1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Not sure what is going on need help

Discussion in 'Virus & Other Malware Removal' started by emoorehead, Mar 31, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. emoorehead

    emoorehead Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    60
    My computer is running super slow and my background screen has changed. I have run combofix and HJT. Here are the logs. Any help is greatly appreciated.


    COMBOFIX LOG

    "Ron Carbo" - 2008-03-31 16:48:53 - ComboFix 07-07-17.8 - Service Pack 2 FAT32


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\RONCAR~1\Desktop\internet.lnk
    C:\Program Files\seekmo
    C:\Program Files\seekmo\seekmohook.dll
    C:\WINDOWS\180ax.exe
    C:\WINDOWS\2020search.dll
    C:\WINDOWS\2020search2.dll
    C:\WINDOWS\bjam.dll
    C:\WINDOWS\bokja.exe
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\mssvr.exe
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\salm.exe
    C:\WINDOWS\stcloader.exe
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\system32\msixu.dll
    C:\WINDOWS\system32\wer8274.dll
    C:\WINDOWS\temp\salm.exe
    C:\WINDOWS\updatetc.exe
    C:\WINDOWS\voiceip.dll


    ((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))


    2008-03-31 17:00 8,448 --a------ C:\WINDOWS\2020search.dll
    2008-03-31 17:00 32,512 --a------ C:\WINDOWS\salm.exe
    2008-03-31 17:00 32,512 --a------ C:\WINDOWS\mssvr.exe
    2008-03-31 17:00 32,512 --a------ C:\WINDOWS\180ax.exe
    2008-03-31 17:00 29,696 --a------ C:\WINDOWS\bokja.exe
    2008-03-31 17:00 23,296 --a------ C:\WINDOWS\saiemod.dll
    2008-03-31 17:00 23,040 --a------ C:\WINDOWS\system32\WER8274.DLL
    2008-03-31 17:00 20,736 --a------ C:\WINDOWS\stcloader.exe
    2008-03-31 17:00 20,480 --a------ C:\WINDOWS\2020search2.dll
    2008-03-31 17:00 19,712 --a------ C:\WINDOWS\swin32.dll
    2008-03-31 17:00 12,800 --a------ C:\WINDOWS\system32\MSIXU.DLL
    2008-03-31 17:00 12,800 --a------ C:\WINDOWS\mspphe.dll
    2008-03-31 17:00 12,288 --a------ C:\WINDOWS\voiceip.dll
    2008-03-31 17:00 12,288 --a------ C:\WINDOWS\bjam.dll
    2008-03-31 17:00 10,240 --a------ C:\WINDOWS\cdsm32.dll
    2008-03-31 17:00 <DIR> d-------- C:\Program Files\seekmo
    2008-03-31 16:36 51,200 --a------ C:\WINDOWS\nircmd.exe
    2008-03-31 16:15 <DIR> d--hs---- C:\FOUND.044
    2008-03-31 14:56 9,728 --a------ C:\WINDOWS\updatetc.exe
    2008-03-31 14:56 11,264 --a------ C:\WINDOWS\system32\SIPSPI32.dll
    2008-03-31 14:46 <DIR> d-------- C:\Program Files\zango
    2008-03-31 14:46 <DIR> d-------- C:\Program Files\180solutions
    2008-03-31 14:46 <DIR> d-------- C:\Program Files\180searchassistant
    2008-03-31 14:46 <DIR> d-------- C:\Program Files\180search assistant
    2008-03-31 14:45 19,200 --a------ C:\WINDOWS\apphelp32.dll
    2008-03-31 14:45 <DIR> d-------- C:\WINDOWS\FLEOK
    2008-03-31 10:38 <DIR> d-------- C:\Program Files\Norton SystemWorks
    2008-03-31 10:22 87,768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2008-03-31 10:22 108,168 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-03-31 09:59 <DIR> d-------- C:\Program Files\SpyMaxx
    2008-03-31 08:47 22,272 --a------ C:\WINDOWS\system32\shdocpe.dll
    2008-03-31 08:47 14,080 --a------ C:\WINDOWS\system32\ntnut32.exe
    2008-03-30 20:38 8,448 --a------ C:\WINDOWS\msapasrc.dll
    2008-03-30 20:38 8,192 --a------ C:\WINDOWS\ati2dvaa32.dll
    2008-03-30 20:38 32,512 --a------ C:\WINDOWS\browserad.dll
