
Pls check my log for any problems. Can't install Windows Updates

Discussion in 'Virus & Other Malware Removal' started by Bgormley, Nov 11, 2007.

Thread Status:
Not open for further replies.
  1. Bgormley

    Bgormley Thread Starter

    Joined:
    Jan 6, 2005
    Messages:
    10
    Howdy, I have tried everything I can think of to get Windows Updates to install updates, including trying fixes given on Microsoft forums. One possibility I came across is that my OS or registry could be infected. I ran HJT but am not really knowledgeable, so can someone tell me if things look OK here:

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\DRIVERS\dcfssvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Canon\MultiPASS\mpservic.exe
    C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINNT\system32\lxamsp32.exe
    C:\WINNT\system32\hkcmd.exe
    C:\WINNT\system32\Nkkoto.exe
    C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
    C:\Program Files\LexmarkX63\ACMonitor_X63.exe
    C:\Program Files\Canon\MultiPASS\monitr32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Default\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {B35C0B48-99A2-B90A-A5F4-E33BF40224E0} - C:\WINNT\system32\sqt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {B35C0B48-99A2-B90A-A5F4-E33BF40224E0} - C:\WINNT\system32\sqt.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [version] C:\WINNT\system32\Coxybz.exe
    O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Nkkoto.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
    O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
    O4 - HKCU\..\Run: [zuff] C:\PROGRA~1\COMMON~1\zuff\zuffm.exe
    O4 - HKCU\..\Run: [Csy] C:\WINNT\system32\l?***.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Bdas] C:\Program Files\ubew\ahho.exe
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
    O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
    O4 - Global Startup: Canon MultiPASS Status Monitor.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Qshelf.lnk.disabled
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/oas/ActiveX/MSDcode.cab
    O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://gras.aon.com/vdesk/terminal/InstallerControl.cab
    O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://gras.aon.com/vdesk/terminal/f5InspectionHost.cab#version=6010,2007,0223,0317
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194795949996
    O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} (F5 Virtual Sandbox Class) - https://gras.aon.com/vdesk/terminal/vdeskctrl.cab#Version=6010,2007,0223,0322
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://optionsxpressevents.webex.com/client/T23L/event/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8A84AE32-4265-4D67-B368-88AEC4456FC3}: NameServer = 208.67.222.222,208.67.220.220
    O20 - AppInit_DLLs: C:\WINNT\system32\smss.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
    O23 - Service: MPService - Unknown owner - C:\Program Files\Canon\MultiPASS\mpservic.exe
    O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 7390 bytes
     
  2. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Welcome to TSG :)

    You cut off the top part of your log, please re-post. Thanks.
     
  3. Bgormley

    Bgormley Thread Starter

    Joined:
    Jan 6, 2005
    Messages:
    10
    I thought the top part wasn't important but here is everything that HJT gave me:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:48:45 PM, on 11/11/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\DRIVERS\dcfssvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Canon\MultiPASS\mpservic.exe
    C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINNT\system32\lxamsp32.exe
    C:\WINNT\system32\hkcmd.exe
    C:\WINNT\system32\Nkkoto.exe
    C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
    C:\Program Files\LexmarkX63\ACMonitor_X63.exe
    C:\Program Files\Canon\MultiPASS\monitr32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Default\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {B35C0B48-99A2-B90A-A5F4-E33BF40224E0} - C:\WINNT\system32\sqt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {B35C0B48-99A2-B90A-A5F4-E33BF40224E0} - C:\WINNT\system32\sqt.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [version] C:\WINNT\system32\Coxybz.exe
    O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Nkkoto.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
    O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
    O4 - HKCU\..\Run: [zuff] C:\PROGRA~1\COMMON~1\zuff\zuffm.exe
    O4 - HKCU\..\Run: [Csy] C:\WINNT\system32\l?***.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Bdas] C:\Program Files\ubew\ahho.exe
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
    O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
    O4 - Global Startup: Canon MultiPASS Status Monitor.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Qshelf.lnk.disabled
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/oas/ActiveX/MSDcode.cab
    O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://gras.aon.com/vdesk/terminal/InstallerControl.cab
    O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://gras.aon.com/vdesk/terminal/f5InspectionHost.cab#version=6010,2007,0223,0317
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194795949996
    O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} (F5 Virtual Sandbox Class) - https://gras.aon.com/vdesk/terminal/vdeskctrl.cab#Version=6010,2007,0223,0322
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://optionsxpressevents.webex.com/client/T23L/event/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8A84AE32-4265-4D67-B368-88AEC4456FC3}: NameServer = 208.67.222.222,208.67.220.220
    O20 - AppInit_DLLs: C:\WINNT\system32\smss.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
    O23 - Service: MPService - Unknown owner - C:\Program Files\Canon\MultiPASS\mpservic.exe
    O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 7390 bytes
     
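As an added example (not code from this thread, from HijackThis or from Trend Micro), the Python script below parses a handful of lines copied from the log above and applies the kind of first-pass checks a log reviewer does by hand: an AppInit_DLLs entry, a DLL named after a core system process, browser hooks registered with no display name, the same CLSID registered as both URLSearchHook and BHO, and a Run target whose name contains characters that cannot occur in a valid Windows file name. The `Entry` class, the rule wording and the function names are my own; the sample lines are copied from the posted log.

```python
"""Triage helper for HijackThis (HJT) v2 logs.

Added example for this thread; not part of the forum post and not HijackThis
code. It parses the R3/O2/O3/O4/O20/O23 lines HJT emits and flags the entries
a malware-removal helper would read first. The rules are heuristics, not
verdicts: every hit still needs a person to look at the file.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {B35C0B48-99A2-B90A-A5F4-E33BF40224E0} - C:\WINNT\system32\sqt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B35C0B48-99A2-B90A-A5F4-E33BF40224E0} - C:\WINNT\system32\sqt.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Nkkoto.exe
O4 - HKCU\..\Run: [Csy] C:\WINNT\system32\l?***.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O20 - AppInit_DLLs: C:\WINNT\system32\smss.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# "BHO: Name - {CLSID} - Path"; the CLSID anchors the split so paths with " - " survive
COM_RE = re.compile(r"^(?:URLSearchHook|BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN_RE = re.compile(r"^HK\S*\\Run(?:Once)?: \[([^\]]*)\] (.*)$")
STARTUP_RE = re.compile(r"^Global Startup: (.*?) = (.*)$")
SERVICE_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")
EXE_RE = re.compile(r"(.*?\.(?:exe|dll|ocx|sys|cmd|bat))(?:\s|$)", re.I)

# Process names that malware likes to borrow (smss.dll next to smss.exe, etc.)
CORE_SYSTEM_STEMS = {"smss", "csrss", "winlogon", "services", "lsass", "svchost"}


@dataclass
class Entry:
    code: str            # HJT section code, e.g. "O4"
    raw: str
    name: str = ""
    clsid: str = ""
    path: str = ""
    flags: list = field(default_factory=list)


def _run_target(value):
    """Return the executable part of a Run value, dropping quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    m = EXE_RE.match(value)
    return m.group(1) if m else value


def path_stem(path):
    """Split 'C:\\dir\\smss.dll' into ('smss', 'dll'), lower-cased."""
    base = path.rsplit("\\", 1)[-1]
    if "." not in base:
        return base.lower(), ""
    stem, ext = base.rsplit(".", 1)
    return stem.lower(), ext.lower()


def parse_line(line):
    """Turn one HJT log line into an Entry, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.groups()
    e = Entry(code=code, raw=line.strip())
    if code in ("R3", "O2", "O3"):
        cm = COM_RE.match(rest)
        if cm:
            e.name, e.clsid, e.path = cm.groups()
    elif code == "O4":
        rm, sm = RUN_RE.match(rest), STARTUP_RE.match(rest)
        if rm:
            e.name, e.path = rm.group(1), _run_target(rm.group(2))
        elif sm:
            e.name, e.path = sm.groups()
    elif code == "O20":
        e.name, _, e.path = rest.partition(": ")
    elif code == "O23":
        sv = SERVICE_RE.match(rest)
        if sv:
            e.name, e.path = sv.group(1), sv.group(3)
    return e


def flag_entry(entry):
    """Apply the per-line heuristics; cross-line checks live in triage()."""
    if entry.code == "O20" and entry.path:
        entry.flags.append("AppInit_DLLs loads this DLL into every process that uses user32.dll")
    if entry.code in ("R3", "O2", "O3") and entry.name == "(no name)":
        entry.flags.append("browser hook registered without a display name")
    stem, ext = path_stem(entry.path)
    if stem in CORE_SYSTEM_STEMS and ext != "exe":
        entry.flags.append(f"file name mimics the core system process {stem}.exe")
    if re.search(r"[?*]", entry.path):
        entry.flags.append("path contains characters that are invalid in a Windows file name")


def triage(log_text):
    """Parse every line and attach flags; returns all entries, flagged or not."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    codes_by_clsid = {}
    for e in entries:
        if e.clsid:
            codes_by_clsid.setdefault(e.clsid, set()).add(e.code)
    for e in entries:
        flag_entry(e)
        if e.clsid and {"R3", "O2"} <= codes_by_clsid[e.clsid]:
            e.flags.append("same CLSID registered as both URLSearchHook and BHO")
    return entries


def flagged(entries):
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(triage(SAMPLE_LOG)):
        print(e.raw)
        for f in e.flags:
            print("   !", f)
```

The hits are prompts for a reviewer, not verdicts: Spybot's own SDHelper.dll trips the no-name rule, while Nkkoto.exe sitting under a Run value called "secure" is caught by none of these rules, which is why a helper still reads every O4 line by hand rather than trusting a script.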
  4. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Download Combofix and save it to your desktop.

    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    1. Close any open browsers.

    2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

    --------------------------------------------------------------------
    Please go to Start---> Run---> In the space provided, type "%userprofile%\Desktop\ComboFix.exe"/killall
    & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  5. Bgormley

    Bgormley Thread Starter

    Joined:
    Jan 6, 2005
    Messages:
    10
    Hope they help! Here is Combofix (HJT log is below it):

    ComboFix 07-11-08.3 - Default 11/11/2007 23:07:32.1 - NTFSx86
    Running from: C:\Documents and Settings\Default\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Default\Application Data\YMANTE~1
    C:\Documents and Settings\Default\My Documents\ICROSO~1.NET
    C:\Documents and Settings\Default\My Documents\MCROSO~1.NET
    C:\Documents and Settings\Default\My Documents\PPATCH~1
    C:\Documents and Settings\Default\My Documents\SMANTE~1
    C:\Documents and Settings\Default\My Documents\SSTEM3~1
    C:\Program Files\Common Files\asembl~1
    C:\Program Files\Common Files\dobe~1
    C:\Program Files\Common Files\ecurit~1
    C:\Program Files\Common Files\sks~1
    C:\Program Files\Common Files\sstem3~1
    C:\Program Files\Common Files\sstem3~1\msiexec.exe
    C:\Program Files\Common Files\stem32~1
    C:\Program Files\Common Files\zuff
    C:\Program Files\Common Files\zuff\zuffa.lck
    C:\Program Files\Common Files\zuff\zuffd\class-barrel
    C:\Program Files\Common Files\zuff\zuffd\vocabulary
    C:\Program Files\Common Files\zuff\zuffh
    C:\Program Files\Common Files\zuff\zuffl.lck
    C:\Program Files\Common Files\zuff\zuffm.lck
    C:\Program Files\Common Files\zuff\zuffp.exe
    C:\Program Files\Common Files\zuff\zuffp.lck
    C:\Program Files\sks~1
    C:\Program Files\wnsxs~1
    C:\WINNT\crosof~1.net
    C:\WINNT\mcroso~1.net
    C:\WINNT\sstem3~1
    C:\WINNT\stem~1
    C:\WINNT\system32\smss.dll
    C:\WINNT\system32\tsks~1
    C:\WINNT\system32\wnscpcc.exe
    C:\WINNT\zuff
    C:\WINNT\zuff\wu
    C:\WINNT\zuff\zuff.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\nm


    ((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
    .

    2007-11-11 23:12 16,384 C:\WINNT\system32\Perflib_Perfdata_49c.dat
    2007-11-11 23:07 51,200 --a------ C:\WINNT\NirCmd.exe
    2007-11-11 13:00 557 --a------ C:\Documents and Settings\Default\SensLogn.reg
    2007-11-11 12:02 4,015 --a------ C:\fix.reg
    2007-11-09 14:04 <DIR> d-------- C:\WINNT\system32\DealHelper
    2007-11-06 16:28 26,944 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
    2007-11-06 16:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-05 10:59 <DIR> d-------- C:\Program Files\Java
    2007-11-05 10:55 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-10-29 16:09 <DIR> d-------- C:\Documents and Settings\Default\Application Data\AVG7
    2007-10-29 16:08 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\AVG7
    2007-10-29 16:08 499,712 --a------ C:\WINNT\system32\msvcp71.dll
    2007-10-29 16:08 348,160 --a------ C:\WINNT\system32\msvcr71.dll
    2007-10-29 16:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\avg7
    2007-10-29 13:17 <DIR> d-------- C:\Program Files\F5

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-11 19:22 --------- d-----w C:\Program Files\Symantec
    2007-11-11 19:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-11-11 19:16 --------- d-----w C:\Program Files\Norton SystemWorks
    2007-11-11 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2007-11-05 16:06 51,392 ----a-w C:\WINNT\system32\drivers\atnt40k.sys
    2003-04-09 16:27 271 ---h--w C:\Program Files\desktop.ini
    2003-04-09 16:27 21,952 ---h--w C:\Program Files\folder.htt
    2001-05-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
    2006-06-29 15:15:21 0 --sha-w C:\WINNT\system32\l?***.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B35C0B48-99A2-B90A-A5F4-E33BF40224E0}]
    06-02-14 14:05 139264 --a------ C:\WINNT\system32\sqt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
    "CookieWall"="C:\Program Files\AnalogX\CookieWall\cookie.exe" [03-06-02 16:58 ]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05-02-12 12:07 ]
    "SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [04-11-02 15:59 ]
    "RegistryMechanic"="" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11 ]
    "PrinTray"="C:\WINNT\system32\spool\DRIVERS\W32X86\3\printray.exe" [01-10-21 16:54 ]
    "LexStart"="" []
    "lxamsp32.exe"="lxamsp32.exe" [01-10-21 19:12 C:\WINNT\system32\lxamsp32.exe]
    "IgfxTray"="C:\WINNT\system32\igfxtray.exe" [02-07-17 07:59 ]
    "HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [02-07-17 07:45 ]
    "version"="C:\WINNT\system32\Coxybz.exe" [05-07-06 06:05 ]
    "secure"="C:\WINNT\system32\Nkkoto.exe" [05-07-06 06:05 ]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [07-11-06 16:27 ]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe" [03-02-06 10:30 ]
    "Forbes"="C:\Program Files\Forbes\ForbesAlerts.exe" []
    "Csy"="C:\WINNT\system32\l?***.exe" [04-12-19 17:30 ]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05-05-31 00:04 ]
    "Bdas"="C:\Program Files\ubew\ahho.exe" []

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    AcBtnMgr_X63.exe.lnk - C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe [2001-06-06 15:03:10]
    ACMonitor_X63.exe.lnk - C:\Program Files\LexmarkX63\ACMonitor_X63.exe [2001-06-06 15:02:28]
    Canon MultiPASS Status Monitor.lnk - C:\Program Files\Canon\MultiPASS\monitr32.exe [2003-04-10 20:10:50]
    Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-10 23:00:00]
    Qshelf.lnk.disabled [2003-04-17 21:30:58]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"= C:\WINNT\system32\smss.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "secure"=C:\WINNT\system32\Nkkoto.exe

    R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys
    R2 cis1284;cis1284;\??\C:\WINNT\System32\drivers\cis1284.sys
    R2 ptssvc;ptssvc;C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
    R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys

    *Newly Created Service* - IPNAT
    *Newly Created Service* - RASAUTO
    *Newly Created Service* - SHAREDACCESS
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-01 13:03:32 C:\WINNT\Tasks\Disk Cleanup.job"
    - C:\WINNT\System32\cleanmgr.exe
    "2007-11-12 03:37:15 C:\WINNT\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-11 23:12:46
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-11 23:14:17 - machine was rebooted
    .
    --- E O F ---


    Here is Hijack This log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:20:17 PM, on 11/11/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\DRIVERS\dcfssvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINNT\system32\lxamsp32.exe
    C:\WINNT\system32\hkcmd.exe
    C:\WINNT\system32\Nkkoto.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
    C:\Program Files\LexmarkX63\ACMonitor_X63.exe
    C:\WINNT\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Default\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {B35C0B48-99A2-B90A-A5F4-E33BF40224E0} - C:\WINNT\system32\sqt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {B35C0B48-99A2-B90A-A5F4-E33BF40224E0} - C:\WINNT\system32\sqt.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [version] C:\WINNT\system32\Coxybz.exe
    O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Nkkoto.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
    O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
    O4 - HKCU\..\Run: [Csy] C:\WINNT\system32\l?***.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Bdas] C:\Program Files\ubew\ahho.exe
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
    O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
    O4 - Global Startup: Canon MultiPASS Status Monitor.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Qshelf.lnk.disabled
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/oas/ActiveX/MSDcode.cab
    O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://gras.aon.com/vdesk/terminal/InstallerControl.cab
    O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://gras.aon.com/vdesk/terminal/f5InspectionHost.cab#version=6010,2007,0223,0317
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194795949996
    O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} (F5 Virtual Sandbox Class) - https://gras.aon.com/vdesk/terminal/vdeskctrl.cab#Version=6010,2007,0223,0322
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://optionsxpressevents.webex.com/client/T23L/event/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8A84AE32-4265-4D67-B368-88AEC4456FC3}: NameServer = 208.67.222.222,208.67.220.220
    O20 - AppInit_DLLs: C:\WINNT\system32\smss.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
    O23 - Service: MPService - Unknown owner - C:\Program Files\Canon\MultiPASS\mpservic.exe
    O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 7396 bytes
     
  6. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Download the attached file CFScript.txt to your Desktop



    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at "C:\ComboFix.txt"

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



    Note: Please do not use this script on another computer, you may damage the system. The script is made especially for this computer only!!!!

    ====================================

    Please download and install SUPERAntiSpyware
    • Load SUPERAntiSpyware and click the Check for Updates button.
    • Once the update has finished, exit SUPERAntiSpyware. Please do NOT run a scan yet!

    IMPORTANT: Do NOT open any other windows or programs while SUPERAntiSpyware is scanning, it may interfere with the scanning process.
    • Open SUPERAntiSpyware and click the Scan your Computer button.
    • Check Perform Complete Scan and then click Next.
    • SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found.
    • Make sure that they all have a check next to them, and then click Next.
    • Click Finish and you will be taken back to the main interface.
    • It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
    • I'll need a log afterwards of what has been found.
    • To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
    • Please post the results of the SUPERAntiSpyware log in your next reply.
     

Short URL to this thread: https://techguy.org/650658