Awvvu.dll I Need Help Please!
The other day I booted up my PC and was having all of the following issues, some of which were worded so well that I copied them from another fella who was having similar troubles.
I had two new icons on my desktop, Windows XP's "Help and Support" icon and Windows XP's "Windows Update", both pointing to http://storageprotector.com. Symptoms of this infection included sluggishness and an inability to double-click the "My Computer" icon as well as others, depending on the configuration of the system.
I googled the NT_Kernel error 1256 and came upon the forum http://forum.bitdefender.com/index.php?showtopic=3561 and, after combing through the forum, I found a fix mentioned called FixVundo.exe. I downloaded this third-party utility and ran it. It detected several .dlls related to this trojan and deleted all of them except for awvvu.dll and awvvu.exe. The system required a reboot. Once rebooted, it DID NOT delete the final files.
However, a new error message popped up wanting to run one of the affected .dlls but was unable to locate it. The two malicious icons on the desktop also remained. I was able to delete the icons. After double-clicking the C: icon, roughly 2,000+ .tmp files, all starting with the name posxxx.dll, were in the root. I highlighted and deleted those files.
I entered the registry editor and went to HKEY_LOCAL_MACHINE\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and deleted the .dll in that group.
Every time I reboot my computer, it's a slow boot and I am getting plenty of pop-up ads. I also receive a buffer overrun that McAfee catches and deals with.
I am pretty sure all of this is stemming from the awvvu.dll and awvvu.exe files in my system32 folder. I recently ran HijackThis and can post a log ASAP. The log also has a run command to run [kernel], which has its own folder under Program Files. Could this be the malware kernal.exe? I think I can probably fix the problem just by checking a few boxes that look suspicious, but would like some help with it.
Thanks a lot in advance.
Comments
kernal.exe? 99% malware by name alone :P :P. But if you paste the log here, it would be better. Also, did you try BDAspy? (You can get it from http://students.info.uaic.ro/~daniel.chipi...DAspySetup.exe.) If the normal scan doesn't work, you may try a DeepScan. Keep us informed.
Hi kyron,
You may have cleaned the infection partially with VundoFix, but as you mentioned you don't seem totally clean. I suggest you post a HJT log. Check if you still have an unusual amount of .tmp files, particularly on the C drive.
To kyron: I am sorry on two accounts. One is that I mentioned your name in place of the original poster's. The second is that, going to another topic and seeing your reply, I realised that as long as you are on the case I can better retreat and let you do the good job you are doing.
I'll post my HijackThis log as soon as I get to my PC. Thanks!
Thanks a lot for the advice! I downloaded the malware tool you linked to and it came up with zero errors. VundoFix still detects awvvu.dll but cannot remove it. I still get a buffer overload in Internet Explorer that McAfee blocks, and I cannot double-click with my mouse unless I go into the Control Panel and reset the double-click options on reboot.
Here is the HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:04 AM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\DOCUME~1\FRED\LOCALS~1\Temp\clclean.0001
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol .exe
C:\Program Files\RF Wireless Mouse\cm20 .exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\HP\HP Software Update\HPWuSchd .exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\McAfee.com\Agent\mcagent .exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\FRED\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{64617C4F-0F10-4316-9A7A-8E372853EE6C}: NameServer = 38.9.212.2,38.9.222.2
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 11974 bytes
(sorry for delay)
Anchorless, please make an archive with all the content of C:\Program Files\kernel\ and give it to me.
Kyron, by archive do you mean a .zip file or a .rar file? I noticed this morning I had another unusual .dll file in my system registry and took it out using regedit.
The desktop icons that I had posted about in my initial post had shown back up on my computer. Running VundoFix to get rid of them again and archiving the contents of C:\Program Files\kernel\ for you.
Thanks for the help, and do not worry about the delay.
Kyron, here is the archived kernal file. It's in .rar format. I took it right from my system32 folder.
After deleting the icons on my desktop and running VundoFix.exe, I had 1,000 .tmp files on my C:\ drive that I was able to delete.
Seems like I halted the virus, but since I didn't get rid of it, it respawned and kicked back into shape.
Still can't double-click on startup.
Here is my VundoFix logfile.
It says it removed awvvu.dll, but I just checked the system32 folder and it still remains.
VundoFix V6.7.7
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Scan started at 4:36:40 PM 1/22/2008
Listing files found while scanning....
C:\windows\system32\awvvu.dll
C:\WINDOWS\system32\awvvu.exe
C:\WINDOWS\system32\cytjddlk.dll
C:\WINDOWS\system32\klddjtyc.ini
C:\WINDOWS\system32\kqqeixgm.dll
C:\WINDOWS\system32\putfqicw.dll
C:\WINDOWS\system32\sktfwsyw.exe
C:\WINDOWS\system32\snpmldwi.exe
C:\windows\system32\uvvwa.ini
C:\WINDOWS\system32\uvvwa.ini2
C:\WINDOWS\system32\wciqftup.ini
C:\WINDOWS\system32\wpssqanx.dll
C:\WINDOWS\system32\xkcsxunf.dll
C:\windows\system32\xkcsxunf.dllbox
C:\WINDOWS\system32\ydwbftst.dll
Beginning removal...
Attempting to delete C:\windows\system32\awvvu.dll
C:\windows\system32\awvvu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\awvvu.exe
C:\WINDOWS\system32\awvvu.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\cytjddlk.dll
C:\WINDOWS\system32\cytjddlk.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\klddjtyc.ini
C:\WINDOWS\system32\klddjtyc.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\kqqeixgm.dll
C:\WINDOWS\system32\kqqeixgm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\putfqicw.dll
C:\WINDOWS\system32\putfqicw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\sktfwsyw.exe
C:\WINDOWS\system32\sktfwsyw.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\snpmldwi.exe
C:\WINDOWS\system32\snpmldwi.exe Has been deleted!
Attempting to delete C:\windows\system32\uvvwa.ini
C:\windows\system32\uvvwa.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\uvvwa.ini2
C:\WINDOWS\system32\uvvwa.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wciqftup.ini
C:\WINDOWS\system32\wciqftup.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\wpssqanx.dll
C:\WINDOWS\system32\wpssqanx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xkcsxunf.dll
C:\WINDOWS\system32\xkcsxunf.dll Has been deleted!
Attempting to delete C:\windows\system32\xkcsxunf.dllbox
C:\windows\system32\xkcsxunf.dllbox Has been deleted!
Attempting to delete C:\WINDOWS\system32\ydwbftst.dll
C:\WINDOWS\system32\ydwbftst.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\cytjddlk.dll
C:\WINDOWS\system32\cytjddlk.dll Has been deleted!
Performing Repairs to the registry.
Done!
File already detected as "Trojan.Drastwor.A".
Best regards.
Thanks a lot. How do I remove it from my computer? Should I fix the HijackThis log entry where it runs kernal.exe and then go back in and delete the folder manually? None of my virus protectors find kernal.exe as a virus. I've run VundoFix, AVG, BitDefender, McAfee, Ad-Aware.
Thanks for the info!
Hi Anchorless,
Since you have sent the files and now understandably want help to remove the infection, I would be ready to help you. I can see the infection is partially revealed by HJT, but it is still managing to hide itself. If you want my assistance, try this, as for me it is the shortcut: rename HijackThis.exe to something like moon.exe or whatever you like. Double-click moon.exe, or whatever you name it (name.exe), and make a new log.
As soon as I see your new log after renaming HJT we can begin. But in advance:
- Try to avoid using the Internet and rebooting (unless it is necessary for disinfection) until your PC is clean. As you may have noticed, the infection creates a lot of junk and changes the extension of the running processes and makes them dysfunctional.
- If you cannot run a program by double-clicking, instead of changing the setting and rebooting, go to Start > Run, type the path to the program and click OK (example: this is the path to your HJT: C:\Documents and Settings\FRED\Desktop\HiJackThis.exe).
- And yes, if you manage to fix kernel.exe and remove it, you can do it.
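As an added illustration (not code from this thread or from HijackThis), the following Python script encodes the indicators the helpers are reading out of the logs posted above: process names with a space before ".exe", the F3 win.ini load= entry, unnamed BHOs loading from system32, orphaned entries, and an .exe/.dll pair sharing one stem across load points. The sample lines are constructed by condensing the logs in this thread.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not part of the thread or of HijackThis. SAMPLE_LOG is a
constructed excerpt condensed from the logs posted above.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\awvvu.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AAE1499F-CDDF-4CDD-BA5F-500017E7153F} - C:\WINDOWS\system32\awvvu.dll
O2 - BHO: (no name) - {3401DB32-7F00-4EC7-A890-A75F64973843} - C:\WINDOWS\system32\hgggedb.dll (file missing)
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
"""

DRIVE = re.compile(r"^[A-Za-z]:\\")
# Whitespace before the extension is the "changed extension" symptom the
# helper describes: "quickset .exe", "jusched .exe", "quickset .exe .exe ...".
MANGLED_EXT = re.compile(r"\s\.(?:exe|dll)\b", re.IGNORECASE)
SYSTEM32 = re.compile(r"\\system32\\", re.IGNORECASE)
TRAILING_EXTS = re.compile(r"(?:\s*\.(?:exe|dll))+$", re.IGNORECASE)


def section_of(line: str) -> str:
    """'process' for a bare path from the running-process list, else the HJT
    section tag (F3, O2, O4, ...)."""
    if DRIVE.match(line):
        return "process"
    return line.split(" - ", 1)[0].strip()


def target_of(line: str) -> str:
    """Best-effort extraction of the file an entry points at."""
    if line.startswith("F3 "):
        return line.split("=", 1)[1].strip()
    if line.startswith(("O2 ", "O3 ")):
        tail = line.rsplit(" - ", 1)[1]
        return tail.replace("(file missing)", "").replace("(no file)", "").strip()
    if line.startswith("O4 "):
        return line.split("] ", 1)[1].strip()
    if DRIVE.match(line):
        return line.strip()
    return ""


def stem_of(target: str) -> str:
    """Lower-case base name with every trailing .exe/.dll (and the junk
    spacing) removed, so awvvu.exe and awvvu.dll share the stem 'awvvu'."""
    name = target.rsplit("\\", 1)[-1].lower()
    return TRAILING_EXTS.sub("", name).strip()


def triage(log_text: str) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    load_points: Dict[str, Set[str]] = defaultdict(set)
    first_line: Dict[str, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section, target = section_of(line), target_of(line)
        stem = stem_of(target)
        if stem:
            load_points[stem].add(section)
            first_line.setdefault(stem, line)
        if MANGLED_EXT.search(target):
            findings.append({"line": line, "reason": "mangled file name: whitespace before the extension"})
        if section == "F3":
            findings.append({"line": line, "reason": "win.ini load= autostart: legacy load point, rarely used by current software"})
        if section == "O2" and "(no name)" in line and SYSTEM32.search(target):
            findings.append({"line": line, "reason": "unnamed BHO loading a DLL straight from system32"})
        if "(file missing)" in line or "(no file)" in line:
            findings.append({"line": line, "reason": "orphaned entry: registered file is absent"})
    # A stem that is both a BHO and an autostart target is the loader + DLL
    # pair seen with awvvu.exe / awvvu.dll; a process plus its own Run key is normal.
    for stem, sections in load_points.items():
        if "O2" in sections and sections & {"F3", "O4"}:
            findings.append({"line": first_line[stem],
                             "reason": f"'{stem}' is both a BHO and an autostart target (loader + DLL pair)"})
    return findings


def reasons_for(log_text: str, needle: str) -> List[str]:
    """Reasons attached to every flagged line containing `needle`."""
    return sorted(f["reason"] for f in triage(log_text) if needle in f["line"])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}\n    {f['line']}")
```

These are triage heuristics, not a verdict: kernel.exe under HKCU\..\Run trips none of them, which is why the helpers asked for the file itself.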
Thank you for the information. I renamed HijackThis.exe to moon.exe and ran the program. Here is the new log file. I didn't mess with the kernal.exe file yet. Waiting for any help from you first!
I really appreciate the help!
I don't see any log. Please copy and paste it.
Sorry about that. Here is the log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:27 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent .exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\DOCUME~1\FRED\LOCALS~1\Temp\clclean.0001
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol .exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\RF Wireless Mouse\cm20 .exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
C:\Documents and Settings\FRED\Desktop\MOON.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\awvvu.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - \Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: {b937c143-9f8d-821b-31a4-fe83301fcc13} - {31ccf103-38ef-4a13-b128-d8f9341c739b} - C:\WINDOWS\system32\wpssqanx.dll (file missing)
O2 - BHO: (no name) - {3401DB32-7F00-4EC7-A890-A75F64973843} - C:\WINDOWS\system32\hgggedb.dll (file missing)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {8E905BEF-8BDD-4BD2-B75E-BE63BA7D97FD} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {AAE1499F-CDDF-4CDD-BA5F-500017E7153F} - C:\WINDOWS\system32\awvvu.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - \Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BC632F0E-13D7-41EA-A503-E3048D509289} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - \Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - \Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{64617C4F-0F10-4316-9A7A-8E372853EE6C}: NameServer = 38.9.212.2,38.9.222.2
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 14368 bytes
Step 1.
Run HijackThis, click "Do a system scan only", check the following items, close all windows including the one you are reading and click on "Fix checked".
F3 - REG:win.ini: load=C:\WINDOWS\system32\awvvu.exe
O2 - BHO: {b937c143-9f8d-821b-31a4-fe83301fcc13} - {31ccf103-38ef-4a13-b128-d8f9341c739b} - C:\WINDOWS\system32\wpssqanx.dll (file missing)
O2 - BHO: (no name) - {3401DB32-7F00-4EC7-A890-A75F64973843} - C:\WINDOWS\system32\hgggedb.dll (file missing)
O2 - BHO: (no name) - {8E905BEF-8BDD-4BD2-B75E-BE63BA7D97FD} - (no file)
O2 - BHO: (no name) - {AAE1499F-CDDF-4CDD-BA5F-500017E7153F} - C:\WINDOWS\system32\awvvu.dll
O2 - BHO: (no name) - {BC632F0E-13D7-41EA-A503-E3048D509289} - (no file)
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
Step 2.
- Download ComboFix.exe to your desktop using this link:
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. After ComboFix is finished, turn on/enable your anti-virus again.
- Double click on combofix.exe to run the programme & then follow the prompts.
- When finished, it will produce a report for you. Please post the content of this log ("C:\ComboFix.txt") into your next post. If combofix.txt contains a long list of deleted pos*.tmp files, remove all but a few pos.tmp from the log (leave a few from each directory so that I can see where they were created) and then copy and paste the log.
- ComboFix may need to reboot to finish its work. Let it.
- Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
- ComboFix should not take more than 20 minutes if malware is detected. If it does, open Task Manager (press Ctrl+Alt+Del), select and end any processes of findstr.exe, find.exe, send.exe or swreg.exe, then ComboFix should continue.
- Please download RenV.exe to desktop from:
- Run it, and post the log it produces (log.txt).
Make a fresh HijackThis log and copy and paste it into your reply.
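The fix list above leans on two patterns that recur through the logs in this thread: a launcher path with a space inserted before ".exe" (the impostor copy sitting beside the real file), and BHO registrations with no name or no file behind them. The following is an added example, not code from the thread or from HijackThis, ComboFix or RenV, that scans HijackThis-style entry lines and ComboFix-style deletion lists for those patterns; all sample data is constructed from entries quoted in the thread, and the heuristics are the author's own, not any tool's rules.

```python
import re

# Added example: heuristics over HijackThis-style entries and a ComboFix-style
# deletion list. Rules are the example author's own; sample data is constructed
# from entries quoted in this thread.

# Constructed sample: a handful of HijackThis entry lines from the thread.
SAMPLE_HJT = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\awvvu.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AAE1499F-CDDF-4CDD-BA5F-500017E7153F} - C:\WINDOWS\system32\awvvu.dll
O2 - BHO: (no name) - {3401DB32-7F00-4EC7-A890-A75F64973843} - C:\WINDOWS\system32\hgggedb.dll (file missing)
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
"""

# Constructed sample: paths in the style of ComboFix's "Other Deletions" list.
SAMPLE_DELETIONS = [
    r"C:\Program Files\Dell\QuickSet\quickset .exe",
    r"C:\Program Files\Dell\QuickSet\quickset.exe",
    r"C:\Program Files\QuickTime\qttask .exe",
    r"C:\Program Files\QuickTime\qttask .exe",
    r"C:\Program Files\QuickTime\qttask.exe",
    r"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe",
    r"C:\Program Files\kernel\kernel .exe",
    r"C:\WINDOWS\system32\awvvu.dll",
]

# "O4 - rest of line": a section code, a dash, then the entry body.
HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A file name with one or more spaces before ".exe", optionally followed by a
# run of further " .exe" tokens, as in "quickset .exe .exe .exe".
SPACED_EXE = re.compile(r"[^\\\s]+ +\.exe(?: +\.exe)*", re.IGNORECASE)
# A bare file name of the form "stem<spaces>.ext".
IMPOSTOR_NAME = re.compile(r"^(?P<stem>.*?) +(?P<ext>\.[A-Za-z0-9]+)$")


def parse_hjt(text):
    """Return (kind, body) tuples for every HijackThis entry line in text."""
    entries = []
    for line in text.strip().splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def reasons_for(kind, body):
    """Reasons a single entry deserves a closer look (empty list = none)."""
    reasons = []
    if kind == "F3" and "load=" in body:
        reasons.append("win.ini load= autostart; rarely used by legitimate software")
    if kind == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a name")
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("BHO registration points at a file that no longer exists")
    if kind == "O4" and SPACED_EXE.search(body):
        reasons.append("Run target has a space before .exe (impostor copy of a launcher)")
    return reasons


def suspicious_entries(text):
    """Map each flagged entry body to its list of reasons."""
    flagged = {}
    for kind, body in parse_hjt(text):
        reasons = reasons_for(kind, body)
        if reasons:
            flagged[body] = reasons
    return flagged


def impostor_pairs(paths):
    """Pair each 'name .exe' impostor with the legitimate 'name.exe' beside it.

    Returns {impostor_path: legitimate_path_or_None}; None means the impostor
    was listed but no clean sibling was, so the original may already be gone.
    """
    by_lower = {p.lower(): p for p in paths}
    pairs = {}
    for p in paths:
        folder, _, name = p.rpartition("\\")
        m = IMPOSTOR_NAME.match(name)
        if not m:
            continue
        legit = f"{folder}\\{m.group('stem')}{m.group('ext')}"
        pairs[p] = by_lower.get(legit.lower())
    return pairs


if __name__ == "__main__":
    for body, reasons in suspicious_entries(SAMPLE_HJT).items():
        print(body)
        for r in reasons:
            print("   -", r)
    # Note: the [kernel] Run entry is not caught by these rules; it reads like an
    # ordinary path, so heuristics narrow the review rather than replace it.
    for impostor, legit in impostor_pairs(SAMPLE_DELETIONS).items():
        print(impostor, "->", legit or "(no clean sibling listed)")
```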
I have done everything that you instructed. When I right click on any icon on my desktop there is an Adobe Acrobat 8.0 downloader that pops up. I am worried to let it run. I still do not have double click on reboot.
Here is the ComboFix log.
ComboFix 08-01-23.1C - FRED 2008-01-27 12:42:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479 [GMT -5:00]
Running from: C:\Documents and Settings\FRED\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\FRED\Application Data\inst.exe
C:\Documents and Settings\FRED\My Documents\pos1000.tmp
C:\Documents and Settings\FRED\My Documents\pos1001.tmp
C:\Documents and Settings\FRED\My Documents\pos1002.tmp
C:\Documents and Settings\FRED\My Documents\pos1003.tmp
C:\Documents and Settings\FRED\My Documents\pos1004.tmp
C:\Documents and Settings\FRED\My Documents\pos1005.tmp
C:\Documents and Settings\FRED\My Documents\pos1006.tmp
C:\Documents and Settings\FRED\My Documents\pos1007.tmp
C:\Documents and Settings\FRED\My Documents\pos1008.tmp
C:\Documents and Settings\FRED\My Documents\pos1009.tmp
C:\Documents and Settings\FRED\My Documents\pos100A.tmp
C:\Documents and Settings\FRED\My Documents\pos100B.tmp
C:\Documents and Settings\FRED\My Documents\pos1129.tmp
C:\Documents and Settings\FRED\My Documents\pos112A.tmp
C:\Documents and Settings\FRED\My Documents\pos112B.tmp
C:\Documents and Settings\FRED\My Documents\pos112C.tmp
C:\Documents and Settings\FRED\My Documents\pos112D.tmp
C:\Documents and Settings\FRED\My Documents\pos112E.tmp
C:\Documents and Settings\FRED\My Documents\pos112F.tmp
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol .exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\Program Files\HP\HP Software Update\HPWuSchd .exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\kernel
C:\Program Files\kernel\kernel .exe
C:\Program Files\McAfee.com\Agent\mcagent .exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\RF Wireless Mouse\cm20 .exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInstall.exe
C:\Program Files\TomTom HOME 2\HOMERunner .exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\mrofinu312.exe
C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\awvvu.exe
C:\WINDOWS\system32\dcrqpebu.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\kepnqaqy.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\niwucosf.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\RCX24.tmp
C:\WINDOWS\system32\RCX40.tmp
C:\WINDOWS\system32\RCX41.tmp
C:\WINDOWS\system32\RCX43.tmp
C:\WINDOWS\system32\RCX44.tmp
C:\WINDOWS\system32\RCX45.tmp
C:\WINDOWS\system32\RCX46.tmp
C:\WINDOWS\system32\RCX47.tmp
C:\WINDOWS\system32\RCX48.tmp
C:\WINDOWS\system32\RCX49.tmp
C:\WINDOWS\system32\uvvwa.ini
C:\WINDOWS\system32\uvvwa.ini2
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\z1
C:\WINDOWS\system32\z9
C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe ---> QooBox
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol .exe ---> QooBox
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe ---> QooBox
C:\Program Files\HP\HP Software Update\HPWuSchd .exe ---> QooBox
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe ---> QooBox
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe ---> QooBox
C:\Program Files\McAfee.com\Agent\mcagent .exe ---> QooBox
C:\Program Files\RF Wireless Mouse\cm20 .exe ---> QooBox
C:\Program Files\SiteAdvisor\6253\SiteAdv .exe ---> QooBox
C:\Program Files\TomTom HOME 2\HOMERunner .exe ---> QooBox
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\core
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.
2008-01-27 12:38 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 19:46 . 2008-01-23 19:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-23 19:46 . 2008-01-23 19:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-22 17:56 . 2006-11-30 15:49 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
2008-01-22 17:56 . 2004-04-13 14:48 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2008-01-21 01:45 . 2008-01-21 01:45 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-01-20 23:57 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-01-20 23:57 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-01-20 23:32 . 2008-01-20 23:32 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-20 12:07 . 2008-01-20 12:08 <DIR> d-------- C:\Program Files\Macromedia
2008-01-20 12:07 . 2008-01-20 12:07 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-01-16 19:24 . 2008-01-16 19:24 338,944 --a------ C:\WINDOWS\system32\RCXA03.tmp
2008-01-15 19:02 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-15 16:09 . 2008-01-15 16:09 0 --a------ C:\ComboFix.exe
2008-01-15 16:08 . 2008-01-22 17:08 <DIR> d-------- C:\VundoFix Backups
2008-01-06 21:17 . 2008-01-06 21:19 <DIR> d-------- C:\Program Files\PCFriendly
2008-01-06 21:09 . 2008-01-06 21:09 0 --a------ C:\WINDOWS\iplayer.INI
2008-01-06 20:34 . 2008-01-06 20:35 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-01-06 20:34 . 2008-01-06 20:35 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-01-06 20:33 . 2008-01-06 20:33 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-06 20:29 . 2008-01-06 20:31 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-06 11:58 . 2008-01-06 11:59 1,043,860 --ahs---- C:\WINDOWS\system32\grrpctgn.ini
2008-01-05 10:24 . 2008-01-06 11:51 1,043,800 --ahs---- C:\WINDOWS\system32\cufqpeii.ini
2008-01-03 19:01 . 2008-01-15 15:55 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2008-01-03 19:01 . 2008-01-11 18:40 118,784 --a------ C:\WINDOWS\system32\igfxpers .exe
2008-01-03 19:01 . 2008-01-15 15:55 98,304 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-01-03 19:01 . 2008-01-15 15:55 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-03 18:23 . 2008-01-03 18:28 <DIR> d-------- C:\Program Files\DVDFab Platinum 4
2008-01-03 18:23 . 2008-01-03 18:23 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-03 18:18 . 2008-01-03 18:51 <DIR> d-------- C:\WINDOWS\system32\mr9
2008-01-03 18:18 . 2008-01-03 18:18 <DIR> d-------- C:\WINDOWS\system32\ardCo16
2008-01-03 18:18 . 2008-01-03 18:51 <DIR> d-------- C:\WINDOWS\system32\aj2
2008-01-03 18:18 . 2008-01-03 18:18 <DIR> d-------- C:\Temp\cEeer12
2008-01-03 18:18 . 2008-01-03 18:18 111,831 --a------ C:\WINDOWS\system32\ope192.exe
2008-01-03 18:18 . 2008-01-03 18:18 0 --a------ C:\WINDOWS\system32\ope192.tmp
2008-01-03 18:17 . 2008-01-03 18:17 352,410 --a------ C:\WINDOWS\system32\ope18B.exe
2008-01-03 18:17 . 2008-01-03 18:17 0 --a------ C:\WINDOWS\system32\ope18B.tmp
2008-01-03 18:17 . 2008-01-03 18:17 0 --a------ C:\WINDOWS\ope190.tmp
2007-12-28 17:32 . 2007-12-28 17:32 <DIR> d-------- C:\WINDOWS\system32\RegVac
2007-12-28 17:31 . 2008-01-16 22:32 <DIR> d-------- C:\Program Files\RegVac Registry Cleaner
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 18:12 --------- d-----w C:\Program Files\TomTom HOME 2
2008-01-27 18:12 --------- d-----w C:\Program Files\RF Wireless Mouse
2008-01-27 18:12 --------- d-----w C:\Program Files\QuickTime
2008-01-27 18:12 --------- d-----w C:\Program Files\AIM6
2008-01-22 23:05 --------- d-----w C:\Program Files\Cakewalk
2008-01-22 22:53 118,784 ----a-w C:\WINDOWS\dsdxirmv.exe
2008-01-21 06:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-21 04:42 --------- d-----w C:\Program Files\Bonjour
2008-01-19 17:58 --------- d-----w C:\Program Files\NetWaiting
2008-01-07 02:08 --------- d-----w C:\Program Files\DellSupport
2007-12-26 16:19 --------- d-----w C:\Program Files\Dnote Software
2007-12-26 16:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 16:14 --------- d-----w C:\Program Files\TomTom DesktopSuite
2007-12-19 21:00 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-19 20:59 --------- d-----w C:\Program Files\McAfee
2007-12-15 17:38 --------- d-----w C:\Program Files\CDisplay
2007-12-05 00:32 --------- d-----w C:\Program Files\Lavasoft
2007-12-05 00:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-04 22:58 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-30 15:23 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-09-24 22:58 104 --sh--r C:\WINDOWS\system32\173C1FC059.sys
2007-09-24 22:58 3,766 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
----a-w 460,784 2008-01-07 01:59:47 C:\Program Files\DellSupport\DSAgnt .exe
----a-w 602,182 2008-01-15 23:22:17 C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
----a-w 667,718 2008-01-15 23:22:16 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc .exe
----a-w 1,694,208 2008-01-09 23:41:30 C:\Program Files\Messenger\msmsgs .exe
----a-w 1,637,312 2008-01-15 23:22:56 C:\Program Files\SlySoft\AnyDVD\AnyDVD .exe
----a-w 761,947 2008-01-15 23:22:20 C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w 77,824 2008-01-15 20:55:14 C:\WINDOWS\system32\hkcmd .exe
----a-w 118,784 2008-01-11 23:40:52 C:\WINDOWS\system32\igfxpers .exe
----a-w 98,304 2008-01-15 20:55:13 C:\WINDOWS\system32\igfxtray .exe
----a-w 155,648 2008-01-15 20:55:47 C:\WINDOWS\system32\NeroCheck .exe
----a-w 127,035 2008-01-15 20:55:44 C:\WINDOWS\system32\dla\tfswctrl .exe
----a-w 176,128 2008-01-15 20:56:06 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 04:40 24576 C:\WINDOWS\MIDIDEF.EXE]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [ ]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [ ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [ ]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [ ]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 14:35 397312 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [ ]
"MBMon"="CTMBHA.DLL" [2006-03-03 03:18 1355938 C:\WINDOWS\system32\CTMBHA.DLL]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"Start RF Wireless Mouse"="C:\Program Files\RF Wireless Mouse\cm20.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [ ]
"WD Button Manager"="WDBtnMgr.exe" [2007-01-14 08:43 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [ ]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [ ]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [ ]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [ ]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2008-01-27 12:43 2288640]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-16 14:54:27 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 04:19:24 237568]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OZ_ZQ-590A Synchronization Software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OZ_ZQ-590A Synchronization Software.lnk
backup=C:\WINDOWS\pss\OZ_ZQ-590A Synchronization Software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^FRED^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\FRED\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 14:08 67160 C:\PROGRA~1\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 20:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 14:01 67584 C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 10:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 10:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
--------- 2006-01-02 09:13 1126400 C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [2006-07-10 10:44]
S3 SPCP825K;Sunplus Serial port driver;C:\WINDOWS\system32\DRIVERS\SPCP825K.sys [2004-02-02 14:23]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5786853d-fd78-11da-8cb7-0015c51c88fa}]
\Shell\AutoRun\command - setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 23:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (FREDJOAKMAN-FRED).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-09-15 05:05:12 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-07 05:49:51 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 13:17:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-27 13:24:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-27 18:24:50
.
2008-01-08 23:54:04 --- E O F ---
Here is the RenV log:
Ran on Sun 01/27/2008 - 13:34:55.40
----a-w 460,784 2008-01-07 01:59:47 C:\Program Files\DellSupport\DSAgnt .exe
----a-w 602,182 2008-01-15 23:22:17 C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
----a-w 667,718 2008-01-15 23:22:16 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc .exe
----a-w 1,694,208 2008-01-09 23:41:30 C:\Program Files\Messenger\msmsgs .exe
----a-w 1,637,312 2008-01-15 23:22:56 C:\Program Files\SlySoft\AnyDVD\AnyDVD .exe
----a-w 761,947 2008-01-15 23:22:20 C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w 77,824 2008-01-15 20:55:14 C:\WINDOWS\system32\hkcmd .exe
----a-w 118,784 2008-01-11 23:40:52 C:\WINDOWS\system32\igfxpers .exe
----a-w 98,304 2008-01-15 20:55:13 C:\WINDOWS\system32\igfxtray .exe
----a-w 155,648 2008-01-15 20:55:47 C:\WINDOWS\system32\NeroCheck .exe
----a-w 127,035 2008-01-15 20:55:44 C:\WINDOWS\system32\dla\tfswctrl .exe
----a-w 176,128 2008-01-15 20:56:06 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe
Entries: 12 (12)
Directories: 0 Files: 12
Bytes: 6,577,874 Blocks: 12,851
Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:56 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\DOCUME~1\FRED\LOCALS~1\Temp\clclean.0001
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\FRED\Desktop\MOON.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - \Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll (file missing)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - \Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - \Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - \Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{64617C4F-0F10-4316-9A7A-8E372853EE6C}: NameServer = 38.9.212.2,38.9.222.2
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 12777 bytes
I have done everything that you instructed. When I right click on any icon on my desktop there is an Adobe Acrobat 8.0 downloader that pops up. I am worried to let it run. I still do not have double click on reboot.
Well done anchorless.
The infection and many others are removed. But the job is not finished yet. Don't worry about the Adobe icon; it is the removed (infected) Adobe BHO file. You can download it later on.
Let's take care of the leftovers and repair the changed running processes.
Step 1.
Go to Internet Options and check the privacy and security settings; if they have been lowered by the malware, set them both to default. While you are there, empty your IE cache: all temporary and offline Internet files, cookies and history.
Step 2.
Open a notepad (start menu-all programs-accessories-notepad)
Copy and paste the text in the code box below into it.
File::
C:\WINDOWS\system32\awvvu.*
C:\WINDOWS\system32\wpssqanx.*
C:\WINDOWS\system32\hgggedb.*
C:\WINDOWS\system32\xpssqanw.*
C:\WINDOWS\system32\bgggedh.*
C:\windows\system32\uvvwa.*
C:\VundoFix Backups
Folder::
C:\Program Files\kernel
Click File-save as …
Select save in:desktop
Fill in File name: CFScript.txt
save as type: All file types (*.*)
Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. After ComboFix has finished, turn on/enable your antivirus again.
Drag CFScript.txt into ComboFix.exe. You can see the image showing this here: http://www.fromsej.saknet.dk/billeder/cfscript.gif
ComboFix will now run a scan on your system.
It may reboot your system when it finishes. This is normal. Copy and paste the content of combofix.txt into your reply.
Step 3.
You already have log.txt on your desktop (if not, make one) when you run RenV. Drag Log.txt onto the renv.exe file. You can see the image showing this here: http://www.ctrlaltdel.dk/forum/uploads/FBJ...095939_RenV.gif
Please copy and paste resulting log.txt into your reply.
(If ComboFix starts to run a scan, let it, but you don't need to post the log.)
Step 4.
Reboot: right after the reboot, empty the user temp folder by going to Start - Run and typing %temp%; on the right panel select one of the files, press Ctrl+A (this also selects hidden files), then Shift+Delete to delete (this bypasses the Recycle Bin).
See how it is going, you may download the missing adobe file if everything is fine.
Step 5.
Go to this site: http://www.virustotal.com/ and upload the following files one by one, let them be scanned, and paste the scan results.
C:\WINDOWS\dsdxirmv.exe
C:\WINDOWS\system32\ope18B.exe
C:\WINDOWS\system32\grrpctgn.ini
Step 5.
Please also make a fresh HJT log and tell me how your PC is running now.
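The files the helper asks to have scanned in Step 5 were picked out of the ComboFix "Files Created" listing by eye. As an added example (not code from the thread or from ComboFix, RenV or any other tool named here), the Python script below parses lines in that format and applies three defender-side heuristics: a space before the extension (the renamed copies that RenV exists to restore), hidden+system files inside system32, and an executable with an empty .tmp twin. The sample lines are constructed in the log's format using paths that appear in this thread; the heuristic names are my own choice.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines, modelled on the "Files Created" section of the
# ComboFix log posted in this thread (format: <created> . <modified> <size> <attrs> <path>).
SAMPLE_LOG = r"""
2008-01-27 12:38 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 01:45 . 2008-01-21 01:45 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-01-06 11:58 . 2008-01-06 11:59 1,043,860 --ahs---- C:\WINDOWS\system32\grrpctgn.ini
2008-01-03 19:01 . 2008-01-15 15:55 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2008-01-03 18:23 . 2008-01-03 18:23 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-03 18:17 . 2008-01-03 18:17 352,410 --a------ C:\WINDOWS\system32\ope18B.exe
2008-01-03 18:17 . 2008-01-03 18:17 0 --a------ C:\WINDOWS\system32\ope18B.tmp
2008-01-03 18:17 . 2008-01-03 18:17 0 --a------ C:\WINDOWS\ope190.tmp
"""

# One file entry: creation stamp, " . ", modification stamp, size or <DIR>,
# a nine-character attribute field, then the path (which may contain spaces).
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-A-Za-z]{9}) (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".scr", ".com")


def parse_files_created(log_text: str) -> List[dict]:
    """Return one dict per line that matches the ComboFix file-entry format."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each path that trips a heuristic to the list of heuristics it tripped."""
    entries = parse_files_created(log_text)
    # Stems of zero-byte .tmp files: droppers often leave an empty .tmp next to the .exe
    # (ope18B.exe / ope18B.tmp in the thread's log is the pattern this looks for).
    tmp_stems = {
        e["path"].lower()[:-4]
        for e in entries
        if e["path"].lower().endswith(".tmp") and e["size"] == "0"
    }
    findings: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        path, attrs = e["path"], e["attrs"].lower()
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        # 1. "name .exe": a space before the extension marks a renamed copy of a
        #    legitimate autorun program, which RenV is used to rename back.
        if re.search(r" \.(exe|dll|scr|com)$", name):
            findings[path].append("space before extension")
        # 2. hidden + system attributes on a file dropped directly into system32.
        if "\\system32\\" in low and "h" in attrs and "s" in attrs:
            findings[path].append("hidden+system in system32")
        # 3. executable whose stem also exists as an empty .tmp in the same listing.
        if name.endswith(EXEC_EXT) and low[:-4] in tmp_stems:
            findings[path].append("empty .tmp twin (dropper residue)")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(reasons)}")
```

Flagged paths are candidates for a VirusTotal check like the one in Step 5, not verdicts; legitimate licensing and driver files also carry unusual attributes.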
See how it is going, you may download the missing adobe file if everything is fine.
I think you can, but to be on the safe side, you can uninstall Adobe. After we have finished with the cleaning (hopefully in the next post) you can reinstall it again.
Let me know if you can double click now; if not, reset it again and see if it remains.
Step 4.
Reboot: right after the reboot, empty the user temp folder by going to Start - Run and typing %temp%; on the right panel select one of the files, press Ctrl+A (this also selects hidden files), then Shift+Delete to delete (this bypasses the Recycle Bin).
See how it is going, you may download the missing adobe file if everything is fine.
Do you want me to delete .tmp files only? Or EVERYTHING in the temp folder? Other folders that have shown up include:
Folders in my Temp directory:
clclean.0001.dir.0000
WPDNSE
{AC76BA86-1033-0000-7760-000000000003}
Files which are not .tmp files in my Temp directory
clclean.0001
AUInst.log
I'm almost done with everything just not clear on if I should delete all of these files and folders in the Temp directory.
Thanks, I really appreciate your help.
I'm also looking at the files under my windows directory and the only .exe file that I have from the list that you gave me is:
dsdxirmv.exe
I have an ope190.tmp file in my Windows directory but no .exe
I attempted to delete the .tmp files that appeared in my TEMP folder and got an alert stating the file is currently in use and cannot be deleted. My double click is still disabled. Whenever I right click on an icon on the desktop Adobe Acrobat still tries to load. I still think something is remaining because of my double click problem. I can enter the control panel and change the speed of my double click from fast to slower and double click will work fine. It resets on reboot every time though. Thank you so much. Keep me updated.
Here is the New Combo Fix
ComboFix 08-01-23.1C - FRED 2008-01-27 16:18:17.2 - NTFSx86
Running from: C:\Documents and Settings\FRED\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\FRED\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\VundoFix Backups
.
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.
2008-01-27 12:38 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 19:46 . 2008-01-23 19:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-23 19:46 . 2008-01-23 19:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-22 17:56 . 2006-11-30 15:49 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
2008-01-22 17:56 . 2004-04-13 14:48 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2008-01-21 01:45 . 2008-01-21 01:45 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-01-20 23:57 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-01-20 23:57 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-01-20 23:32 . 2008-01-20 23:32 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-20 12:07 . 2008-01-20 12:08 <DIR> d-------- C:\Program Files\Macromedia
2008-01-20 12:07 . 2008-01-20 12:07 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-01-16 19:24 . 2008-01-16 19:24 338,944 --a------ C:\WINDOWS\system32\RCXA03.tmp
2008-01-15 19:02 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-15 16:09 . 2008-01-15 16:09 0 --a------ C:\ComboFix.exe
2008-01-15 16:08 . 2008-01-22 17:08 <DIR> d-------- C:\VundoFix Backups
2008-01-06 21:17 . 2008-01-06 21:19 <DIR> d-------- C:\Program Files\PCFriendly
2008-01-06 21:09 . 2008-01-06 21:09 0 --a------ C:\WINDOWS\iplayer.INI
2008-01-06 20:34 . 2008-01-06 20:35 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-01-06 20:34 . 2008-01-06 20:35 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-01-06 20:33 . 2008-01-06 20:33 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-06 20:29 . 2008-01-06 20:31 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-06 11:58 . 2008-01-06 11:59 1,043,860 --ahs---- C:\WINDOWS\system32\grrpctgn.ini
2008-01-05 10:24 . 2008-01-06 11:51 1,043,800 --ahs---- C:\WINDOWS\system32\cufqpeii.ini
2008-01-03 19:01 . 2008-01-15 15:55 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2008-01-03 19:01 . 2008-01-11 18:40 118,784 --a------ C:\WINDOWS\system32\igfxpers .exe
2008-01-03 19:01 . 2008-01-15 15:55 98,304 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-01-03 19:01 . 2008-01-15 15:55 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-03 18:23 . 2008-01-03 18:28 <DIR> d-------- C:\Program Files\DVDFab Platinum 4
2008-01-03 18:23 . 2008-01-03 18:23 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-03 18:18 . 2008-01-03 18:51 <DIR> d-------- C:\WINDOWS\system32\mr9
2008-01-03 18:18 . 2008-01-03 18:18 <DIR> d-------- C:\WINDOWS\system32\ardCo16
2008-01-03 18:18 . 2008-01-03 18:51 <DIR> d-------- C:\WINDOWS\system32\aj2
2008-01-03 18:18 . 2008-01-03 18:18 <DIR> d-------- C:\Temp\cEeer12
2008-01-03 18:18 . 2008-01-03 18:18 111,831 --a------ C:\WINDOWS\system32\ope192.exe
2008-01-03 18:18 . 2008-01-03 18:18 0 --a------ C:\WINDOWS\system32\ope192.tmp
2008-01-03 18:17 . 2008-01-03 18:17 352,410 --a------ C:\WINDOWS\system32\ope18B.exe
2008-01-03 18:17 . 2008-01-03 18:17 0 --a------ C:\WINDOWS\system32\ope18B.tmp
2008-01-03 18:17 . 2008-01-03 18:17 0 --a------ C:\WINDOWS\ope190.tmp
2007-12-28 17:32 . 2007-12-28 17:32 <DIR> d-------- C:\WINDOWS\system32\RegVac
2007-12-28 17:31 . 2008-01-16 22:32 <DIR> d-------- C:\Program Files\RegVac Registry Cleaner
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 18:12 --------- d-----w C:\Program Files\TomTom HOME 2
2008-01-27 18:12 --------- d-----w C:\Program Files\RF Wireless Mouse
2008-01-27 18:12 --------- d-----w C:\Program Files\QuickTime
2008-01-27 18:12 --------- d-----w C:\Program Files\AIM6
2008-01-22 23:05 --------- d-----w C:\Program Files\Cakewalk
2008-01-22 22:53 118,784 ----a-w C:\WINDOWS\dsdxirmv.exe
2008-01-21 06:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-21 04:42 --------- d-----w C:\Program Files\Bonjour
2008-01-19 17:58 --------- d-----w C:\Program Files\NetWaiting
2008-01-07 02:08 --------- d-----w C:\Program Files\DellSupport
2007-12-26 16:19 --------- d-----w C:\Program Files\Dnote Software
2007-12-26 16:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 16:14 --------- d-----w C:\Program Files\TomTom DesktopSuite
2007-12-19 21:00 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-19 20:59 --------- d-----w C:\Program Files\McAfee
2007-12-15 17:38 --------- d-----w C:\Program Files\CDisplay
2007-12-05 00:32 --------- d-----w C:\Program Files\Lavasoft
2007-12-05 00:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-04 22:58 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-04 22:57 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-11-30 15:23 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 09:55 3,065,856 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-09-24 22:58 104 --sh--r C:\WINDOWS\system32\173C1FC059.sys
2007-09-24 22:58 3,766 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
----a-w 460,784 2008-01-07 01:59:47 C:\Program Files\DellSupport\DSAgnt .exe
----a-w 602,182 2008-01-15 23:22:17 C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
----a-w 667,718 2008-01-15 23:22:16 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc .exe
----a-w 1,694,208 2008-01-09 23:41:30 C:\Program Files\Messenger\msmsgs .exe
----a-w 1,637,312 2008-01-15 23:22:56 C:\Program Files\SlySoft\AnyDVD\AnyDVD .exe
----a-w 761,947 2008-01-15 23:22:20 C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w 77,824 2008-01-15 20:55:14 C:\WINDOWS\system32\hkcmd .exe
----a-w 118,784 2008-01-11 23:40:52 C:\WINDOWS\system32\igfxpers .exe
----a-w 98,304 2008-01-15 20:55:13 C:\WINDOWS\system32\igfxtray .exe
----a-w 155,648 2008-01-15 20:55:47 C:\WINDOWS\system32\NeroCheck .exe
----a-w 127,035 2008-01-15 20:55:44 C:\WINDOWS\system32\dla\tfswctrl .exe
----a-w 176,128 2008-01-15 20:56:06 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe
((((((((((((((((((((((((((((( snapshot@2008-01-27_13.23.06.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-27 17:40:23 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-27 21:18:07 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-27 17:40:24 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-27 21:18:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-27 17:40:24 8,978,432 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-27 21:18:07 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-27 17:40:24 163,840 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-27 21:18:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-27 17:40:24 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-27 21:18:07 8,978,432 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-27 17:40:24 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-27 21:18:07 167,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 04:40 24576 C:\WINDOWS\MIDIDEF.EXE]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [ ]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [ ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [ ]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [ ]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 14:35 397312 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [ ]
"MBMon"="CTMBHA.DLL" [2006-03-03 03:18 1355938 C:\WINDOWS\system32\CTMBHA.DLL]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"Start RF Wireless Mouse"="C:\Program Files\RF Wireless Mouse\cm20.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [ ]
"WD Button Manager"="WDBtnMgr.exe" [2007-01-14 08:43 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [ ]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [ ]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [ ]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [ ]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2008-01-27 12:43 2288640]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-16 14:54:27 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 04:19:24 237568]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OZ_ZQ-590A Synchronization Software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OZ_ZQ-590A Synchronization Software.lnk
backup=C:\WINDOWS\pss\OZ_ZQ-590A Synchronization Software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^FRED^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\FRED\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 14:08 67160 C:\PROGRA~1\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 20:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 14:01 67584 C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 10:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 10:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
--------- 2006-01-02 09:13 1126400 C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [2006-07-10 10:44]
S3 SPCP825K;Sunplus Serial port driver;C:\WINDOWS\system32\DRIVERS\SPCP825K.sys [2004-02-02 14:23]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5786853d-fd78-11da-8cb7-0015c51c88fa}]
\Shell\AutoRun\command - setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 23:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (FREDJOAKMAN-FRED).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-09-15 05:05:12 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-07 05:49:51 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 16:24:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-27 16:26:39
ComboFix-quarantined-files.txt 2008-01-27 21:26:36
ComboFix2.txt 2008-01-27 18:24:53
.
2008-01-08 23:54:04 --- E O F ---
Here is the new RENV LOG
Ran on Sun 01/27/2008 - 16:39:04.78
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
Here is the virustotal.exe result for dsdxirmv.exe
Antivirus Version Last Update Result
AhnLab-V3 2008.1.26.10 2008.01.25 -
AntiVir 7.6.0.56 2008.01.27 -
Authentium 4.93.8 2008.01.26 -
Avast 4.7.1098.0 2008.01.27 -
AVG 7.5.0.516 2008.01.27 -
BitDefender 7.2 2008.01.27 -
CAT-QuickHeal 9.00 2008.01.25 -
ClamAV 0.91.2 2008.01.27 -
DrWeb 4.44.0.09170 2008.01.27 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5486 2008.01.26 -
Ewido 4.0 2008.01.27 -
FileAdvisor 1 2008.01.27 -
Fortinet 3.14.0.0 2008.01.27 -
F-Prot 4.4.2.54 2008.01.27 -
F-Secure 6.70.13260.0 2008.01.27 -
Ikarus T3.1.1.20 2008.01.27 -
Kaspersky 7.0.0.125 2008.01.27 -
McAfee 5216 2008.01.26 -
Microsoft 1.3109 2008.01.27 -
NOD32v2 2826 2008.01.27 -
Norman 5.80.02 2008.01.24 -
Panda 9.0.0.4 2008.01.27 -
Prevx1 V2 2008.01.27 -
Rising 20.28.62.00 2008.01.27 -
Sophos 4.25.0 2008.01.27 -
Sunbelt 2.2.907.0 2008.01.25 -
Symantec 10 2008.01.27 -
TheHacker 6.2.9.200 2008.01.27 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.27 -
Webwasher-Gateway 6.6.2 2008.01.27 -
Additional information
File size: 118784 bytes
MD5: 26cfc8713e6ccfbfa5a4bc47f87aa6fe
SHA1: 7051c422701b43e15d1e5296f3e47ecbe4abae47
PEiD: Armadillo v1.71
Here is the new HiJack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:33 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\Rundll32.exe
C:\DOCUME~1\FRED\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\FRED\Desktop\MOON.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\awvvu.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - \Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll (file missing)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: (no name) - {38E990AD-8434-4E23-B9AD-246AE71E969E} - C:\WINDOWS\system32\awvvu.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - \Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - \Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - \Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{64617C4F-0F10-4316-9A7A-8E372853EE6C}: NameServer = 38.9.212.2,38.9.222.2
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 13268 bytes
Do you want me to delete .tmp files only? Or EVERYTHING in the temp folder? Other folders that have shown up include:
Folders in my Temp directory:
clclean.0001.dir.0000
WPDNSE
{AC76BA86-1033-0000-7760-000000000003}
Files which are not .tmp files in my Temp directory:
clclean.0001
AUInst.log
I'm almost done with everything, just not clear on whether I should delete all of these files and folders in the Temp directory.
Thanks, I really appreciate your help.
I'm also looking at the files under my Windows directory, and the only .exe file that I have from the list that you gave me is:
dsdxirmv.exe
I have an ope190.tmp file in my Windows directory but no .exe.
1. Clean everything in the Temp folder by following the instruction exactly as it is written (including any hidden files), thus by selecting one file and then pressing Ctrl+A.
2. The files named may be hidden; unhide them by going to Start > Control Panel > Folder Options > View and checking Show hidden files and folders.
3. Also let the following files (in bold) be scanned. I think you can remove these entries from the registry. First select them in the registry, go to File > Export to make a backup, then remove them.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5786853d-fd78-11da-8cb7-0015c51c88fa}]
\Shell\AutoRun\command - setupSNK.exe
I am going to bed now; post me your questions, and I will take a deeper look at the ComboFix log. Wait if you have any doubt about doing anything.
Thanks a lot for your help. I can't delete all the items in the Temp folder; access is denied because they are currently being used by another program. I ran HijackThis again and awvvu.dll is popping back up.
Here is the newest HijackThis log. I didn't mess with regedit; I'll wait for further instructions. Thanks!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:47:51 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc .exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\DOCUME~1\FRED\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee.com\Agent\mcagent .exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\FRED\Desktop\MOON.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - \Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {DC454ED7-644F-431B-9743-F7DC54306A67} - C:\WINDOWS\system32\awvvu.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - \Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{64617C4F-0F10-4316-9A7A-8E372853EE6C}: NameServer = 38.9.212.2,38.9.222.2
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 13271 bytes
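Two HijackThis logs are posted in this thread, and the whole job of reviewing one is to pick the handful of lines that matter (the unnamed BHO in system32, the win.ini load= entry, whatever runs out of Temp) from a few hundred benign ones. The script below is an added example, not HijackThis code and not the helper's method: it parses the v2 log format and applies a small heuristic rule set, including a cross-reference that notices when one file stem appears as both a BHO DLL and a win.ini load= executable, which is exactly the awvvu pair in the log above. The sample log is constructed from entries quoted in this thread; the rules are the example's own assumptions, and a flagged line means "look at this", not "malicious".

```python
"""Triage a HijackThis v2 log: parse its entry lines and flag the ones a
reviewer should look at first.  Added example for this thread; not HijackThis
code, and the rule set below is the example author's own heuristic."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 log format, modelled on entries quoted in
# this thread (the awvvu.dll BHO, the win.ini load= line, a process running
# from Temp, a hard-coded NameServer) plus benign entries for contrast.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\Rundll32.exe
C:\DOCUME~1\FRED\LOCALS~1\Temp\clclean.0001
C:\Program Files\Bonjour\mDNSResponder.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
F3 - REG:win.ini: load=C:\WINDOWS\system32\awvvu.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {38E990AD-8434-4E23-B9AD-246AE71E969E} - C:\WINDOWS\system32\awvvu.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{64617C4F-0F10-4316-9A7A-8E372853EE6C}: NameServer = 38.9.212.2,38.9.222.2
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")


@dataclass(frozen=True)
class Finding:
    section: str  # "O2", "F3", ..., "process" for the running-process block, "xref" for cross-references
    reason: str
    line: str


def _stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\awvvu.dll' -> 'awvvu' (case-folded, extension dropped)."""
    path = path.split(" (file missing)")[0].strip().strip('"').replace("/", "\\")
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def _in_system32(path: str) -> bool:
    return "\\windows\\system32\\" in path.lower().replace("/", "\\")


def triage(log_text: str) -> list[Finding]:
    """Return the entries worth a reviewer's attention, in log order, then cross-references."""
    findings: list[Finding] = []
    bho_stems: dict[str, str] = {}   # file stem -> log line, for the cross-reference rule
    load_stems: dict[str, str] = {}
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            # Header lines and the "Running processes:" block have no section code.
            if line.startswith("Running processes:"):
                in_processes = True
            elif in_processes and "\\temp\\" in line.lower():
                findings.append(Finding("process", "process running from a Temp directory", line))
            continue
        in_processes = False
        section, body = m.groups()
        if section == "F3" and "win.ini: load=" in body:
            load_stems[_stem(body.split("load=", 1)[1])] = line
            findings.append(Finding(section, "win.ini load= startup entry (legacy autostart vector)", line))
        elif section == "O2":
            b = BHO_RE.match(body)
            if b:
                bho_stems[_stem(b["path"])] = line
                if b["name"] == "(no name)" and _in_system32(b["path"]):
                    findings.append(Finding(section, "unnamed BHO loading from system32", line))
        elif section == "O17":
            n = NAMESERVER_RE.search(body)
            if n:
                findings.append(Finding(section, f"DNS servers overridden: {n['servers']}", line))
        elif section == "O23":
            s = SERVICE_RE.match(body)
            if s and s["owner"] == "Unknown owner":
                findings.append(Finding(section, "service with unknown owner", line))
    # Cross-reference: the same stem used by a BHO DLL and by a win.ini load= executable.
    for stem in sorted(bho_stems.keys() & load_stems.keys()):
        findings.append(Finding("xref", f"stem '{stem}' is both a BHO DLL and a win.ini load= target", bho_stems[stem]))
    return findings


def report(findings: list[Finding]) -> str:
    return "\n".join(f"[{f.section}] {f.reason}\n    {f.line}" for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

On the constructed sample the script reports six findings: the process in Temp, the load= entry, the unnamed system32 BHO, the NameServer override, the unknown-owner service, and the awvvu cross-reference; the unnamed SiteAdvisor BHO under Program Files is deliberately not flagged, because the rule is about unnamed modules in system32, not unnamed modules in general.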
1. I am sorry, I meant the Temp folder; yes, everything, including any hidden ones. Do it right after a reboot.
2. Those files may be hidden, and thus more suspicious. To unhide files go to Control Panel > Folder Options > View, check Show hidden files and folders, and uncheck Hide extensions for known file types.
Hi anchorless,
I want to make sure the malware does not get installed next time.
Step 1.
Did you get a chance to get those files scanned? I added a couple of files to them:
*C:\WINDOWS\system32\ope18B.exe (there are more ope* files in the system32 folder, all suspicious)
*C:\WINDOWS\system32\grrpctgn.ini
*C:\WINDOWS\QTFont.qfn
*E:\setup.exe (if you have an E drive/partition, or is this just a registry leftover from a flash drive?)
You don't need to post the scan result when they are clean.
Step 2.
1. See if you have inst.exe on your system (please report back). ComboFix has removed one of them; I suspect there are more. To search for the file:
Go to Start > Search > click All files and folders > type the name of the file in the upper box > click More advanced options and check Search system folders, Search hidden files and folders, and Search subfolders > click Search.
2. Check the firewall's allowed list and see if there is a reference to inst.exe (please report back).
3. While you are there, check the other allowed programs and remove the suspicious ones; except for those you are sure about (Windows Update and AV and security-related programs), remove the rest. You have to be on alert for a while until we remove all the parts of the malware and close the door behind it. The malware can download and install things if it has free access through the firewall.
Step 3.
Do you have any P2P software (uTorrent, BitLord, LimeWire, etc.) on your system? (Please report.) If yes, uninstall it for now and remove any remaining folder or downloaded file. You may reinstall it later on.
Step 4.
Remove old Java versions due to a serious security vulnerability (particularly for Vundo-family malware):
*Go to http://java.sun.com/javase/download...
*Download the latest version of the JRE (Java Runtime Environment (JRE) 6 Update 4), but don't install it yet; you may install it later on.
*Go to Control Panel > Add/Remove Programs and uninstall/remove all the old versions of Java, or any item with Java (JRE or J2SE) in the name. Then remove any folder left in Program Files.
Hi anchorless,
I want to make sure the malware does not get installed next time.
Step 1.
Did you get a chance to get those files scanned? I added a couple of files to them:
*C:\WINDOWS\system32\ope18B.exe (there are more ope* files in system32 folder, all suspicious)
*C:\WINDOWS\system32\grrpctgn.ini
*C:\WINDOWS\QTFont.qfn
*E:setup.exe (if you have an E drive/partition, or this is just a registry left over from a flash drive?)
You don't need to post the scan result when they are clean.
Step 2.
1. See if you have inst.exe on your system (please report back). Combofix has removed one of them; I suspect there are more. To search for the file:
Go to Start - Search - click "All files and folders" - type the name of the file in the upper box - click "More advanced options" and check: search system folders, search hidden files and folders, and search subfolders - click Search.
2. Check the firewall's allowed-programs list and see if there is a reference to inst.exe (please report back).
3. While you are there, check the other allowed programs and remove the suspicious ones. Except for those you are sure about (Windows Update and AV and security-related programs), remove the rest. You have to be on alert for a while until we remove all the parts of the malware and close the door behind it. The malware can download and install things if it has free access through the firewall.
Step 3.
Do you have any P2P software (uTorrent, BitLord, LimeWire, etc.) on your system? (Please report.) If yes, uninstall it for now and remove any remaining folder or downloaded file. You may reinstall it later on.
Step 4.
Remove old Java versions due to a serious security vulnerability (particularly relevant for Vundo family malware):
*Go to http://java.sun.com/javase/download...
*Download the latest version of the JRE (Java Runtime Environment (JRE) 6 Update 4) but don't install it yet; you may install it later on.
*Go to Control Panel - Add/Remove Programs and uninstall/remove all the old versions of Java, or any item with Java (JRE or J2SE) in the name. Then remove any folder left in Program Files.
On my way to work. I will read your new instructions and follow through with them when I get back 4:30 EST USA
Thank you for helping so much.
Hi Anchorless,
You are welcome, thank you also for your patience.
Please add this one to the list at the step 1:
C:\WINDOWS\iplayer.INI (this is a legit one but may be misused)
I ended up having to work a long day yesterday. When I got home it was well past my bedtime. My apologies. Going to work again this morning, back at 4:30 EST USA. Running through all the new instructions for the files on VirusTotal, then I'll post my results!
Thanks!
Fine to hear from you. We have a 7-hour time difference. I am also sitting at my work; Tuesday I have a long day, but I can perhaps manage to post you the next step as soon as you give me the feedback I need. About the ob*.exe files, I am pretty sure they are malware. I think the setup.exe is an autorun registry item to run the setup.exe file situated on a (usually an installation) CD once you insert the CD into the E (CD-ROM) drive. It is harmless at the moment but a vulnerability for the future: let's say you have an infected CD with a malware setup file; once you insert the CD it will execute the setup file on it without you getting a chance to take a look at it or get it scanned. It is then up to the AV real-time protection to detect the infection. In case you have an E partition it is quite a different story.
I am interested to know about the rest of the files, and about the other questions I have asked.
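The AutoRun mechanism described in the reply above (a CD or volume's setup.exe launched on insertion, with the command cached under MountPoints2), as an added example that is not part of this thread and not ComboFix's code: it lists what AutoRun would execute from an autorun.inf and from MountPoints2 lines in the layout ComboFix prints, and emits the Explorer policy that turns AutoRun off. The autorun.inf and the MountPoints2 lines are constructed samples; the policy output assumes the machine honours NoDriveTypeAutoRun for every drive type, which on XP depends on Microsoft's later AutoRun update.

```python
"""Added example (not part of this thread, not ComboFix's code): list what
AutoRun would launch for a volume, from an autorun.inf and from the
MountPoints2 cache lines ComboFix prints, then emit the policy that turns
AutoRun off. All sample input below is constructed."""
import re
from typing import Dict, List

# Constructed autorun.inf, modelled on what an installation CD carries.
SAMPLE_AUTORUN_INF = """\
; constructed sample
[autorun]
open=setup.exe /quiet
icon=setup.exe,0
shell\\install\\command=setup.exe /full
shell=install

[DeviceInstall]
DriverPath=drivers
"""

# Constructed MountPoints2 lines in the layout ComboFix uses in its report
# (volume GUID key, then the cached AutoRun command).
SAMPLE_MOUNTPOINTS2 = """\
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\\Shell\\AutoRun\\command - E:\\setup.exe
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{5786853d-fd78-11da-8cb7-0015c51c88fa}]
\\Shell\\AutoRun\\command - setupSNK.exe
"""

MOUNTPOINT_KEY_RE = re.compile(r"mountpoints2\\(\{[0-9a-f-]+\})\]", re.IGNORECASE)
AUTORUN_CMD_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$", re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Commands the shell would run, keyed by trigger ('open', 'shellexecute',
    'shell\\<verb>'). Only the [autorun] section counts; keys are case-insensitive."""
    commands: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key_l = key.lower()
        if key_l in ("open", "shellexecute"):
            commands[key_l] = value
        elif key_l.startswith("shell\\") and key_l.endswith("\\command"):
            commands["shell\\" + key[6:-8]] = value   # shell\<verb>\command
    return commands


def parse_mountpoints2(report: str) -> List[Dict[str, object]]:
    """Pair each cached volume GUID with the AutoRun command Explorer stored for it."""
    found: List[Dict[str, object]] = []
    volume = None
    for line in report.splitlines():
        key = MOUNTPOINT_KEY_RE.search(line)
        if key:
            volume = key.group(1)
            continue
        cmd = AUTORUN_CMD_RE.match(line.strip())
        if cmd and volume:
            command = cmd.group(1).strip()
            found.append({"volume": volume, "command": command,
                          "absolute": bool(DRIVE_PATH_RE.match(command))})
    return found


def autorun_findings(inf_text: str, report: str) -> List[str]:
    """Human-readable list of everything that would run without a prompt."""
    findings: List[str] = []
    for trigger, command in parse_autorun_inf(inf_text).items():
        findings.append(f"autorun.inf {trigger}: '{command}' runs on insert/double-click")
    for entry in parse_mountpoints2(report):
        where = "absolute path" if entry["absolute"] else "relative to the volume root"
        findings.append(f"MountPoints2 {entry['volume']}: cached '{entry['command']}' ({where})")
    return findings


def no_autorun_reg(hive: str = "HKEY_LOCAL_MACHINE") -> str:
    """REGEDIT4 text for the Explorer policy that disables AutoRun on every drive
    type (NoDriveTypeAutoRun = 0xFF). Assumption: the machine honours this policy
    for all drive types, which on XP needs Microsoft's later AutoRun update."""
    return ("REGEDIT4\n\n"
            f"[{hive}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]\n"
            '"NoDriveTypeAutoRun"=dword:000000ff\n')


if __name__ == "__main__":
    for finding in autorun_findings(SAMPLE_AUTORUN_INF, SAMPLE_MOUNTPOINTS2):
        print(finding)
    print(no_autorun_reg())
```

Run it as-is to see the four findings for the constructed input; point parse_mountpoints2 at a real ComboFix report to list every volume whose AutoRun command Explorer has cached, and merge the emitted .reg text to stop the shell from running any of them.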
I scanned all of the ope files in my system32 folder with virustotal.com.
ope192.exe came up with the following, so I deleted the ope files in the system32 folder; there were two ope.tmp files plus the .exe:
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - Trojan.DownLoader.24715
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - Trojan-Downloader.Win32.VB.caw
Ikarus - - Trojan-Downloader.Win32.VB.awj
Kaspersky - - Trojan-Downloader.Win32.VB.caw
McAfee - - -
Microsoft - - TrojanDownloader:Win32/VB.AAF
NOD32v2 - - a variant of Win32/TrojanDownloader.VB.AW
Norman - - -
Panda - - -
Prevx1 - - Trojan.Vundo
Rising - - -
Sophos - - Troj/Agent-GKF
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
There was no grrpctgn.ini file in either the Windows or system32 folder, even after changing the folder properties to view hidden and system files.
QTFont.qfn was clean according to virustotal.com
IPlayer.ini could not be scanned by virustotal.com, probably because of the type of file(?)
Ran a search on inst.exe and came up with the following:
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3
(Looks like an AOL installer or something. Getting rid of it, I don't want it.)
I removed all p2p I had on my system.
Under firewall settings:
ope190.exe had full outbound access, as did kernal.exe, so I deleted those.
I found a strange file called ardCo162291.exe under system32\ardCo16\. It had outbound access through my firewall. Blocked access. Creation date was January 3rd, 2008.
I scanned it with virustotal.com and found it to be pretty nasty. I pat myself on the shoulder for that one.
Should I manually delete that file or is there an alternate way that you would prefer me to try?
Here were the results from the virustotal.com scan of the ardCo162291.exe file.
Antivirus Version Last Update Result
AhnLab-V3 2008.1.30.10 2008.01.29 Win-Trojan/Xema.variant
AntiVir 7.6.0.57 2008.01.29 HEUR/Malware
Authentium 4.93.8 2008.01.29 -
Avast 4.7.1098.0 2008.01.29 Win32:VB-GWF
AVG 7.5.0.516 2008.01.29 Downloader.Generic6.ABCA
BitDefender 7.2 2008.01.29 -
CAT-QuickHeal 9.00 2008.01.29 TrojanDownloader.VB.caw
ClamAV 0.91.2 2008.01.29 -
DrWeb 4.44.0.09170 2008.01.29 Trojan.DownLoader.24715
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5494 2008.01.29 Win32/Fishdown.I
Ewido 4.0 2008.01.29 Downloader.VB.ccs
FileAdvisor 1 2008.01.29 -
Fortinet 3.14.0.0 2008.01.29 -
F-Prot 4.4.2.54 2008.01.29 -
F-Secure 6.70.13260.0 2008.01.29 Trojan-Downloader.Win32.VB.caw
Ikarus T3.1.1.20 2008.01.29 Trojan-Downloader.Win32.VB.caw
Kaspersky 7.0.0.125 2008.01.29 Trojan-Downloader.Win32.VB.caw
McAfee 5218 2008.01.29 Generic Downloader.s
Microsoft 1.3109 2008.01.28 TrojanDownloader:Win32/VB.AAF
NOD32v2 2833 2008.01.29 a variant of Win32/TrojanDownloader.VB.AW
Norman 5.80.02 2008.01.29 -
Panda 9.0.0.4 2008.01.28 Trj/Downloader.PLF
Prevx1 V2 2008.01.29 Heuristic: Suspicious File With Bad Parent Associations
Rising 20.29.12.00 2008.01.29 -
Sophos 4.25.0 2008.01.29 Troj/Agent-GKF
Sunbelt 2.2.907.0 2008.01.29 -
Symantec 10 2008.01.29 Downloader
TheHacker 6.2.9.201 2008.01.28 -
VBA32 3.12.2.6 2008.01.29 -
VirusBuster 4.3.26:9 2008.01.29 -
Webwasher-Gateway 6.6.2 2008.01.29 Heuristic.Malware
Under Add/Remove Programs I found old versions of the Java application and removed them, and also found a kernel application which, since its deletion, was no longer a valid program, so I removed it from the list of programs.
Thanks a TON for your help. Let me know what to do with that ardCo162291.exe file and I'll gladly continue to follow your instructions.
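The two VirusTotal tables pasted in the post above (the older "engine - - result" layout for ope192.exe and the "engine version date result" layout for ardCo162291.exe) are the kind of thing a responder reads by eye; as an added example that is not part of this thread and not VirusTotal's code, the script below parses both layouts into (engine, label) pairs, separates named signatures from pure heuristics, tags the labels by behaviour word (downloader, vundo, heuristic), and applies a quarantine threshold. The sample rows are constructed from labels that appear in the thread, and the three-named-detections threshold is an assumption, not a VirusTotal rule.

```python
"""Added example (not part of this thread, not VirusTotal's code): turn a
VirusTotal result table pasted as text into a triage decision. It accepts both
layouts seen in this thread: 'engine version date result' and the shorter
'engine - - result'. Sample rows are constructed from labels in the thread."""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample in the 'Antivirus Version Last Update Result' layout.
SAMPLE_FULL = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.1.30.10 2008.01.29 Win-Trojan/Xema.variant
Authentium 4.93.8 2008.01.29 -
Kaspersky 7.0.0.125 2008.01.29 Trojan-Downloader.Win32.VB.caw
NOD32v2 2833 2008.01.29 a variant of Win32/TrojanDownloader.VB.AW
Prevx1 V2 2008.01.29 Heuristic: Suspicious File With Bad Parent Associations
Symantec 10 2008.01.29 Downloader
"""

# Constructed sample in the shorter 'engine - - result' layout.
SAMPLE_SHORT = """\
DrWeb - - Trojan.DownLoader.24715
eSafe - - -
F-Secure - - Trojan-Downloader.Win32.VB.caw
McAfee - - -
"""

NO_DETECTION = "-"


def parse_vt_table(text: str) -> List[Tuple[str, str]]:
    """(engine, label) pairs; a label of '-' means the engine saw nothing."""
    rows: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Antivirus"):
            continue                      # blank line or the header row
        parts = line.split(None, 3)       # engine, version, date, result
        if len(parts) < 4:
            continue                      # damaged paste, skip it
        rows.append((parts[0], parts[3].strip()))
    return rows


def classify(label: str) -> Set[str]:
    """Coarse tags from a vendor label; vendor naming differs, behaviour words do not."""
    low = label.lower()
    tags: Set[str] = set()
    if "download" in low:
        tags.add("downloader")
    if "vundo" in low:
        tags.add("vundo")
    if any(word in low for word in ("heur", "generic", "suspicious")):
        tags.add("heuristic")
    return tags


def triage(text: str, min_named: int = 3) -> Dict[str, object]:
    """Count detections, separate named signatures from pure heuristics, and
    decide. Assumption: three named detections are enough to quarantine."""
    rows = parse_vt_table(text)
    hits = [(engine, label) for engine, label in rows if label != NO_DETECTION]
    tags: Counter = Counter()
    for _, label in hits:
        tags.update(classify(label))
    named = sum(1 for _, label in hits if classify(label) != {"heuristic"})
    return {
        "engines": len(rows),
        "detections": len(hits),
        "named_detections": named,
        "tags": dict(tags),
        "verdict": "quarantine" if named >= min_named else "manual review",
        "labels": dict(hits),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_FULL, SAMPLE_SHORT):
        print(triage(sample))
```

Pure heuristic hits ("HEUR/Malware", "Suspicious File ...") are counted separately from named signatures because a single heuristic flag on an otherwise clean table is the usual false-positive pattern, whereas several vendors agreeing on a downloader family is not.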
You are welcome, and good work; sure, you deserve a pat on the shoulder for all that. ardCo162291.exe was already on my list to delete because I had no doubt about it at all.
And what about E:\setup.exe? I want to be sure it is not a partition.
I want to close the circle on the malware; that is why we take a more cautious approach:
Step 1
Make backup copies of QTFont.qfn, QTFont.for, and IPlayer.ini, rename them old.qfn.ddd, old.for.ddd and old.ini.ddd, and save them somewhere other than the directory where the files reside.
Step 2
Open Notepad and copy/paste the text in the code box below into it:
File::
C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\wpssqanx.*
C:\WINDOWS\system32\hgggedb.*
C:\WINDOWS\system32\xpssqanw.*
C:\WINDOWS\system32\bgggedh.*
C:\WINDOWS\system32\awvvu.exe
C:\windows\system32\uvvwa.*
C:\WINDOWS\system32\ope192.exe
C:\WINDOWS\system32\ope192.tmp
C:\WINDOWS\system32\ope18B.exe
C:\WINDOWS\system32\ope18B.tmp
C:\WINDOWS\ope190.tmp
C:\WINDOWS\system32\RCXA03.tmp
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\iplayer.INI
Folder::
C:\VundoFix Backups
C:\WINDOWS\system32\mr9
C:\WINDOWS\system32\ardCo16
C:\WINDOWS\system32\aj2
C:\WINDOWS\system32\mr9
C:\Temp\cEeer12
RenV::
C:\WINDOWS\system32\igfxpers .exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe
C:\Program Files\McAfee.com\Agent\mcagent .exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxpers"=-
"SigmatelSysTrayApp"=-
"QuickTime Task"=-
"WD Button Manager"=-
"HPDJ Taskbar Utility"=-
"QuickTime Task"=-
"Creative Detector"=-
"AnyDVD"=-
"MSMSGS"=-
"Acrobat Assistant 8.0"=-
"Adobe_ID0EYTHM"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38E990AD-8434-4E23-B9AD-246AE71E969E}]
*Save this on your desktop as CFScript.txt
*Go to your firewall settings and add combofix.exe to the allowed items.
*Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, but don't disable the firewall. After ComboFix is finished, turn on/enable your anti-virus again.
*Drag CFScript.txt into ComboFix.exe.
Step 3
Run HijackThis and check if the .dll is showing up again.
If the dll is not there, go to Start - Run and type in: sfc /scannow
It checks the integrity of Windows system files and if needed replaces them. If the system backup files are also corrupted, it asks you to insert your Windows installation CD.
Step 4
Reboot and run HJT again.
Post the content of combofix.exe and, if the dll has come back, post the HijackThis log too.
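The CFScript in the post above is a plain-text list of File::, Folder::, RenV:: and Registry:: sections that ComboFix executes as given, so a typo (an unquoted value name, a path listed twice) is cheapest to catch before the script is dragged onto ComboFix.exe. As an added example that is not part of this thread and not ComboFix's code, the script below parses a CFScript into its sections, lints the REGEDIT4 lines and path entries, and, for each RenV:: entry of the "name .exe" form, derives the same path without the space, the legitimate name that sits beside it. The sample script is constructed to mirror the thread's layout, with a full key path written in place of the "~" shorthand.

```python
"""Added example (not part of this thread, not ComboFix's code): a lint pass
over a CFScript before it is dragged onto ComboFix.exe. It checks section
headers, REGEDIT4 value syntax, duplicate paths and the 'name .ext' form of
RenV:: entries. The sample script below is constructed, with full key paths."""
import re
from collections import Counter
from typing import Dict, List

SECTION_HEADERS = {"File::", "Folder::", "RenV::", "Registry::", "Driver::", "DirLook::"}

# Constructed sample modelled on the script in the thread (mr9 listed twice,
# one value name missing its opening quote, one value listed twice).
SAMPLE_CFSCRIPT = """\
File::
C:\\WINDOWS\\system32\\awvvu.dll
C:\\WINDOWS\\system32\\uvvwa.*
Folder::
C:\\WINDOWS\\system32\\mr9
C:\\WINDOWS\\system32\\ardCo16
C:\\WINDOWS\\system32\\mr9
RenV::
C:\\WINDOWS\\system32\\igfxpers .exe
C:\\Program Files\\McAfee.com\\Agent\\mcagent .exe
Registry::
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"igfxpers"=-
WD Button Manager"=-
"QuickTime Task"=-
"QuickTime Task"=-
[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{38E990AD-8434-4E23-B9AD-246AE71E969E}]
"""

DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
SPACED_EXT_RE = re.compile(r" (\.[A-Za-z0-9]+)$")
KEY_LINE_RE = re.compile(
    r"^\[-?HK(EY_LOCAL_MACHINE|EY_CURRENT_USER|EY_USERS|EY_CLASSES_ROOT|LM|CU|U|CR)\\.+\]$")
VALUE_LINE_RE = re.compile(r'^(?:"[^"]+"|@)=(?:-|.+)$')   # "Name"=- or "Name"=data


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split the script into sections; blank lines and text before the first header are dropped."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def lint_cfscript(text: str) -> List[str]:
    """Return a list of problems; an empty list means the script looks well-formed."""
    problems: List[str] = []
    sections = parse_cfscript(text)
    if not sections:
        return ["no recognised section header (File::, Folder::, RenV::, Registry::, ...)"]
    for name in ("File::", "Folder::", "RenV::"):
        for path, count in Counter(sections.get(name, [])).items():
            if count > 1:
                problems.append(f"{name} lists {path} {count} times")
            if not DRIVE_PATH_RE.match(path):
                problems.append(f"{name} entry is not an absolute drive path: {path}")
            if name == "RenV::" and not SPACED_EXT_RE.search(path):
                problems.append(f"RenV:: entry is not in 'name .ext' form: {path}")
    inside_key = False
    for line in sections.get("Registry::", []):
        if line.startswith("["):
            inside_key = True
            if not KEY_LINE_RE.match(line):
                problems.append(f"Registry:: malformed key line: {line}")
        elif not inside_key:
            problems.append(f"Registry:: value before any [key]: {line}")
        elif not VALUE_LINE_RE.match(line):
            problems.append(f'Registry:: malformed value line (expected "Name"=- or "Name"=data): {line}')
    for line, count in Counter(sections.get("Registry::", [])).items():
        if count > 1 and not line.startswith("["):
            problems.append(f"Registry:: value listed {count} times: {line}")
    return problems


def renv_companions(text: str) -> Dict[str, str]:
    """For each RenV:: entry, the same path without the space before the
    extension: the two names are the pair that ComboFix's RenV:: section handles."""
    return {path: SPACED_EXT_RE.sub(r"\1", path)
            for path in parse_cfscript(text).get("RenV::", [])}


if __name__ == "__main__":
    for problem in lint_cfscript(SAMPLE_CFSCRIPT):
        print("problem:", problem)
    for spaced, plain in renv_companions(SAMPLE_CFSCRIPT).items():
        print("RenV pair:", spaced, "<->", plain)
```

Against the constructed sample the lint reports three problems: the folder listed twice, the value line with the missing quote, and the value listed twice. Run it over a real CFScript.txt before handing it to ComboFix; an unquoted value name silently does nothing, which is worse than an error.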
I am still thinking of E:\setup.exe if you have an E partition this file should be removed immediately before going through the steps. If E is your CD-ROM go on with the steps.
E:\ is my CD/DVD rom drive.
Thanks.
Just ran ComboFix with the ******; posting results really soon.
Thanks again!
Unfortunately, Dell did not ship my computer with an XP CD, just a CD with the drivers etc. I can look into getting a hard copy of the CD. It only asked for the CD on two occasions and I had to hit Skip. Other than that, I did follow the instructions and ran the ****** through ComboFix, and the log is just below. There were no signs of awvvu.dll when I ran HijackThis; I posted that log for you to view below as well.
I can right-click icons without Adobe popping up and trying to install. I still have no double-click. I do have VundoFix and, if you want, I could try running that to see if anything shows up.
Here is the ComboFix log.
ComboFix 08-01-23.1C - FRED 2008-01-30 11:26:20.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.524 [GMT -5:00]
Running from: C:\Documents and Settings\FRED\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\FRED\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\iplayer.INI
C:\WINDOWS\ope190.tmp
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\awvvu.exe
C:\WINDOWS\system32\ope18B.exe
C:\WINDOWS\system32\ope18B.tmp
C:\WINDOWS\system32\ope192.exe
C:\WINDOWS\system32\ope192.tmp
C:\WINDOWS\system32\RCXA03.tmp
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent .exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VERSIO~2 .EXE
C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VERSIO~2.EXE
C:\Program Files\DellSupport\DSAgnt .exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent .exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Temp\cEeer12
C:\Temp\cEeer12\skAt.log
C:\VundoFix Backups
C:\VundoFix Backups\awvvu.dll.bad
C:\VundoFix Backups\awvvu.exe.bad
C:\VundoFix Backups\bbpldgjb.exe.bad
C:\VundoFix Backups\cytjddlk.dll.bad
C:\VundoFix Backups\emqmjady.exe.bad
C:\VundoFix Backups\etnggqdj.dll.bad
C:\VundoFix Backups\hgggedb.dll.bad
C:\VundoFix Backups\hkcmd.exe.bad
C:\VundoFix Backups\hpztsb09.exe.bad
C:\VundoFix Backups\htpnqiuj.dll.bad
C:\VundoFix Backups\igfxtray.exe.bad
C:\VundoFix Backups\imhjaglm.dll.bad
C:\VundoFix Backups\imhjaglm.dllbox.bad
C:\VundoFix Backups\jdqggnte.ini.bad
C:\VundoFix Backups\jgbmqein.exe.bad
C:\VundoFix Backups\klddjtyc.ini.bad
C:\VundoFix Backups\kqqeixgm.dll.bad
C:\VundoFix Backups\mrofinu1000106.exe.bad
C:\VundoFix Backups\NeroCheck.exe.bad
C:\VundoFix Backups\oiypfskj.dll.bad
C:\VundoFix Backups\pmuhpiqy.exe.bad
C:\VundoFix Backups\putfqicw.dll.bad
C:\VundoFix Backups\rlnjjcxs.dll.bad
C:\VundoFix Backups\sktfwsyw.exe.bad
C:\VundoFix Backups\snpmldwi.exe.bad
C:\VundoFix Backups\sutnscav.dll.bad
C:\VundoFix Backups\sxcjjnlr.ini.bad
C:\VundoFix Backups\tfswctrl.exe.bad
C:\VundoFix Backups\ujpeapcs.dll.bad
C:\VundoFix Backups\uvvwa.ini.bad
C:\VundoFix Backups\uvvwa.ini2.bad
C:\VundoFix Backups\vacsntus.ini.bad
C:\VundoFix Backups\wciqftup.ini.bad
C:\VundoFix Backups\wpssqanx.dll.bad
C:\VundoFix Backups\xkcsxunf.dll.bad
C:\VundoFix Backups\xkcsxunf.dllbox.bad
C:\VundoFix Backups\ydwbftst.dll.bad
C:\VundoFix Backups\yypomelo.dll.bad
C:\VundoFix Backups\zeapcyup.dll.bad
C:\VundoFix Backups\zeapcyup.dllbox.bad
C:\WINDOWS\ope190.tmp
C:\WINDOWS\system32\aj2
C:\WINDOWS\system32\ardCo16
C:\WINDOWS\system32\ardCo16\ardCo162291.exe
C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\awvvu.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\mr9
C:\WINDOWS\system32\NeroCheck .exe
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\RCX25.tmp
C:\WINDOWS\system32\RCXA03.tmp
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\uvvwa.ini
C:\WINDOWS\system32\uvvwa.ini2
C:\WINDOWS\system32\ymqvfwpt.dll
\Autorun.inf
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent .exe ---> QooBox
C:\Program Files\DellSupport\DSAgnt .exe ---> QooBox
C:\Program Files\McAfee.com\Agent\mcagent .exe ---> QooBox
C:\Program Files\Messenger\msmsgs .exe ---> QooBox
C:\WINDOWS\system32\igfxtray .exe ---> QooBox
C:\WINDOWS\system32\NeroCheck .exe ---> QooBox
C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VERSIO~2 .EXE ---> QooBox
.
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.
2008-01-27 16:39 . 2008-01-15 15:55 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-27 12:38 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 17:56 . 2006-11-30 15:49 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
2008-01-22 17:56 . 2004-04-13 14:48 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2008-01-21 01:45 . 2008-01-21 01:45 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-01-20 23:57 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-01-20 23:57 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-01-20 23:32 . 2008-01-20 23:32 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-20 12:07 . 2008-01-20 12:08 <DIR> d-------- C:\Program Files\Macromedia
2008-01-20 12:07 . 2008-01-20 12:07 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-01-15 19:02 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-15 16:09 . 2008-01-15 16:09 0 --a------ C:\ComboFix.exe
2008-01-06 21:17 . 2008-01-06 21:19 <DIR> d-------- C:\Program Files\PCFriendly
2008-01-06 21:09 . 2008-01-06 21:09 0 --a------ C:\WINDOWS\IPlayer.ini.INI
2008-01-06 20:34 . 2008-01-06 20:35 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-01-06 20:34 . 2008-01-06 20:35 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-01-06 20:33 . 2008-01-06 20:33 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-06 20:29 . 2008-01-06 20:31 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-06 11:58 . 2008-01-06 11:59 1,043,860 --ahs---- C:\WINDOWS\system32\grrpctgn.ini
2008-01-05 10:24 . 2008-01-06 11:51 1,043,800 --ahs---- C:\WINDOWS\system32\cufqpeii.ini
2008-01-03 18:23 . 2008-01-03 18:28 <DIR> d-------- C:\Program Files\DVDFab Platinum 4
2008-01-03 18:23 . 2008-01-03 18:23 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-12-28 17:32 . 2007-12-28 17:32 <DIR> d-------- C:\WINDOWS\system32\RegVac
2007-12-28 17:31 . 2008-01-16 22:32 <DIR> d-------- C:\Program Files\RegVac Registry Cleaner
2007-12-26 11:19 . 2007-12-26 11:19 <DIR> d-------- C:\Program Files\Dnote Software
2007-12-26 11:15 . 2008-01-27 13:12 <DIR> d-------- C:\Program Files\TomTom HOME 2
2007-12-26 11:14 . 2007-12-26 11:14 <DIR> d-------- C:\Program Files\TomTom DesktopSuite
2007-12-04 19:31 . 2007-12-04 19:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 16:34 --------- d-----w C:\Program Files\DellSupport
2008-01-29 21:04 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-29 21:01 --------- d-----w C:\Program Files\AIM
2008-01-29 19:57 --------- d-----w C:\Program Files\Java
2008-01-29 14:41 --------- d-----w C:\Program Files\BitComet
2008-01-27 22:27 --------- d-----w C:\Program Files\McAfee
2008-01-27 18:12 --------- d-----w C:\Program Files\RF Wireless Mouse
2008-01-27 18:12 --------- d-----w C:\Program Files\QuickTime
2008-01-22 23:05 --------- d-----w C:\Program Files\Cakewalk
2008-01-22 22:53 118,784 ----a-w C:\WINDOWS\dsdxirmv.exe
2008-01-21 06:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-21 04:42 --------- d-----w C:\Program Files\Bonjour
2008-01-19 17:58 --------- d-----w C:\Program Files\NetWaiting
2007-12-26 16:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-19 21:00 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-15 17:38 --------- d-----w C:\Program Files\CDisplay
2007-12-05 00:32 --------- d-----w C:\Program Files\Lavasoft
2007-12-04 22:58 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-30 15:23 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-09-24 22:58 104 --sh--r C:\WINDOWS\system32\173C1FC059.sys
2007-09-24 22:58 3,766 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2008-01-27_13.23.06.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-27 17:40:23 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-30 16:24:07 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-27 17:40:24 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-30 16:24:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-27 17:40:24 8,978,432 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-30 16:24:07 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-27 17:40:24 163,840 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-30 16:24:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-27 17:40:24 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-30 16:24:07 8,990,720 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-27 17:40:24 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-30 16:24:07 167,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-27 03:12:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-29 19:40:31 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-27 03:12:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-29 19:40:31 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-29 19:40:31 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-15 20:55:44 127,035 ----a-w C:\WINDOWS\system32\dla\tfswctrl.exe
- 2008-01-27 18:16:53 1,570,352 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-01-28 14:09:31 1,570,352 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-07-12 05:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-03-14 04:31:24 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-07-12 05:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-03-14 04:31:28 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-07-12 06:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-03-14 06:04:46 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 04:40 24576 C:\WINDOWS\MIDIDEF.EXE]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [ ]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [ ]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [ ]
"MBMon"="CTMBHA.DLL" [2006-03-03 03:18 1355938 C:\WINDOWS\system32\CTMBHA.DLL]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"Start RF Wireless Mouse"="C:\Program Files\RF Wireless Mouse\cm20.exe" [ ]
"WD Button Manager"="WDBtnMgr.exe" [2007-01-14 08:43 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [ ]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [ ]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-16 14:54:27 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 04:19:24 237568]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OZ_ZQ-590A Synchronization Software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OZ_ZQ-590A Synchronization Software.lnk
backup=C:\WINDOWS\pss\OZ_ZQ-590A Synchronization Software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^FRED^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\FRED\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 20:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 14:01 67584 C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 10:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 10:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
--------- 2006-01-02 09:13 1126400 C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [2006-07-10 10:44]
S3 SPCP825K;Sunplus Serial port driver;C:\WINDOWS\system32\DRIVERS\SPCP825K.sys [2004-02-02 14:23]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5786853d-fd78-11da-8cb7-0015c51c88fa}]
\Shell\AutoRun\command - setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 23:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (FREDJOAKMAN-FRED).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-09-15 05:05:12 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-01-07 05:49:51 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 11:40:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-30 11:48:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-30 16:48:17
ComboFix2.txt 2008-01-27 21:26:40
ComboFix3.txt 2008-01-27 18:24:53
.
2008-01-08 23:54:04 --- E O F ---
Here is the new HiJack This Log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:22 AM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\DOCUME~1\FRED\LOCALS~1\Temp\clclean.0001
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\FRED\Desktop\MOON.EXE
C:\WINDOWS\system32\notepad.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - \Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - \Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{64617C4F-0F10-4316-9A7A-8E372853EE6C}: NameServer = 38.9.212.2,38.9.222.2
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 11886 bytes
Okay, the Adobe installer is popping up again when I click on icons on the desktop. My system came with Windows XP but didn't come with an XP CD. Just a drivers CD. I read up on it a bit and there was supposed to be some sort of restore program to reinstall the operating system? Not very convenient for us. Thanks a lot for your help once again. We'll get this bad boy figured out I'm sure. I'm happy to see that awvvu.dll is no longer anywhere to be found.
First of all congratulations, you may relax now. You may try Vundo.fix, it does no harm, but I don't expect it detects anything (active) at all. From now on it is not a question of malware but corrupted programs.
Step 1.
You forgot to remove the Java folder after uninstalling Java, please remove it now, path: C:\Program Files\Java. Then go to the search box and type in java. Remove all the items you find except the Java you have downloaded....
Step2.
Check the Internet privacy and set it to default if it is lowered (feedback please).
Step 3.
Run RenV again, then drag the log it produces to RenV.exe and check the log it produces this time. I expect it reports no item otherwise post the result.
Step 4.
Uninstall ComboFix by going to Start - Run, type: Combofix /u and click OK.
Step 5.
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Step 6.
Update your AV manually.
Step 7.
Reboot and apply ATF Cleaner. How is your PC running now?
Check if you still have Java in Add/Remove. Uninstall from there if that is the case. Otherwise end jusched.exe using Task Manager and remove the folder, then search with the search box and remove.
I did all that you instructed. Still no double click on startup. It seems like whatever is happening, the settings in my control panel under mouse are changing the double click speed to the fastest setting which keeps the double click from working. Seems like the adobe installer doesn't load when I right click on the desktop now. So that's good news.
Here is the latest hijack report.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:46 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\DOCUME~1\FRED\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Documents and Settings\FRED\Desktop\MOON.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - \Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - \Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{64617C4F-0F10-4316-9A7A-8E372853EE6C}: NameServer = 38.9.212.2,38.9.222.2
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 11489 bytes
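Reading a HijackThis log by hand, as this thread does twice, means scanning for the same handful of things every time. The Python script below is an added example, not a tool from this thread or from Trend Micro; it parses lines in the format of the logs posted above (the sample is built from lines copied from the log, nothing added) and lists the entries a reviewer would look at first: entries whose target file is missing, registry Run entries whose command is not a drive-rooted path, the per-interface DNS servers, and services with no vendor string. It flags nothing as malicious; the reason codes and the `triage` and `summarize` function names are assumptions of this example.

```python
"""Triage helper for HijackThis-style logs (added example; not a tool from
the thread or from Trend Micro). It decides nothing about malware: it only
surfaces the entries a human reviewer would check first."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the log posted above; every entry line
# is copied from it.  Header and process-list lines are included on purpose
# so the parser has to skip them.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{64617C4F-0F10-4316-9A7A-8E372853EE6C}: NameServer = 38.9.212.2,38.9.222.2
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

# "O4 - ..." / "R1 - ..." entry lines; everything else in the log is skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
# Registry Run entries only (Startup-folder O4 lines are a different shape).
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKUS\\\S+)\\\.\.\\Run(?:Once|Services)?: "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# A command is "rooted" if it starts with a drive letter, an environment
# variable, or a UNC prefix, optionally inside double quotes.
ROOTED_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%[A-Za-z_]+%\\|\\\\)')
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[0-9.,]+)")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O4" or "O23"
    reason: str    # short reason code (names chosen for this example)
    detail: str    # the log line, or the extracted value, to review


def parse_entries(log_text):
    """Return (section, body, line) for every entry line in the log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group("section"), match.group("body"), line))
    return entries


def triage(log_text):
    """List the entries a reviewer should look at first, in log order."""
    findings = []
    for section, body, line in parse_entries(log_text):
        # Target file gone: a leftover registration to clean up.
        if body.endswith("(file missing)") or body.endswith("(no file)"):
            findings.append(Finding(section, "target-missing", line))
        # Run entries without a rooted path are located by Windows via the
        # search path, so confirm which copy of the binary actually loads.
        if section == "O4":
            run = RUN_RE.match(body)
            if run and not ROOTED_RE.match(run.group("cmd")):
                findings.append(Finding(section, "run-unrooted-path", line))
        # Per-interface DNS servers: compare with the ISP or router values.
        if section == "O17":
            ns = NAMESERVER_RE.search(body)
            if ns:
                findings.append(Finding(section, "dns-servers", ns.group("servers")))
        # Services with no vendor string deserve a look at file origin.
        if section == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(section, "service-unknown-owner", line))
    return findings


def summarize(findings):
    """Count findings per reason code."""
    counts = {}
    for finding in findings:
        counts[finding.reason] = counts.get(finding.reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for finding in results:
        print(f"{finding.section:4} {finding.reason:22} {finding.detail}")
    print(summarize(results))
```

On the sample above the script reports the two orphaned O9 entries, the three Run entries given as bare file names (WDBtnMgr.exe, MIDIDef.exe and the Rundll32 call), the two NameServer addresses, and the PnkBstrA service; none of that is a verdict, only the short list to verify against the files on disk.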
It is indeed good news, let me think about the double click.
Meanwhile I want to make sure the malware is cleaned from system information volume:
Reboot and check if your computer is running fine. Then empty your restore volume to get rid of re-creation of the infection by Windows recovery. To do that: go to Start - Control Panel - System - System Restore - check "Turn off System Restore on all drives". Click Apply. By doing this you lose all your (often infected) restore points. Reboot and uncheck "Turn off System Restore on all drives" to create a clean restore point.
Okay I did the system restore instructions, looks to be fine. The only thing is that double click! It's pretty frustrating. I just don't know if I feel 100% about the clean yet until we can get the double click situation figured out. Thank you SO MUCH for all of your help! Let me know if you come up with any ideas for that.
THANKS!
Also, what did you want me to do with those three backup files you had me save? Is it safe to get rid of those now?
Thanks.
It is indeed frustrating but we will fix it. I suggest the following security-related steps
Step 1
Download Dr.Web CureIt from here to your desktop.
Reboot to go to safe mode "Safe Mode without Internet connection".
Run ATF cleaner once, select all and clean.
Double-click/run the "drweb-cureit.exe" and click "Start" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it finds, and when it says "done"
Click on Options -> Change settings.
Actions tab - Adware, Dialers, Riskware, Hacktools: use the dropdown menu and select Rename. Click Apply - OK
Click on Scan Tab. Choose Complete Scan. Click on The Green arrow to the right. It will now scan your drive(s), say yes to all.
After the scan, in the Dr.Web CureIt menu on top, click file and choose save report list.
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
Step 2
Please download and run Bit Defender 8 online scanner
Install the program and then follow the prompts to download all available updates.
Select Antivirus and then click the Settings button. Click Default. Click Ok.
Select Local Drives and click Scan.
When the scan is complete save the log and post it along with the DrWeb if these scans find anything.
Other than these two steps I would suggest performing the following repair steps: - Check your hard disc for errors. To do that: Start - My Computer - right-click the hard disk that you want to check (C:) - Properties - click Tools - Check Now.
Check everything in the error checking section, press Yes. - Do you have a connectable mouse to see if it works?
You can uninstall the wireless mouse driver, clean the registry and then reinstall the driver. - See if you could manage a Windows installation CD and perform the Windows system file scan I suggested before.
Keep those TQFont files a while, they don't do any harm and you may need them later on. The iplayer.ini is made again with a new name (iplayer.ini.ini). It should be a part of one of the media players you have on your system. I could not find any official reference to this file.
Again about the double click, you may try this:
- Go to add/remove and uninstall the software running your mouse
- Remove the folder in program file (C:\Program Files\RF Wireless Mouse)
- Go to C:\Document and settings\FRED\application data and remove (if there is) any folder with the name RF Wireless Mouse
- Go to C:\Document and settings\All users\application data and remove (if there is) any folder with the name RF Wireless Mouse
- Reboot and do a registry cleaning
- Install the software again
To make sure, after uninstalling check also C:\Document and settings\FRED\application data\local setting\application data and remove, if there is any, folder related to RF Wireless Mouse.
Of course you need a connectable mouse to be able to perform this because you lose contact after uninstalling.
I will follow through with your steps as soon as I can! Thank you so very much! Had a bit of trouble finding time to get on here. Work is demanding some days.
I really appreciate the help!
Talk with you soon, I'll let you know as soon as I go through your instructions!
Take your time. There is no active malware on your system. Just maybe some leftovers which are not causing any harm at the moment. When you have time find a cable connectable mouse and fix the double click problem first.
Sorry about the delay. Really busy weekend at work. I do feel better with my computer acting better, I'm going to go through your instructions tonight to find out about the double click.
Thank you again, sorry for the delay.