    2008-03-30 20:38 30,976 --a------ C:\WINDOWS\shdocpl.dll
    2008-03-30 20:38 28,672 --a------ C:\WINDOWS\winsb.dll
    2008-03-30 20:38 27,648 --a------ C:\WINDOWS\changeurl_30.dll
    2008-03-30 20:38 27,648 --a------ C:\WINDOWS\audiosrv32.dll
    2008-03-30 20:38 22,272 --a------ C:\WINDOWS\msa64chk.dll
    2008-03-30 20:38 21,760 --a------ C:\WINDOWS\avifile32.dll
    2008-03-30 20:38 21,248 --a------ C:\WINDOWS\asferror32.dll
    2008-03-30 20:38 20,480 --a------ C:\WINDOWS\ati2dvag32.dll
    2008-03-30 20:38 19,456 --a------ C:\WINDOWS\ntnut.exe
    2008-03-30 20:38 16,640 --a------ C:\WINDOWS\autodisc32.dll
    2008-03-30 20:38 15,616 --a------ C:\WINDOWS\avisynthex32.dll
    2008-03-30 20:38 14,080 --a------ C:\WINDOWS\aviwrap32.dll
    2008-03-30 20:38 12,288 --a------ C:\WINDOWS\asycfilt32.dll
    2008-03-30 20:38 11,776 --a------ C:\WINDOWS\system32\MSNSA32.dll
    2008-03-30 20:38 11,008 --a------ C:\WINDOWS\shdocpe.dll
    2008-03-30 20:38 10,240 --a------ C:\WINDOWS\athprxy32.dll
    2008-03-30 20:38 <DIR> d-------- C:\Program Files\Sysmnt
    2008-03-30 20:38 <DIR> d-------- C:\Program Files\stc
    2008-03-30 19:58 90,537 --a------ C:\WINDOWS\system32\sbwltbxa.exe
    2008-03-28 16:12 <DIR> d--hs---- C:\FOUND.043
    2008-03-14 21:30 <DIR> d--hs---- C:\FOUND.042
    2008-03-14 21:15 <DIR> d-------- C:\Program Files\iPod
    2008-03-14 21:14 <DIR> d-------- C:\Program Files\iTunes
    2008-03-13 13:04 <DIR> d--hs---- C:\FOUND.041
    2008-03-12 14:23 <DIR> d--hs---- C:\FOUND.040
    2008-03-12 13:23 <DIR> d--hs---- C:\FOUND.039
    2008-03-09 15:08 <DIR> d--hs---- C:\FOUND.038
    2008-03-06 12:44 <DIR> d--hs---- C:\FOUND.037
    2008-02-27 09:53 <DIR> d--hs---- C:\FOUND.036
    2008-02-22 10:38 <DIR> d--hs---- C:\FOUND.035
    2008-02-18 23:10 <DIR> d--hs---- C:\FOUND.034
    2008-02-15 01:15 <DIR> d--hs---- C:\FOUND.033
    2008-02-12 18:11 <DIR> d-------- C:\WINDOWS\CSC
    2008-02-11 10:11 <DIR> d--hs---- C:\FOUND.032
    2008-02-05 19:40 <DIR> d--hs---- C:\FOUND.031
    2008-02-05 19:00 <DIR> d--hs---- C:\FOUND.030
    2008-02-01 18:08 <DIR> d-------- C:\Program Files\Bonjour


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2008-03-26 17:16:56 256 ----a-w C:\WINDOWS\system32\pool.bin


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    2006-10-26 10:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}]
    2006-11-07 13:21 1821184 --a------ C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
    2006-10-31 15:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}]
    2006-08-01 15:27 825528 --a------ C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2008-02-22 04:25 509328 --a------ C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar3.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
    2003-05-15 01:03 147456 --a------ C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    2008-01-14 16:25 323568 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}]
    2006-08-01 15:23 850104 --a------ C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
    "PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 18:28]
    "DW4"="" []
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 22:22]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-01-19 12:49]
    "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40]
    "Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2007-09-10 13:40]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

