Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Dell 2400 PC with Malware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Dell 2400 PC with Malware

Unread postby cman1010 » February 18th, 2008, 6:47 pm

On a client's personal computer, I have downloaded and ran the recommended hijackthis, followed by an analyze. Please review & recommend. THank You, cman1010
Here is the results from NotePad:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:42 PM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {477840F3-BA52-44D9-8E41-38D61CAA010F} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: InternetExplorerAssistant.BrowserHelperObject - {59693FA9-25A3-4D8C-BB03-35658A5D83DA} - C:\PROGRA~1\INTERN~2\INTERN~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DellSupport-] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/active ... rdtinf.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss ... gctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se4009.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www1.pcpitstop.com/mhLbl.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/ins ... downde.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: dmadmin - Unknown owner - C:\WINDOWS\TEMP\50736000.exe
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\128734.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\System32\locator.exe
O23 - Service: RSVP - Unknown owner - C:\WINDOWS\System32\rsvp.exe
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: UPS - Unknown owner - C:\WINDOWS\System32\ups.exe
O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 10579 bytes
cman1010
Active Member
 
Posts: 13
Joined: February 18th, 2008, 4:41 pm
Advertisement
Register to Remove

Re: Dell 2400 PC with Malware

Unread postby Katana » February 22nd, 2008, 9:36 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy
and sometimes a post manages to slip by us.
Unfortunately there are far more people needing help than there are helpers.

----------------------------------------------------------------------------------------

On a client's personal computer,

Please note, these forums are designed for home users, not companys that need assistance.

No Antivirus

I can see no indication of any Antivirus software.

Use an AntiVirus Software - It is very important that you have anti-virus software running on your machine.
This alone can save you a lot of trouble with malware in the future.
Free AV list
AVG Free
Avira AntiVir
Avast

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week.
If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Antivirus is a MUST


Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\\Documents and Settings\\Username\\Application Data\\Malwarebytes\\Malwarebytes' Anti-Malware\\Logs\\mbam-log-date (time).txt



Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Dell 2400 PC with Malware

Unread postby cman1010 » February 24th, 2008, 7:00 pm

Katana,
Thank you for responding to my plea. Admittedly, after not hearing back from you, I did some digging and installing of my own (gulp). Not sure I did anything harmful, however did uninstall the Norton Antivirus software, which would not update even tho the client has 6 months of renewal left. I replaced it with PC-Tools Spyware Doctor with antivirus. Also installed and ran the AVG free version, also purchased RegCure for registry problems. As requested, here is the file from the Anti-Malware program, with the Uninstall list following:

Malwarebytes' Anti-Malware 1.05
Database version: 402

Scan type: Full Scan (C:\|)
Objects scanned: 120724
Time elapsed: 34 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 74
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 94

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\Program Files\Internet Explorer Assistant\InternetExplorerAssistant.dll (Trojan.BHO) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{59693fa9-25a3-4d8c-bb03-35658a5d83da} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59693fa9-25a3-4d8c-bb03-35658a5d83da} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13} (Adware.AdGoblin) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271} (Adware.AdBreak) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} (Adware.AdBlaster) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8} (Adware.AdBlaster) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f} (Adware.AdBlaster) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0} (Adware.Aconti) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129} (Adware.AdBar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b} (Adware.4Arcade) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089} (Adware.AccessPlugin) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{fc6e3735-57b3-48b8-9002-54c155215632} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{4a9967ab-4c5c-4325-b8c9-4f2be9142c81} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\internetexplorerassistant.browserhelperobject (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{efbd98b0-0c01-4325-85f8-5e791ab33570} (Rogue.DioCleaner) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{c8ebbffa-881d-4f15-9d29-7435462e4294} (Rogue.DioCleaner) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208} (Adware.Accoona) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd} (Fake.Dropped.Malware) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4} (Fake.Dropped.Malware) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456} (Fake.Dropped.Malware) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspnet_state (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\aspnet_state (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\clipsrv (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\clipsrv (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clipsrv (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rpclocator (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\rpclocator (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpclocator (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdtc (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\msdtc (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdtc (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netdde (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\netdde (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netdde (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netddedsdm (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\netddedsdm (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netddedsdm (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rsvp (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\rsvp (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rsvp (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\scardsvr (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\scardsvr (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\scardsvr (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rdsessmgr (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\rdsessmgr (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdsessmgr (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysmonlog (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sysmonlog (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmonlog (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ups (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ups (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ups (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vss (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\vss (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vss (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wmiapsrv (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wmiapsrv (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wmiapsrv (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dmserver (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\dmserver (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dmadmin (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\dmadmin (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin (Trojan.DownLoader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Spruce (Adware.Spruce) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\egmulhxk.msdn_hlp (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Spruce (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Assistant_is1 (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dot1XCfg (Trojan.Downloader) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{59693fa9-25a3-4d8c-bb03-35658a5d83da} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Accoona (Adware.Accoona) -> No action taken.
C:\Program Files\e-zshopper (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\SYSTEM32\acespy (Fake.Dropped.Malware) -> No action taken.
C:\Program Files\Dot1XCfg (Trojan.Downloader) -> No action taken.
C:\Program Files\Internet Explorer Assistant (Trojan.BHO) -> No action taken.
C:\Program Files\Router (Trojan.Downloader) -> No action taken.

