
Solved Antivirus XP 2008 infection gone?

Discussion in 'Malware and Virus Removal Archive' started by mtaffer, 2008/08/07.

  1. 2008/08/07
    mtaffer
    [Resolved] Antivirus XP 2008 infection gone?

    Hi again,

    I have a client that got this virus, and I downloaded the Malware Remover tool that supposedly gets rid of it. First I used ATF Cleaner, then I used the Malware Remover, and it appeared to get rid of that virus, but then screwy stuff started happening. We have a licensed copy of BitDefender Internet Security 2008 and now it won't install, telling me that the license has run out... which it hasn't. Also, it's having trouble getting to network servers, telling me "A device attached to the system is not functioning" (i.e. typing \\server\directory in the Run box). Also, the machine is running really slow, taking about 1 minute to access the My Computer drives, but checking says it does not need a defrag. One other thing: I tried to run a chkdsk, and the first two times it failed at the start and gave me a BSOD, before finally working on the 3rd reboot.

    Here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:11:02 PM, on 8/7/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\tm\tmsimg\bin\ftsrvrsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
    C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\OLAP\bin\msmdsrv.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\ODI\OStore\BIN\OSCMGR6.EXE
    C:\ODI\OStore\BIN\OSSERVER.EXE
    C:\SFU\common\rshsvc.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\WINDOWS\system32\PSXRUN.EXE
    C:\WINDOWS\system32\psxss.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe
    C:\SFU\Mapper\mapsvc.exe
    C:\SFU\usr\sbin\zzInterix
    C:\SFU\usr\sbin\init
    C:\SFU\usr\sbin\inetd
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\NetWaiting\netWaiting.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\WebEx\Productivity Tools\PTIM.exe
    C:\Program Files\WebEx\Productivity Tools\ptmsgfrm.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\WebEx\Productivity Tools\ptSrv.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\SFU\usr\sbin\cron
    C:\SFU\tm\tmsimg\bin\pcexchanged
    C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6060927
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6060927
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [PTIM.exe] C:\Program Files\WebEx\Productivity Tools\PTIM.exe
    O4 - HKCU\..\Run: [ptmsgfrm.exe] C:\Program Files\WebEx\Productivity Tools\ptmsgfrm.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll (HKCU)
    O9 - Extra 'Tools' menuitem: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll (HKCU)
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmscorp.com
    O17 - HKLM\Software\..\Telephony: DomainName = tmscorp.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tmscorp.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: McLeod Imaging Server (FTSRVR) - Unknown owner - C:\tm\tmsimg\bin\ftsrvrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LME 9.0 - - C:\mcleod_900\Win2000_tools\scheduler_service\LMEschedulerService.exe
    O23 - Service: LME Scheduler (demo_820) - - c:\mcleod_820\win2000_tools\scheduler_service\lmeschedulerservice.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: ObjectStore Cache Manager R6.0 - eXcelon Corp. - C:\ODI\OStore\BIN\OSCMGR6.EXE
    O23 - Service: ObjectStore Server R6.0 - eXcelon Corp. - C:\ODI\OStore\BIN\OSSERVER.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC*MILER TCP/IP Interface (tcpsvc) - Unknown owner - C:\Program Files\ALK Technologies\Tolls190\TCPIP\tcpsvc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 9186 bytes

    Thank you for your time :)
    mtaffer
     
  2. 2008/08/07
    Geri
    Hi mtaffer
    Which malware removal tool would that be?

    Thanks
    Geri
     

  4. 2008/08/07
    mtaffer
    Sorry about that.

    Malwarebytes' Anti-Malware
     
  5. 2008/08/07
    Geri
    Hi,
    OK, would you post the MBAM log it gave you and a Deckard's System Scanner log.

    Please download Deckard's System Scanner (dss.exe) and save it to your Desktop.
    Note: You must be logged onto an account with administrator privileges to complete the following.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy and then paste the contents of main.txt and extra.txt in your next reply.

    Please post the "main.txt" log only for now.

    Thanks
    Geri
     
  6. 2008/08/07
    mtaffer
    Malwarebytes' log

    Here is the Malwarebytes log; I am about to start the Deckard scanner.

    Malwarebytes' Anti-Malware 1.24
    Database version: 1030
    Windows 5.1.2600 Service Pack 2

    6:33:46 PM 8/6/2008
    mbam-log-8-6-2008 (18-33-46).txt

    Scan type: Quick Scan
    Objects scanned: 101175
    Time elapsed: 30 minute(s), 36 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 4
    Registry Data Items Infected: 2
    Folders Infected: 13
    Files Infected: 23

    Memory Processes Infected:
    C:\WINDOWS\system32\CbEvtSvc.exe (Trojan.MyDoom) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcr5oj0e13c (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\rhcr5oj0e13c (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc (Trojan.MyDoom) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\rhcr5oj0e13c (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\rhcr5oj0e13c (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\rhcr5oj0e13c\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\rhcr5oj0e13c\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\rhcr5oj0e13c\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\rhcr5oj0e13c\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\rhcr5oj0e13c\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\rhcr5oj0e13c\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\rhcr5oj0e13c\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\rhcr5oj0e13c\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\rhcr5oj0e13c\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\rhcr5oj0e13c\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\lphcv5oj0e13c.exe (Trojan.Downloader) -> Delete on reboot.
    C:\WINDOWS\Temp\B7.tmp (Rootkit.Rustock) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\456V83GB\04scan[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\install[1].exe (Rootkit.Rustock) -> Quarantined and deleted successfully.
    C:\Program Files\rhcr5oj0e13c\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\rhcr5oj0e13c\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\rhcr5oj0e13c\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\rhcr5oj0e13c\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\rhcr5oj0e13c\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\rhcr5oj0e13c\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\rhcr5oj0e13c\rhcr5oj0e13c.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\rhcr5oj0e13c\rhcr5oj0e13c.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\rhcr5oj0e13c\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\blphcv5oj0e13c.scr (Trojan.FakeAlert) -> Delete on reboot.
    C:\WINDOWS\system32\phcv5oj0e13c.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\pphcv5oj0e13c.exe (Trojan.FakeAlert) -> Delete on reboot.
    C:\WINDOWS\system32\CbEvtSvc.exe (Trojan.MyDoom) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.


    Thanks again, :)
    mtaffer
     
  7. 2008/08/07
    mtaffer
    Deckard's log

    Here is main.txt as requested.

    Deckard's System Scanner v20071014.68
    Run by tedk on 2008-08-07 16:10:03
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    9: 2008-08-07 21:10:09 UTC - RP9 - Deckard's System Scanner Restore Point
    8: 2008-08-07 17:52:28 UTC - RP8 - Removed BitDefender Internet Security 2008
    7: 2008-08-07 15:37:33 UTC - RP7 - Installed BitDefender Internet Security 2008
    6: 2008-08-07 14:17:31 UTC - RP6 - Removed BitDefender Internet Security 2008
    5: 2008-08-07 13:39:47 UTC - RP5 - Installed BitDefender Internet Security 2008


    -- First Restore Point --
    1: 2008-08-06 22:11:55 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as tedk.exe) ------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:11:41 PM, on 8/7/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\tm\tmsimg\bin\ftsrvrsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
    C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\OLAP\bin\msmdsrv.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\ODI\OStore\BIN\OSCMGR6.EXE
    C:\ODI\OStore\BIN\OSSERVER.EXE
    C:\SFU\common\rshsvc.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\WINDOWS\system32\PSXRUN.EXE
    C:\WINDOWS\system32\psxss.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe
    C:\SFU\Mapper\mapsvc.exe
    C:\SFU\usr\sbin\zzInterix
    C:\SFU\usr\sbin\init
    C:\SFU\usr\sbin\inetd
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\NetWaiting\netWaiting.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\WebEx\Productivity Tools\PTIM.exe
    C:\Program Files\WebEx\Productivity Tools\ptmsgfrm.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\WebEx\Productivity Tools\ptSrv.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\SFU\usr\sbin\cron
    C:\SFU\tm\tmsimg\bin\pcexchanged
    C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\AcroTray.exe
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Documents and Settings\tedk\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\tedk.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6060927
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6060927
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [PTIM.exe] C:\Program Files\WebEx\Productivity Tools\PTIM.exe
    O4 - HKCU\..\Run: [ptmsgfrm.exe] C:\Program Files\WebEx\Productivity Tools\ptmsgfrm.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll (HKCU)
    O9 - Extra 'Tools' menuitem: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll (HKCU)
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmscorp.com
    O17 - HKLM\Software\..\Telephony: DomainName = tmscorp.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tmscorp.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: McLeod Imaging Server (FTSRVR) - Unknown owner - C:\tm\tmsimg\bin\ftsrvrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LME 9.0 - - C:\mcleod_900\Win2000_tools\scheduler_service\LMEschedulerService.exe
    O23 - Service: LME Scheduler (demo_820) - - c:\mcleod_820\win2000_tools\scheduler_service\lmeschedulerservice.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: ObjectStore Cache Manager R6.0 - eXcelon Corp. - C:\ODI\OStore\BIN\OSCMGR6.EXE
    O23 - Service: ObjectStore Server R6.0 - eXcelon Corp. - C:\ODI\OStore\BIN\OSSERVER.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC*MILER TCP/IP Interface (tcpsvc) - Unknown owner - C:\Program Files\ALK Technologies\Tolls190\TCPIP\tcpsvc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 9260 bytes

    -- File Associations -----------------------------------------------------------

    .reg - regfile - shell\open\command - regedit.exe "%1" %*
    .scr - scrfile - shell\open\command - "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
    R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
    R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
    R2 InAspi32 - c:\windows\system32\drivers\inaspi32.sys <Not Verified; Initio Corporation; Initio Aspi32 Driver For Windows NT>
    R3 Portmap - c:\windows\system32\drivers\portmap.sys <Not Verified; Microsoft Corporation; Microsoft Windows Services for UNIX>
    R3 PsxDrv - c:\windows\system32\drivers\psxdrv.sys <Not Verified; Microsoft Corporation; Microsoft Windows Services for UNIX>
    R3 RpcXdr - c:\windows\system32\drivers\rpcxdr.sys <Not Verified; Microsoft Corporation; Microsoft Windows Services for UNIX>

    S2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>
    S3 BW2NDIS5 - c:\windows\system32\drivers\bw2ndis5.sys (file missing)
    S3 CSVirtA (Cisco Systems SSL VPN Adapter) - c:\windows\system32\drivers\csvirta.sys (file missing)
    S3 DSproct - c:\program files\dell support\gtaction\triggers\dsproct.sys (file missing)
    S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
    S3 SMNDIS5 (SMNDIS5 NDIS Protocol Driver) - c:\program files\verizon wireless\vzaccess manager\smndis5.sys <Not Verified; Smith Micro Software, Inc.; QuickLink Wi-Fi>
    S3 Sntnlusb (Rainbow USB SuperPro) - c:\windows\system32\drivers\sntnlusb.sys <Not Verified; Rainbow Technologies Inc.; Rainbow Technologies USB Security Device Driver>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 FTSRVR (McLeod Imaging Server) - c:\tm\tmsimg\bin\ftsrvrsvc.exe
    R2 Mapsvc (User Name Mapping) - c:\sfu\mapper\mapsvc.exe <Not Verified; Microsoft Corporation; Microsoft Windows Services for UNIX>
    R2 NICCONFIGSVC - c:\program files\dell\quickset\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
    R2 ObjectStore Cache Manager R6.0 - c:\odi\ostore\bin\oscmgr6.exe <Not Verified; eXcelon Corp.; ObjectStore>
    R2 ObjectStore Server R6.0 - c:\odi\ostore\bin\osserver.exe <Not Verified; eXcelon Corp.; ObjectStore>
    R2 RshSvc (Remote Shell Service) - c:\sfu\common\rshsvc.exe <Not Verified; Microsoft Corporation; Microsoft Windows Services for UNIX>
    R2 zzInterix (Interix Subsystem Startup) - c:\windows\system32\psxrun.exe <Not Verified; Microsoft Corporation; Microsoft Windows Services for UNIX>

    S3 LME 9.0 - c:\mcleod_900\win2000_tools\scheduler_service\lmeschedulerservice.exe
    S3 LME Scheduler (demo_820) - c:\mcleod_820\win2000_tools\scheduler_service\lmeschedulerservice.exe
    S3 tcpsvc (PC*MILER TCP/IP Interface) - c:\program files\alk technologies\tolls190\tcpip\tcpsvc.exe
    S4 CronService (Windows Cron Service) - c:\sfu\common\cron.exe <Not Verified; Microsoft Corporation; Microsoft Windows Services for UNIX>
    S4 PerlSock (Perl Socket Service) - c:\sfu\perl\bin\perlsock.exe <Not Verified; ActiveState Tool Corp.; ActiveState PerlSock>
    S4 tcsd_win32.exe (NTRU Hybrid TSS v2.0.25 TCS) - "c:\program files\ntru cryptosystems\ntru hybrid tss v2.0.25\bin\tcsd_win32.exe"


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco Systems VPN Adapter
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter
    PNP Device ID: ROOT\NET\0000
    Service: CVirtA


    -- Files created between 2008-07-07 and 2008-08-07 -----------------------------

    2008-08-07 13:10:12 0 d-------- C:\Program Files\Trend Micro
    2008-08-07 10:38:30 0 d-------- C:\WINDOWS\LastGood.Tmp
    2008-08-07 10:37:43 0 d-------- C:\Program Files\BitDefender
    2008-08-07 10:36:36 0 d-------- C:\Program Files\Common Files\BitDefender
    2008-08-07 10:29:33 0 d-------- C:\Documents and Settings\All Users\Local Settings
    2008-08-07 09:15:56 0 d-------- C:\Documents and Settings\tedk\Application Data\SUPERAntiSpyware.com
    2008-08-07 08:48:48 81984 --a------ C:\WINDOWS\system32\bdod.bin
    2008-08-06 18:43:53 0 d-------- C:\Documents and Settings\administrator.MCLEOD\Application Data\Malwarebytes
    2008-08-06 17:53:21 0 d-------- C:\Documents and Settings\tedk\Application Data\Malwarebytes
    2008-08-06 17:53:17 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-06 17:53:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-06 17:13:10 94208 --a------ C:\WINDOWS\system32\pphcv5oj0e13c.exe
    2008-08-06 17:11:47 70144 --a------ C:\WINDOWS\system32\blphcv5oj0e13c.scr
    2008-08-06 17:11:32 109762 --a------ C:\WINDOWS\system32\drivers\138a9884.sys
    2008-07-18 08:16:23 0 d-------- C:\Documents and Settings\tedk\Application Data\Productivity Tools
    2008-07-18 08:16:00 0 d-------- C:\Documents and Settings\tedk\Application Data\Webex


    -- Find3M Report ---------------------------------------------------------------

    2008-08-07 14:39:33 0 d-------- C:\Documents and Settings\tedk\Application Data\AdobeUM
    2008-08-07 10:36:36 0 d-------- C:\Program Files\Common Files
    2008-07-29 17:56:08 0 --a------ C:\WINDOWS\system32\fax
    2008-07-18 11:32:44 0 d-------- C:\Documents and Settings\tedk\Application Data\U3
    2008-07-18 08:16:28 0 d-------- C:\Program Files\WebEx
    2008-06-19 19:03:19 0 d-------- C:\Documents and Settings\tedk\Application Data\Adobe
    2008-06-16 18:58:19 0 d-------- C:\Program Files\Cisco Systems
    2008-06-16 18:56:55 0 d-------- C:\Documents and Settings\tedk\Application Data\Sun
    2008-06-15 20:32:31 0 d-------- C:\Program Files\Picasa2
    2008-06-08 15:36:37 0 d-------- C:\Documents and Settings\tedk\Application Data\Help


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [12/15/2006 04:23 AM]
    "SigmatelSysTrayApp"="stsystra.exe" [03/24/2006 04:30 PM C:\WINDOWS\stsystra.exe]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [12/13/2005 04:44 PM]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [12/13/2005 04:45 PM]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [12/13/2005 04:41 PM]
    "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [12/19/2005 08:08 AM]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [10/07/2005 12:13 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [09/10/2003 02:24 AM]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [09/07/2007 09:25 AM]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [02/25/2008 08:23 PM]
    "PTIM.exe"="C:\Program Files\WebEx\Productivity Tools\PTIM.exe" [06/03/2008 02:16 PM]
    "ptmsgfrm.exe"="C:\Program Files\WebEx\Productivity Tools\ptmsgfrm.exe" [06/03/2008 02:17 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [9/27/2006 3:13:55 AM]
    Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [5/3/2005 10:07:32 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"=1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=1 (0x1)
    "NoDispBackgroundPage"=0 (0x0)
    "NoDispScrSavPage"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"= scecli pswdsync

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1124\Scripts\Logon\0\0]
    "Script"=xdrivemapping.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1124\Scripts\Logon\1\0]
    "Script"=xdrivemapping.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1198\Scripts\logon\0\0]
    "Script"=connectXDrive.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-3673\Scripts\Logon\0\0]
    "Script"=xdrivemapping.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-3673\Scripts\Logon\1\0]
    "Script"=xdrivemapping.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-500\Scripts\logon\0\0]
    "Script"=connectXDrive.vbs

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
    backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^tedk^Start Menu^Programs^Startup^procexp.exe]
    path=C:\Documents and Settings\tedk\Start Menu\Programs\Startup\procexp.exe
    backup=C:\WINDOWS\pss\procexp.exeStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
    C:\Program Files\Dell\QuickSet\quickset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
    C:\Program Files\NetWaiting\netWaiting.exe


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2e273a9-eeeb-11dc-9fa4-00188baa7821}]
    AutoRun\command- E:\LaunchU3.exe




    -- Hosts -----------------------------------------------------------------------

    192.168.1.102 HP000D9D1023E5


    -- End of Deckard's System Scanner: finished at 2008-08-07 16:12:12 ------------

    Thank You, :)
    mtaffer
     
  8. 2008/08/07
    Geri
    Hi mtaffer
    I see you posted on another forum in relation to this,
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1124\Scripts\Logon\0\0]
    "Script"=xdrivemapping.bat

    I'm assuming you know what this is and it's OK?

    Please do this.

    ** dss.exe must be on the desktop for the following command to work. **

    Highlight and copy the bolded command below.

    "%userprofile%\desktop\dss.exe" /daft
    • Click Start>Run and paste the command in the run box, then hit enter.
    • An interface of Deckards file association fix will open.
    • Click Scan.
    • Check the box next to the following, then click Fix.
      • .reg
      • .scr
    • Exit when complete.

    Now run Combofix.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the ComboFix log.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the CF log and answer my question.

    Thanks
    Geri
     
  9. 2008/08/08
    mtaffer

    combofix log

    Geri,

    Here is the ComboFix log as requested. I do know what that .bat file is for; it is company-related.
    Also, the //backup is company-related as well. Thanks for asking those questions.

    ComboFix 08-08-08.01 - tedk 2008-08-08 8:41:31.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1447 [GMT -5:00]
    Running from: C:\Documents and Settings\tedk\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Documents and Settings\tedk\Application Data\macromedia\Flash Player\#SharedObjects\W9R2U3TL\interclick.com
    C:\Documents and Settings\tedk\Application Data\macromedia\Flash Player\#SharedObjects\W9R2U3TL\interclick.com\ud.sol
    C:\Documents and Settings\tedk\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
    C:\Documents and Settings\tedk\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
    C:\WINDOWS\Downloaded Program Files\setup.inf
    C:\WINDOWS\system32\blphcv5oj0e13c.scr
    C:\WINDOWS\system32\drivers\138a9884.sys
    C:\WINDOWS\system32\pphcv5oj0e13c.exe

    ----- BITS: Possible infected sites -----

    http://backup
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_138a9884


    ((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
    .

    2008-08-07 16:09 . 2008-08-07 16:09 <DIR> d-------- C:\Deckard
    2008-08-07 13:10 . 2008-08-07 13:10 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-07 10:38 . 2008-08-07 12:52 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
    2008-08-07 10:37 . 2008-08-07 10:37 <DIR> d-------- C:\Program Files\BitDefender
    2008-08-07 10:36 . 2008-08-07 12:53 <DIR> d-------- C:\Program Files\Common Files\BitDefender
    2008-08-07 09:15 . 2008-08-07 09:15 <DIR> d-------- C:\Documents and Settings\tedk\Application Data\SUPERAntiSpyware.com
    2008-08-07 08:48 . 2008-08-07 10:40 81,984 --a------ C:\WINDOWS\system32\bdod.bin
    2008-08-07 08:48 . 2008-08-07 12:52 121 --a------ C:\WINDOWS\bdagent.INI
    2008-08-06 18:43 . 2008-08-06 18:43 <DIR> d-------- C:\Documents and Settings\administrator.MCLEOD\Application Data\Malwarebytes
    2008-08-06 17:53 . 2008-08-06 17:53 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-06 17:53 . 2008-08-06 17:53 <DIR> d-------- C:\Documents and Settings\tedk\Application Data\Malwarebytes
    2008-08-06 17:53 . 2008-08-06 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-06 17:53 . 2008-07-30 20:14 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-06 17:53 . 2008-07-30 20:14 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-06 17:13 . 2008-08-06 17:13 0 --a------ C:\WINDOWS\system32\C2.tmp
    2008-07-18 08:16 . 2008-07-21 12:47 <DIR> d-------- C:\Documents and Settings\tedk\Application Data\Webex
    2008-07-18 08:16 . 2008-07-18 08:16 <DIR> d-------- C:\Documents and Settings\tedk\Application Data\Productivity Tools

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-07 19:39 --------- d-----w C:\Documents and Settings\tedk\Application Data\AdobeUM
    2008-08-07 13:27 --------- d-----w C:\Documents and Settings\lmeadm\Application Data\Lavasoft
    2008-07-18 16:32 --------- d-----w C:\Documents and Settings\tedk\Application Data\U3
    2008-07-18 13:16 --------- d-----w C:\Program Files\WebEx
    2008-06-16 23:58 --------- d-----w C:\Program Files\Cisco Systems
    2008-06-16 01:32 --------- d-----w C:\Program Files\Picasa2
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 02:24 20480]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-07 09:25 68856]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 20:23 443968]
    "PTIM.exe"="C:\Program Files\WebEx\Productivity Tools\PTIM.exe" [2008-06-03 14:16 210248]
    "ptmsgfrm.exe"="C:\Program Files\WebEx\Productivity Tools\ptmsgfrm.exe" [2008-06-03 14:17 42312]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23 75520]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 16:44 98304]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 16:45 118784]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 16:41 77824]
    "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 08:08 1347584]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 12:13 176128]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-09-27 03:13:55 24576]
    Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32 81920]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "SENTINEL"= snti386.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1124\Scripts\Logon\0\0]
    "Script"=xdrivemapping.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1124\Scripts\Logon\1\0]
    "Script"=xdrivemapping.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1198\Scripts\logon\0\0]
    "Script"=connectXDrive.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-3673\Scripts\Logon\0\0]
    "Script"=xdrivemapping.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-3673\Scripts\Logon\1\0]
    "Script"=xdrivemapping.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-500\Scripts\logon\0\0]
    "Script"=connectXDrive.vbs

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
    backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^tedk^Start Menu^Programs^Startup^procexp.exe]
    path=C:\Documents and Settings\tedk\Start Menu\Programs\Startup\procexp.exe
    backup=C:\WINDOWS\pss\procexp.exeStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
    --a------ 2006-06-29 12:13 1032192 C:\Program Files\Dell\QuickSet\quickset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    --a------ 2005-12-09 20:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    --a------ 2004-05-12 16:18 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2004-02-12 14:38 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    --a------ 2005-07-22 22:25 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
    --a------ 2003-09-10 02:24 20480 C:\Program Files\NetWaiting\netwaiting.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

    R2 FTSRVR;McLeod Imaging Server;C:\tm\tmsimg\bin\ftsrvrsvc.exe [2005-11-28 12:21]
    R2 InAspi32;InAspi32;C:\WINDOWS\system32\drivers\InAspi32.sys [2004-11-05 00:19]
    R2 Mapsvc;User Name Mapping;C:\SFU\Mapper\mapsvc.exe [2003-11-08 14:42]
    R2 MsDtsServer;SQL Server Integration Services;C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2005-10-14 03:45]
    R2 msftesql$UC2007;SQL Server FullText Search (UC2007);C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe [2005-08-26 16:00]
    R2 MSOLAP$UC2007;SQL Server Analysis Services (UC2007);C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe [2005-10-14 03:46]
    R2 MSSQL$UC2007;SQL Server (UC2007);C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2005-10-14 03:51]
    R2 ObjectStore Cache Manager R6.0;ObjectStore Cache Manager R6.0;C:\ODI\OStore\BIN\OSCMGR6.EXE [2005-07-06 14:28]
    R2 ObjectStore Server R6.0;ObjectStore Server R6.0;C:\ODI\OStore\BIN\OSSERVER.EXE [2005-07-06 14:28]
    R2 RshSvc;Remote Shell Service;C:\SFU\common\rshsvc.exe [2003-11-08 14:46]
    R2 zzInterix;Interix Subsystem Startup;C:\WINDOWS\system32\PSXRUN.EXE [2003-11-08 14:45]
    R3 Portmap;Portmap;C:\WINDOWS\system32\drivers\portmap.sys [2003-11-08 14:42]
    R3 PsxDrv;PsxDrv;C:\WINDOWS\system32\drivers\PSXDRV.SYS [2003-11-08 14:45]
    R3 RpcXdr;RpcXdr;C:\WINDOWS\system32\drivers\rpcxdr.sys [2003-11-08 14:42]
    S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
    S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\WINDOWS\system32\DRIVERS\CSVirtA.sys []
    S3 LME 9.0;LME 9.0;C:\mcleod_900\Win2000_tools\scheduler_service\LMEschedulerService.exe [2008-01-16 11:57]
    S3 LME Scheduler (demo_820);LME Scheduler (demo_820);c:\mcleod_820\win2000_tools\scheduler_service\lmeschedulerservice.exe [2007-08-07 15:40]
    S3 PTDWBus;Curitel PC Card Composite Device driver (UDP);C:\WINDOWS\system32\DRIVERS\PTDWBus.sys [2007-04-06 02:49]
    S3 PTDWMdm;Curitel PC Card Drivers (UDP);C:\WINDOWS\system32\DRIVERS\PTDWMdm.sys [2007-04-06 02:49]
    S3 PTDWVsp;Curitel PC Card Diagnostic Serial Port (UDP);C:\WINDOWS\system32\DRIVERS\PTDWVsp.sys [2007-04-06 02:49]
    S3 PWCTLDRV;The NECHostController Filter Driver;C:\WINDOWS\system32\drivers\PWCTLDRV.sys [2007-04-09 00:25]
    S3 SQLAgent$UC2007;SQL Server Agent (UC2007);C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE [2005-10-14 03:51]
    S3 tcpsvc;PC*MILER TCP/IP Interface;C:\Program Files\ALK Technologies\Tolls190\TCPIP\tcpsvc.exe [2005-05-06 14:38]
    S4 CronService;Windows Cron Service;C:\SFU\common\cron.exe [2003-11-08 14:46]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 07:01]
    S4 PerlSock;Perl Socket Service;C:\SFU\Perl\bin\PerlSock.exe [2003-11-08 15:05]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2e273a9-eeeb-11dc-9fa4-00188baa7821}]
    \Shell\AutoRun\command - E:\LaunchU3.exe
    .
    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.foxnews.com/
    R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
    R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
    O8 -: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 -: &Translate English Word - C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 -: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 -: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 -: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 -: Translate Page into English - C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-08 08:44:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$UC2007]
    "ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:UC2007"
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\WLTRYSVC.EXE
    C:\WINDOWS\system32\BCMWLTRY.EXE
    C:\WINDOWS\system32\scardsvr.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\PROGRA~1\MI6841~1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\OLAP\bin\msmdsrv.exe
    C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\WINDOWS\system32\PSXSS.EXE
    C:\SFU\usr\sbin\zzInterix
    C:\SFU\usr\sbin\init
    C:\SFU\usr\sbin\inetd
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Apoint\hidfind.exe
    C:\Program Files\Apoint\ApntEx.exe
    C:\SFU\usr\sbin\cron
    C:\SFU\tm\tmsimg\bin\getimgd
    C:\SFU\tm\tmsimg\bin\imgnumd
    C:\SFU\tm\tmsimg\bin\nagent
    C:\SFU\tm\tmsimg\bin\tmsimgd
    C:\SFU\tm\tmsimg\bin\wflowd
    C:\SFU\tm\tmsimg\bin\xdbd
    C:\SFU\tm\tmsimg\bin\pcexchanged
    C:\WINDOWS\system32\wbem\wmiadap.exe
    C:\WINDOWS\system32\verclsid.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-08 8:48:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-08 13:48:42

    Pre-Run: 50,810,912,768 bytes free
    Post-Run: 50,783,760,384 bytes free

    220 --- E O F --- 2008-03-25 03:51:31

    Thank you again, :)
    mtaffer
     
    Last edited: 2008/08/08
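The DSS log in the earlier post and the ComboFix log in this one show the same three things: the .reg and .scr open commands that DSS listed differ from the XP defaults, three random-named files landed in system32 on 2008-08-06 (pphcv5oj0e13c.exe, blphcv5oj0e13c.scr and drivers\138a9884.sys, with a service registered for the driver), and ComboFix lists the Security Center AntiVirusOverride and the standard-profile firewall in their weakened state. The Python script below is an added example, not part of the thread and not code from DSS, ComboFix or any other tool named here. It parses lines in the shape of those logs, reports the three conditions, and emits the REGEDIT4 text that puts the two open commands back to their defaults, which is the effect of the dss.exe /daft step in Geri's reply. Assumptions, also marked in the code: the XP default open commands for regfile and scrfile, a file-name regex generalised from the three names seen here (not a published signature), and the embedded sample lines, which are constructed from the posted logs. The AntiVirusOverride and EnableFirewall values are only reported, not changed, because on a domain machine with login scripts they may be a deliberate administrative choice.

```python
"""Triage helpers for a Deckard's System Scanner / ComboFix style log.
Added example, not from the thread or the tools: flags altered .reg/.scr open
commands, fresh random-named files in system32, and weakened host settings."""
import re
from datetime import date

# Windows XP defaults for the two associations DSS listed (assumed; confirm on a clean build).
DEFAULT_ASSOC = {".reg": 'regedit.exe "%1"', ".scr": '"%1" /S'}

# Names seen in the posted logs: pphc<random>.exe, blphc<random>.scr, <8 hex>.sys.
# Assumed pattern generalised from those three names, not a published signature.
ROGUE_NAME = re.compile(r"^(?:pphc|blphc)[a-z0-9]{8,}\.(?:exe|scr)$|^[0-9a-f]{8}\.sys$", re.I)

# ComboFix values and the setting that weakens the host (AV monitoring overridden, firewall off).
WEAK_SETTINGS = {"AntiVirusOverride": 1, "EnableFirewall": 0}

ASSOC_RE = re.compile(r"^\s*(\.\w+) - (\w+) - shell\\open\\command - (.*?)\s*$")
FILE_RE = re.compile(r"^\s*(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (\d+) (\S+) (.+?)\s*$")
REG_RE = re.compile(r'^\s*"(\w+)\s*"\s*=\s*(.+?)\s*$')
SCAN_DATE = date(2008, 8, 7)

# Constructed sample in the shape of the DSS and ComboFix lines posted above.
SAMPLE_LOG = r"""
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
2008-08-07 13:10:12 0 d-------- C:\Program Files\Trend Micro
2008-08-06 17:13:10 94208 --a------ C:\WINDOWS\system32\pphcv5oj0e13c.exe
2008-08-06 17:11:47 70144 --a------ C:\WINDOWS\system32\blphcv5oj0e13c.scr
2008-08-06 17:11:32 109762 --a------ C:\WINDOWS\system32\drivers\138a9884.sys
2008-08-06 17:53:17 17144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride "=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)
"""


def check_assocs(text):
    """Return (ext, progid, actual, expected) for known types whose open command differs."""
    found = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line)
        if not m or m.group(1).lower() not in DEFAULT_ASSOC:
            continue
        ext, progid, actual = m.group(1).lower(), m.group(2), m.group(3)
        if actual != DEFAULT_ASSOC[ext]:
            found.append((ext, progid, actual, DEFAULT_ASSOC[ext]))
    return found


def find_rogue_files(text, scan_date=SCAN_DATE, within_days=30):
    """Return system32 files created within `within_days` of the scan that match ROGUE_NAME."""
    found = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if not m or m.group(3).startswith("d"):  # attribute column 'd...' means a directory
            continue
        created, path = date.fromisoformat(m.group(1)), m.group(4)
        name = path.rsplit("\\", 1)[-1]
        if ("\\windows\\system32\\" in path.lower() and ROGUE_NAME.match(name)
                and 0 <= (scan_date - created).days <= within_days):
            found.append(path)
    return found


def _reg_int(raw):
    """Parse 'dword:00000001' or '0 (0x0)' the way the tools print values."""
    raw = raw.strip().lower()
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"\d+", raw)
    return int(m.group(0)) if m else None


def check_hardening(text):
    """Return (name, value) for Security Center / firewall values left in their weak state."""
    found = []
    for line in text.splitlines():
        m = REG_RE.match(line)
        if m and m.group(1) in WEAK_SETTINGS and _reg_int(m.group(2)) == WEAK_SETTINGS[m.group(1)]:
            found.append((m.group(1), WEAK_SETTINGS[m.group(1)]))
    return found


def restore_assoc_reg(assoc_findings):
    """Build REGEDIT4 text that puts the flagged open commands back to their defaults."""
    esc = lambda s: s.replace("\\", "\\\\").replace('"', '\\"')  # .reg string escaping
    parts = ["REGEDIT4", ""]
    for _ext, progid, _actual, expected in assoc_findings:
        parts += [f"[HKEY_CLASSES_ROOT\\{progid}\\shell\\open\\command]", f'@="{esc(expected)}"', ""]
    return "\n".join(parts)


def triage(text, scan_date=SCAN_DATE):
    return {"assocs": check_assocs(text), "rogue_files": find_rogue_files(text, scan_date),
            "weak_settings": check_hardening(text)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for section, items in report.items():
        print(section, *items, sep="\n  ")
    print(restore_assoc_reg(report["assocs"]))
```

Run it against a saved DSS or ComboFix log by passing the file contents to triage(); the date and size columns are what keep the file check from matching every .sys under drivers, so feed it the "Files created" section rather than the Find3M section, whose entries carry no size. The generated .reg text is meant to be reviewed and then imported with regedit on the affected machine, not applied blindly, and it only covers the two types DSS flagged; any other type would need its own entry in DEFAULT_ASSOC.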
  10. 2008/08/08
    Geri
    Hi mtaffer
    OK that log looks good.

    How are things running?

    Geri
     
  11. 2008/08/08
    mtaffer

    He said yes

    I just talked to him and he said the machine was "smokin".

    Thanks again for all your help. :)
    mtaffer
     
  12. 2008/08/08
    Geri
    Hi mtaffer
    OK that's good to hear.

    Please have him do this.

    Click Start > Run, type or paste ComboFix /u into the run box, then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing the infected files there as well.

    He can delete dss.exe and this folder if present, C:\Deckard

    Please look at this link for some preventive recommendations. It could keep you from ending up back here in the Spyware and Virus Removal Forums.
    http://www.windowsbbs.com/showthread.php?t=67958

    I'll mark this one resolved.

    Surf Safely
    Geri
     