    C:\DOCUME~1\RONCAR~1\STARTM~1\Programs\Startup
    HotSync Manager.lnk - C:\Program Files\palmOne\HOTSYNC.EXE [2004-04-13 17:03:10]
    Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 12:57:16]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56]
    Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-02 21:00:36]
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 22:37:56]
    Norton GoBack.lnk - C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe [2005-10-03 11:30:12]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoViewOnDrive"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,"


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    AutoRun\command- E:\NCDSTART.EXE


    **************************************************************************

    catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-31 17:02:03
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden registry entries ...

    disk error: C:\WINDOWS\system32\config\software
    disk error: C:\Documents and Settings\RONCAR~1\ntuser.dat
    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2008-03-31 17:06:56
    C:\ComboFix-quarantined-files.txt ... 2008-03-31 17:06

    --- E O F ---

    HJT

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:09:12 PM, on 3/31/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\sbwltbxa.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\SYSTEM32\USRshutA.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
    C:\Program Files\palmOne\HOTSYNC.EXE
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWSabout.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1199347164343
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 11059 bytes
     
  2. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, emoorehead :)

    Welcome.

    You are using a very old copy of Combofix. Please remove this copy and download the latest version as follows:

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      -----------------------------------------------------------​
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
        -----------------------------------------------------------​
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      -----------------------------------------------------------​
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
     
  3. emoorehead

    emoorehead Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    60
    I downloaded the new version of combofix, here is the log:
    ComboFix 08-03-30.5 - Ron Carbo 2008-04-01 12:26:17.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.101 [GMT -5:00]
    Running from: C:\Documents and Settings\Ron Carbo\Local Settings\Temporary Internet Files\Content.IE5\V25C9OQG\ComboFix[1].exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\seekmo
    C:\Program Files\seekmo\seekmohook.dll
    C:\WINDOWS\180ax.exe
    C:\WINDOWS\2020search.dll
    C:\WINDOWS\2020search2.dll
    C:\WINDOWS\bjam.dll
    C:\WINDOWS\bokja.exe
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\default.htm
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\mssvr.exe
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\salm.exe
    C:\WINDOWS\stcloader.exe
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\system32\msixu.dll
    C:\WINDOWS\system32\wer8274.dll
    C:\WINDOWS\TEMP\salm.exe
    C:\WINDOWS\updatetc.exe
    C:\WINDOWS\voiceip.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
    .

    2008-04-01 12:38 . 2008-04-01 12:38 <DIR> d-------- C:\Program Files\seekmo
    2008-04-01 03:42 . 2008-04-01 03:42 <DIR> d-------- C:\WINDOWS\FLEOK
    2008-04-01 03:42 . 2008-04-01 03:42 <DIR> d-------- C:\Program Files\zango
    2008-04-01 03:42 . 2008-04-01 03:42 <DIR> d-------- C:\Program Files\180solutions
    2008-04-01 03:42 . 2008-04-01 03:42 <DIR> d-------- C:\Program Files\180searchassistant
    2008-04-01 03:42 . 2008-04-01 03:42 <DIR> d-------- C:\Program Files\180search assistant
    2008-04-01 03:42 . 2008-04-01 03:42 27,136 --a------ C:\WINDOWS\system32\SIPSPI32.dll
    2008-04-01 03:42 . 2008-04-01 03:42 26,880 --a------ C:\WINDOWS\apphelp32.dll
    2008-04-01 03:42 . 2008-04-01 03:42 22,272 --a------ C:\WINDOWS\system32\shdocpe.dll
    2008-04-01 03:42 . 2008-04-01 03:42 8,192 --a------ C:\WINDOWS\system32\ntnut32.exe
    2008-03-31 17:08 . 2008-03-31 17:08 <DIR> d-------- C:\Program Files\Trend Micro
    2008-03-31 16:36 . 2008-03-31 16:36 <DIR> d-------- C:\ComboFix
    2008-03-31 16:15 . 2008-03-31 16:15 <DIR> d--hs---- C:\FOUND.044
    2008-03-31 10:38 . 2008-03-31 10:38 <DIR> d-------- C:\Program Files\Norton SystemWorks
    2008-03-31 10:22 . 2005-09-17 02:20 108,168 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-03-31 10:22 . 2005-09-17 02:20 87,768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2008-03-31 09:59 . 2008-03-31 09:59 <DIR> d-------- C:\Program Files\SpyMaxx
    2008-03-30 20:38 . 2008-03-30 20:38 <DIR> d-------- C:\Program Files\Sysmnt
    2008-03-30 20:38 . 2008-03-30 20:38 <DIR> d-------- C:\Program Files\stc
    2008-03-30 19:58 . 2008-03-30 19:58 90,537 --a------ C:\WINDOWS\system32\sbwltbxa.exe
    2008-03-28 16:12 . 2008-03-28 16:12 <DIR> d--hs---- C:\FOUND.043
    2008-03-14 21:30 . 2008-03-14 21:30 <DIR> d--hs---- C:\FOUND.042
    2008-03-14 21:15 . 2008-03-14 21:15 <DIR> d-------- C:\Program Files\iPod
    2008-03-14 21:14 . 2008-03-14 21:14 <DIR> d-------- C:\Program Files\iTunes
    2008-03-13 13:04 . 2008-03-13 13:04 <DIR> d--hs---- C:\FOUND.041
    2008-03-12 14:23 . 2008-03-12 14:23 <DIR> d--hs---- C:\FOUND.040
    2008-03-12 13:23 . 2008-03-12 13:23 <DIR> d--hs---- C:\FOUND.039
    2008-03-09 15:08 . 2008-03-09 15:08 <DIR> d--hs---- C:\FOUND.038
    2008-03-06 12:44 . 2008-03-06 12:44 <DIR> d--hs---- C:\FOUND.037

