Options
Browser Hijacked to asiuoqgusdbaksd.com
Hello,
I picked up a case of this malware yesterday, and I am having a devil of a time getting rid of it.
I have the pc running in safe mode at the moment under the admin profile.
My profile (where malware launched) has admin restrictions to make changes (which is brought on by the malware)
I have tried the following
Virus scan
MS Windows Defender
Malware scan
SmitfuardFix
HijackThis
This morning I downloaded adaware 2008.
When the program ran a box opened stating the is an admin policy to prevent the running of adaware.
(mean little bugger)
any help or guidance would be much appreciated
Included is a HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:07, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] "C:\Documents and Settings\Nate\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install.exe" -startup -product IncrediMail -report
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Malware Scanner] C:\Program Files\MalwareRemover.com\Malware Scanner\MalScr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-500\..\Run: [Malware Scanner] C:\Program Files\MalwareRemover.com\Malware Scanner\MalScr.exe (User '?')
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - [URL]file://C:\Program[/URL] Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - [URL]file://C:\Program[/URL] Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.tmwsystems.com/tsweb/msrdp.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
--
End of file - 4021 bytes
I picked up a case of this malware yesterday, and I am having a devil of a time getting rid of it.
I have the pc running in safe mode at the moment under the admin profile.
My profile (where malware launched) has admin restrictions to make changes (which is brought on by the malware)
I have tried the following
Virus scan
MS Windows Defender
Malware scan
SmitfuardFix
HijackThis
This morning I downloaded adaware 2008.
When the program ran a box opened stating the is an admin policy to prevent the running of adaware.
(mean little bugger)
any help or guidance would be much appreciated
Included is a HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:07, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] "C:\Documents and Settings\Nate\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install.exe" -startup -product IncrediMail -report
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Malware Scanner] C:\Program Files\MalwareRemover.com\Malware Scanner\MalScr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-500\..\Run: [Malware Scanner] C:\Program Files\MalwareRemover.com\Malware Scanner\MalScr.exe (User '?')
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - [URL]file://C:\Program[/URL] Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - [URL]file://C:\Program[/URL] Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.tmwsystems.com/tsweb/msrdp.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
--
End of file - 4021 bytes
0
Comments
Is there a reason why you are running the computer in Safe Mode? If not, post a HijackThis log from Normal Mode.
Do you have any Anti-Virus or Firewall on the computer? Yes or No?
The trojan/malware has adjusted the priviledges on my profile.
I can and have run the new HijackThis log.
I have virus and fire wall the fire wall is disabled
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:26: VIRUS ALERT!, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] "C:\Documents and Settings\Nate\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install.exe" -startup -product IncrediMail -report
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.tmwsystems.com/tsweb/msrdp.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
--
End of file - 4155 bytes
Please do the following...
1. Your log shows that MSConfig is running at startup. This indicates that you may be using "diagnostic startup" rather than "normal startup" to stop something running. While this is normally OK, it is possible that you have disabled something that will affect how we fix your malware problem. While disabled, it will not then show up in the HijackThis log.
2. Please download Malwarebytes' Anti-Malware to your desktop.
3. I need to see another log from HijackThis.
4. Please post the following...
MalwareBytes log
Uninstall list
New HijackThis log
I double checked the virus scan (yahoo provided, computer associates)
The definitions had not been updated since Feb
Updated definitions and ran deep scan, cleared virus files ~ 40
Thanks for your help
Koyo
MalwareBytes Log
Malwarebytes' Anti-Malware 1.24
Database version: 1015
Windows 5.1.2600 Service Pack 2
2:53:57 PM 8/1/2008
mbam-log-8-1-2008 (14-53-57).txt
Scan type: Full Scan (C:\|)
Objects scanned: 143271
Time elapsed: 56 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advap32 (Trojan.Spammer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcl05j0el73 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcg05j0el73 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1440\A0297639.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1440\A0297675.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1440\A0297632.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1440\A0297646.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1440\A0297652.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1440\A0297653.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1440\A0297660.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1440\A0297667.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1440\A0297690.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1440\A0297696.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1440\A0297704.dll (Trojan.Agent) -> Quarantined and deleted successfully.
