No HJT for me!

No HJT for me!

Post by taffy_miller on Sun Sep 06, 2009 7:37 pm

No, we can't use HJT, Malwarebytes or Norton. We cannot download anything that might help fix the problem. We cannot alter or remove files. At one time, Dr. Inferno had sent me a way to get into HJT without the malware recognizing it, but this no longer works, as I went back into his post and tried using it again. Bummer! After we ran Spyware Doctor several times last evening and this AM, it said it took it all out, but when I rebooted, there was an error message with desote.exe with the little boxes at the bottom that ask if you want to send or not send the report, but you could not click on either box (they didn't do anything), and if you go onto the internet, that error message was in front of whatever you were trying to see. Right now it is allowing me into very limited parts of the internet; for example, I can play Farmville in Facebook but I can't see my wall or go to my homepage. I am using a netbook now to write to you. The only way I can get to Geek Police is occasionally when it allows me into my e-mail and I use a link from an e-mail; I always make sure I leave a link to this site. I guess maybe if there is any other sneaky way to get into HJT, that would be the ticket.

Re: No HJT for me!

Post by Origin on Sun Sep 06, 2009 10:20 pm

Hello taffy_miller,

Welcome to Geek Police, my name is Origin and I will be helping you today. Please keep the following in mind:

  • If you do not get a reply from me or another helper within 2 days, please reply to your topic with the phrase BUMP.
  • If you have any cracked/pirated software on your computer, delete it or we will not help you.
  • Only follow advice from Geek Police Staff and not a regular member.
  • Do NOT run any tool without Geek Police supervision, as it could render your system useless.


Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    proquota.exe
    scecli.dll
    netlogon.dll
    eventlog.dll
    cngaudit.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

No luck

Post by taffy_miller on Mon Sep 07, 2009 5:51 pm

I tried both download options; each time, I got the error window with the desote.exe on the top.

Re: No HJT for me!

Post by Belahzur on Mon Sep 07, 2009 8:29 pm

Please delete this file in red:
C:\Windows\system32\desote.exe

Next, download [You must be registered and logged in to see this link.] file.

Download it to your Desktop.
Double click it to run it; select yes to the registry merge prompt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Nope

Post by taffy_miller on Tue Sep 08, 2009 2:40 am

We already got that message in an earlier post. We CANNOT delete or alter that desote.exe file. We have tried. We can't use Malwarebytes, Norton, or HJT. Maybe we just don't realize how to find the file as you have it written, so you might be able to help us with that. We saw it in the files in 'My Computer' and could not do anything with it (it has blocked us from working with it). Origin gave us 2 options for downloading something else to scan with (refer to earlier post) and we were unable to download either one.

Re: No HJT for me!

Post by Belahzur on Tue Sep 08, 2009 3:50 pm

Please do the following in Safe Mode with Networking: as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers, if you press and hold a key as the computer is booting, you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu. Once in the startup menu, select "Safe Mode with Networking", then try deleting desote.exe from there.


We already tried that, doesn't work

Post by taffy_miller on Fri Sep 11, 2009 11:48 am

If we go into safe mode, we can use the internet somewhat, but it does nothing as far as letting us run any of the programs mentioned above or deleting any bad programs. Sometimes Spyware Doctor helps it to get a little better, but it never completely fixes it. We just started that the other day. We called a guy who does this stuff for a living and we'll see what happens. A friend of mine used to work with this type of thing; he told me he's betting I'm going to have to buy a new computer...bummer.

Re: No HJT for me!

Post by Origin on Sat Sep 12, 2009 5:26 am

Please download SilentRunners from here:
[You must be registered and logged in to see this link.]
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.


Almost

Post by taffy_miller on Sat Sep 12, 2009 11:14 pm

I was able to download that; we put it on the desktop and did the scan. We are unable to locate the log. Sounds like it's supposed to show up right next to the SilentRunners icon. We looked through all the program files, etc., and there is nothing that appears to be that file. However, the computer is running faster and seems more like it used to be. I don't think it fixed it though. Do you have any advice, or can you give me a pathway to where I might find the logfile? Thanks! Rose

Re: No HJT for me!

Post by Belahzur on Mon Sep 14, 2009 12:19 am

Hello.
If the machine is giving you an easier time, try running SystemLook and see what happens.


SystemLook log!!!

Post by taffy_miller on Mon Sep 14, 2009 9:11 pm

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 17:05 on 14/09/2009 by Compaq_Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "proquota.exe"
C:\WINDOWS\$NtServicePackUninstall$\proquota.exe -----c 50176 bytes [04:57 24/01/2009] [04:00 10/08/2004] 4D9D45A4370E0C2AD00C362B7118E2A4
C:\WINDOWS\ServicePackFiles\i386\proquota.exe ------ 50176 bytes [19:00 30/08/2008] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8
C:\WINDOWS\system32\proquota.exe ------ 50176 bytes [04:00 10/08/2004] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [04:57 24/01/2009] [04:00 10/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll ------ 181248 bytes [19:00 30/08/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 181248 bytes [04:00 10/08/2004] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 407040 bytes [04:57 24/01/2009] [04:00 10/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll ------ 407040 bytes [19:00 30/08/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [04:00 10/08/2004] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "eventlog.dll"
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [04:57 24/01/2009] [04:00 10/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ------ 56320 bytes [18:58 30/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll --a--- 56320 bytes [04:00 10/08/2004] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656

Searching for "cngaudit.dll"
No files found.

-=End Of File=-


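As an added example (not code from the page, from SystemLook's author or from the helpers), here is a Python parser for SystemLook ":filefind" output that applies the comparison a helper can make from a listing like the one above and the one Origin requested: the live copy of each system file under system32 is compared, by MD5 and size, with the copy Windows keeps in ServicePackFiles\i386, and any difference is flagged for verification. The embedded log is constructed in the same format as the posted one, with placeholder hashes; the directory names and verdict labels are this example's own choices.

```python
import re

# Constructed sample in SystemLook ":filefind" output format (modelled on the
# log posted in this thread, NOT that log); the MD5 values are placeholders.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 17:05 on 14/09/2009 by Example_User (Administrator - Elevation successful)

========== filefind ==========

Searching for "proquota.exe"
C:\WINDOWS\$NtServicePackUninstall$\proquota.exe -----c 50176 bytes [04:57 24/01/2009] [04:00 10/08/2004] FEDCBA9876543210FEDCBA9876543210
C:\WINDOWS\ServicePackFiles\i386\proquota.exe ------ 50176 bytes [19:00 30/08/2008] [00:12 14/04/2008] 0123456789ABCDEF0123456789ABCDEF
C:\WINDOWS\system32\proquota.exe ------ 50176 bytes [04:00 10/08/2004] [00:12 14/04/2008] 0123456789ABCDEF0123456789ABCDEF

Searching for "netlogon.dll"
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll ------ 407040 bytes [19:00 30/08/2008] [00:12 14/04/2008] AAAABBBBCCCCDDDDEEEEFFFF00001111
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [04:00 10/08/2004] [00:12 14/04/2008] DEADBEEFDEADBEEFDEADBEEFDEADBEEF

Searching for "cngaudit.dll"
No files found.

-=End Of File=-
"""

# One hit line: <path> <attribute flags> <size> bytes [created] [modified] <MD5>
HIT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')

# The live file and the reference copy the service pack installer left behind.
# ($NtServicePackUninstall$ holds the older, pre-service-pack versions, so a
# difference there is expected and is deliberately not compared.)
LIVE_DIR = r"c:\windows\system32"
REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"

EXPLANATION = {
    "ok": "system32 copy matches the service-pack cache copy",
    "mismatch": "system32 copy differs from the service-pack cache copy: "
                "possibly patched, verify against a known-clean source",
    "missing": "no copy under system32 (the file may not exist on this Windows version)",
    "no_reference": "no ServicePackFiles\\i386 copy to compare against",
}


def parse_filefind(text):
    """Return {searched_name: [hit dicts]}; a name with no hits maps to []."""
    results = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name")
            results[current] = []
            continue
        if current is None or line == "No files found.":
            continue
        m = HIT_RE.match(line)
        if m:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper()
            results[current].append(hit)
    return results


def _in_dir(path, directory):
    """True if path's parent directory (case-insensitive) is exactly `directory`."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[0] == directory


def check_system_files(results):
    """Compare each file's live system32 copy against the service-pack cache copy.
    Returns {name: verdict}, verdict in 'ok', 'mismatch', 'missing', 'no_reference'."""
    verdicts = {}
    for name, hits in results.items():
        live = [h for h in hits if _in_dir(h["path"], LIVE_DIR)]
        ref = [h for h in hits if _in_dir(h["path"], REFERENCE_DIR)]
        if not live:
            verdicts[name] = "missing"
        elif not ref:
            verdicts[name] = "no_reference"
        elif live[0]["md5"] != ref[0]["md5"] or live[0]["size"] != ref[0]["size"]:
            verdicts[name] = "mismatch"
        else:
            verdicts[name] = "ok"
    return verdicts


def report(text):
    """Parse a SystemLook log, print one line per searched file, return the verdicts."""
    verdicts = check_system_files(parse_filefind(text))
    for name, verdict in verdicts.items():
        print(f"{name:14s} {verdict:13s} {EXPLANATION[verdict]}")
    return verdicts


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

A mismatch only says the live file is not the service-pack build; a hotfix can legitimately replace a system file, so the hash should be checked against a known-clean copy before anything is replaced.
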
Re: No HJT for me!

Post by Belahzur on Mon Sep 14, 2009 9:25 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:
       * Tools->Options->Main tab
       * Set to "Always ask me where to Save the files".
    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Combofix file

Post by taffy_miller on Tue Sep 15, 2009 12:45 pm

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.224 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\Combo-Fix.exe
AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Images
c:\images\DirCfg.ini
c:\program files\Common
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Install.txt
c:\windows\Installer\df9f1.msp
c:\windows\kb913800.exe
c:\windows\system32\18467.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\system32\bincd32.dat
c:\windows\system32\FInstall.sys
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\Install.txt
c:\windows\system32\kdpini.dll
c:\windows\system32\netsdk.sys
c:\windows\system32\wispex.html
D:\Autorun.inf

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_kbiwkmfuukfhmc
-------\Legacy_NETSDK
-------\Service_kbiwkmfuukfhmc
-------\Service_netsdk


((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.

2009-09-12 15:26 . 2009-03-31 15:23 39200 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-09-12 15:26 . 2009-03-31 15:23 33056 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-09-12 15:26 . 2009-03-31 15:23 12576 ----a-w- c:\windows\system32\drivers\TfKbMon.sys
2009-09-12 15:26 . 2009-03-31 15:23 51488 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-09-09 21:52 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-01 22:32 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-01 22:31 . 2009-08-24 18:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-01 22:31 . 2009-08-19 15:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-01 22:31 . 2009-09-01 22:32 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-01 22:31 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-01 22:31 . 2009-09-14 12:27 -------- d-----w- c:\program files\Spyware Doctor
2009-09-01 22:31 . 2009-09-12 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-01 22:31 . 2009-09-01 22:31 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\PC Tools
2009-09-01 22:31 . 2009-09-15 12:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-01 21:48 . 2009-09-01 21:48 -------- d-----w- C:\0de76ee21061f88991ef77fd89e4
2009-08-31 17:23 . 2009-08-31 17:23 273935 ----a-w- c:\windows\system32\aebacebfafaedde.dll
2009-08-31 10:26 . 2009-08-31 10:26 163840 ----a-w- c:\windows\svchasts.exe
2009-08-25 21:13 . 2009-08-25 21:13 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-08-24 21:44 . 2009-08-24 21:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-22 21:38 . 2009-08-22 21:38 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-08-22 20:42 . 2009-08-22 20:42 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-22 20:08 . 2009-08-22 20:08 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-22 19:55 . 2009-08-22 19:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPQ
2009-08-22 19:43 . 2009-08-22 19:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-22 19:43 . 2009-08-22 19:43 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-15 12:02 . 2009-02-03 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-15 12:02 . 2006-09-12 01:55 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-14 19:19 . 2007-11-02 04:37 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-12 15:37 . 2007-02-02 21:55 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\WeatherBug
2009-08-23 06:16 . 2009-08-23 06:15 110574 ----a-w- c:\windows\~DF63BC.tmp
2009-08-23 06:15 . 2009-08-23 06:06 110574 ----a-w- c:\windows\~DFD7E1.tmp
2009-08-23 05:23 . 2009-05-10 12:48 -------- d-----w- c:\program files\'Malewarebytes' Anti-Malware'
2009-08-22 15:50 . 2009-08-22 15:50 296462 ----a-w- c:\windows\~DFEFB9.tmp
2009-08-21 23:59 . 2008-12-25 02:31 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\BitTorrent
2009-08-14 19:00 . 2006-09-12 01:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-14 18:59 . 2009-08-14 18:59 -------- d-----w- c:\program files\eBay
2009-08-14 10:58 . 2009-09-01 22:31 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-06 07:49 . 2006-09-12 01:28 45536 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 07:17 . 2009-08-06 07:17 -------- d-----w- c:\program files\MSBuild
2009-08-06 07:17 . 2009-08-06 07:17 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2004-08-10 04:00 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2009-05-10 12:48 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-05-10 12:48 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 20:42 . 2009-07-31 20:42 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\KodakCredentialStore
2009-07-31 19:24 . 2009-07-31 19:24 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Skinux
2009-07-31 19:17 . 2009-07-31 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-07-31 19:15 . 2009-07-31 19:14 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\ArcSoft
2009-07-31 19:15 . 2009-07-31 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-07-31 19:14 . 2009-07-31 19:13 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-07-31 19:13 . 2009-07-31 19:13 -------- d-----w- c:\program files\ArcSoft
2009-07-31 19:12 . 2009-07-31 18:16 -------- d-----w- c:\program files\Kodak
2009-07-31 19:10 . 2009-07-31 18:19 -------- d-----w- c:\program files\Common Files\Kodak
2009-07-17 19:01 . 2004-08-10 04:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 18:26 . 2009-07-15 18:26 49152 ----a-r- c:\windows\system32\inetwh32.dll
2009-07-15 18:26 . 2009-07-15 18:26 1044480 ----a-r- c:\windows\system32\roboex32.dll
2009-07-13 14:08 . 2004-08-10 04:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 04:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 04:00 730112 ------w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 04:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 04:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 04:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-10 04:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 04:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-10 11:00 92928 ------w- c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-12 180269]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-23 1181064]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-9-11 36903]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-1-26 54776]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\aebacebfafaedde]
2009-08-31 17:23 273935 ----a-w- c:\windows\system32\aebacebfafaedde.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/1/2009 6:31 PM 206256]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [9/12/2009 11:26 AM 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [9/12/2009 11:26 AM 39200]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [9/1/2009 6:32 PM 159600]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/11/2009 8:46 AM 102448]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [9/1/2009 6:31 PM 64392]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [9/12/2009 11:26 AM 33056]
S0 bbaeec9b7011df3982c8237517cd3e15;bbaeec9b7011df3982c8237517cd3e15;c:\windows\system32\bbaeec9b7011df3982c8237517cd3e15.sys --> c:\windows\system32\bbaeec9b7011df3982c8237517cd3e15.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*NewlyCreated* - EVDOSERVER
*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-16 22:11]

2009-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 18:05]

2009-09-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 18:05]

2009-09-15 c:\windows\Tasks\User_Feed_Synchronization-{B37FEFBC-FD89-4275-949A-ED107B49DFB2}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Yahoo! Search - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycsms.htm
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: trymedia.com
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)
AddRemove-Win Police Pro - c:\program files\Windows Police Pro\AntiSpyware_Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-15 08:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-905739999-803018164-1412106516-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,72,a6,5a,5b,3d,4c,f4,40,98,76,2a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,72,a6,5a,5b,3d,4c,f4,40,98,76,2a,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\windows\system32\aebacebfafaedde.dll
c:\windows\system32\Wininet.dll
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll
c:\program files\Spyware Doctor\TFEngine\TFNI.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'lsass.exe'(1044)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll

- - - - - - - > 'explorer.exe'(4304)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\program files\Spyware Doctor\TFEngine\TFNI.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE
c:\program files\Spyware Doctor\TFEngine\TFService.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\HPZipm12.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\TEMP\t4m0_436554816484.bk.old
c:\windows\system32\sofatnet.exe
c:\windows\system32\lsm32.sys
.
**************************************************************************
.
Completion time: 2009-09-15 8:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-15 12:39

Pre-Run: 130,531,045,376 bytes free
Post-Run: 130,484,686,848 bytes free

360 --- E O F --- 2009-09-12 07:01


Re: No HJT for me!

Post by Belahzur on Tue Sep 15, 2009 5:31 pm

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\aebacebfafaedde.dll
c:\windows\~DF63BC.tmp
c:\windows\~DFD7E1.tmp
c:\windows\~DFEFB9.tmp

Registry::
[-HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

Driver::
bbaeec9b7011df3982c8237517cd3e15

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


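As an added example (not code from the thread or from ComboFix), here is a small Python triage pass over the two log sections the CFScript above was written from, "DLLs Loaded Under Running Processes" and "Other Running Processes", run on constructed sample lines copied from the log posted earlier. The heuristics it applies (random-looking module names inside winlogon/lsass, images loaded or running from temp directories, listed "processes" whose image is not an executable) are assumptions for illustration, not ComboFix's own rules.

```python
# Added example: triage over two ComboFix log sections (heuristics are assumptions).
import re
from collections import defaultdict

# Constructed sample: trimmed copy of the sections posted earlier in the thread.
SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\windows\system32\aebacebfafaedde.dll
c:\windows\system32\Wininet.dll
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll

- - - - - - - > 'explorer.exe'(4304)
c:\windows\system32\WININET.dll
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\mshtml.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\TEMP\t4m0_436554816484.bk.old
c:\windows\system32\sofatnet.exe
c:\windows\system32\lsm32.sys
.
**************************************************************************
"""

DLL_SECTION = "DLLs Loaded Under Running Processes"
PROC_SECTION = "Other Running Processes"
PROCESS_HEADER = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)$")

# Review heuristics (assumed for this example, not ComboFix rules):
PROTECTED = {"winlogon.exe", "lsass.exe"}        # modules here run before any desktop exists
TEMP_DIR = re.compile(r"\\temp\\", re.I)          # ...\Temp\..., ...\LOCALS~1\Temp\...
HEX_STEM = re.compile(r"^[0-9a-f]{10,}$", re.I)   # random-looking names such as aebacebfafaedde
EXEC_EXT = {".exe", ".com", ".scr"}               # what a running process image normally is


def parse_sections(text):
    """Return ({process name: [module paths]}, [process image paths])."""
    loaded = defaultdict(list)
    processes = []
    section = current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("-----") and line.endswith("-----"):   # section banner
            section, current = line.strip("- "), None
            continue
        if line.startswith("*****"):                              # end of a ComboFix block
            section = None
            continue
        if section == DLL_SECTION:
            m = PROCESS_HEADER.match(line)
            if m:
                current = m.group(1).lower()
            elif current:
                loaded[current].append(line)
        elif section == PROC_SECTION:
            processes.append(line)
    return loaded, processes


def review_dll(process, path):
    """Reason a loaded module merits a look, or None."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if TEMP_DIR.search(path):
        return "module loaded from a temp directory"
    if process in PROTECTED and HEX_STEM.match(stem):
        return "random-looking module name inside a logon/LSA process"
    return None


def review_process(path):
    """Reason a listed process image merits a look, or None."""
    name = path.rsplit("\\", 1)[-1].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if TEMP_DIR.search(path):
        return "process image running from a temp directory"
    if ext not in EXEC_EXT:
        return "process image with non-executable extension " + repr(ext)
    return None


def triage(log_text):
    """Return [(kind, process, path, reason)] for every entry worth reviewing."""
    loaded, processes = parse_sections(log_text)
    findings = [("dll", proc, mod, review_dll(proc, mod))
                for proc, mods in loaded.items() for mod in mods]
    findings += [("process", "-", img, review_process(img)) for img in processes]
    return [f for f in findings if f[3] is not None]


if __name__ == "__main__":
    # sofatnet.exe passes every heuristic here; in the thread it was only caught
    # later by MBAM's signature, so a triage pass never replaces a scan.
    for kind, proc, path, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {proc} {path} -> {reason}")
```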

ComboFix Log

Post by taffy_miller on Tue Sep 15, 2009 8:57 pm

ComboFix 09-09-14.02 - Administrator 09/15/2009 16:07.2.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.206 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

FILE ::
"c:\windows\~DF63BC.tmp"
"c:\windows\~DFD7E1.tmp"
"c:\windows\~DFEFB9.tmp"
"c:\windows\system32\aebacebfafaedde.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\~DF63BC.tmp
c:\windows\~DFD7E1.tmp
c:\windows\~DFEFB9.tmp
c:\windows\system32\aebacebfafaedde.dll
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\wiwow64.exe

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BBAEEC9B7011DF3982C8237517CD3E15
-------\Service_bbaeec9b7011df3982c8237517cd3e15


((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.

2009-09-12 15:26 . 2009-03-31 15:23 39200 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-09-12 15:26 . 2009-03-31 15:23 33056 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-09-12 15:26 . 2009-03-31 15:23 12576 ----a-w- c:\windows\system32\drivers\TfKbMon.sys
2009-09-12 15:26 . 2009-03-31 15:23 51488 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-09-09 21:52 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-01 22:32 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-01 22:31 . 2009-08-24 18:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-01 22:31 . 2009-08-19 15:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-01 22:31 . 2009-09-01 22:32 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-01 22:31 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-01 22:31 . 2009-09-15 20:16 -------- d-----w- c:\program files\Spyware Doctor
2009-09-01 22:31 . 2009-09-12 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-01 22:31 . 2009-09-01 22:31 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\PC Tools
2009-09-01 22:31 . 2009-09-15 20:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-01 21:48 . 2009-09-01 21:48 -------- d-----w- C:\0de76ee21061f88991ef77fd89e4
2009-08-31 10:26 . 2009-08-31 10:26 163840 ----a-w- c:\windows\svchasts.exe
2009-08-25 21:13 . 2009-08-25 21:13 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-08-24 21:44 . 2009-08-24 21:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-22 21:38 . 2009-08-22 21:38 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-08-22 20:42 . 2009-08-22 20:42 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-22 20:08 . 2009-08-22 20:08 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-22 19:55 . 2009-08-22 19:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPQ
2009-08-22 19:43 . 2009-08-22 19:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-22 19:43 . 2009-08-22 19:43 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-15 20:19 . 2006-09-12 01:55 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-15 13:18 . 2007-02-06 02:47 -------- d--h--r- c:\documents and settings\Compaq_Administrator\Application Data\yahoo!
2009-09-15 13:17 . 2006-09-12 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-15 12:02 . 2009-02-03 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-14 19:19 . 2007-11-02 04:37 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-12 15:37 . 2007-02-02 21:55 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\WeatherBug
2009-08-23 05:23 . 2009-05-10 12:48 -------- d-----w- c:\program files\'Malewarebytes' Anti-Malware'
2009-08-21 23:59 . 2008-12-25 02:31 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\BitTorrent
2009-08-14 19:00 . 2006-09-12 01:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-14 18:59 . 2009-08-14 18:59 -------- d-----w- c:\program files\eBay
2009-08-14 10:58 . 2009-09-01 22:31 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-06 07:49 . 2006-09-12 01:28 45536 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 07:17 . 2009-08-06 07:17 -------- d-----w- c:\program files\MSBuild
2009-08-06 07:17 . 2009-08-06 07:17 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2004-08-10 04:00 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2009-05-10 12:48 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-05-10 12:48 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 20:42 . 2009-07-31 20:42 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\KodakCredentialStore
2009-07-31 19:24 . 2009-07-31 19:24 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Skinux
2009-07-31 19:17 . 2009-07-31 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-07-31 19:15 . 2009-07-31 19:14 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\ArcSoft
2009-07-31 19:15 . 2009-07-31 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-07-31 19:14 . 2009-07-31 19:13 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-07-31 19:13 . 2009-07-31 19:13 -------- d-----w- c:\program files\ArcSoft
2009-07-31 19:12 . 2009-07-31 18:16 -------- d-----w- c:\program files\Kodak
2009-07-31 19:10 . 2009-07-31 18:19 -------- d-----w- c:\program files\Common Files\Kodak
2009-07-17 19:01 . 2004-08-10 04:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 18:26 . 2009-07-15 18:26 49152 ----a-r- c:\windows\system32\inetwh32.dll
2009-07-15 18:26 . 2009-07-15 18:26 1044480 ----a-r- c:\windows\system32\roboex32.dll
2009-07-13 14:08 . 2004-08-10 04:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 04:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 04:00 730112 ------w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 04:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 04:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 04:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-10 04:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 04:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-10 11:00 92928 ------w- c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-15 20:17 . 2009-09-15 20:17 16384 c:\windows\temp\Perflib_Perfdata_738.dat
+ 2004-08-10 04:00 . 2004-08-10 04:00 132096 c:\windows\system32\dvdpaly.exe
+ 2009-08-01 16:09 . 2009-09-15 16:45 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-08-01 16:09 . 2009-09-13 04:19 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-12 180269]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-23 1181064]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-9-11 36903]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-1-26 54776]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

2;4 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe [x]
R2 gupdate1c98629fd5e6d98;Google Update Service (gupdate1c98629fd5e6d98);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 133104]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2008-12-10 64392]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-03-31 33056]
R3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-08-24 206256]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-03-31 51488]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-03-31 39200]
S1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2008-12-11 159600]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
S2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [2004-08-10 93696]
S3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-26 102448]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-16 22:11]

2009-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 18:05]

2009-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 18:05]

2009-09-15 c:\windows\Tasks\User_Feed_Synchronization-{B37FEFBC-FD89-4275-949A-ED107B49DFB2}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Yahoo! Search - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycsms.htm
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: trymedia.com
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

Notify-aebacebfafaedde - c:\windows\system32\aebacebfafaedde.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-15 16:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-905739999-803018164-1412106516-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,72,a6,5a,5b,3d,4c,f4,40,98,76,2a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,72,a6,5a,5b,3d,4c,f4,40,98,76,2a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll
c:\program files\Spyware Doctor\TFEngine\TFNI.dll

- - - - - - - > 'lsass.exe'(1044)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll

- - - - - - - > 'explorer.exe'(1024)
c:\windows\system32\WININET.dll
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll
c:\program files\Spyware Doctor\TFEngine\TFNI.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dvdpaly.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\program files\Symantec\LiveUpdate\LuComServer_3_4.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Spyware Doctor\TFEngine\TFService.exe
c:\windows\system\hpsysdrv.exe
c:\windows\system32\lsm32.sys
.
**************************************************************************
.
Completion time: 2009-09-15 16:45 - machine was rebooted [Compaq_Administrator]
ComboFix-quarantined-files.txt 2009-09-15 20:42
ComboFix2.txt 2009-09-15 12:39

Pre-Run: 130,923,065,344 bytes free
Post-Run: 130,485,288,960 bytes free

309 --- E O F --- 2009-09-12 07:01


Bump

Post by taffy_miller on Mon Sep 21, 2009 8:15 pm

Please see last post (ComboFix log). Also can we remove SilentRunners? Since it's been on there our cell phone booster is blocked and we can't use the cells here at home. TY!


Re: No HJT for me!

Post by Belahzur on Tue Sep 22, 2009 12:46 am

SilentRunners should cause a block, SilentRunners doesn't do anything but scans.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.





MBAM LOG

Post by taffy_miller on Tue Sep 22, 2009 12:09 pm

Malwarebytes' Anti-Malware 1.40
Database version: 2691
Windows 5.1.2600 Service Pack 3 (Safe Mode)

9/22/2009 8:06:32 AM
mbam-log-2009-09-22 (08-06-32).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 262524
Time elapsed: 37 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 70

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mEv (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiwow64.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP917\A0155522.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP918\A0155533.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP918\A0155534.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP918\A0155535.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP919\A0155536.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP919\A0155547.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP919\A0155559.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP919\A0156559.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP919\A0157565.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP919\A0157570.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP919\A0157571.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP920\A0157573.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP920\A0157579.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP920\A0157580.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP920\A0157581.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP920\A0157591.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP920\A0157592.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP920\A0157605.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP920\A0157606.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP921\A0157612.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP921\A0157616.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP921\A0157617.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP921\A0157618.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP922\A0157622.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP922\A0157627.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP923\A0158690.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP923\A0158691.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP923\A0158693.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP923\A0158694.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP924\A0158711.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP925\A0158720.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP925\A0158721.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP925\A0158722.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP925\A0158723.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP925\A0159606.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP925\A0159607.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP925\A0160612.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP925\A0160613.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP926\A0160618.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP926\A0161611.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP926\A0161612.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP926\A0161613.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP927\A0161618.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP927\A0161619.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP928\A0161649.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP928\A0161650.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP928\A0161653.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP928\A0161654.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP928\A0161675.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP928\A0161676.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP928\A0162681.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP928\A0162682.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP928\A0162691.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP928\A0163675.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP928\A0163688.exe (Rogue.WindowsAntivirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP928\A0163692.exe (Rogue.WindowsAntivirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP928\A0163743.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP928\A0164817.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP928\A0164846.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP928\A0164851.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP928\A0164852.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP929\A0164946.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP929\A0164949.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dvdpaly.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EvdoServer.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sofatnet.exex (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\t4m0_823915263465.bk.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EvdoSv32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

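A triage note on the log above, with an added example that is not part of this thread. Almost every "Files Infected" hit sits under C:\System Volume Information\_restore{...}\RPnnn\, which is where Windows XP System Restore keeps its snapshots: those are copies saved into old restore points, not files the machine was running. The entries that show the box itself was still infected are the ones in C:\WINDOWS\system32 (dvdpaly.exe, EvdoServer.dll, FInstall.sys and the rest), plus one inside a quarantine folder left by an earlier tool (C:\Qoobox\Quarantine is ComboFix's). The script below parses lines in the Malwarebytes log format and separates the three; the sample input is a constructed excerpt in that format, and the location rules are mine, not Malwarebytes' own classification.

```python
import re
from collections import Counter

# Constructed sample: a short excerpt in the format of the Malwarebytes
# "Files Infected:" section posted above, not the complete log.
SAMPLE_MBAM = r"""
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiwow64.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP917\A0155522.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP928\A0163688.exe (Rogue.WindowsAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dvdpaly.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EvdoServer.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

# One detection line: "<path> (<detection name>) -> <action>"
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) \((?P<name>[^)]+)\) -> (?P<action>.*)$")
# Restore-point folder component, e.g. "\RP917\"
RP_RE = re.compile(r"\\RP(\d+)\\", re.IGNORECASE)


def parse_files_infected(text):
    """Return one dict per file-detection line; section headers and registry
    lines (which do not start with a drive letter) are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify(path):
    """Where the file actually lived: an old System Restore snapshot, another
    tool's quarantine folder, or the live file system. (Rules are this
    example's own assumption, not something Malwarebytes reports.)"""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"
    return "live"


def triage(text):
    """Count detections per location class and return the live ones, which
    are the entries that indicate the machine itself was still infected."""
    rows = parse_files_infected(text)
    by_class = Counter(classify(r["path"]) for r in rows)
    live = [r for r in rows if classify(r["path"]) == "live"]
    return by_class, live


def restore_points_hit(text):
    """Sorted list of the restore-point numbers (RPnnn) holding detections."""
    rps = set()
    for r in parse_files_infected(text):
        m = RP_RE.search(r["path"])
        if m:
            rps.add(int(m.group(1)))
    return sorted(rps)


if __name__ == "__main__":
    counts, live = triage(SAMPLE_MBAM)
    print(dict(counts))
    for r in live:
        print(f"LIVE  {r['path']}  [{r['name']}]")
    print("restore points with hits:", restore_points_hit(SAMPLE_MBAM))
```

Once the live entries are gone, the usual follow-up is to purge the old restore points (they hold the same droppers and would reinfect the machine if one were restored) and take a fresh one; the restore-point list this script produces tells you which snapshots were contaminated.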

Re: No HJT for me!

Post by Belahzur on Tue Sep 22, 2009 7:16 pm

Hello.

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Please read note at top! TY!

Post by taffy_miller on Tue Sep 22, 2009 8:03 pm

The quick scan showed nothing... twice today. The long scan showed a bunch of stuff. I prompted it to fix everything, but there are still the same old problems with the computer. Also, we deleted Silent Runners from the desktop but cannot find it anywhere else to delete it completely. Trying to remove it so our cell booster will work. Thanks!

Malwarebytes' Anti-Malware 1.41
Database version: 2844
Windows 5.1.2600 Service Pack 3 (Safe Mode)

9/22/2009 4:01:10 PM
mbam-log-2009-09-22 (16-01-10).txt

Scan type: Quick Scan
Objects scanned: 123275
Time elapsed: 15 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: No HJT for me!

Post by Belahzur on Tue Sep 22, 2009 9:28 pm

Hello.
How is the machine running now?



Re: No HJT for me!

Post by taffy_miller on Wed Sep 23, 2009 12:07 pm

PC is loading pages really slowly and freezing up; we still have a few error messages upon reboot. It works fine in Safe Mode but can't use printers and a lot of other things. We have a cell phone booster and can't use it because of Silent Runners, and can only find it in Windows to delete; are there other places to delete it from? In Windows all the letters under the icon are highlighted in gray.


Re: No HJT for me!

Post by Belahzur on Wed Sep 23, 2009 6:51 pm

Hello.
This could be the result of the malware; the infection here is awful and leaves damage behind if not removed as fast as possible.

Post a new HijackThis log.



HJT log

Post by taffy_miller on Wed Sep 23, 2009 10:25 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:57 PM, on 9/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Yahoo! Search - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - [You must be registered and logged in to see this link.]
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Update Service (gupdate1c98629fd5e6d98) (gupdate1c98629fd5e6d98) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 12312 bytes


Re: No HJT for me!

Post by Belahzur on Wed Sep 23, 2009 11:33 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1


  • Press "Fix Checked"
  • Close HijackThis.

Next, I need to see what's installed.

  • Open HijackThis.
  • When HijackThis opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


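The instructions above hand back two exact lines from the HijackThis log (the MyWebSearch toolbar under O3 and the Weather.exe Run entry under O4) for the user to tick and "Fix Checked". The log itself is plain text with a section prefix on every entry, so the matching is easy to script. The following is an added example, not code from this thread or from HijackThis: it parses lines in that format, returns the lines a rule list selects, and collects the CLSIDs (the {...} GUIDs on O2/O3/O9 entries) so they can be looked up. The rule list mirrors the two entries the helper named; the sample log is a constructed excerpt of the log posted above, not the full log, and the parser and rules are my own assumptions about how a triage script would be written.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines in the format of the HijackThis log
# posted above (not the whole log). Two of them are the entries the helper
# asked to have fixed.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
"""

# Every HJT entry starts with a section code (R0, O2, O23, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# COM class IDs as HJT prints them: {8-4-4-4-12 hex}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Fix rules (assumed for this example): (section, case-insensitive substring).
# These two mirror the helper's instructions above; extend as you triage.
FIX_RULES = [
    ("O3", "MyWebSearchWB"),
    ("O4", r"AWS\WEATHE~1\Weather.exe"),
]


def parse_hjt(text):
    """Split a HijackThis log into (section, body, raw_line) tuples, ignoring
    the header, 'Running processes' and footer lines that have no prefix."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body"), line.strip()))
    return entries


def lines_to_fix(entries, rules=FIX_RULES):
    """Return, in log order, the raw lines that any rule selects; these are
    the lines to tick in 'Do a system scan only' before 'Fix Checked'."""
    hits = []
    for section, body, raw in entries:
        for rule_section, needle in rules:
            if section == rule_section and needle.lower() in body.lower():
                hits.append(raw)
                break
    return hits


def section_counts(entries):
    """How many entries each section contributes (a quick shape of the log)."""
    counts = defaultdict(int)
    for section, _, _ in entries:
        counts[section] += 1
    return dict(counts)


def extract_clsids(entries):
    """Map each CLSID found to the sections it appears in, for lookup."""
    found = defaultdict(list)
    for section, body, _ in entries:
        for clsid in CLSID_RE.findall(body):
            found[clsid].append(section)
    return dict(found)


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print(section_counts(entries))
    for raw in lines_to_fix(entries):
        print("FIX:", raw)
    for clsid, sections in extract_clsids(entries).items():
        print(clsid, sections)
```

Matching on a path fragment rather than the whole line is deliberate: HJT prints the same toolbar DLL under several sections (here the WeatherBug bar shows up as an O3 entry, and the uninstall list shows it as a separate product), and a substring rule catches every occurrence without having to copy each line exactly.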

HJT Uninstall list

Post by taffy_miller on Thu Sep 24, 2009 1:19 am

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.5
Adobe® Photoshop® Album Starter Edition 3.2
AppCore
Apple Mobile Device Support
Apple Software Update
ArcSoft Print Creations
ArcSoft Print Creations - Album Page
ArcSoft Print Creations - Funhouse
ArcSoft Print Creations - Greeting Card
ArcSoft Print Creations - Photo Book
ArcSoft Print Creations - Photo Calendar
ArcSoft Print Creations - Scrapbook
ArcSoft Print Creations - Slimline Card
Backup
Cabela's Ultimate Deer Hunt 2
CardRd81
ccCommon
CCScore
Compaq Connections (remove only)
Coupon Printer for Windows
CR2
Customer Experience Enhancement
Data Fax SoftModem with SmartCP
Deer Drive (remove only)
Desktop Doctor
DISCover
DR Systems Web Ambassador
Easy Internet Sign-up
eDrawings 2008
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSTOOLS
essvatgt
GearDrvs
GearDrvs
GemMaster Mystic
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB945060-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Boot Optimizer
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP PSC & OfficeJet 3.5
HP Solution Center 7.0
HP Support Overview
HP Update
HP Web Helper
iTunes
J2SE Runtime Environment 5.0 Update 6
Kodak EasyShare software
LG USB Modem driver
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003 60 days trial
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
My HP Games
netbrdg
Netscape Browser (remove only)
Norton 360
Norton 360
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 HTMLHelp
Norton Confidential Core
NVIDIA Drivers
OCR Software by I.R.I.S 7.0
OfotoXMI
oggcodecs 0.71.0946
Otto
PC-Doctor 5 for Windows
Quicken 2006
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Remove WeatherBug Installer
Rhapsody
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SFR
SFR2
SHASTA
Shop for HP Supplies
skin0001
SKINXSDK
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SPBBC 32bit
Spyware Doctor 6.1
staticcr
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
Turbo Lister 2
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
V CAST Music with Rhapsody
VPRINTOL
WeatherBug
WeatherBug Browser Bar - powered by MyWebSearch
WildTangent Web Driver
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB912067
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WIRELESS
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Music Jukebox
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar

taffy_miller
Intermediate

Posts : 52
Joined : 2009-05-10
Gender : Female
OS : Windows XP
Points : 27803
Likes : 0

Re: No HJT for me!

Post by Belahzur on Thu Sep 24, 2009 6:46 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    J2SE Runtime Environment 5.0 Update 6

How is the machine running now?


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1
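The post above asks for an outdated Java runtime to be removed through Add/Remove Programs. As an added example that is not part of the original thread, the following PowerShell script lists every Java runtime the machine has registered, read from the same Uninstall registry keys that feed the Add/Remove Programs dialog, so a helper can confirm which entries are present before and after the removal. It assumes PowerShell is installed (it is not bundled with Windows XP) and that the display-name patterns below cover the packages of interest; the `J2SE Runtime Environment` name is the one from the post, the others are assumptions about later package names.

```powershell
# Added example, not code from the forum post.
# Enumerates installed programs the way Add/Remove Programs does: each entry is a
# subkey under the Uninstall registry key. The Wow6432Node path only exists on
# 64-bit Windows and is silently skipped elsewhere.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Display names used by old Sun JRE packages ("J2SE Runtime Environment 5.0 Update 6"
# is the entry named in the post) and, as an assumption, by later "Java(TM) 6 Update NN"
# packages. Adjust the pattern if the list on the machine uses other names.
$javaPattern = '^(J2SE Runtime Environment|Java\(TM\) \d|Java \d)'

Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $javaPattern } |
    Select-Object DisplayName, DisplayVersion, InstallDate, UninstallString |
    Sort-Object DisplayName |
    Format-Table -AutoSize
```

Running the script after the removal and seeing no `J2SE Runtime Environment` row left is the check that the step was completed. An old runtime such as 5.0 Update 6 stays listed when a newer Java is installed alongside it, which is why the post singles it out for removal rather than relying on an update.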