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-31 01:38 8,448 ----a-w C:\WINDOWS\msapasrc.dll
    2008-02-01 23:08 --------- d-----w C:\Program Files\Bonjour
    2008-01-11 04:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    2008-01-08 16:57 90,112 ----a-w C:\WINDOWS\DUMPe059.tmp
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
    "PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 18:28 212992]
    "DW4"="" []
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 22:22 68856]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-01-19 12:49 4670968]
    "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]
    "Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2007-09-10 13:40 2115728]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2007-09-10 13:40 2115728]

    C:\Documents and Settings\Ron Carbo\Start Menu\Programs\Startup\
    HotSync Manager.lnk - C:\Program Files\palmOne\HOTSYNC.EXE [2004-04-13 17:03:10 299008]
    Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 12:57:16 2913584]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56 65588]
    Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-02 21:00:36 113664]
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 22:37:56 217194]
    Norton GoBack.lnk - C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe [2005-10-03 11:30:12 857728]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoViewOnDrive"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 13:28]
    S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 13:47]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\NCDSTART.EXE

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-01 12:41:37
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
    "ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
    .
    Completion time: 2008-04-01 12:46:38
    ComboFix2.txt 2008-03-31 22:06:58
    ComboFix-quarantined-files.txt 2008-04-01 17:46:28
    Pre-Run: 5,530,681,344 bytes free
    Post-Run: 5,518,557,184 bytes free
    .
    2008-03-21 05:55:03 --- E O F ---

    Also the new HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:57:04 PM, on 4/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\sbwltbxa.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
    C:\Program Files\palmOne\HOTSYNC.EXE
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWSabout.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1199347164343
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 10511 bytes
     
  4. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi emoorehead :)

    • Copy the entire contents of the Quote Box below to Notepad.
    • Name the file as CFScript.txt
    • Change the Save as Type to All Files
    • and Save it on the desktop
    Code:
    File::
    C:\WINDOWS\2020search.dll  
    C:\WINDOWS\salm.exe  
    C:\WINDOWS\mssvr.exe  
    C:\WINDOWS\180ax.exe  
    C:\WINDOWS\bokja.exe  
    C:\WINDOWS\saiemod.dll  
    C:\WINDOWS\system32\WER8274.DLL  
    C:\WINDOWS\stcloader.exe  
    C:\WINDOWS\2020search2.dll  
    C:\WINDOWS\swin32.dll  
    C:\WINDOWS\system32\MSIXU.DLL  
    C:\WINDOWS\mspphe.dll  
    C:\WINDOWS\voiceip.dll  
    C:\WINDOWS\bjam.dll  
    C:\WINDOWS\cdsm32.dll  
    C:\WINDOWS\apphelp32.dll  
    C:\WINDOWS\updatetc.exe  
    C:\WINDOWS\system32\SIPSPI32.dll  
    C:\WINDOWS\system32\shdocpe.dll  
    C:\WINDOWS\system32\ntnut32.exe  
    C:\WINDOWS\msapasrc.dll  
    C:\WINDOWS\ati2dvaa32.dll  
    C:\WINDOWS\browserad.dll  
    C:\WINDOWS\shdocpl.dll  
    C:\WINDOWS\winsb.dll  
    C:\WINDOWS\changeurl_30.dll  
    C:\WINDOWS\audiosrv32.dll  
    C:\WINDOWS\msa64chk.dll  
    C:\WINDOWS\avifile32.dll  
    C:\WINDOWS\asferror32.dll  
    C:\WINDOWS\ati2dvag32.dll  
    C:\WINDOWS\ntnut.exe  
    C:\WINDOWS\autodisc32.dll  
    C:\WINDOWS\avisynthex32.dll  
    C:\WINDOWS\aviwrap32.dll  
    C:\WINDOWS\asycfilt32.dll  
    C:\WINDOWS\system32\MSNSA32.dll  
    C:\WINDOWS\shdocpe.dll  
    C:\WINDOWS\athprxy32.dll  
    C:\WINDOWS\system32\sbwltbxa.exe  
    