Installed Programs
2Wire Wireless Client
Abacast Client
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player ActiveX
Adobe Reader 7.0.8
AOL Explorer
AOL Instant Messenger
AOL Toolbar 2.0
ArcSoft Camera Suite 1.3
ArcSoft Software Suite
AT&T Yahoo! Applications
Backyard Baseball 2003
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
Classic PhoneTools
Crash Analysis Tool
Creative MediaSource
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Solution Center
Dell Support Center
DellSupport
Diablo II
EVEREST Home Edition v2.20
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HP Document Viewer 5.3
HP Extended Capabilities 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HP Update
ieSpell
Intel(R) 537EP V9x DFV PCI Modem
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
Internet Explorer Default Page
iPod for Windows 2005-09-06
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2_03
Lineage II
Macromedia Shockwave Player
Malware Scanner 3.1.0.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher 2007
Microsoft Office Publisher 2007 Trial
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Viewer 2007
Modem Event Monitor
Modem Helper
Modem On Hold
MPIO Manager 2
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MUSICMATCH® Jukebox
NVIDIA Drivers
PowerDVD 5.1
Quicken 2003 Basic
QuickTime
RealPlayer
Roxio DLA
SBC Yahoo! DSL Home Networking Installer
ScanToWeb
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:00 PM, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\YOP\yop.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] "C:\Documents and Settings\Nate\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install.exe" -startup -product IncrediMail -report
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124724474\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [846a4836] rundll32.exe "C:\WINDOWS\system32\badggjou.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport-] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-1006\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-1006\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-1006\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (User '?')
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-1006\..\Run: [DellSupport-] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-1006\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.tmwsystems.com/tsweb/msrdp.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
--
End of file - 8182 bytes
Please disable Windows Defender temporarily as this can interfere with the fixes.
Please do the following...
1. Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
...(Unless you set these with a anti-spyware program like SpyBot's Immunize feature, or a System Administrator set them, have HiJackThis fix this.)
- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HiajckThis
2. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
- Download the latest version of Java Runtime Environment (JRE) 6 update7.
- Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
- Click the "Download" button to the right.
- Check the box that says: "Accept License Agreement."
- The page will refresh.
- Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
- Java 2 Runtime Environment, SE v1.4.2_03
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
3. Please visit this webpage for download links, and instructions for running ComboFix:http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
Couple of problems
The removal of Java,
Error msg follows
The window installer service could not be accessed.
This can occur if running in windows safe mode (I am not anymore )
or if windows installer is not correctly installed, contact support.
I ran into this problem earlier in the day also trying to reinstall quicken
Windows Recovery Console
Error msg
Setup cannot continue because the version of windows on your computer is newer than the version on the CD.
This is the Dell disk with the operating system on it
Koyo
Regarding Recovery Console: are you using the Windows CD to install the Recovery Console? If so, you do not need the Windows CD to install Recovery Console.
From the link:
After installing the windows installer, I am still having the same problem with the Java removal.
Here are the logs from ComboFix & HijackThis
ComboFix 08-07-31.06 - DW 2008-08-02 16:29:43.1 - NTFSx86
Running from: C:\Documents and Settings\DW\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\DW\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Cindy\Application Data\macromedia\Flash Player\#SharedObjects\Z323TCWB\interclick.com
C:\Documents and Settings\Cindy\Application Data\macromedia\Flash Player\#SharedObjects\Z323TCWB\interclick.com\ud.sol
C:\Documents and Settings\Cindy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Cindy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\DW\Application Data\macromedia\Flash Player\#SharedObjects\GCWF8XT2\interclick.com
C:\Documents and Settings\DW\Application Data\macromedia\Flash Player\#SharedObjects\GCWF8XT2\interclick.com\ud.sol
C:\Documents and Settings\DW\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\DW\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\system32\MSINET.oca
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_CLBDRIVER
\Service_clbdriver
((((((((((((((((((((((((( Files Created from 2008-07-02 to 2008-08-02 )))))))))))))))))))))))))))))))
.