Files Infected:
c:\Program Files\Internet Explorer Assistant\InternetExplorerAssistant.dll (Trojan.BHO) -> No action taken.
C:\Documents and Settings\Buzbee's\Desktop\SearchUs.exe (Trojan.TagASaurus) -> No action taken.
C:\Documents and Settings\Buzbee's\Local Settings\Temp\msiexec.exe~ (Trojan.Clicker) -> No action taken.
C:\Documents and Settings\Buzbee's\Local Settings\Temp\setup.exe (Trojan.DownLoader) -> No action taken.
C:\Documents and Settings\Buzbee's\Local Settings\Temp\SpruceSetup.exe (Adware.Spruce) -> No action taken.
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\SYSTEM32\alg.exe.tmp (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\SYSTEM32\cisvc.exe.tmp (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\SYSTEM32\clipsrv.exe (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\SYSTEM32\imapi.exe (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\SYSTEM32\locator.exe (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\SYSTEM32\mnmsrvc.exe (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\SYSTEM32\msdtc.exe (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\SYSTEM32\netdde.exe (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\SYSTEM32\RSVP.EXE (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\SYSTEM32\scardsvr.exe (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\SYSTEM32\sessmgr.exe (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\SYSTEM32\smlogsvc.exe (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\SYSTEM32\ups.exe (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\SYSTEM32\vssvc.exe (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\SYSTEM32\WBEM\wmiapsrv.exe (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\Temp\125531.exe (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\Temp\128734.exe (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\Temp\130250.exe (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\Temp\154453.exe (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\Temp\50736000.exe (Trojan.DownLoader) -> No action taken.
C:\WINDOWS\Temp\AE8AB41F91F72503.tmp (Malware.Trace) -> No action taken.
C:\Program Files\Accoona\ASearchAssist.dll (Adware.Accoona) -> No action taken.
C:\Program Files\e-zshopper\BarLcher.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\SYSTEM32\acespy\systune.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\SYSTEM32\acespy\__acelog.ndx (Fake.Dropped.Malware) -> No action taken.
C:\Program Files\Internet Explorer Assistant\app.properties (Trojan.BHO) -> No action taken.
C:\Program Files\Internet Explorer Assistant\InstallerAssistant.exe (Trojan.BHO) -> No action taken.
C:\Program Files\Internet Explorer Assistant\unins000.dat (Trojan.BHO) -> No action taken.
C:\Program Files\Internet Explorer Assistant\unins000.exe (Trojan.BHO) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\blank.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\box_2.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\button_buynow.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\button_freescan.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\cell_bg.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\cell_footer.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\cell_header_block.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\cell_header_remove.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\cell_header_scan.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\download_btn.jpg (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\download_now_btn.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\footer_back.jpg (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\header_1.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\header_2.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\header_3.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\header_4.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\header_red_bg.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\header_red_free_scan.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\header_red_free_scan_bg.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\header_red_protect_your_pc.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\infected.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\main_back.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\product_2_header.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\product_2_name_small.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\product_features.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\rating.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\screenshot.jpg (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\sep_hor.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\sep_vert.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\shadow.jpg (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\shadow_bg.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\spacer.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\star.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\star_gray.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\star_gray_small.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\star_small.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\style.css (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\v.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\warning_icon.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\win_logo.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\x.gif (Malware.Trace) -> No action taken.
C:\WINDOWS\absolute key logger.lnk (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\aconti.log (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\acontidialer.txt (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\adbar.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\daxtime.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\dp0.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\eventlowg.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\fhfmm-Uninstaller.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\ie_32.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\jd2002.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\kkcomp$.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\liqad$.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\liqui-Uninstaller.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\ngd.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\spredirect.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\wbeInst$.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\xadbrk_.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\xxxvideo.exe (Fake.Dropped.Malware) -> No action taken.

UNINSTALL LIST:
2Wire Wireless Client
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
ArcSoft PhotoImpression 4
AT&T Yahoo! Applications
AVG Anti-Rootkit Free
Crash Analysis Tool
Dell Media Experience
Dell Photo AIO Printer 922
Dell Solution Center
Dell Support Center
DellSupport
Digimax Viewer 2.1
EarthLink Setup Files
Google Earth
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB906569)
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics Driver
Internet Explorer Assistant 1.0
Internet Explorer Default Page
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 3
Macromedia Flash Player 8
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Medal of Honor Allied Assault
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Event Monitor
Modem Helper
Modem On Hold
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
PC Pitstop Driver Alert 1.0
PowerDVD 5.1
RegCure 1.3.0.2
SBC Yahoo! DSL Home Networking Installer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926247)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Shockwave
Spyware Doctor 5.5
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
WebCyberCoach 3.2 Dell
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WordPerfect Office 12
cman1010
Active Member
 
Posts: 13
Joined: February 18th, 2008, 4:41 pm

Re: Dell 2400 PC with Malware

Unread postby Katana » February 24th, 2008, 7:26 pm

On a client's personal computer,

Please note, these forums are designed for home users, not companys that need assistance.
Please can you clarify what you mean by this.

There seems to be evidence of "server" settings on this machine ?


Fix With HJT

Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {477840F3-BA52-44D9-8E41-38D61CAA010F} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: InternetExplorerAssistant.BrowserHelperObject - {59693FA9-25A3-4D8C-BB03-35658A5D83DA} - C:\PROGRA~1\INTERN~2\INTERN~1.DLL
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O23 - Service: dmadmin - Unknown owner - C:\WINDOWS\TEMP\50736000.exe
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\128734.exe

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis


If this is a company machine, or used as a server then DO NOT use the following tool



Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.



Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Go Here http://www.kaspersky.com/kos/eng/partne ... bscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Dell 2400 PC with Malware

Unread postby cman1010 » February 24th, 2008, 10:02 pm

Katana,
Sorry for the confusion - this is NOT a company computer. The "client" is the wife of a local attorney (I live in a small town -6500) and she called me to help her get her useless computer back. Now as frugel as her husband seems (this machine had a whopping 256MB Ram - until I added a stick of the same) i would not be surprised if he purchased a Dell refurb - or dragged it home from his office, but it is not currently being used as a server, nor an office machine. Her computer was useless to her because of the abundance of Malware.
When downloading the program from MS - this computer came up with an error and wouldn't let me download or run the program - so I ran the ComboFix without it. Here are the files you requested:

ComboFix 08-02-25.2 - ALICE 2008-02-24 18:27:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.208 [GMT -6:00]
Running from: C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\IXZOTCNM\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Buzbee's\Desktop\searchus.exe
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\Router
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.log
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\Temp\125531.exe
C:\WINDOWS\Temp\128734.exe
C:\WINDOWS\Temp\130250.exe
C:\WINDOWS\Temp\154453.exe
C:\WINDOWS\Temp\50736000.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SYMAVC32
-------\symavc32


((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-24 15:13 . 2008-02-24 16:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-24 15:13 . 2008-02-24 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-24 15:13 . 2008-02-24 15:13 <DIR> d-------- C:\Documents and Settings\ALICE\Application Data\Malwarebytes
2008-02-18 14:06 . 2008-02-18 14:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-17 14:46 . 2008-02-17 14:51 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-17 14:31 . 2008-02-17 14:31 <DIR> d-------- C:\Program Files\WebCyberCoach
2008-02-17 14:28 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-02-17 14:17 . 2005-07-04 16:03 1,650,688 --a------ C:\WINDOWS\SYSTEM32\qdiagdwc.ocx
2008-02-17 14:17 . 2004-06-15 15:55 7,882 --a------ C:\WINDOWS\SYSTEM32\GTKCMOS.sys
2008-02-17 14:17 . 2005-02-08 12:37 7,626 --a------ C:\WINDOWS\SYSTEM32\GPCIEnum.sys
2008-02-17 14:17 . 2005-02-09 13:08 7,168 --a------ C:\WINDOWS\SYSTEM32\DLPT64.sys
2008-02-17 14:17 . 2004-06-09 09:29 6,977 --a------ C:\WINDOWS\SYSTEM32\DDMI2.sys
2008-02-17 14:17 . 2005-03-13 16:54 6,656 --a------ C:\WINDOWS\SYSTEM32\DLPT2.sys
2008-02-17 14:17 . 2005-02-08 13:04 5,632 --a------ C:\WINDOWS\SYSTEM32\GPCIEn64.sys
2008-02-17 14:17 . 2005-02-08 15:46 5,120 --a------ C:\WINDOWS\SYSTEM32\GTKCMO64.sys
2008-02-17 14:17 . 2005-02-07 19:07 4,608 --a------ C:\WINDOWS\SYSTEM32\DDMI64.sys
2008-02-16 14:26 . 2008-02-16 14:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\Dell
2008-02-16 13:34 . 2008-02-16 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-02-16 13:33 . 2008-02-16 13:34 <DIR> d-------- C:\Program Files\Dell Support Center
2008-02-16 13:33 . 2008-02-16 13:33 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-02-15 22:15 . 2008-02-15 23:15 <DIR> d-------- C:\Program Files\RegCure
2008-02-15 21:43 . 2008-02-15 21:42 23,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TVICHW32.SYS
2008-02-13 14:58 . 2008-02-13 14:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-02-13 14:58 . 2008-02-13 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2008-02-13 14:31 . 2008-02-13 14:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-13 14:31 . 2008-02-13 14:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-11 21:12 . 2008-02-11 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-02-11 21:12 . 2008-02-11 20:51 218,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pctfw2.sys
2008-02-11 20:51 . 2008-02-11 21:12 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-02-08 09:32 . 2008-02-08 09:32 <DIR> d-------- C:\Documents and Settings\ALICE\Application Data\MSN6
2008-02-06 16:53 . 2008-02-06 16:53 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-03 22:17 . 2007-01-18 06:00 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
2008-02-02 01:50 . 2008-02-02 01:50 51,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nkv2.sys
2008-02-02 00:41 . 2005-06-21 23:43 163,840 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
2008-02-02 00:13 . 2005-06-22 00:04 61,440 --a------ C:\WINDOWS\SYSTEM32\iAlmCoIn_v4342.dll
2008-01-30 05:42 . 2008-01-30 05:42 <DIR> d---s---- C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\UserData
2008-01-29 00:40 . 2008-01-29 01:21 <DIR> d-------- C:\Program Files\Netcom3 Cleaner
2008-01-28 22:08 . 2008-01-28 22:08 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-28 10:15 . 2008-01-28 10:20 <DIR> d-------- C:\Program Files\PCPitstop
2008-01-25 17:12 . 2008-01-25 17:12 2 --a------ C:\52.tmp
2008-01-25 17:10 . 2002-08-29 04:00 15,872 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\smierrsm.dll
2008-01-25 17:10 . 2002-08-29 04:00 10,240 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\snmpstup.dll
2008-01-25 17:10 . 2002-08-29 04:00 5,632 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\smimsgif.dll
2008-01-25 17:10 . 2002-08-29 04:00 5,632 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\smierrsy.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 00:36 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-25 00:14 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-21 14:10 --------- d-----w C:\Program Files\Yahoo!
2008-02-21 14:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-02-21 05:06 --------- d-----w C:\Documents and Settings\Buzbee's\Application Data\Yahoo!
2008-02-17 20:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-17 20:31 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-02-17 20:28 --------- d-----w C:\Program Files\Java
2008-02-16 20:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-16 20:45 --------- d-----w C:\Program Files\Dell
2008-02-16 20:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-02-16 05:59 --------- d-----w C:\Program Files\Google
2008-02-10 01:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-06 22:52 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-01-29 00:26 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-28 21:49 --------- d-----w C:\Program Files\Common Files\Real
2008-01-25 08:42 --------- d-----w C:\Program Files\Jbkt
2008-01-25 08:42 --------- d-----w C:\Program Files\Dot1XCfg
2008-01-25 05:24 --------- d-----w C:\Program Files\EA GAMES
2008-01-25 03:19 --------- d-----w C:\Documents and Settings\ALICE\Application Data\PC Tools
2008-01-24 22:50 --------- d-----w C:\Documents and Settings\ALICE\Application Data\Yahoo!
2008-01-22 17:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-22 17:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-01-22 17:32 --------- d-----w C:\Program Files\Internet Explorer Assistant
2008-01-09 23:03 8,704 ----a-w C:\WINDOWS\SYSTEM32\vssvc.exe
2008-01-09 23:02 8,704 ----a-w C:\WINDOWS\SYSTEM32\ups.exe
2008-01-09 23:00 8,704 ----a-w C:\WINDOWS\SYSTEM32\smlogsvc.exe
2008-01-09 22:52 8,704 ----a-w C:\WINDOWS\SYSTEM32\scardsvr.exe
2008-01-09 22:49 8,704 ----a-w C:\WINDOWS\SYSTEM32\RSVP.EXE
2008-01-09 22:48 8,704 ----a-w C:\WINDOWS\SYSTEM32\sessmgr.exe
2008-01-09 22:48 8,704 ----a-w C:\WINDOWS\SYSTEM32\locator.exe
2008-01-09 22:41 8,704 ----a-w C:\WINDOWS\SYSTEM32\netdde.exe
2008-01-09 22:38 8,704 ----a-w C:\WINDOWS\SYSTEM32\msdtc.exe
2008-01-09 22:21 8,704 ----a-w C:\WINDOWS\SYSTEM32\clipsrv.exe
2008-01-09 22:08 8,704 ----a-w C:\WINDOWS\SYSTEM32\alg.exe.tmp
2008-01-08 18:52 8,704 ----a-w C:\WINDOWS\SYSTEM32\mnmsrvc.exe
2008-01-08 18:51 8,704 ----a-w C:\WINDOWS\SYSTEM32\imapi.exe
2008-01-08 18:45 8,704 ----a-w C:\WINDOWS\SYSTEM32\cisvc.exe.tmp
2007-12-27 05:47 58,368 ----a-w C:\tsqfy.exe
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\oleaut32.dll
2006-12-12 16:03 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.
The HJT file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:31, on 2008-02-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DellSupport-] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/active ... rdtinf.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss ... gctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se4009.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www1.pcpitstop.com/mhLbl.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/ins ... downde.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\System32\locator.exe
O23 - Service: RSVP - Unknown owner - C:\WINDOWS\System32\rsvp.exe
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe
O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe

--
End of file - 6760 bytes
cman1010
Active Member
 
Posts: 13
Joined: February 18th, 2008, 4:41 pm

Re: Dell 2400 PC with Malware

Unread postby Katana » February 25th, 2008, 10:38 am

Do you have the Kaspersky log ?
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Dell 2400 PC with Malware

Unread postby cman1010 » February 25th, 2008, 5:42 pm

Katana,
My bad - here is the antivirus file:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-02-25 15:37
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/02/2008
Kaspersky Anti-Virus database records: 580494
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 93662
Number of viruses found: 16
Number of infected objects: 48
Number of suspicious objects: 0
Duration of the scan process: 01:07:24

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\ALICE\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp Object is locked skipped
C:\Documents and Settings\ALICE\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\ALICE\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\ALICE\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSBrws.log Object is locked skipped
C:\Documents and Settings\ALICE\Application Data\GTek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\ALICE\Application Data\GTek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\ALICE\Application Data\GTek\GTUpdate\AUpdate\DellSupport\qdiagd_DSBrws.log Object is locked skipped
C:\Documents and Settings\ALICE\Application Data\GTek\GTUpdate\AUpdate\DellSupport\Settings.log Object is locked skipped
C:\Documents and Settings\ALICE\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb Object is locked skipped
C:\Documents and Settings\ALICE\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\ALICE\Local Settings\Application Data\ApplicationHistory\sprtcmd.exe.63e7480d.ini.inuse Object is locked skipped
C:\Documents and Settings\ALICE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ALICE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ALICE\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{401685D3-819D-46FE-B1FA-ACBB539C0F14} Object is locked skipped
C:\Documents and Settings\ALICE\Local Settings\Application Data\SupportSoft\DellSupportCenter\ALICE\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\ALICE\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\ALICE\Local Settings\History\History.IE5\MSHist012008022520080226\index.dat Object is locked skipped
C:\Documents and Settings\ALICE\Local Settings\Temp\Perflib_Perfdata_740.dat Object is locked skipped
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\mrofinu[1].zip/mrofinu.exe Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\mrofinu[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\mrofinu[1].zip/mrofinu.exe Infected: Trojan-Downloader.Win32.Agent.hvx skipped
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\mrofinu[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\ALICE\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ALICE\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\17fd7c4511dcfcb9f4dcd4da001c2a09_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\27677051d83b4be200096dcf64edbd67_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3f0e1e8afe64d5ab28b4312bd48149a2_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5567843bce04113878c27d0bf5fb9f06_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\55a686f09bec5204d9d5c001f905501c_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5a57fe2914d8e8f2e37115ec0724253a_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\753cba8a8b527d80c5978c83043ce60c_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\807d3f355eef4ec7b7acb3b73a683a9a_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\82f838029fc31c612f3743574e28ca39_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ca7fb0b9200b4d31bc42a953e792685f_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fa0913b76556bc5a50765e0e09a729d8_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02062008-165327.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\SupportSoft\DellSupportCenter\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Buzbee's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc0-6f9a3342.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
C:\Documents and Settings\Buzbee's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc0-6f9a3342.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Buzbee's\Local Settings\Temp\msiexec.exe~ Infected: Trojan-Clicker.Win32.Agent.mv skipped
C:\Documents and Settings\Buzbee's\Local Settings\Temp\setup.exe Infected: Trojan-Downloader.Win32.VB.bwb skipped
C:\Documents and Settings\Buzbee's\Local Settings\Temp\Setup195.exe/data0002 Infected: Trojan-Clicker.Win32.VB.yh skipped
C:\Documents and Settings\Buzbee's\Local Settings\Temp\Setup195.exe/data0008 Infected: Trojan-Clicker.Win32.VB.vx skipped
C:\Documents and Settings\Buzbee's\Local Settings\Temp\Setup195.exe/data0009 Infected: Trojan-Clicker.Win32.VB.vx skipped
C:\Documents and Settings\Buzbee's\Local Settings\Temp\Setup195.exe NSIS: infected - 3 skipped
C:\Documents and Settings\Buzbee's\Local Settings\Temp\Tear.exe Infected: Trojan-Downloader.Win32.Agent.gvh skipped
C:\Documents and Settings\Buzbee's\Local Settings\Temporary Internet Files\1239.exe Infected: Trojan-Downloader.Win32.Small.hhp skipped
C:\Documents and Settings\Buzbee's\Local Settings\Temporary Internet Files\2314.exe/data0006 Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\Documents and Settings\Buzbee's\Local Settings\Temporary Internet Files\2314.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Buzbee's\Local Settings\Temporary Internet Files\wr-1-1000512.exe Infected: Trojan-Downloader.Win32.Small.hhp skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\sdfsdf[1].htm Infected: Trojan.Win32.Agent.eeu skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\sdfsdf[2].htm Infected: Trojan.Win32.Agent.eeu skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ENIDAH4R\sdfsdf[1].htm Infected: Trojan.Win32.Agent.eeu skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ENIDAH4R\sdfsdf[2].htm Infected: Trojan.Win32.Agent.eeu skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\AWS\WeatherBug\Install\WxBugSetup60b6.04.0.9m.EXE/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\Program Files\AWS\WeatherBug\Install\WxBugSetup60b6.04.0.9m.EXE WiseSFX: infected - 1 skipped
C:\Program Files\AWS\WeatherBug\Install\WxBugSetup60b6.04.0.9m.EXE WiseSFXDropper: infected - 1 skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\58CD9DBF-5EF6-4B38-B8A0-1A8F24\1A27100A-677F-4E65-92B2-96237E Object is locked skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\58CD9DBF-5EF6-4B38-B8A0-1A8F24\E96DD5A8-BBAC-47BC-9C82-616E70 Object is locked skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\A57298E2-59DD-47EE-A0A7-92EBCF\203A4F02-84F6-41FC-B138-9AAA56 Infected: not-a-virus:AdTool.Win32.MyWebSearch.ao skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\DB584E8F-90E0-4965-AAA8-04D29C\A00E6D7D-139C-4F22-BED8-2828D4 Object is locked skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\E3BFC44C-67BE-4D4D-B43D-B51030\5ED6472E-4078-4B71-9881-F4B597 Object is locked skipped
C:\Program Files\Spyware Doctor\NetworkLayer\InterfaceDLL.txt Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_ALICE.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_ALICE.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_ALICE.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\Temp\125531.exe.vir Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\QooBox\Quarantine\C\WINDOWS\Temp\128734.exe.vir Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\QooBox\Quarantine\C\WINDOWS\Temp\130250.exe.vir Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\QooBox\Quarantine\C\WINDOWS\Temp\154453.exe.vir Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\QooBox\Quarantine\C\WINDOWS\Temp\50736000.exe.vir Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1046\change.log Object is locked skipped
C:\tsqfy.exe Infected: Trojan-Clicker.Win32.Costrat.cz skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\alg.exe.tmp Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\cisvc.exe.tmp Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\WINDOWS\SYSTEM32\clipsrv.exe Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\nkv2.sys Infected: Rootkit.Win32.Agent.abb skipped
C:\WINDOWS\SYSTEM32\imapi.exe Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\WINDOWS\SYSTEM32\locator.exe Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\WINDOWS\SYSTEM32\mnmsrvc.exe Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\WINDOWS\SYSTEM32\msdtc.exe Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\WINDOWS\SYSTEM32\netdde.exe Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\WINDOWS\SYSTEM32\RSVP.EXE Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\WINDOWS\SYSTEM32\scardsvr.exe Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\WINDOWS\SYSTEM32\sessmgr.exe Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\WINDOWS\SYSTEM32\smlogsvc.exe Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\WINDOWS\SYSTEM32\ups.exe Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\WINDOWS\SYSTEM32\vssvc.exe Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\wmiapsrv.exe Infected: Trojan-Downloader.Win32.Agent.hbx skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
cman1010
Active Member
 