    Folder::
    C:\Program Files\seekmo 
    C:\Program Files\zango 
    C:\Program Files\180solutions 
    C:\Program Files\180searchassistant 
    C:\Program Files\180search assistant
    C:\WINDOWS\FLEOK  
    C:\Program Files\Sysmnt 
    C:\Program Files\stc 
    C:\Program Files\SpyMaxx 
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoViewOnDrive"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\WINDOWS\system32\userinit.exe,"
    
    [​IMG]

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log..
     
  5. emoorehead

    emoorehead Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    60
    here are the new results:

    ComboFix

    ComboFix 08-03-30.5 - Ron Carbo 2008-04-01 23:21:52.2 - FAT32x86
    Running from: C:\Documents and Settings\Ron Carbo\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\seekmo
    C:\Program Files\seekmo\seekmohook.dll
    C:\WINDOWS\180ax.exe
    C:\WINDOWS\2020search.dll
    C:\WINDOWS\2020search2.dll
    C:\WINDOWS\bjam.dll
    C:\WINDOWS\bokja.exe
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\default.htm
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\mssvr.exe
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\salm.exe
    C:\WINDOWS\stcloader.exe
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\system32\msixu.dll
    C:\WINDOWS\system32\wer8274.dll
    C:\WINDOWS\TEMP\salm.exe
    C:\WINDOWS\updatetc.exe
    C:\WINDOWS\voiceip.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
    .

    2008-04-01 23:44 . 2008-04-01 23:44 <DIR> d-------- C:\Program Files\seekmo
    2008-04-01 22:22 . 2008-04-01 22:33 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2008-04-01 22:22 . 2008-04-01 22:33 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2008-04-01 17:46 . 2008-04-01 17:46 <DIR> d-------- C:\WINDOWS\FLEOK
    2008-04-01 17:46 . 2008-04-01 17:46 <DIR> d-------- C:\Program Files\zango
    2008-04-01 17:46 . 2008-04-01 17:46 <DIR> d-------- C:\Program Files\180solutions
    2008-04-01 17:46 . 2008-04-01 17:46 <DIR> d-------- C:\Program Files\180searchassistant
    2008-04-01 17:46 . 2008-04-01 17:46 <DIR> d-------- C:\Program Files\180search assistant
    2008-04-01 17:46 . 2008-04-01 17:46 28,416 --a------ C:\WINDOWS\system32\shdocpe.dll
    2008-04-01 17:46 . 2008-04-01 17:46 24,832 --a------ C:\WINDOWS\system32\SIPSPI32.dll
    2008-04-01 17:46 . 2008-04-01 17:46 21,248 --a------ C:\WINDOWS\apphelp32.dll
    2008-04-01 17:46 . 2008-04-01 17:46 17,920 --a------ C:\WINDOWS\system32\ntnut32.exe
    2008-03-31 17:08 . 2008-03-31 17:08 <DIR> d-------- C:\Program Files\Trend Micro
    2008-03-31 16:15 . 2008-03-31 16:15 <DIR> d--hs---- C:\FOUND.044
    2008-03-31 10:38 . 2008-03-31 10:38 <DIR> d-------- C:\Program Files\Norton SystemWorks
    2008-03-31 10:22 . 2008-04-01 22:33 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-03-31 10:22 . 2008-04-01 22:33 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2008-03-31 09:59 . 2008-03-31 09:59 <DIR> d-------- C:\Program Files\SpyMaxx
    2008-03-30 20:38 . 2008-03-30 20:38 <DIR> d-------- C:\Program Files\Sysmnt
    2008-03-30 20:38 . 2008-03-30 20:38 <DIR> d-------- C:\Program Files\stc
    2008-03-30 19:58 . 2008-03-30 19:58 90,537 --a------ C:\WINDOWS\system32\sbwltbxa.exe
    2008-03-28 16:12 . 2008-03-28 16:12 <DIR> d--hs---- C:\FOUND.043
    2008-03-14 21:30 . 2008-03-14 21:30 <DIR> d--hs---- C:\FOUND.042
    2008-03-14 21:15 . 2008-03-14 21:15 <DIR> d-------- C:\Program Files\iPod
    2008-03-14 21:14 . 2008-03-14 21:14 <DIR> d-------- C:\Program Files\iTunes
    2008-03-13 13:04 . 2008-03-13 13:04 <DIR> d--hs---- C:\FOUND.041
    2008-03-12 14:23 . 2008-03-12 14:23 <DIR> d--hs---- C:\FOUND.040
    2008-03-12 13:23 . 2008-03-12 13:23 <DIR> d--hs---- C:\FOUND.039
    2008-03-09 15:08 . 2008-03-09 15:08 <DIR> d--hs---- C:\FOUND.038
    2008-03-06 12:44 . 2008-03-06 12:44 <DIR> d--hs---- C:\FOUND.037

