New Items Appeared on my Startup list

Steve_xx
Posts: 6,979 Forumite


The following two items have appeared on my Startup list and I'm wondering what they are and how they got there:
Startup Item - itceace - rundll32.exe "C\Windows\itceace.dll", Startup
Startup Item - ahovatepinukon - rundll32.exe "C\Windows\ahovatepinukon.dll", Startup
I unticked the pair of them when I shut my laptop down last night, but note that they have appeared as 'ticked' again when I looked today. Interestingly, the same entries also appear on the 'unticked' list!
Does anyone know what they are and why they're there please?
Comments
Have you installed travel plan software on your puter?
iTRACE delivers:
Sophisticated mapping & database technology
Fast & simple access to information including adding and editing details
Geo-location of organisations on a map
Easy attachment of documents & related data to sites
Predefined reports
Analysis of individual Travel Plans against targets, planning conditions and obligations
Workplace access to Site Audit & Staff Survey tool
Online Site Audits
Online or paper based staff surveys
A Standard methodology
Draft Travel Plan Reports automatically
Disclaimer : Everything I write on this forum is my opinion. I try to be an even-handed poster and accept that you at times may not agree with these opinions or how I choose to express them; this is not my problem. The Disabled : If years cannot be added to their lives, at least life can be added to their years - Alf Morris - ℜ
No I haven't installed that, but I clicked on the link in your response and I'm sure that page appeared on my laptop yesterday.
I did a search for the two files I mentioned on drive C and when the itceace one appeared my antivirus software immediately flagged a trojan up. I didn't click on the file, I only searched for it.
The antivirus has quarantined the trojan and the entry is removed from the startup list.
It's now doing a full scan. So far it's detected: TR/hiloti.A.23
Good, if it clears it clears; if not you will need to run Malwarebytes - more of that later.
The software I referred you to is mega-priced commercial stuff usually only seen in corporate / county purchasing departments; however, that is what was in the msconfig.
Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_malwarebytes_anti_malware/
Open Malwarebytes and go to UPDATE and click 'check for updates'. After it's updated go to SCANNER and click PERFORM QUICK SCAN then click SCAN
Remove everything that's found (needs to be ticked)
Post the COMPLETE log here AFTER you've deleted everything it finds
If anything was found then do the exact same but run a FULL scan
reboot
Download HIJACK THIS (Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_hijackthis/
Click MAIN MENU then DO A SYSTEM SCAN AND SAVE A LOGFILE (takes seconds), then post the log so we can see what's running
(do NOT do anything else with HijackThis but scan and post the FULL log)
If you get a message that you can't write to the hosts file then press the SHIFT key, and whilst holding it RIGHT CLICK and select RUN AS (admin)
Thanks.
Here's the Malwarebytes file after removal of 6 items that it found. I'm just running a full scan now, as you advised:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5907
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
28/02/2011 21:00:54
mbam-log-2011-02-28 (21-00-54).txt
Scan type: Quick scan
Objects scanned: 151913
Time elapsed: 12 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{E856B973-45FD-4559-8F82-EAB539144667} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{DF058C45-CD18-453e-8745-5A77F60722AB} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{B5A33C35-7298-4D15-8753-A2E851E2EAB3} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\GTDOWNDE.GTAutoFixDLCtrl.1 (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\GTDOWNDE.GTAutoFixDLCtrl (Adware.Gdown) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\gtdownde_87.ocx (Adware.Gdown) -> Quarantined and deleted successfully.
During the full Malwarebytes scan, which is still running, my Antivirus software detected this:
Begin scan in 'C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP68\A0013861.ocx'
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP68\A0013861.ocx
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4fdfb9ce.qua'.
I believe that it found an infection in one of the system restore files. Windows makes periodic backups so you can roll back a day/week if the PC goes bad, and viruses get backed up in the file too. Windows protects these backup files and although the antivirus might show that it removed the infection from the backup file, it's almost certainly still in there as no changes can be made to system restore files.
I'm pretty sure you can clear out these files by turning system restore off then on (but losing all previous roll back files) but don't think there's any other way.
More here
Never trust information given by strangers on internet forums
The full scan of Malwarebytes revealed nothing more. So I've downloaded HijackThis and this is the report it's produced:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:15:34, on 28/02/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cweqizagova] rundll32.exe "C:\WINDOWS\ahovatepinukon.dll",Startup
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1294155595171
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 7157 bytes
TICK and FIX this in hijack -
O4 - HKLM\..\Run: [Cweqizagova] rundll32.exe "C:\WINDOWS\ahovatepinukon.dll",Startup
Please run COMBOFIX
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Shut down your anti virus
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out
If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
(If no log comes up or you lose it, COMBOFIX.TXT can be found in C drive)
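The line the helper singled out can also be found mechanically. The following is an added example (not HijackThis code and not from anyone in the thread): it parses O4 lines in the HijackThis log format and flags rundll32 entries whose DLL sits somewhere a legitimate autostart would not normally use. The trusted-directory list and the SAMPLE_TEMP line are the example's own assumptions.

```python
"""Triage HijackThis O4 autostart lines for suspicious rundll32 loaders."""
import re

# O4 - HKLM\..\Run: [Name] command line   (also HKCU and HKUS\<SID>\..\Run)
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")

# rundll32.exe "C:\path\file.dll",Export   or   rundll32 file.dll,Export
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

# Assumed allow-list: where rundll32 autostart DLLs are normally loaded from.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Path fragments that should never host an autostart DLL.
RISKY_DIR_MARKERS = ("\\temp\\", "\\documents and settings\\", "\\users\\", "\\appdata\\")


def parse_o4(line):
    """Return (hive, value_name, command) for an O4 registry Run line, else None."""
    m = O4_RE.match(line.strip())
    return (m.group("hive"), m.group("name"), m.group("cmd")) if m else None


def rundll32_target(cmd):
    """Return the DLL path a rundll32 command loads, or None if it is not rundll32."""
    m = RUNDLL_RE.search(cmd)
    return m.group("dll").strip() if m else None


def classify_dll_location(dll):
    """Return reasons the DLL location is suspicious for an autostart (empty if trusted)."""
    path = dll.lower()
    if "\\" not in path:
        return ["bare DLL name resolved by search order"]
    if any(marker in path for marker in RISKY_DIR_MARKERS):
        return ["DLL in a user-writable profile or temp location"]
    if path.startswith(TRUSTED_DIR_PREFIXES):
        return []
    if path.startswith("c:\\windows\\"):
        # The thread's case: a DLL dropped straight into the Windows root.
        return ["DLL under the Windows directory but outside system32"]
    return ["DLL outside trusted program directories"]


def triage(log_lines):
    """Return [(value_name, dll_path, reasons)] for every suspicious O4 entry."""
    findings = []
    for line in log_lines:
        parsed = parse_o4(line)
        if parsed is None:
            continue
        _hive, name, cmd = parsed
        dll = rundll32_target(cmd)
        if dll is None:
            continue
        reasons = classify_dll_location(dll)
        if reasons:
            findings.append((name, dll, reasons))
    return findings


# O4 lines copied from the thread's HijackThis log, plus one constructed
# entry (SAMPLE_TEMP, not from the thread) to exercise the profile/temp check.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min',
    r'O4 - HKLM\..\Run: [Cweqizagova] rundll32.exe "C:\WINDOWS\ahovatepinukon.dll",Startup',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')",
    r"O4 - Global Startup: Digital Line Detect.lnk = ?",
    r'O4 - HKCU\..\Run: [SAMPLE_TEMP] rundll32.exe "C:\Documents and Settings\user\Local Settings\Temp\x.dll",Run',
]

if __name__ == "__main__":
    for name, dll, reasons in triage(SAMPLE_LOG):
        print(f"[{name}] {dll}: {'; '.join(reasons)}")
```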
OK, I ticked and fixed in HijackThis and have now downloaded and run ComboFix. Here is the report that ComboFix produced:
ComboFix 11-02-28.02 - Steven Nicholas 28/02/2011 22:40:33.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1648 [GMT 0:00]
Running from: c:\documents and settings\Steven Nicholas\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Steven Nicholas\Local Settings\Application Data\{5C2B426D-BFE7-4C20-BE55-9607D85A9CE0}
c:\documents and settings\Steven Nicholas\Local Settings\Application Data\{5C2B426D-BFE7-4C20-BE55-9607D85A9CE0}\chrome.manifest
c:\documents and settings\Steven Nicholas\Local Settings\Application Data\{5C2B426D-BFE7-4C20-BE55-9607D85A9CE0}\chrome\content\_cfg.js
c:\documents and settings\Steven Nicholas\Local Settings\Application Data\{5C2B426D-BFE7-4C20-BE55-9607D85A9CE0}\chrome\content\overlay.xul
c:\documents and settings\Steven Nicholas\Local Settings\Application Data\{5C2B426D-BFE7-4C20-BE55-9607D85A9CE0}\install.rdf
c:\windows\ahovatepinukon.dll
c:\windows\system32\muzapp.exe
.
((((((((((((((((((((((((( Files Created from 2011-01-28 to 2011-02-28 )))))))))))))))))))))))))))))))
.
2011-02-28 22:14 . 2011-02-28 22:14 388096 ----a-r- c:\documents and settings\Steven Nicholas\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-28 22:14 . 2011-02-28 22:14 d-----w- c:\program files\Trend Micro
2011-02-28 20:42 . 2011-02-28 20:42 d-----w- c:\documents and settings\Steven Nicholas\Application Data\Malwarebytes
2011-02-28 20:42 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-28 20:42 . 2011-02-28 20:42 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-28 20:42 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-28 20:42 . 2011-02-28 20:42 d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-27 21:28 . 2011-02-28 20:27 d-----w- c:\windows\system32\NtmsData
2011-02-25 23:34 . 2011-02-28 13:37 0 ----a-w- c:\windows\Dbujetelaguze.bin
2011-02-22 15:54 . 2011-02-22 15:54 d-----w- C:\Temp
2011-02-22 15:51 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-02-22 15:51 . 2011-02-23 09:10 d-----w- c:\documents and settings\Steven Nicholas\Local Settings\Application Data\Samsung
2011-02-22 15:50 . 2010-12-21 05:55 98432 ----a-w- c:\windows\system32\drivers\ss_bbus.sys
2011-02-22 15:50 . 2010-12-21 05:55 14848 ----a-w- c:\windows\system32\drivers\ss_bmdfl.sys
2011-02-22 15:50 . 2010-12-21 05:55 12416 ----a-w- c:\windows\system32\drivers\ss_bcmnt.sys
2011-02-22 15:47 . 2011-02-22 15:49 d-----w- c:\documents and settings\All Users\Application Data\Samsung
2011-02-22 15:47 . 2011-02-22 15:47 d-----w- c:\windows\system32\LogFiles
2011-02-22 15:45 . 2011-02-22 15:53 d-----w- c:\windows\system32\drivers\umdf
2011-02-22 15:43 . 2011-02-22 15:43 d-----w- c:\documents and settings\Steven Nicholas\Local Settings\Application Data\Downloaded Installations
2011-02-14 15:47 . 2011-02-14 15:47 d-----w- c:\documents and settings\Steven Nicholas\Application Data\uk.co.symbiosgroup.shchat
2011-02-14 15:47 . 2011-02-14 15:47 d-----w- c:\program files\SH Chat
2011-02-14 15:47 . 2011-02-14 15:47 d-----w- c:\program files\Common Files\Adobe AIR
2011-02-08 21:49 . 2011-02-08 21:49 d-sh--w- c:\documents and settings\Steven Nicholas\IECompatCache
2011-02-08 21:25 . 2011-02-08 21:25 d-----w- c:\documents and settings\Steven Nicholas\Application Data\OpenOffice.org
2011-02-08 21:21 . 2011-02-08 23:13 d-----w- c:\program files\OpenOffice.org 3
2011-01-29 23:16 . 2011-01-29 23:16 30056 ----a-w- c:\windows\system32\MASetupCleaner.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 21:40 . 2011-01-16 11:42 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2011-01-16 11:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-29 17:00 . 2011-01-29 17:00 90112 ----a-w- c:\windows\MAMCityDownload.ocx
2011-01-29 17:00 . 2011-01-29 17:00 325552 ----a-w- c:\windows\MASetupCaller.dll
2011-01-29 17:00 . 2011-01-29 17:00 30568 ----a-w- c:\windows\MusiccityDownload.exe
2011-01-29 17:00 . 2011-01-29 17:00 974848 ----a-w- c:\windows\system32\cis-2.4.dll
2011-01-29 17:00 . 2011-01-29 17:00 81920 ----a-w- c:\windows\system32\issacapi_bs-2.3.dll
2011-01-29 17:00 . 2011-01-29 17:00 65536 ----a-w- c:\windows\system32\issacapi_pe-2.3.dll
2011-01-29 17:00 . 2011-01-29 17:00 57344 ----a-w- c:\windows\system32\MTXSYNCICON.dll
2011-01-29 17:00 . 2011-01-29 17:00 57344 ----a-w- c:\windows\system32\MK_Lyric.dll
2011-01-29 17:00 . 2011-01-29 17:00 57344 ----a-w- c:\windows\system32\issacapi_se-2.3.dll
2011-01-29 17:00 . 2011-01-29 17:00 569344 ----a-w- c:\windows\system32\muzdecode.ax
2011-01-29 17:00 . 2011-01-29 17:00 491520 ----a-w- c:\windows\system32\muzapp.dll
2011-01-29 17:00 . 2011-01-29 17:00 49152 ----a-w- c:\windows\system32\MaJGUILib.dll
2011-01-29 17:00 . 2011-01-29 17:00 45056 ----a-w- c:\windows\system32\MaXMLProto.dll
2011-01-29 17:00 . 2011-01-29 17:00 45056 ----a-w- c:\windows\system32\MACXMLProto.dll
2011-01-29 17:00 . 2011-01-29 17:00 40960 ----a-w- c:\windows\system32\MTTELECHIP.dll
2011-01-29 17:00 . 2011-01-29 17:00 40960 ----a-w- c:\windows\system32\MAMACExtract.dll
2011-01-29 17:00 . 2011-01-29 17:00 352256 ----a-w- c:\windows\system32\MSLUR71.dll
2011-01-29 17:00 . 2011-01-29 17:00 258048 ----a-w- c:\windows\system32\muzoggsp.ax
2011-01-29 17:00 . 2011-01-29 17:00 245760 ----a-w- c:\windows\system32\MSCLib.dll
2011-01-29 17:00 . 2011-01-29 17:00 200704 ----a-w- c:\windows\system32\muzwmts.dll
2011-01-29 17:00 . 2011-01-29 17:00 155648 ----a-w- c:\windows\system32\MSFLib.dll
2011-01-29 17:00 . 2011-01-29 17:00 143360 ----a-w- c:\windows\system32\3DAudio.ax
2011-01-29 17:00 . 2011-01-29 17:00 135168 ----a-w- c:\windows\system32\muzaf1.dll
2011-01-29 17:00 . 2011-01-29 17:00 131072 ----a-w- c:\windows\system32\muzmpgsp.ax
2011-01-29 17:00 . 2011-01-29 17:00 122880 ----a-w- c:\windows\system32\muzeffect.ax
2011-01-29 17:00 . 2011-01-29 17:00 118784 ----a-w- c:\windows\system32\MaDRM.dll
2011-01-29 17:00 . 2011-01-29 17:00 110592 ----a-w- c:\windows\system32\muzmp4sp.ax
2011-01-21 14:44 . 2004-08-10 11:51 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 11:50 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-10 11:51 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-10 11:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-10 11:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-10 11:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-10 11:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2004-08-10 11:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-10 11:51 385024 ----a-w- c:\windows\system32\html.iec
2010-12-13 08:40 . 2011-01-04 15:52 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-12-13 08:40 . 2011-01-04 15:52 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-09 15:15 . 2004-08-10 11:51 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-10 11:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2004-08-10 11:51 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-03 21:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-22 2423752]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 393216]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-10 98304]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-10 24576]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk
backup=c:\windows\pss\Status Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Steven Nicholas^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\documents and settings\Steven Nicholas\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
2006-05-10 14:55 61440 ----a-w- c:\dell\bldbubg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2005-07-22 21:36 933888 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2005-12-15 09:44 839680 ----a-w- c:\program files\Dell\QuickSet\quickset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2004-07-19 06:51 306688 ----a-w- c:\program files\Dell Support\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-11-01 02:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesHelper]
2011-01-29 23:11 888120 ----a-w- c:\program files\Samsung\Kies\KiesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent]
2011-01-29 23:11 3372856 ----a-w- c:\program files\Samsung\Kies\KiesTrayAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-07-12 18:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-05-10 15:21 98304 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-05-10 15:20 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 14:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [04/01/2011 15:53 135336]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [22/02/2011 15:50 98432]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [22/02/2011 15:50 14848]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [22/02/2011 15:50 123648]
S3 ss_bserd;SAMSUNG USB Mobile Logging Driver;c:\windows\system32\drivers\ss_bserd.sys [22/02/2011 15:50 100224]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.mail.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Steven Nicholas\Application Data\Mozilla\Firefox\Profiles\xox9xrv5.default\
FF - prefs.js: browser.startup.homepage - www.mail.yahoo.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Cweqizagova - c:\windows\ahovatepinukon.dll
MSConfigStartUp-Corel Photo Downloader - c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe
MSConfigStartUp-Cweqizagova - c:\windows\ahovatepinukon.dll
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\McUpdate.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
MSConfigStartUp-Xketijirazohi - c:\windows\itceace.dll
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-28 22:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(768)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(1024)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\brss01a.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2011-02-28 22:54:08 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-28 22:54
Pre-Run: 26,746,179,584 bytes free
Post-Run: 27,092,733,952 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 8B0FC630A62EB81B74239A37AB9B448B