2008-08-01 15:12 . 2008-08-01 15:12 <DIR> d
C:\Documents and Settings\DW\Application Data\ieSpell
2008-07-31 22:13 . 2008-07-31 22:13 110,080 --a
C:\WINDOWS\SYSTEM32\digolmxc.exe
2008-07-31 17:03 . 2008-07-31 17:03 <DIR> d
C:\VundoFix Backups
2008-07-31 15:42 . 2008-07-31 15:49 <DIR> d
C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-07-31 13:43 . 2008-07-31 13:43 <DIR> d
C:\Documents and Settings\DW\Application Data\Malwarebytes
2008-07-31 12:53 . 2008-07-31 12:53 <DIR> d
C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 12:53 . 2008-07-31 12:53 <DIR> d
C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-31 12:53 . 2008-07-31 12:53 <DIR> d
C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-31 12:53 . 2008-07-30 20:07 38,472 --a
C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-07-31 12:53 . 2008-07-30 20:07 17,144 --a
C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-07-31 11:56 . 2008-07-31 11:56 <DIR> d
C:\Documents and Settings\Administrator\Application Data\ieSpell
2008-07-31 11:47 . 2008-07-31 11:47 <DIR> d
C:\Program Files\ieSpell
2008-07-31 00:38 . 2007-09-06 00:22 289,144 --a
C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-07-31 00:38 . 2006-04-27 17:49 288,417 --a
C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-07-31 00:38 . 2008-05-29 09:35 86,528 --a
C:\WINDOWS\SYSTEM32\VACFix.exe
2008-07-31 00:38 . 2008-05-18 21:40 82,944 --a
C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-07-31 00:38 . 2008-07-02 13:33 82,432 --a
C:\WINDOWS\SYSTEM32\IEDFix.C.exe
2008-07-31 00:38 . 2008-05-23 18:21 81,920 --a
C:\WINDOWS\SYSTEM32\404Fix.exe
2008-07-31 00:38 . 2003-06-05 21:13 53,248 --a
C:\WINDOWS\SYSTEM32\Process.exe
2008-07-31 00:38 . 2004-07-31 18:50 51,200 --a
C:\WINDOWS\SYSTEM32\dumphive.exe
2008-07-31 00:38 . 2007-10-04 00:36 25,600 --a
C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-07-31 00:33 . 2008-07-31 00:33 1,612 --a
C:\WINDOWS\SYSTEM32\tmp.reg
2008-07-30 23:28 . 2008-07-30 23:28 664 --a
C:\WINDOWS\SYSTEM32\d3d9caps.dat
2008-07-30 22:53 . 2008-07-30 22:53 <DIR> d
C:\Program Files\Trend Micro
2008-07-30 20:32 . 2008-07-30 20:32 <DIR> d
C:\Program Files\MalwareRemover.com
2008-07-30 18:59 . 2008-07-30 18:59 <DIR> d--h
C:\WINDOWS\SYSTEM32\GroupPolicy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 15:21
d
w C:\Program Files\Lineage II
2008-08-01 20:35
d
w C:\Documents and Settings\All Users\Application Data\Dell
2008-08-01 16:08
d
w C:\Documents and Settings\DW\Application Data\AdobeUM
2008-08-01 13:50
d
w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-31 13:57
d
w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-31 01:34
d
w C:\Program Files\Teamspeak2_RC2
2008-07-31 01:34
d
w C:\Program Files\Quicken
2008-07-31 01:34
d
w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-31 01:34
d
w C:\Program Files\Diablo II
2008-07-31 01:34
d
w C:\Program Files\AIM
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248
w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368
w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-13 13:10 272,128
w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128
w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-04 17:52
d
w C:\Program Files\MSECache
2008-05-08 12:28 202,752
w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680
w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2004-09-17 00:59 848 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-26 20:34 169984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MI-SC4"= MI-SC4.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingl84.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=C:\WINDOWS\pss\LaunchU3.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
--a
2005-11-26 19:50 230512 C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
--a
2005-11-26 19:50 185456 C:\Program Files\Yahoo!\Antivirus\CAVRid.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a
2004-08-04 03:56 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a
2003-09-17 11:43 57344 C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a
2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport-]
--a
2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a
2007-11-15 10:23 202544 C:\Program Files\Dell Support Center\bin\sprtcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a
2005-11-07 06:20 122940 C:\WINDOWS\SYSTEM32\dla\DLACTRLW.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a
2007-11-15 10:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a
2005-08-02 15:33 159832 C:\Program Files\Common Files\AOL\1124724474\ee\AOLHostManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a
2005-05-12 00:12 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a
2003-09-03 21:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a
2005-12-20 21:54 278528 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a
2004-04-19 15:45 53248 c:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a
2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a
2007-06-29 00:43 8466432 C:\WINDOWS\SYSTEM32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a
2007-06-29 00:43 81920 C:\WINDOWS\SYSTEM32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-11 21:15 290816 C:\Program Files\Dell\Media Experience\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a
2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a
2003-08-19 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a
2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 02:00 90112 C:\WINDOWS\Updreg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a
2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a
2005-08-15 16:24 3092480 C:\Program Files\Yahoo!\Messenger\YPager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a
2006-07-21 17:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a
2005-04-22 20:49 397312 C:\PROGRA~1\Yahoo!\YOP\yop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a
2007-06-29 00:43 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a
2004-06-10 12:51 60928 C:\WINDOWS\SYSTEM32\P17.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPAGER.EXE"=
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1124724474\\ee\\AOLServiceHost.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
Contents of the 'Scheduled Tasks' folder
2008-07-24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
2008-08-02 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-zzz_ImInstaller_IncrediMail - C:\Documents and Settings\Nate\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install.exe
MSConfigStartUp-846a4836 - C:\WINDOWS\system32\badggjou.dll
.