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-02 04:43 9,472 ----a-w C:\WINDOWS\2020search2.dll
    2008-04-02 04:43 30,976 ----a-w C:\WINDOWS\mspphe.dll
    2008-04-02 04:43 28,928 ----a-w C:\WINDOWS\cdsm32.dll
    2008-04-02 04:43 27,136 ----a-w C:\WINDOWS\voiceip.dll
    2008-04-02 04:43 24,832 ----a-w C:\WINDOWS\stcloader.exe
    2008-04-02 04:43 16,640 ----a-w C:\WINDOWS\mssvr.exe
    2008-04-02 04:43 13,568 ----a-w C:\WINDOWS\bjam.dll
    2008-04-02 04:43 13,568 ----a-w C:\WINDOWS\2020search.dll
    2008-04-02 04:43 11,520 ----a-w C:\WINDOWS\bokja.exe
    2008-04-02 04:43 11,264 ----a-w C:\WINDOWS\swin32.dll
    2008-04-02 04:42 29,696 ----a-w C:\WINDOWS\saiemod.dll
    2008-04-02 04:42 26,880 ----a-w C:\WINDOWS\system32\WER8274.DLL
    2008-04-02 04:42 25,856 ----a-w C:\WINDOWS\updatetc.exe
    2008-04-02 04:42 21,248 ----a-w C:\WINDOWS\salm.exe
    2008-04-02 04:42 16,384 ----a-w C:\WINDOWS\180ax.exe
    2008-04-02 04:42 11,776 ----a-w C:\WINDOWS\system32\MSIXU.DLL
    2008-01-11 04:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    2008-01-08 16:57 90,112 ----a-w C:\WINDOWS\DUMPe059.tmp
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
    "PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 18:28 212992]
    "DW4"="" []
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 22:22 68856]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-01-19 12:49 4670968]
    "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]
    "Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2007-09-10 13:40 2115728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 02:27 52848]
    "Norton Ghost 10.0"="C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe" [2005-09-14 17:43 1537648]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2007-09-10 13:40 2115728]

    C:\Documents and Settings\Ron Carbo\Start Menu\Programs\Startup\
    HotSync Manager.lnk - C:\Program Files\palmOne\HOTSYNC.EXE [2004-04-13 17:03:10 299008]
    Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 12:57:16 2913584]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56 65588]
    Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-02 21:00:36 113664]
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 22:37:56 217194]
    Norton GoBack.lnk - C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe [2005-10-03 11:30:12 857728]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoViewOnDrive"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 13:28]
    S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 13:47]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\NCDSTART.EXE

