicktime task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-07-13 169264]
"ituneshelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"isusscheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"isuspm startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"intelwireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-02-15 155648]
"hotkeyscmds"="c:\windows\system32\hkcmd.exe" [2005-02-15 126976]
"dvdlauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"dell quickset"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"act! preloader"="c:\program files\ACT\ACT for Windows\Act8.exe" [2006-04-05 1015808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-07 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 16:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Yahoo! Autosync.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Yahoo! Autosync.lnk
backup=c:\windows\pss\Yahoo! Autosync.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pcmservice]
--a------ 2004-04-11 20:15 290816 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\picasa media detector]
--a------ 2008-02-25 20:23 443968 c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"MSK80Service"=2 (0x2)
"MpfService"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\ACT\\ACT for Windows\\Act8.exe"=
"%windir%\\system32\\sessmgr.exe"=

R2 Maxtor Sync Service;Maxtor Service;"c:\program files\Maxtor\Sync\SyncServices.exe" [2007-07-13 156976]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-11-02 24652]
S1 8a0dfb28;8a0dfb28;c:\windows\system32\drivers\8a0dfb28.sys []
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 []

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe []

2007-10-18 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-sen - c:\windows\system32\FNTS~1\wucrtupd.exe
HKCU-Run-aim6 - (no file)
HKLM-Run-siteadvisor - c:\program files\SiteAdvisor\6261\SiteAdv.exe
MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
MSConfigStartUp-roxwatchtray - c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-22 11:08:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-22 11:10:43
ComboFix-quarantined-files.txt  2008-11-22 16:10:01

Pre-Run: 17,878,667,264 bytes free
Post-Run: 17,858,400,256 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

217   --- E O F ---   2008-11-22 15:03:41

Please let me know what's next.
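Before the reply that follows, an added example (not part of this thread, and not code from HijackThis, ComboFix or Malwarebytes) showing how the three bad Run entries in the logs above can be picked out mechanically rather than by eye. The Python script parses HijackThis O4 lines and the REGEDIT4 text in ComboFix's "Reg Loading Points", and flags an entry when its path contains characters the log could not print (the ??sks folder, which is why an Explorer search for the obvious name finds nothing), when a folder directly under system32 is shown as an 8.3 short name (FNTS~1), when a well-known binary such as alg.exe or javaw.exe is launched from outside its normal location, or when ComboFix printed [?] because it could not read the file. It also reports the Security Center values (AntiVirusDisableNotify, DisableMonitoring) that suppress the warnings about the antivirus and firewall state. The heuristics, the EXPECTED_HOME table and the sample lines (copied from the posted logs) are this example's own assumptions:

```python
"""Autorun triage over HijackThis 'O4' lines and ComboFix 'Reg Loading Points'.

Heuristics here are this example's assumptions, not HijackThis/ComboFix logic.
Security Center values that silence the AV/firewall warnings are reported too.
"""
import re

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
REG_KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
REG_STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*(?P<meta>\[.*\])?$')
REG_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
# Where these binaries live on a stock XP install (assumption of this example).
EXPECTED_HOME = {"alg.exe": r"c:\windows\system32", "ctfmon.exe": r"c:\windows\system32",
                 "svchost.exe": r"c:\windows\system32", "javaw.exe": r"c:\program files\java"}
SC_VALUES = {"AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify",
             "DisableMonitoring"}


def _exe_path(cmd):
    """Executable path from a Run value: the quoted part, else everything up to .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r'(.+?\.exe)(\s|$)', cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def _short_name_under_system32(parts):
    """True when a directory directly below system32 is written as an 8.3 name."""
    return any(parts[i] == "system32" and "~" in parts[i + 1] for i in range(len(parts) - 2))


def score_entry(hive, name, cmd, missing=False):
    """Classify one Run entry; an empty reasons list means nothing stood out."""
    path = _exe_path(cmd).lower()
    parts = path.split("\\")
    reasons = []
    if "?" in path:
        reasons.append("directory name contains characters the log could not print")
    if _short_name_under_system32(parts):
        reasons.append("8.3 short name for a folder planted under system32")
    home = EXPECTED_HOME.get(parts[-1])
    if home and not path.startswith(home):
        reasons.append(f"{parts[-1]} launched from outside {home}")
    if missing:
        reasons.append("ComboFix could not read the file ([?])")
    if hive == "HKCU" and reasons:
        reasons.append("per-user persistence, plantable without admin rights")
    return {"hive": hive, "name": name, "path": path, "reasons": reasons}


def parse_hijackthis(lines):
    """Score every 'O4 - HKLM/HKCU\\..\\Run:' line of a HijackThis log."""
    hits = [O4_RE.match(line.strip()) for line in lines]
    return [score_entry(m.group(1), m.group("name"), m.group("cmd")) for m in hits if m]


def parse_combofix(lines):
    """Score Run values and collect Security Center tampering from REGEDIT4 text."""
    runs, tampering, key, hive = [], [], "", None
    for line in lines:
        line = line.strip()
        k = REG_KEY_RE.match(line)
        if k:
            key, hive = k.group("key"), None
            if key.upper().endswith("\\RUN"):
                hive = "HKCU" if key.upper().startswith("HKEY_CURRENT_USER") else "HKLM"
            continue
        s = REG_STR_RE.match(line)
        if s and hive:
            missing = (s.group("meta") or "").strip() == "[?]"
            runs.append(score_entry(hive, s.group("name"), s.group("cmd"), missing))
            continue
        d = REG_DWORD_RE.match(line)
        if (d and "security center" in key.lower() and d.group("name") in SC_VALUES
                and int(d.group("val"), 16) != 0):
            tampering.append((key, d.group("name")))
    return runs, tampering


def suspicious_names(entries):
    """Sorted names of the entries that earned at least one reason."""
    return sorted(e["name"] for e in entries if e["reasons"])


# Sample input: lines copied from the HijackThis and ComboFix logs posted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [isuspm startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [sen] "C:\WINDOWS\system32\FNTS~1\wucrtupd.exe" -vt ndrv
O4 - HKCU\..\Run: [qvfcez] "C:\Program Files\??sks\javaw.exe"
O4 - HKCU\..\Run: [pjjcaml] "C:\Program Files\??sks\alg.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".splitlines()
COMBOFIX_SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qvfcez"="c:\program files\??sks\javaw.exe" [?]
"pjjcaml"="c:\program files\??sks\alg.exe" [?]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"isuspm startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
""".splitlines()
```

Calling parse_hijackthis(HJT_SAMPLE) and parse_combofix(COMBOFIX_SAMPLE) on the sample flags exactly sen, qvfcez and pjjcaml (sen is absent from the ComboFix Run keys because ComboFix had already removed it, as the ORPHANS REMOVED section shows) and reports the two Security Center values; the InstallShield entry with its PROGRA~1 short names is left alone, since the short-name rule only fires for a folder directly under system32. The point of the HKCU reason is that nothing about this persistence needed administrator rights, which fits a user who saw "denied by the admin" messages without having set any such policy.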
Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: CBMatt on November 23, 2008, 06:11:34 AM
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions, as they could damage the workings of your system.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

File::
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\fnts~1\wucrtupd.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qvfcez"=-
"pjjcaml"=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply along with one more HijackThis log.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.


How's the computer doing now?
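The CFScript format used above is a plain text file of sections whose headers end in a double colon (KillAll::, File::, Registry::), with one path per line under File:: and REGEDIT4 text under Registry::, where "name"=- removes a value. Because, as the note says, such a script is written for one specific machine, it is worth checking a script against the ComboFix log it was built from before dropping it onto ComboFix. The following Python checker is an added example, not ComboFix's own code and not part of this thread: it parses the sections, refuses File:: entries that are not absolute paths or that name a core Windows file (the PROTECTED set and the "deletions only" policy for Registry:: are this example's assumptions), and confirms that every path and value name actually occurs in the log text. The sample script and log excerpt are copied from the posts above:

```python
"""Parse a ComboFix CFScript and check it against the log it was written from.

Added example, not ComboFix code. Directive semantics are the ones visible in
the thread: KillAll:: (stop running processes), File:: (one absolute path per
line to delete), Registry:: (REGEDIT4 text where "name"=- removes a value).
The protected-file list and the 'deletions only' policy are this example's own.
"""
import re

SECTION_RE = re.compile(r'^(?P<name>[A-Za-z]+)::$')
REG_KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
REG_DEL_RE = re.compile(r'^"(?P<name>[^"]+)"=-$')
KNOWN_SECTIONS = {"KillAll", "File", "Registry"}
# Deleting any of these leaves XP unbootable or without a shell (assumption).
PROTECTED = {"ntoskrnl.exe", "ntkrnlpa.exe", "hal.dll", "ntldr", "ntdetect.com",
             "boot.ini", "explorer.exe", "winlogon.exe", "userinit.exe", "csrss.exe"}


def parse_cfscript(text):
    """Split a CFScript into {section: [lines]}; blank lines are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def check_cfscript(text, log_text):
    """Return a list of problems; an empty list means every action is backed by the log."""
    problems, log = [], log_text.lower()
    sections = parse_cfscript(text)
    for name in sections:
        if name not in KNOWN_SECTIONS:
            problems.append(f"unknown directive {name}:: (not checked)")
    for path in sections.get("File", []):
        p = path.lower()
        if not re.match(r'^[a-z]:\\', p):
            problems.append(f"File:: path is not absolute: {path}")
        if p.rsplit("\\", 1)[-1] in PROTECTED:
            problems.append(f"File:: targets a protected system file: {path}")
        if p not in log:
            problems.append(f"File:: path never appeared in the log: {path}")
    key = None
    for line in sections.get("Registry", []):
        k = REG_KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        d = REG_DEL_RE.match(line)
        if d is None:
            problems.append(f"Registry:: line is not a value deletion: {line}")
        elif key is None:
            problems.append(f"Registry:: value deletion before any [key]: {line}")
        elif f'"{d.group("name").lower()}"=' not in log:
            problems.append(f"Registry:: value {d.group('name')} never appeared in the log")
    return problems


# Sample input: the script and a few ComboFix log lines from the posts above.
CFSCRIPT = r"""
KillAll::

File::
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\fnts~1\wucrtupd.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qvfcez"=-
"pjjcaml"=-
"""
LOG_EXCERPT = r"""
c:\windows\system32\bszip.dll
c:\windows\system32\fnts~1
"qvfcez"="c:\program files\??sks\javaw.exe" [?]
"pjjcaml"="c:\program files\??sks\alg.exe" [?]
HKCU-Run-sen - c:\windows\system32\FNTS~1\wucrtupd.exe
"""

if __name__ == "__main__":
    print(check_cfscript(CFSCRIPT, LOG_EXCERPT) or "script is consistent with the log")
```

For the script posted above, check_cfscript returns an empty list: both files and both Run values appear in the ComboFix log. Swap one File:: line for C:\WINDOWS\explorer.exe and it reports both a protected-file hit and a path the log never mentioned, which is the kind of mistake (or malicious edit) that a script copied from a different thread would introduce.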
Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: C-Train on November 23, 2008, 11:27:27 AM
Alright, I have a few extra things, but the computer is running a little better now.  One of the most annoying things right now is that every time I reboot, "Roxio Media Manager" attempts to install and then I get a message that a certificate file could not be located (something to that nature).  The strange thing is that when I search my C: drive, nothing is found for Roxio Media Manager or just Roxio.  What I have found online has been no help; I don't know if it is a problem with Windows Installer, the Roxio program or another virus.  When Microsoft prompts me to send an error message, I can see at the top of that window that Macrovision Software Manager Agent is what the error is referring to.

Also, my first post of the MBAM log was of the most recent scan (not many things found).  I looked back in this thread and I can see I was supposed to send the initial log, so that is the one below.

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2

11/20/2008 10:04:39 PM
mbam-log-2008-11-20 (22-04-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 103543
Time elapsed: 30 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 10
Registry Data Items Infected: 2
Folders Infected: 36
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{12b2c1c8-646a-43db-8557-e25edecbc411} (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Insider (Adware.DnsInsider) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinAble (Trojan.Adloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WinAble (Trojan.Adloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bnddrive2.band (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bnddrive2.band.1 (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bnddrive2.bho (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bnddrive2.bho.1 (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoaccessactivex.Chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor (Trojan.Service) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcahvj0ej77 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcahvj0ej77 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcehvj0ej77 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.starsdoor.com (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Network Monitor (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\Insider (Adware.DnsInsider) -> Quarantined and deleted successfully.
C:\Program Files\WinAble (Trojan.Adloader) -> Quarantined and deleted successfully.
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\ISM (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcahvj0ej77 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcahvj0ej77\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcahvj0ej77\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcahvj0ej77\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcahvj0ej77\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcahvj0ej77\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcahvj0ej77\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcahvj0ej77\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcahvj0ej77\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcahvj0ej77\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcahvj0ej77\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kris Maurer\Start Menu\Programs\Outerinfo (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kris Maurer\Application Data\rhcahvj0ej77 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kris Maurer\Application Data\rhcahvj0ej77\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kris Maurer\Application Data\rhcahvj0ej77\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kris Maurer\Application Data\rhcahvj0ej77\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kris Maurer\Application Data\rhcahvj0ej77\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kris Maurer\Application Data\rhcahvj0ej77\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kris Maurer\Application Data\rhcahvj0ej77\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kris Maurer\Application Data\rhcahvj0ej77\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kris Maurer\Application Data\rhcahvj0ej77\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kris Maurer\Application Data\rhcahvj0ej77\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kris Maurer\Application Data\rhcahvj0ej77\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\b128.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\8a0dfb28.sys (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\video.dll.cla (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\outerinfo.ico (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\Terms.rtf (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\chrome.manifest (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\install.rdf (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kris Maurer\Start Menu\Programs\Outerinfo\Terms.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kris Maurer\Start Menu\Programs\Outerinfo\Uninstall.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphcehvj0ej77.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcehvj0ej77.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kris Maurer\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: C-Train on November 23, 2008, 11:29:40 AM
And here is my most recent hijackthis log and I ran it while the Roxio Media Manager was trying to install in hopes hijackthis would give you something to work with....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:33 PM, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [sunjavaupdatesched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [realtray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [isusscheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [isuspm startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [intelwireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hotkeyscmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dvdlauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [dell quickset] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [act! preloader] "C:\Program Files\ACT\ACT for Windows\Act8.exe" -stayrunning
O4 - HKLM\..\Run: [pcmservice] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [isuspm] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [dellsupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [picasa media detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [msmsgs] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Yahoo! Autosync.lnk = C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [searching] Search from the Address bar
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227318588125
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - Unknown owner - C:\Program Files\McAfee\MSK\MskSrver.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe (file missing)
O23 - Service: Roxio Upnp Server 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10333 bytes


Please let me know what you come up with.....
Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: C-Train on November 23, 2008, 11:31:47 AM
And lastly here is the ComboFix.txt..........

ComboFix 08-11-22.02 - Kris Maurer 2008-11-23 10:44:00.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.73 [GMT -5:00]
Running from: c:\documents and settings\Kris Maurer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kris Maurer\Desktop\CFScript.txt

FILE ::
c:\windows\system32\bszip.dll
c:\windows\system32\fnts~1\wucrtupd.exe
.

(((((((((((((((((((((((((   Files Created from 2008-10-23 to 2008-11-23  )))))))))))))))))))))))))))))))
.

2008-11-22 16:51 .    <DIR>      c:\windows\LastGood.Tmp
2008-11-21 21:35 . 2008-11-21 21:35   <DIR>   d--------   c:\windows\system32\scripting
2008-11-21 21:35 . 2008-11-21 21:35   <DIR>   d--------   c:\windows\system32\en
2008-11-21 21:35 . 2008-11-21 21:35   <DIR>   d--------   c:\windows\system32\bits
2008-11-21 21:35 . 2008-11-21 21:35   <DIR>   d--------   c:\windows\l2schemas
2008-11-21 21:33 . 2008-11-21 21:36   <DIR>   d--------   c:\windows\ServicePackFiles
2008-11-21 21:25 . 2008-11-21 21:25   <DIR>   d--------   c:\windows\EHome
2008-11-21 21:22 . 2008-08-14 05:04   138,496   -----c---   c:\windows\system32\dllcache\afd.sys
2008-11-21 21:20 . 2008-04-13 19:12   712,704   ---------   c:\windows\system32\windowscodecs.dll
2008-11-21 21:20 . 2008-04-13 19:12   346,112   ---------   c:\windows\system32\windowscodecsext.dll
2008-11-21 21:20 . 2008-04-13 19:12   276,992   ---------   c:\windows\system32\wmphoto.dll
2008-11-21 21:20 . 2008-04-13 19:12   69,120   ---------   c:\windows\system32\wlanapi.dll
2008-11-21 21:18 . 2008-04-13 19:11   1,888,992   ---------   c:\windows\system32\ati3duag.dll
2008-11-21 21:17 . 2008-06-13 06:05   272,128   -----c---   c:\windows\system32\dllcache\bthport.sys
2008-11-21 21:08 . 2008-09-15 07:12   1,846,400   -----c---   c:\windows\system32\dllcache\win32k.sys
2008-11-21 21:08 . 2008-09-08 05:41   333,824   -----c---   c:\windows\system32\dllcache\srv.sys
2008-11-21 20:57 . 2008-08-14 05:11   2,189,184   -----c---   c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-21 20:57 . 2008-08-14 05:09   2,145,280   -----c---   c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-21 20:57 . 2008-08-14 04:33   2,066,048   -----c---   c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-21 20:57 . 2008-08-14 04:33   2,023,936   -----c---   c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-21 20:56 . 2008-10-24 06:21   455,296   -----c---   c:\windows\system32\dllcache\mrxsmb.sys
2008-11-21 20:54 . 2008-09-04 12:15   1,106,944   -----c---   c:\windows\system32\dllcache\msxml3.dll
2008-11-21 20:54 . 2008-04-11 14:04   691,712   -----c---   c:\windows\system32\dllcache\inetcomm.dll
2008-11-21 20:54 . 2008-10-15 11:34   337,408   -----c---   c:\windows\system32\dllcache\netapi32.dll
2008-11-21 20:54 . 2008-05-01 09:33   331,776   -----c---   c:\windows\system32\dllcache\msadce.dll
2008-11-21 18:32 . 2008-11-21 18:32   <DIR>   d--------   C:\VundoFix Backups
2008-11-20 22:36 . 2008-11-20 22:36   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2008-11-20 22:36 . 2008-10-22 16:10   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-20 22:36 . 2008-10-22 16:10   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2008-11-20 22:31 . 2008-11-20 22:31   <DIR>   d--------   c:\program files\Trend Micro
2008-11-20 21:29 . 2008-11-20 21:29   <DIR>   d--------   c:\documents and settings\Kris Maurer\Application Data\Malwarebytes
2008-11-20 21:29 . 2008-11-20 21:29   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-20 16:58 . 2008-11-20 16:58   <DIR>   d--------   c:\documents and settings\Kris Maurer\DoctorWeb
2008-11-20 16:51 . 2005-02-15 15:02   163,840   --a------   c:\windows\system32\igfxres.dll
2008-11-20 16:43 . 2008-04-13 19:11   156,672   --a--c---   c:\windows\system32\dllcache\winzm.ime
2008-11-20 16:43 . 2008-04-13 19:11   156,672   --a--c---   c:\windows\system32\dllcache\winsp.ime
2008-11-20 16:43 . 2008-04-13 19:11   156,672   --a--c---   c:\windows\system32\dllcache\winpy.ime
2008-11-20 16:43 . 2008-04-13 19:11   65,536   --a--c---   c:\windows\system32\dllcache\winime.ime
2008-11-20 16:43 . 2004-08-12 09:10   28,288   --a--c---   c:\windows\system32\dllcache\xjis.nls
2008-11-20 16:41 . 2004-08-12 08:58   1,875,968   --a--c---   c:\windows\system32\dllcache\msir3jp.lex
2008-11-20 16:40 . 2008-04-13 19:09   13,463,552   --a--c---   c:\windows\system32\dllcache\hwxjpn.dll
2008-11-20 16:39 . 2004-08-12 08:56   195,618   --a--c---   c:\windows\system32\dllcache\c_10002.nls
2008-11-20 16:36 . 2008-11-20 16:36   749   -rah-----   c:\windows\WindowsShell.Manifest
2008-11-20 16:36 . 2008-11-20 16:36   749   -rah-----   c:\windows\system32\wuaucpl.cpl.manifest
2008-11-20 16:36 . 2008-11-20 16:36   749   -rah-----   c:\windows\system32\sapi.cpl.manifest
2008-11-20 16:36 . 2008-11-20 16:36   749   -rah-----   c:\windows\system32\ncpa.cpl.manifest
2008-11-20 16:36 . 2008-11-20 16:36   488   -rah-----   c:\windows\system32\logonui.exe.manifest
2008-11-20 16:35 . 2004-08-12 08:58   16,384   --a--c---   c:\windows\system32\dllcache\isignup.exe
2008-11-20 16:22 . 2004-08-12 09:06   24,661   --a------   c:\windows\system32\spxcoins.dll
2008-11-20 16:22 . 2004-08-12 09:06   24,661   --a--c---   c:\windows\system32\dllcache\spxcoins.dll
2008-11-20 16:22 . 2004-08-12 08:58   13,312   --a------   c:\windows\system32\irclass.dll
2008-11-20 16:22 . 2004-08-12 08:58   13,312   --a--c---   c:\windows\system32\dllcache\irclass.dll
2008-11-20 16:21 . 2004-08-12 09:06   1,042,903   --a--c---   c:\windows\system32\dllcache\SP2.CAT
2008-11-20 16:21 . 2004-08-12 09:02   797,189   --a--c---   c:\windows\system32\dllcache\NT5IIS.CAT
2008-11-20 16:21 . 2004-08-12 08:59   399,645   --a--c---   c:\windows\system32\dllcache\MAPIMIG.CAT
2008-11-20 16:21 . 2004-08-12 09:01   37,484   --a--c---   c:\windows\system32\dllcache\MW770.CAT
2008-11-20 16:21 . 2004-08-12 08:57   13,472   --a--c---   c:\windows\system32\dllcache\HPCRDP.CAT
2008-11-20 16:21 . 2004-08-12 08:57   8,574   --a--c---   c:\windows\system32\dllcache\IASNT4.CAT
2008-11-20 16:21 . 2004-08-12 09:11   7,710   --a--c---   c:\windows\system32\dllcache\OEMBIOS.CAT
2008-11-20 16:21 . 2004-08-12 09:09   7,334   --a--c---   c:\windows\system32\dllcache\wmerrenu.cat
2008-11-20 11:08 . 2008-11-20 11:08   <DIR>   d--------   c:\windows\dell
2008-11-20 11:08 . 2008-11-20 21:18   527,921,152   --a------   c:\windows\MEMORY.DMP
2008-11-20 10:15 . 2008-11-20 12:15   <DIR>   d--------   c:\program files\CleanUp!
2008-11-19 15:53 . 2008-11-19 15:53   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\InstallShield
2008-11-14 16:56 . 2008-11-20 22:49   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
2008-11-14 16:53 . 2008-11-20 16:25   4,128   --a------   C:\INFCACHE.1

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-21 23:28   ---------   d-----w   c:\documents and settings\All Users\Application Data\Google Updater
2008-11-15 03:55   ---------   d-----w   c:\program files\Common Files\Scanner
2008-11-15 02:38   ---------   d-----w   c:\program files\Windows Media Connect 2
2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
2008-05-04 00:04   56   --sh--r   c:\windows\system32\42F52BF3EA.sys
.

(((((((((((((((((((((((((((((   snapshot@2008-11-22_11.09.34.87   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-22 16:21:49   32,768   ----a-r   c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2007-07-31 00:19:46   203,096   -c--a-w   c:\windows\system32\dllcache\wuweb.dll
+ 2008-07-19 03:09:44   205,000   -c--a-w   c:\windows\system32\dllcache\wuweb.dll
- 2008-11-22 15:50:44   1,786   --sha-w   c:\windows\system32\KGyGaAvL.sys
+ 2008-11-23 15:49:33   1,786   --sha-w   c:\windows\system32\KGyGaAvL.sys
- 2007-05-08 19:03:04   1,275,392   ----a-w   c:\windows\system32\msxml4.dll
+ 2008-09-30 21:43:34   1,286,152   ----a-w   c:\windows\system32\msxml4.dll
- 2007-07-31 00:19:46   203,096   ----a-w   c:\windows\system32\wuweb.dll
+ 2008-07-19 03:09:44   205,000   ----a-w   c:\windows\system32\wuweb.dll
+ 2008-11-23 15:48:35   16,384   ----atw   c:\windows\temp\Perflib_Perfdata_584.dat
+ 2008-09-30 21:42:08   1,286,152   ----a-w   c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 21:45:12   91,656   ----a-w   c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-31 68856]
"isuspm"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"dellsupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]
"sunjavaupdatesched"="c:\program files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 36975]
"realtray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-10-07 26112]
"quicktime task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-07-13 169264]
"ituneshelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"isusscheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"isuspm startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"intelwireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-02-15 155648]
"hotkeyscmds"="c:\windows\system32\hkcmd.exe" [2005-02-15 126976]
"dvdlauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"dell quickset"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"act! preloader"="c:\program files\ACT\ACT for Windows\Act8.exe" [2006-04-05 1015808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-07 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 16:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Yahoo! Autosync.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Yahoo! Autosync.lnk
backup=c:\windows\pss\Yahoo! Autosync.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pcmservice]
--a------ 2004-04-11 20:15 290816 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\picasa media detector]
--a------ 2008-02-25 20:23 443968 c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"MSK80Service"=2 (0x2)
"MpfService"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\ACT\\ACT for Windows\\Act8.exe"=
"%windir%\\system32\\sessmgr.exe"=

R2 Maxtor Sync Service;Maxtor Service;"c:\program files\Maxtor\Sync\SyncServices.exe" [2007-07-13 156976]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-11-02 24652]
S1 8a0dfb28;8a0dfb28;c:\windows\system32\drivers\8a0dfb28.sys []
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 []
.
Contents of the 'Scheduled Tasks' folder

2008-08-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe []

2007-10-18 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe []
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-23 10:48:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\msiexec.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\msiexec.exe
c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
c:\progra~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe
.
**************************************************************************
.
Completion time: 2008-11-23 10:57:36 - machine was rebooted
ComboFix-quarantined-files.txt  2008-11-23 15:57:05
ComboFix2.txt  2008-11-22 16:10:45

Pre-Run: 17,798,598,656 bytes free
Post-Run: 17,781,473,280 bytes free

226   --- E O F ---   2008-11-22 16:21:50
Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: CBMatt on November 24, 2008, 04:57:06 AM
Well, everything appears to check out.  You will, of course, want to run regular virus scans, but there are no longer any obvious signs of infection.  As for this Roxio installer...it's a bit hard to say exactly what is going on.  Your logs show traces of Roxio existing in some form and it looks like you either had Roxio installed at one point or you stopped it in the middle of installation (probably the latter).  I could be wrong, but it's possible that your registry is confusing the computer and making it want to install Roxio.  For starters, let's try disabling the InstallShield updater from running at startup, as well as the Roxio entries in your log.  Scan with HijackThis (without a log) and place checkmarks next to these entries:

O4 - HKLM\..\Run: [isusscheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [isuspm startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [isuspm] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe (file missing)
O23 - Service: Roxio Upnp Server 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)


Close all other windows and click Fix Checked.  While you're at it, check C:\Program Files and C:\Program Files\Common Files for any Roxio folders.  If you find them, delete them.  You should then download CCleaner (http://www.ccleaner.com) (without the Yahoo! toolbar) and use it to clean out files and broken registry entries.

You may even want to open up the Windows search function and perform a search (you may need to view hidden files and folders) for "roxio" and delete everything related to the program.  If you're uncertain, leave it alone.  Keep in mind that I'm assuming you are not using any Roxio products, which is why I'm having you delete everything related.

Once you've done everything, restart and cross your fingers.  If the problem persists, you may want to contact Roxio.  There are viruses that will try to run the installer, but I've never seen one that acts quite like this, so I suspect that it isn't malicious.
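The triage CBMatt does by hand above (pick out the O4 autostart and O23 service lines, spot services whose image is reported as "(file missing)", and collect every entry tied to a product being removed) can be scripted. The checker below is an added example and is not part of this thread, nor of HijackThis itself; the sample log is a constructed subset of the lines posted earlier in the thread, and the function and regex names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O4/O23 lines from the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [isusscheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [isuspm startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [isuspm] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe (file missing)
O23 - Service: Roxio Upnp Server 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# Line shapes as HijackThis prints them (regex names are this example's own).
RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$')
SVC_RE = re.compile(r'^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - '
                    r'(?P<path>.+?)(?P<missing> \(file missing\))?$')


@dataclass
class Entry:
    section: str        # "O4" (autostart) or "O23" (service)
    name: str           # Run value name, .lnk name or service display name
    image: str          # executable the entry points at (arguments stripped for O4)
    file_missing: bool  # HijackThis could not find the image on disk
    raw: str            # the original log line


def image_path(cmd: str) -> str:
    """Strip arguments from an O4 command line: honour quoting, else cut after '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.search(r'\.exe\b', cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd.split()[0]


def parse_hijackthis(log_text: str) -> list[Entry]:
    """Return the O4 and O23 entries of a HijackThis log; other sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            entries.append(Entry("O4", m["name"], image_path(m["cmd"]), False, line))
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append(Entry("O23", m["display"].strip(), m["path"].strip(),
                                 m["missing"] is not None, line))
    return entries


def orphaned_services(entries: list[Entry]) -> list[Entry]:
    """Services still registered although their binary is gone: leftovers of a removed
    or half-installed product, which is the case CBMatt describes for Roxio."""
    return [e for e in entries if e.section == "O23" and e.file_missing]


def entries_mentioning(entries: list[Entry], keywords) -> list[Entry]:
    """Every autostart or service line whose text contains one of the keywords,
    i.e. the set a helper would tick in HijackThis before 'Fix Checked'."""
    kws = [k.lower() for k in keywords]
    return [e for e in entries if any(k in e.raw.lower() for k in kws)]


if __name__ == "__main__":
    parsed = parse_hijackthis(SAMPLE_HJT_LOG)
    print("orphaned services:")
    for e in orphaned_services(parsed):
        print("  ", e.name, "->", e.image)
    print("entries to review for keywords roxio/isus:")
    for e in entries_mentioning(parsed, ("roxio", "isus")):
        print("  ", e.raw)
```

Run against the sample, `orphaned_services` lists the McAfee and four Roxio services, and `entries_mentioning(..., ("roxio", "isus"))` returns exactly the seven lines CBMatt asked to have checked. A "(file missing)" flag alone is not proof of malware; it is a leftover registration that deserves a look, which is why the script reports rather than decides.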
Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: C-Train on November 24, 2008, 05:43:12 AM
CBMatt,

All looks good and computer is back to normal operation.  Your help has been awesome and I will be in touch soon; I have a friend's computer to work on around Christmas and it sounds like it is in similar shape.

Thanks again,

C-Train
Title: Re: Cannot open any program from desktop icons or open files from jump drive...VIRUS
Post by: CBMatt on November 24, 2008, 06:19:33 AM
Great, I'm glad to hear that things are running smoothly again.  And I'll be happy to help you out with the other computer if you need me.  Take care.