Supplementary Scan
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
O16 -: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://www.tmwsystems.com/tsweb/msrdp.cab
C:\WINDOWS\Downloaded Program Files\msrdp.inf
C:\WINDOWS\Downloaded Program Files\msrdp.ocx
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-02 16:40:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Other Running Processes
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Yahoo!\Antivirus\iSafe.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-08-02 16:45:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-02 20:45:01
Pre-Run: 127,816,585,216 bytes free
Post-Run: 128,248,717,312 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
244 --- E O F --- 2008-08-01 15:09:28
HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:17:45 PM, on 8/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124724474\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport-] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-1006\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-1006\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-1006\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (User '?')
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-1006\..\Run: [DellSupport-] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-4187731349-2736056107-4187614280-1006\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.tmwsystems.com/tsweb/msrdp.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
--
End of file - 8397 bytes
Try removing Java in Safe Mode. Let me know what happens.
Back in Normal Mode, do the following...
1. Need to a file scanned:
2. Find and delete the following Folder in RED:
C:\Program Files\MalwareRemover.com
3. Post the VirusTotal results, and let me know about Java.
Uninstalling Java in safe mode did not work.
I tried twice, once after installing widows installer in safe mode
Deleted MalwareRemover.com, This was a program I tried before I found you guys.
Analysis from VirusTotal
And thank you again for your help
Koyo
File digolmxc.exe_ received on 08.01.2008 08:04:24 (CET)Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - HEUR/Crypted
Authentium - - -
Avast - - -
AVG - - Downloader.FraudLoad.A
BitDefender - - -
CAT-QuickHeal - - (Suspicious) - DNAScan
ClamAV - - -
DrWeb - - -
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
F-Prot - - W32/Zhelatin.O.gen!Eldorado
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - Trojan.Win32.Tibs.J
Kaspersky - - -
McAfee - - FakeAlert-AG.gen
Microsoft - - -
NOD32v2 - - Win32/TrojanDownloader.Agent.OBK
Norman - - -
Panda - - -
PCTools - - -
Prevx1 - - Malicious Software
Rising - - -
Sophos - - Mal/TibsPk-D
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Heuristic.Crypted
Additional information
MD5: b2a253f6e8eec066f5a5e232aabf3bca
SHA1: 72bf805f46659ecca4f70ae67c2a7b94e1485e77
SHA256: d2d2d7d87302201e497d9f69c036c6b87f5aa812053c2ef83d464ec6c8e8d1f4
SHA512: 1cf889d6fed25b624d7c49e77041bc302a8f5f83eeaa1346227120f072f48174d1ff6d8687e64afeb8d249f433f2c803cdeb772ae8db06f0a0b417891e179794
Please do the following...
1. Run HijackThis and click on Open the Misc Tools section.
Click on Delete a file on reboot...
Copy and paste the following into the "File name:" text box and then click Open:
C:\WINDOWS\SYSTEM32\digolmxc.exe
When you are asked "Do you want to restart your computer now?", click OK.
Your PC MUST reboot to delete the file!
2. Open Hijackthis.
Also, let me know how the computer is running.
text from uninstall command
MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
How is the computer running?
Much, much better overall, I was very worried
2-3 things I have noticed
Quicken is missing channel.dll and will not start.
reinstalling quicken gives me the following error
1607 unable to install installshield scripting runtime
(could be related to java prob??)
the CD rom drive is not recognizing blank (writable cds)
Typical close the barn door after the horse got out.
I was going to copy pictures and documents onto a cd as backup.
The wizard will not recognize a blank cd in the drive.
On the plus side the machine is definitely usable, running much better.
Thanks
Koyo
opening a word doc I get the following msg
This document could not be registered . It will not be possible to create links to this document
(c:\path.....File)
Please do the following...
1. Click Start > Run > copy and paste: MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030} in the box > press OK. This should hopefully uninstall Java.
2. Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
Extended (if available otherwise Standard)
Scan Archives
Scan Mail Bases
[*]Click OK
[*]Now under select a target to scan:
Select
My Computer[*]This will program will start and scan your system.
[*]The scan will take a while so be patient and let it run.
[*]Once the scan is complete it will display if your system has been infected.
- Now click on the Save Report As button:
- Change Save as type: to Text file
- Save this as Kaspersky scan to your Desktop
[*]Post the Kaspersky report in your next reply and let me know if Java was uninstalled..Regarding Quicken and the error, please follow the instructions for this provided by Microsoft. If you need help doing this, let me know.