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-01 23:41:04 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
    - C:\Program Files\Norton SystemWorks\OBC.exe
    "2008-04-02 03:43:42 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    "2008-04-01 23:41:28 C:\WINDOWS\Tasks\Symantec Drmc.job"
    - C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
    "2008-04-02 00:10:12 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Ron Carbo.job"
    - C:\PROGRA~1\NORTON~1\NORTON~2\Navw32.exeh/TASK:
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-01 23:46:10
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EraserUtilDrvI4]
    "ImagePath"="\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI4.sys"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
    "ImagePath"="\??\C:\WINDOWS\TEMP\mc22.tmp"
    .
    Completion time: 2008-04-01 23:52:11
    ComboFix3.txt 2008-03-31 22:06:58
    ComboFix-quarantined-files.txt 2008-04-02 04:51:46
    ComboFix2.txt 2008-04-01 17:46:44
    Pre-Run: 5,053,284,352 bytes free
    Post-Run: 5,088,772,096 bytes free
    .
    2008-03-21 05:55:03 --- E O F ---

    HJT

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:30:06 AM, on 4/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\sbwltbxa.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\VProSvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\palmOne\HOTSYNC.EXE
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWSabout.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
    O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1199347164343
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
    O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 13720 bytes

    Thanks
     
  6. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, emoorehead :)

    The log doesn't show it came from the script created. Lets try this again.

    Remove the CFscript.txt from your desktop.

    Download the enclosed file. It is another CFScript.txt. Save it next to Combofix.

    [​IMG]

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log..
     

    Attached Files:

  7. emoorehead

    emoorehead Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    60
    ComboFix 08-03-30.5 - Ron Carbo 2008-04-02 21:03:29.1 - FAT32x86
    Running from: C:\Documents and Settings\Ron Carbo\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Ron Carbo\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\180ax.exe
    C:\WINDOWS\2020search.dll
    C:\WINDOWS\2020search2.dll
    C:\WINDOWS\apphelp32.dll
    C:\WINDOWS\bjam.dll
    C:\WINDOWS\bokja.exe
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\DUMPe059.tmp
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\mssvr.exe
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\salm.exe
    C:\WINDOWS\stcloader.exe
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\system32\MSIXU.DLL
    C:\WINDOWS\system32\ntnut32.exe
    C:\WINDOWS\system32\sbwltbxa.exe
    C:\WINDOWS\system32\shdocpe.dll
    C:\WINDOWS\system32\SIPSPI32.dll
    C:\WINDOWS\system32\WER8274.DLL
    C:\WINDOWS\updatetc.exe
    C:\WINDOWS\voiceip.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\SpyMaxx
    C:\Program Files\SpyMaxx\stat.bin
    C:\Program Files\SpyMaxx\uninstall.exe
    C:\Program Files\SpyMaxx\uninstall.log
    C:\Program Files\stc
    C:\Program Files\Sysmnt
    C:\Program Files\Sysmnt\Ssmgr.exe
    C:\WINDOWS\180ax.exe
    C:\WINDOWS\2020search.dll
    C:\WINDOWS\bjam.dll
    C:\WINDOWS\bokja.exe
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\default.htm
    C:\WINDOWS\DUMPe059.tmp
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\system32\msixu.dll
    C:\WINDOWS\voiceip.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\WINDOWS\system32\mswsock.dll ... is infected !!

    C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)

    Code:
    <pre>
    </pre>
    C:\WINDOWS\system32\ws2_32.dll ... is infected !! (additional data below)



    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 13:28]
    S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 13:47]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\NCDSTART.EXE

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-02 21:16:33
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
    "ImagePath"="\??\C:\WINDOWS\TEMP\mc22.tmp"
    .
    Completion time: 2008-04-02 21:20:27
    ComboFix4.txt 2008-03-31 22:06:58
    ComboFix-quarantined-files.txt 2008-04-03 02:20:10
    ComboFix3.txt 2008-04-01 17:46:44
    ComboFix2.txt 2008-04-02 04:52:18
    Pre-Run: 5,444,878,336 bytes free
    Post-Run: 5,438,488,576 bytes free
    .
    2008-03-21 05:55:03 --- E O F ---

    HJT
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:33:19 AM, on 4/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\palmOne\HOTSYNC.EXE
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\WgaTray.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWSabout.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1199347164343
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 10410 bytes

    THANKS
     
  8. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, emoorehead :)

    Please download the enclosed folder. Save and extract its contents to the desktop. It is a batch file, FindFiles.bat. Once extracted, open the folder and doubleclick on the batch file. It should take some time to scan your computer. A report will be produced, Results.txt. Please open this report in Notepad and post is contents in your next reply.
     