Posts: 13
Joined: February 18th, 2008, 4:41 pm

Re: Dell 2400 PC with Malware

Unread postby Katana » February 25th, 2008, 6:07 pm

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    
    File::
    C:\tsqfy.exe
    C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
    C:\WINDOWS\SYSTEM32\alg.exe.tmp
    C:\WINDOWS\SYSTEM32\cisvc.exe.tmp
    C:\WINDOWS\SYSTEM32\clipsrv.exe
    C:\WINDOWS\SYSTEM32\DRIVERS\nkv2.sys
    C:\WINDOWS\SYSTEM32\imapi.exe
    C:\WINDOWS\SYSTEM32\locator.exe
    C:\WINDOWS\SYSTEM32\mnmsrvc.exe
    C:\WINDOWS\SYSTEM32\msdtc.exe
    C:\WINDOWS\SYSTEM32\netdde.exe
    C:\WINDOWS\SYSTEM32\RSVP.EXE
    C:\WINDOWS\SYSTEM32\scardsvr.exe
    C:\WINDOWS\SYSTEM32\sessmgr.exe
    C:\WINDOWS\SYSTEM32\smlogsvc.exe
    C:\WINDOWS\SYSTEM32\ups.exe
    C:\WINDOWS\SYSTEM32\vssvc.exe
    C:\WINDOWS\SYSTEM32\WBEM\wmiapsrv.exe
    C:\Documents and Settings\Buzbee's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc0-6f9a3342.zip
    C:\Documents and Settings\Buzbee's\Local Settings\Temp\msiexec.exe~
    C:\Documents and Settings\Buzbee's\Local Settings\Temp\setup.exe
    C:\Documents and Settings\Buzbee's\Local Settings\Temp\Setup195.exe
    C:\Documents and Settings\Buzbee's\Local Settings\Temp\Tear.exe
    C:\Documents and Settings\Buzbee's\Local Settings\Temporary Internet Files\1239.exe
    C:\Documents and Settings\Buzbee's\Local Settings\Temporary Internet Files\2314.exe
    C:\Documents and Settings\Buzbee's\Local Settings\Temporary Internet Files\wr-1-1000512.exe
    Folder::
    C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW
    C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ENIDAH4R
    C:\Program Files\AWS\WeatherBug
    C:\Program Files\Microsoft AntiSpyware
    
    

  • Save this as CFScript.txt and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Dell 2400 PC with Malware

Unread postby cman1010 » February 26th, 2008, 12:25 am

Katana,
While running the CombFix file - the Dell locked up - so I Hard-booted. Then on the second try it seems to be hung at Completed Stage_3. What to do now?
Thank You,
Cman1010
cman1010
Active Member
 
Posts: 13
Joined: February 18th, 2008, 4:41 pm

Re: Dell 2400 PC with Malware

Unread postby cman1010 » February 26th, 2008, 11:02 am

Well, the Dell is back up, however there's no ComboFix Log, but here is the current HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:59, on 2008-02-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DellSupport-] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/active ... rdtinf.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss ... gctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se4009.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www1.pcpitstop.com/mhLbl.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/ins ... downde.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 6210 bytes
cman1010
Active Member
 
Posts: 13
Joined: February 18th, 2008, 4:41 pm

Re: Dell 2400 PC with Malware

Unread postby Katana » February 26th, 2008, 12:44 pm

Please try this again, lets see if we can get a log this time


Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    
    File::
    C:\tsqfy.exe
    C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
    C:\WINDOWS\SYSTEM32\alg.exe.tmp
    C:\WINDOWS\SYSTEM32\cisvc.exe.tmp
    C:\WINDOWS\SYSTEM32\clipsrv.exe
    C:\WINDOWS\SYSTEM32\DRIVERS\nkv2.sys
    C:\WINDOWS\SYSTEM32\imapi.exe
    C:\WINDOWS\SYSTEM32\locator.exe
    C:\WINDOWS\SYSTEM32\mnmsrvc.exe
    C:\WINDOWS\SYSTEM32\msdtc.exe
    C:\WINDOWS\SYSTEM32\netdde.exe
    C:\WINDOWS\SYSTEM32\RSVP.EXE
    C:\WINDOWS\SYSTEM32\scardsvr.exe
    C:\WINDOWS\SYSTEM32\sessmgr.exe
    C:\WINDOWS\SYSTEM32\smlogsvc.exe
    C:\WINDOWS\SYSTEM32\ups.exe
    C:\WINDOWS\SYSTEM32\vssvc.exe
    C:\WINDOWS\SYSTEM32\WBEM\wmiapsrv.exe
    C:\Documents and Settings\Buzbee's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc0-6f9a3342.zip
    C:\Documents and Settings\Buzbee's\Local Settings\Temp\msiexec.exe~
    C:\Documents and Settings\Buzbee's\Local Settings\Temp\setup.exe
    C:\Documents and Settings\Buzbee's\Local Settings\Temp\Setup195.exe
    C:\Documents and Settings\Buzbee's\Local Settings\Temp\Tear.exe
    C:\Documents and Settings\Buzbee's\Local Settings\Temporary Internet Files\1239.exe
    C:\Documents and Settings\Buzbee's\Local Settings\Temporary Internet Files\2314.exe
    C:\Documents and Settings\Buzbee's\Local Settings\Temporary Internet Files\wr-1-1000512.exe
    Folder::
    C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW
    C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ENIDAH4R
    C:\Program Files\AWS\WeatherBug
    C:\Program Files\Microsoft AntiSpyware
    
    

  • Save this as CFScript.txt and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Dell 2400 PC with Malware