I think the Word error could be related to the above problem. As for the CD rom, I am not sure what would cause that at this moment.
The java removal failed, same error,
Kaspersky Scan failed , needs a version of Java larger than 1.5
Attempts to update Java ran into the same install error as removing Java
Quicken install failed
determined the version of the install file was 7. with an msi file
Deleted the directory , downloaded new msi file
Upon running new file, same cannot install message
If the file version number starts with 7:
Check if there is a file with a .msi extension in the same directory as the installation file.
Does NvCpl mean anything?
It keeps showing up in the startup, I dissable it and it comes back
Koyo
RUNDLL32.EXE C:\Windows\system32\NvCpL.DLL NvStartup
I don't understand what this part is above
Just so you know, I don't believe this is a malware issue.
I think the Java problem may be related to the other problem. So, lets try and fix that. I don't understand what you did here. Always uninstall programs from Add/Remove programs rather than deleting directories as this can cause problems removing the program in the proper way later.
Also, when you say "downloaded new msi file"...do you mean you downloaded the Windows Installer again?
Regarding the last part, what is this for?
How far have you gotten with Microsoft's article?
I certainly do not want to waste your time!
Please disregard the nVidia call, I do not want or need it disabled.
I was just not sure what it was.
The quicken problem
I was following the MS article.
Says to find out what version your setup program is using
I believe the quicken needs 7.something and it has an msi file (requirements per the article)
The following is from the MS article
If the file version number starts with 7:
Check if there is a file with a .msi extension in the same directory as the installation file.
Hope this is explained better
Also most of the reason I throw the quicken in is it seem to be related to the Java problem.
Thanks
Koyo
When you go to C:\Program Files\Common Files\InstallShield\Driver, what folders do you see? The folders will be named by numbers, such as 7, 8, 9 etc.
I know Microsoft's article mentions ISScript7.zip, but there are newer versions of InstallShield available.
thanks and sorry was tied up yesterday.
C:\Program Files\Common Files\InstallShield\Driver
Folders
8
11
7 is in the recycle bin from the directions in the MS article
- Click Start > Run > type: services.msc > press OK
- Locate Windows Installer under the Name list and double click to open its properties.
- If the Service status is Stopped, click the 'Start' button to start the service.
Restart the computer and try uninstalling Java. Let me know what happens.Saturday 8/9
The Windows Installer service was not running and set to manual
I started the service set service to automatic
and removed (via control panel) Java 2 Runtime Environment, SE v1.4.2_03
Monday 8/11
Tried to install jre-6u7-windows-i586-p.exe
Failed , same error
Checked service (was not running), started service installed new java.
Ran Kaspersky scan results are below
Also tried to reinstall my quicken
Finished the instructions in the MS article
then tried to install, still failed the error msg is different
1608 unable to install driver instance, return code -2147221021
Also the Windows Installer program was stopped today when I was doing these tasks.
I checked and restarted the service
Kaspersy log
Thanks for your help
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, August 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, August 11, 2008 15:20:46
Records in database: 1082436
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
Scan statistics:
Files scanned: 96706
Threat name: 7
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 01:29:48
File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\IEDFix.exe Infected: Hoax.Win32.Renos.vaoz 1
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1440\A0295394.sys Infected: Rootkit.Win32.Agent.bxq 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1440\A0296417.exe Infected: not-a-virus:FraudTool.Win32.XPAntivirus.nf 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1440\A0296599.dll Infected: Rootkit.Win32.Clbd.gq 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1440\A0297727.sys Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1445\A0297954.exe Infected: Trojan-Downloader.Win32.Small.zsw 1
C:\WINDOWS\SYSTEM32\IEDFix.exe Infected: Hoax.Win32.Renos.vaoz 1
The selected area was scanned.
Regarding Kaspersky, it found files from SmitfraudFix which are safe and items in System Restore that are not a threat. We clean System Restore soon.
It's normal for the Windows Installer service to automatically stop itself. Why it does this, I do not know.
So good news with getting Java installed.
Regarding the new error, I can't seem to find anything that matches the recturn code - 2147221021. I suggest creating a thread for this specific problem in our General Software forum and see if others have a solution.
Thanks for your help!
I did manage to get the quicken application working.
I think the problem list is just about done
Koyo
I'm glad to it's sorted.
The application had a problem not finding a .DLL I moved the DLL file into the folder manually.
Kind of a shot in the dark.
Still having the issue of .DOC files not being registered?
Also my scanner has lost communication with the PC (3 in 1 printer)
The printer works fine
The error message said reinstall
So... I might have to fight that install battle after all
If you want help with these issues, I suggest asking in the other forums here at Icrontic.
Good luck.