    Attached Files:

  9. emoorehead

    emoorehead Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    60
    ----a-w 82,944 2004-08-04 17:00:00 C:\Windows\system32\ws2_32.dll
    ----a-w 82,944 2004-08-04 11:00:00 C:\Windows\system32\dllcache\ws2_32.dll

    Entries: 2 (2)
    Directories: 0 Files: 2
    Bytes: 165,888 Blocks: 324

    ----a-w 360,064 2007-10-30 16:20:56 C:\Windows\system32\drivers\tcpip.sys
    ----a-w 360,064 2007-10-30 16:20:56 C:\Windows\system32\dllcache\tcpip.sys
    ------w 360,576 2006-04-20 11:18:36 C:\Windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    ------w 360,832 2007-10-30 15:53:32 C:\Windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    ------w 359,040 2004-08-04 17:00:00 C:\Windows\$NtUninstallKB917953$\tcpip.sys
    ------w 359,808 2006-04-20 10:51:50 C:\Windows\$NtUninstallKB941644$\tcpip.sys

    Entries: 6 (6)
    Directories: 0 Files: 6
    Bytes: 2,160,384 Blocks: 4,223

    ----a-w 245,248 2004-08-04 17:00:00 C:\Windows\system32\mswsock.dll
    ----a-w 245,248 2004-08-04 11:00:00 C:\Windows\system32\dllcache\mswsock.dll

    Entries: 2 (2)
    Directories: 0 Files: 2
    Bytes: 490,496 Blocks: 958

    Total Entries: 10 (10)
    Total Directories: 0 Files: 10
    Total Bytes: 2,816,768 Blocks: 5,505

    **I have never used this program, what does it show you that is of importance?

    Thanks
     
  10. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, emoorehead :)

    Combofix is indicating these files are infected. These are legit files that may have been patched with the infection. We need to compare the copies available in your computer in an attempt to replace the infected ones.

    Please download and reinstall the following update:

    http://www.microsoft.com/downloads/...42-2342-4fa0-9b66-8953c54a2211&displaylang=en

    Download the enclosed folder. Save and extract its contents to the desktop. It contains a batch file to rename the ws2_32.dll and mswsock.dll files in the system and dllcache folders and replace them with clean copies attached. We have to do this in Safe Mode.

    Please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.

    Double click on the Fixme.bat on the desktop to run the batch file. The MSDOS window will be displayed for a second, this is normal. Once done, restart the computer.

    Run Combofix and the FindFiles.bat, and post their report.
     

    Attached Files:

  11. emoorehead

    emoorehead Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    60
    On friday jackson, ms - was hit with a torrnado and I just got power on today. I will send you the fixit log.
     
  12. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    (y)(y)

    I hope everything is fine there.
     
  13. emoorehead

    emoorehead Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    60
    I was attempting to run the Fixme program and my system locked up. Now when I try to start my computer, it keeps restarting after it shows the windows logo. I will not even start in Safe mode. Any idea what i did wrong or how I can get my system to boot.
     
  14. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, emoorehead :)

    I am sure it has nothing to do with the fix as that only thing that may result affected is your connectivity.

    Have you tried Last Know Configuration? Do you have a Windows XP Installation CD? Besides this fix, posted 11 days ago, have you done anything else such as, install new hardware or software? What transpired with this computer during the last 11 days?

    Any error message at startup?
     
  15. emoorehead

    emoorehead Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    60
    I tried Last know config but that didn't work. I have not added any new programs or hardware to my system since we started working on my computer. However, I was hit with a tornado that knocked out the power to my house for several day and my computer was running at the time. I didn't try to run the fixme program until my power was restored, but again my system locked up and I have not been able to get past the windows logo.

    I do have the XP PRO disc, is there anyway I can repair instead of wiping out my hard drive. There are a several things I REALLY NEED and I don't have all the driver info to start from scratch.

    Thanks
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Solved sure going
  1. Oxobius
    Replies:
    0
    Views:
    321
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/699026

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice