Please Help - Is this log infected?
Run in the order I put them.
Run HijackThis again and FIX those items I listed, then continue down the list.
Fixed the items in post 18, here is the new log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:29:32, on 24/01/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-grpj
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 5722 bytes
Running ComboFix now.
Here is the combo fix log:
ComboFix 10-01-23.06 - Paul 2010-01-24 16:51:14.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.293 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\kb913800.exe
c:\windows\system32\drivers\mujxafotqryc.sys
c:\windows\system32\drivers\RkPavProc.sys
c:\windows\system32\drivers\tjqmyoibrudx.sys
c:\windows\system32\STEC3.sys
.
original MBR restored successfully !
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_STEC3
\Service_STEC3
\Legacy_mujxafotqryc
\Legacy_RkPavProc
\Legacy_tjqmyoibrudx
\Service_mujxafotqryc
\Service_RkPavProc
\Service_tjqmyoibrudx
((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))
.
2010-01-24 14:47 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-24 14:47 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-21 21:07 . 2010-01-21 21:07 d-----w- c:\documents and settings\All Users\Application Data\ReviverSoft
2010-01-19 21:59 . 2010-01-19 21:59 d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-01-19 21:59 . 2010-01-19 21:59 d-----w- c:\program files\Defraggler
2010-01-19 20:58 . 2010-01-19 20:58 d-----w- c:\windows\system32\CatRoot_bak
2010-01-19 20:57 . 2010-01-19 20:57 d-----w- c:\program files\MSXML 4.0
2010-01-17 18:52 . 2010-01-19 19:38 d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Temp
2010-01-13 15:42 . 2010-01-13 15:42 d-----w- c:\windows\ServicePackFiles
2010-01-13 15:21 . 2008-05-01 14:30 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2010-01-13 15:20 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2010-01-13 15:19 . 2008-04-21 10:02 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-01-12 21:34 . 2010-01-12 21:34 d-----w- c:\documents and settings\Vicky\Application Data\Malwarebytes
2010-01-12 21:30 . 2004-08-04 00:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-01-12 21:30 . 2004-08-04 00:56 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-01-10 18:57 . 2010-01-10 18:57 32400 ----a-w- c:\documents and settings\Vicky\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-10 18:12 . 2010-01-10 18:12 d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-10 17:56 . 2010-01-10 17:56 d-----w- c:\documents and settings\Paul\Application Data\Malwarebytes
2010-01-10 17:56 . 2010-01-10 17:56 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-10 17:56 . 2010-01-24 15:06 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-05 21:05 . 2010-01-05 21:05 d-----w- c:\documents and settings\Vicky\Local Settings\Application Data\Citrix
2010-01-05 21:05 . 2010-01-05 21:05 61224 ----a-w- c:\documents and settings\Vicky\GoToAssistDownloadHelper.exe
2010-01-03 18:47 . 2010-01-03 18:47 d-----w- c:\documents and settings\Del\Local Settings\Application Data\Apple Computer
2010-01-03 18:47 . 2010-01-03 18:47 d-----w- c:\documents and settings\Del\Local Settings\Application Data\SupportSoft
2010-01-01 17:16 . 2010-01-01 17:16 d-----w- c:\documents and settings\Vicky\Local Settings\Application Data\SupportSoft
2009-12-30 13:50 . 2009-12-30 13:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-30 13:49 . 2009-12-30 13:49 152576 ----a-w- c:\documents and settings\Paul\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-30 13:48 . 2009-12-30 13:48 79488 ----a-w- c:\documents and settings\Paul\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-29 15:58 . 2010-01-01 17:17 d-----w- c:\documents and settings\HelpAssistant\UserData
2009-12-29 15:58 . 2009-12-29 15:58 d-----w- c:\documents and settings\HelpAssistant\Shared
2009-12-29 15:58 . 2009-12-29 15:58 d-----w- c:\documents and settings\HelpAssistant\Phone Browser
2009-12-28 20:03 . 2009-12-28 20:03 d-----w- c:\documents and settings\HelpAssistant\Incomplete
2009-12-28 20:03 . 2008-08-22 18:25 61224 ----a-w- c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe
2009-12-28 20:02 . 2009-12-28 20:02 d-----w- c:\documents and settings\HelpAssistant\.limewire
2009-12-28 20:02 . 2009-12-28 20:02 d-----w- c:\documents and settings\HelpAssistant\.housecall6.6
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-24 13:53 . 2006-08-13 14:42 d-----w- c:\program files\Dl_cats
2010-01-19 21:59 . 2009-10-05 19:30 d-----w- c:\program files\Yahoo!
2010-01-19 20:54 . 2006-04-27 13:00 d-----w- c:\program files\AOL 9.0
2010-01-17 18:43 . 2006-04-27 13:00 d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-01-05 10:00 . 2005-08-16 03:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2005-08-16 03:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-08-16 03:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-02 17:14 . 2006-05-17 20:46 d-----w- c:\program files\Google
2009-12-30 13:50 . 2006-04-27 12:51 d-----w- c:\program files\Java
2009-12-10 23:42 . 2006-05-04 21:19 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-10 23:42 . 2006-05-04 21:19 88 --sh--r- c:\windows\system32\51C4F7340D.sys
2009-12-10 20:34 . 2009-12-10 20:34 56 --sh--r- c:\windows\system32\0D34F7C451.sys
2009-12-01 20:56 . 2008-10-12 18:25 d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-11-21 16:36 . 2005-08-16 03:18 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{cd36797a-70f3-4acd-8825-623d3b896881}"= "c:\program files\securedie\tbsecu.dll" [2007-09-06 1453080]
[HKEY_CLASSES_ROOT\clsid\{cd36797a-70f3-4acd-8825-623d3b896881}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{cd36797a-70f3-4acd-8825-623d3b896881}"= "c:\program files\securedie\tbsecu.dll" [2007-09-06 1453080]
[HKEY_CLASSES_ROOT\clsid\{cd36797a-70f3-4acd-8825-623d3b896881}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CD36797A-70F3-4ACD-8825-623D3B896881}"= "c:\program files\securedie\tbsecu.dll" [2007-09-06 1453080]
[HKEY_CLASSES_ROOT\clsid\{cd36797a-70f3-4acd-8825-623d3b896881}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
"Google Update"="c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-17 135664]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 78960]
"DLCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2005-09-08 73728]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 2658304]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-30 149280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]
c:\documents and settings\Paul\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\documents and settings\Paul\Desktop\LimeWire\LimeWire.exe [2008-2-8 147456]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2006-4-27 156784]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Paul\\Desktop\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"8268:TCP"= 8268:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [2007-06-07 202280]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
2009-12-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
2010-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4027947593-25026477-389581538-1005Core.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-17 18:52]
2010-01-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4027947593-25026477-389581538-1005UA.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-17 18:52]
2009-08-30 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-08-30 21:11]
.
.
Supplementary Scan
.
uStart Page = hxxp://radbmx.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/?fr=fp-grpj
uInternet Connection Wizard,ShellNext = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
IE: Google Sidewiki...
Trusted Zone: internet
Trusted Zone: mcafee.com
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-24 16:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'explorer.exe'(324)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\stsystra.exe
c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
c:\progra~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-24 17:02:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-24 17:02
Pre-Run: 134,238,371,840 bytes free
Post-Run: 135,803,064,320 bytes free
- - End Of File - - 02826FD199FAC982DBA2BD04A99B4EEB
What shall I do now?
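Three things in the ComboFix log above are what a responder would pull out first: the two kernel drivers with machine-generated names that ComboFix deleted (mujxafotqryc.sys and tjqmyoibrudx.sys, each with matching Legacy_ and Service_ registry keys), the "original MBR restored successfully" line, and the firewall policy that had TCP ports 65533, 52344, 2479 and 8268 open to the world under the generic label "Services", next to 3389 for Remote Desktop. The Python script below runs those checks over an excerpt of that log. It is an added example for this thread, not part of ComboFix, HijackThis or any poster's own tooling; the name-randomness thresholds and the allowlist of expected open ports are assumptions chosen for the example, and the log excerpt is embedded so it runs offline.

```python
"""Triage heuristics for a ComboFix log.

Added example for this thread; it is not part of ComboFix, HijackThis, or any
poster's tooling. It pulls out three things a responder would look at first in
the log above:
  * driver/service names that look machine-generated (the mujxafotqryc /
    tjqmyoibrudx pattern), using a vowel-ratio and consonant-run heuristic,
  * TCP/UDP ports opened globally in the Windows Firewall policy that are not
    on an allowlist,
  * the "original MBR restored" line, meaning ComboFix found and replaced a
    modified Master Boot Record.
The thresholds and the allowlist are assumptions chosen for this example.
"""
import re

# Assumption for the example: the only globally open port this machine should have.
EXPECTED_OPEN_PORTS = {(3389, "TCP")}

# Excerpt of the ComboFix log posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\kb913800.exe
c:\windows\system32\drivers\mujxafotqryc.sys
c:\windows\system32\drivers\RkPavProc.sys
c:\windows\system32\drivers\tjqmyoibrudx.sys
c:\windows\system32\STEC3.sys
.
original MBR restored successfully !
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_STEC3
\Service_STEC3
\Legacy_mujxafotqryc
\Legacy_RkPavProc
\Legacy_tjqmyoibrudx
\Service_mujxafotqryc
\Service_RkPavProc
\Service_tjqmyoibrudx
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"8268:TCP"= 8268:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [2007-06-07 202280]
"""

VOWELS = set("aeiou")


def looks_random(name):
    """Flag a long, all-lower-case alphabetic name that has both a consonant
    run of four or more letters and a low vowel ratio. The thresholds are
    assumptions; this is a triage heuristic, not a verdict."""
    if len(name) < 10 or not name.isalpha() or not name.islower():
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", name)), default=0)
    return longest_run >= 4 and vowel_ratio <= 0.3


def parse_services(text):
    """Bare names from the Legacy_x and Service_x lines, deduplicated and sorted."""
    return sorted({m.group(1) for m in re.finditer(r"^\\(?:Legacy|Service)_(\S+)$", text, re.M)})


def parse_open_ports(text):
    """{(port, proto): label} from the GloballyOpenPorts list entries."""
    pattern = r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$'
    return {(int(p), proto): label.strip() for p, proto, label in re.findall(pattern, text, re.M)}


def triage(text):
    """Return (kind, detail) findings in the order a responder would read them."""
    findings = []
    if re.search(r"^original MBR restored", text, re.M):
        findings.append(("mbr", "ComboFix replaced a modified Master Boot Record"))
    for name in parse_services(text):
        if looks_random(name):
            findings.append(("driver", name))
    for (port, proto), label in sorted(parse_open_ports(text).items()):
        if (port, proto) not in EXPECTED_OPEN_PORTS:
            findings.append(("port", f"{port}/{proto} '{label}'"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

Run on the excerpt it reports the MBR restore, the two random-named drivers, and the four non-RDP ports. The name check is deliberately a coarse filter: it will also catch some legitimate all-lower-case names (mdnsresponder, for example), so a hit should send you to the file's path, signer and creation date rather than be read as a verdict on its own. The port list, by contrast, needs no heuristic: four high TCP ports labelled only "Services" plus RDP open on an XP SP2 machine is something to close and explain whatever the scanners conclude.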
You've got/had a serious infection.
Open Notepad and copy/paste the text in RED below:
File::
c:\windows\system32\51C4F7340D.sys
c:\windows\system32\0D34F7C451.sys
Save this as "CFScript".
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; ComboFix should then continue.
Hi, I have done the above and here is the new log file:
ComboFix 10-01-23.06 - Administrator 24/01/2010 17:24:45.6.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.376 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
FILE ::
"c:\windows\system32\0D34F7C451.sys"
"c:\windows\system32\51C4F7340D.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\NtUser.dat
c:\documents and settings\All Users\NtUser.dat.LOG
c:\windows\system32\0D34F7C451.sys
c:\windows\system32\51C4F7340D.sys
.
((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))
.
2010-01-24 14:47 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-24 14:47 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-19 21:59 . 2010-01-19 21:59 d-----w- c:\program files\Defraggler
2010-01-19 20:58 . 2010-01-19 20:58 d-----w- c:\windows\system32\CatRoot_bak
2010-01-19 20:57 . 2010-01-19 20:57 d-----w- c:\program files\MSXML 4.0
2010-01-13 15:42 . 2010-01-13 15:42 d-----w- c:\windows\ServicePackFiles
2010-01-13 15:21 . 2008-05-01 14:30 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2010-01-13 15:20 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2010-01-13 15:19 . 2008-04-21 10:02 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-01-12 21:30 . 2004-08-04 00:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-01-12 21:30 . 2004-08-04 00:56 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-01-10 17:56 . 2010-01-24 15:06 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 13:50 . 2009-12-30 13:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-28 20:01 . 2010-01-24 16:46 d-----w- c:\documents and settings\HelpAssistant
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 16:36 . 2005-08-16 03:18 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{cd36797a-70f3-4acd-8825-623d3b896881}"= "c:\program files\securedie\tbsecu.dll" [2007-09-06 1453080]
[HKEY_CLASSES_ROOT\clsid\{cd36797a-70f3-4acd-8825-623d3b896881}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 78960]
"DLCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2005-09-08 73728]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 2658304]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-30 149280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Paul\\Desktop\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"8268:TCP"= 8268:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
S2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 15:19 202280]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
2009-12-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
2010-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4027947593-25026477-389581538-1005Core.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-17 18:52]
2010-01-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4027947593-25026477-389581538-1005UA.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-17 18:52]
.
.
Supplementary Scan
.
uStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
mStart Page = hxxp://www.yahoo.com/?fr=fp-grpj
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-DellSupport - c:\program files\Dell Support\DSAgnt.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-24 17:28
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-01-24 17:29:45
ComboFix-quarantined-files.txt 2010-01-24 17:29
ComboFix2.txt 2010-01-24 17:02
Pre-Run: 136,346,165,248 bytes free
Post-Run: 136,310,870,016 bytes free
- - End Of File - - 7B373EE646FFC4917EE6F06299111C06
AliEnRIK, when you say serious infection, how would I have caught this? Is it from a particular source?
Almost certainly going to be through 'LimeWire'.
Do I need to do anything else, or should it be all clear now? Shall I go ahead and install my new McAfee licence?
Thanks so much for your help.
I wouldn't risk it yet.
Download and run the FREE version of Dr.Web CureIt:
http://www.freedrweb.com/download+cureit/gr/
Turn your antivirus OFF.
Click CANCEL to the 'Would you like to read purchase terms now?' message.
Click START, click OK.
It will auto QUICK scan.
After that, set it to scan the WHOLE computer and press the 'play' icon.
***DO NOT UPGRADE TO FULL VERSION***