Unread postby cman1010 » February 26th, 2008, 6:07 pm

Here is the latedt ComboFix:
ComboFix 08-02-25.2 - ALICE 2008-02-26 15:22:02.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.208 [GMT -6:00]
Running from: C:\Documents and Settings\ALICE\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ALICE\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Buzbee's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc0-6f9a3342.zip
C:\Documents and Settings\Buzbee's\Local Settings\Temp\msiexec.exe~
C:\Documents and Settings\Buzbee's\Local Settings\Temp\setup.exe
C:\Documents and Settings\Buzbee's\Local Settings\Temp\Setup195.exe
C:\Documents and Settings\Buzbee's\Local Settings\Temp\Tear.exe
C:\Documents and Settings\Buzbee's\Local Settings\Temporary Internet Files\1239.exe
C:\Documents and Settings\Buzbee's\Local Settings\Temporary Internet Files\2314.exe
C:\Documents and Settings\Buzbee's\Local Settings\Temporary Internet Files\wr-1-1000512.exe
C:\tsqfy.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
C:\WINDOWS\SYSTEM32\alg.exe.tmp
C:\WINDOWS\SYSTEM32\cisvc.exe.tmp
C:\WINDOWS\SYSTEM32\clipsrv.exe
C:\WINDOWS\SYSTEM32\DRIVERS\nkv2.sys
C:\WINDOWS\SYSTEM32\imapi.exe
C:\WINDOWS\SYSTEM32\locator.exe
C:\WINDOWS\SYSTEM32\mnmsrvc.exe
C:\WINDOWS\SYSTEM32\msdtc.exe
C:\WINDOWS\SYSTEM32\netdde.exe
C:\WINDOWS\SYSTEM32\RSVP.EXE
C:\WINDOWS\SYSTEM32\scardsvr.exe
C:\WINDOWS\SYSTEM32\sessmgr.exe
C:\WINDOWS\SYSTEM32\smlogsvc.exe
C:\WINDOWS\SYSTEM32\ups.exe
C:\WINDOWS\SYSTEM32\vssvc.exe
C:\WINDOWS\SYSTEM32\WBEM\wmiapsrv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\_;ord=1204033396228857[1]
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\120407_h548e_pinksweater[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\234by60412[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\6CDE404B4BFEC334D023E5422081E0[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\ADSAdClient31[1].htm
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\ADSAdClient31[2].htm
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\ADSAdClient31[3].htm
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\alien[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\B9CA883DF3764A768F91E3E23F939[1].jpg
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\bp.specificclick[1]
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\client_ad[1].htm
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\ebBanner_63_38[1].js
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\ebInteractionTimeV62_12[1].swf
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\F5E4857CECEE2BF8EB6E8FFB406[1].jpg
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\flashwrite_1_2[2].js
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\forum_read[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\icon_cheers[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\icon_confused[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\icon_exclaim[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\icon_flower[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\icon_geek[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\icon_mini_faq[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\icon_mini_members[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\icon_rolleyes[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\perc1[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\px_w[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\rc_c4c3w_se_1[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\spacer[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\ult_ylc_061112[1].js
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\73PV3PCW\y2[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\021908_25x25_pss_dot[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\32E46DE281A68B9C33FC582D2569D[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\86F1396496DFE1BAD68AB5F28409[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\adopt[1].htm
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\btn_2[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\bulb1[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\bullet[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\CA49IVEZ.gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\CA764JR5
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\CAA70DU9.swf
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\CAIR8589.gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\CAL4K3P5.gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\CFScript[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\client_ad[1].htm
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\desktop.ini
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\folderview[2].js
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\forum_home[1].png
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\forum_unread[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\global_061112[1].js
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\hpb[2].js
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\icon_brilsmurf[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\icon_cyclops[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\icon_eek[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\icon_evil[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\icon_monkey[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\icon_mrgreen[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\ieW[2].css
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\index[1].htm
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\posting[1].htm
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\rc_wg2w_ne_1[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\rc_wg2w_nw_1[1].gif
C:\Documents and Settings\ALICE\Local Settings\Temporary Internet Files\Content.IE5\PK0711WX\ucp[1].htm
C:\WINDOWS\SYSTEM32\clipsrv.exe
C:\WINDOWS\SYSTEM32\imapi.exe
C:\WINDOWS\SYSTEM32\locator.exe
C:\WINDOWS\SYSTEM32\mnmsrvc.exe
C:\WINDOWS\SYSTEM32\msdtc.exe
C:\WINDOWS\SYSTEM32\netdde.exe
C:\WINDOWS\SYSTEM32\RSVP.EXE
C:\WINDOWS\SYSTEM32\scardsvr.exe
C:\WINDOWS\SYSTEM32\sessmgr.exe
C:\WINDOWS\SYSTEM32\smlogsvc.exe
C:\WINDOWS\SYSTEM32\ups.exe
C:\WINDOWS\SYSTEM32\vssvc.exe
C:\WINDOWS\SYSTEM32\WBEM\wmiapsrv.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-25 13:34 . 2008-02-25 13:34 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-25 13:34 . 2008-02-25 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-24 15:13 . 2008-02-24 16:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-24 15:13 . 2008-02-24 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-24 15:13 . 2008-02-24 15:13 <DIR> d-------- C:\Documents and Settings\ALICE\Application Data\Malwarebytes
2008-02-18 14:06 . 2008-02-18 14:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-17 14:46 . 2008-02-17 14:51 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-17 14:31 . 2008-02-17 14:31 <DIR> d-------- C:\Program Files\WebCyberCoach
2008-02-17 14:28 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-02-17 14:17 . 2005-07-04 16:03 1,650,688 --a------ C:\WINDOWS\SYSTEM32\qdiagdwc.ocx
2008-02-17 14:17 . 2004-06-15 15:55 7,882 --a------ C:\WINDOWS\SYSTEM32\GTKCMOS.sys
2008-02-17 14:17 . 2005-02-08 12:37 7,626 --a------ C:\WINDOWS\SYSTEM32\GPCIEnum.sys
2008-02-17 14:17 . 2005-02-09 13:08 7,168 --a------ C:\WINDOWS\SYSTEM32\DLPT64.sys
2008-02-17 14:17 . 2004-06-09 09:29 6,977 --a------ C:\WINDOWS\SYSTEM32\DDMI2.sys
2008-02-17 14:17 . 2005-03-13 16:54 6,656 --a------ C:\WINDOWS\SYSTEM32\DLPT2.sys
2008-02-17 14:17 . 2005-02-08 13:04 5,632 --a------ C:\WINDOWS\SYSTEM32\GPCIEn64.sys
2008-02-17 14:17 . 2005-02-08 15:46 5,120 --a------ C:\WINDOWS\SYSTEM32\GTKCMO64.sys
2008-02-17 14:17 . 2005-02-07 19:07 4,608 --a------ C:\WINDOWS\SYSTEM32\DDMI64.sys
2008-02-16 14:26 . 2008-02-16 14:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\Dell
2008-02-16 13:34 . 2008-02-16 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-02-16 13:33 . 2008-02-16 13:34 <DIR> d-------- C:\Program Files\Dell Support Center
2008-02-16 13:33 . 2008-02-16 13:33 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-02-15 22:15 . 2008-02-15 23:15 <DIR> d-------- C:\Program Files\RegCure
2008-02-15 21:43 . 2008-02-15 21:42 23,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TVICHW32.SYS
2008-02-13 14:58 . 2008-02-13 14:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-02-13 14:58 . 2008-02-13 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2008-02-13 14:31 . 2008-02-13 14:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-13 14:31 . 2008-02-13 14:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-11 21:12 . 2008-02-11 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-02-11 21:12 . 2008-02-11 20:51 218,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pctfw2.sys
2008-02-11 20:51 . 2008-02-11 21:12 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-02-08 09:32 . 2008-02-08 09:32 <DIR> d-------- C:\Documents and Settings\ALICE\Application Data\MSN6
2008-02-06 16:53 . 2008-02-06 16:53 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-03 22:17 . 2007-01-18 06:00 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
2008-02-02 00:41 . 2005-06-21 23:43 163,840 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
2008-02-02 00:13 . 2005-06-22 00:04 61,440 --a------ C:\WINDOWS\SYSTEM32\iAlmCoIn_v4342.dll
2008-01-30 05:42 . 2008-01-30 05:42 <DIR> d---s---- C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\UserData
2008-01-29 00:40 . 2008-01-29 01:21 <DIR> d-------- C:\Program Files\Netcom3 Cleaner
2008-01-28 22:08 . 2008-01-28 22:08 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-28 10:15 . 2008-01-28 10:20 <DIR> d-------- C:\Program Files\PCPitstop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 21:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-26 16:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-02-26 14:14 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-26 01:12 --------- d-----w C:\Program Files\AWS
2008-02-21 14:10 --------- d-----w C:\Program Files\Yahoo!
2008-02-21 14:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-02-21 05:06 --------- d-----w C:\Documents and Settings\Buzbee's\Application Data\Yahoo!
2008-02-17 20:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-17 20:31 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-02-17 20:28 --------- d-----w C:\Program Files\Java
2008-02-16 20:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-16 20:45 --------- d-----w C:\Program Files\Dell
2008-02-16 05:59 --------- d-----w C:\Program Files\Google
2008-02-10 01:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-29 00:26 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-28 21:49 --------- d-----w C:\Program Files\Common Files\Real
2008-01-25 08:42 --------- d-----w C:\Program Files\Jbkt
2008-01-25 08:42 --------- d-----w C:\Program Files\Dot1XCfg
2008-01-25 05:24 --------- d-----w C:\Program Files\EA GAMES
2008-01-25 03:19 --------- d-----w C:\Documents and Settings\ALICE\Application Data\PC Tools
2008-01-24 22:50 --------- d-----w C:\Documents and Settings\ALICE\Application Data\Yahoo!
2008-01-22 17:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-22 17:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-01-22 17:32 --------- d-----w C:\Program Files\Internet Explorer Assistant
2007-12-18 09:51 179,584 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mrxdav.sys
2007-12-07 14:37 3,059,200 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-12-06 13:07 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\oleaut32.dll
2006-12-12 16:03 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"DellSupport-"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 23:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 23:44 126976]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 10:43 53248]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12 221184]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 19:15 290816]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-26 01:49 77824]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2004-08-04 01:56 388608]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R1 pctfw2;pctfw2;C:\WINDOWS\SYSTEM32\DRIVERS\pctfw2.sys [2008-02-11 20:51]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []
S0 Jos83;Jos83;C:\WINDOWS\system32\Drivers\Jos83.sys []
S0 Kpt48;Kpt48;C:\WINDOWS\system32\Drivers\Kpt48.sys []
S3 USB2_04;USB2_04 driver;C:\WINDOWS\system32\drivers\nkv2.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-02-26 21:36:27 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-26 21:42:35 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-21 09:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 15:45:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
.
**************************************************************************
.
Completion time: 2008-02-26 15:49:53 - machine was rebooted [ALICE]
ComboFix-quarantined-files.txt 2008-02-26 21:49:44
.
2008-02-24 19:25:51 --- E O F ---

Thanks!
cman1010
Active Member
 
Posts: 13
Joined: February 18th, 2008, 4:41 pm

Re: Dell 2400 PC with Malware

Unread postby Katana » February 26th, 2008, 6:51 pm

Please Re-Run the MalwareBytes tool, and let it fix everything it finds


Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    Folder::
    C:\Program Files\AWS
    C:\Program Files\Jbkt
    C:\Program Files\Dot1XCfg
    Driver::
    Jos83
    Kpt48
    USB2_04
    

  • Save this as CFScript.txt and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



TotalScan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Please go to this site Link >> TotalScan << LINK
  • Under Scan Now click the Full Scan button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.

How are things running now ?


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u4
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The Java Runtime Environment (JRE) 6 update 4 allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 3
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.



Recovery Console
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Image


Download the file & save it as its originally named, next to ComboFix.exe.



Image


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Dell 2400 PC with Malware

Unread postby cman1010 » February 27th, 2008, 12:55 am

Here are the results of the latest ComboFix:

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
cman1010
Active Member
 
Posts: 13
Joined: February 18th, 2008, 4:41 pm

Re: Dell 2400 PC with Malware

Unread postby Katana » February 27th, 2008, 6:17 am

That's fine, you can reboot when ready.

Please proceed with the Total Scan
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 485 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware