[Solved] Got something nasty

I've got something nasty on my PC. I have gotten AVG running on it, but the definitions are a little out of date. Hopefully it'll find something. In the meantime, can someone take a look at my HijackThis Log and advise me. The log's below.

Thanks so much,

Will


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:09 PM, on 12/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\CCM\SMSCliUI.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070227
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iis.ncrnet.ncr.com/ncrnet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://iis.ncrnet.ncr.com/ncrnet
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070227
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NCR Corporation
O1 - Hosts: 153.84.112.191 CRMOOCOP1
O1 - Hosts: 162.115.117.43 VZWCOP1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NCR-Netmeeting Check] C:\WINDOWS\NMTRepair.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ENDFORCEAgent] "C:\Program Files\ENDFORCE\AgntTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: pwreset.lnk = C:\Program Files\Avaya\DEFINITY IP Service Provider\pwreset.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NCRNet - {9DBFAEC0-FC9B-4A80-888D-9DC2C471F1E1} - http://iis.ncrnet.ncr.com/ncrnet (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://iis.ncrnet.ncr.com/ncrnet
O15 - Trusted Zone: http://*.ncr.com
O15 - Trusted Zone: http://*.teradata.com
O15 - ESC Trusted Zone: http://*.ncr.com
O15 - ESC Trusted Zone: http://*.teradata.com
O15 - ESC Trusted Zone: http://*.ncr.com (HKLM)
O15 - ESC Trusted Zone: http://*.teradata.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E1BC012-AC2A-403F-AEE4-A32E1F18986D} - https://www.passwordmanager.ncr.com/psynch/docs/pslogoff.dll
O16 - DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} (Cisco Systems WebVPN Relay Loader) - https://access.sheetz.com/+CSCOL+/relayp.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://download.tenebril.com/pub/bin/scanner2008/TenebrilSpywareScanner.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215796665109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178201915702
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://wvpn.netflix.com/,DanaInfo=tscorp.netflix.com+msrdp.cab
O16 - DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} (CISCO Portforwarder Control) - https://access.sheetz.com/+CSCOL+/cscopf.cab
O16 - DPF: {BA2A9829-8040-4BF3-BDB6-51512826B68B} (Authentication.Authenticate) - http://web.ncrnet.ncr.com/cab/phonebook.cab
O16 - DPF: {DD3D661B-E8FA-11D2-A018-00A0C9AD89DF} (Phonebook.Application) - http://web.ncrnet.ncr.com/cab/phonebook.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://supporttrial.webex.com/client/T26L/support/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://sslgateway.teradata.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TD.TERADATA.COM
O17 - HKLM\Software\..\Telephony: DomainName = TD.TERADATA.COM
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = TD.TERADATA.COM
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: SearchList = pioneerstd.teradata.com,corp.ncr.com,elsegundoca.ncr.com,sandiegoca.ncr.com
O17 - HKLM\System\CS7\Services\Tcpip\Parameters: Domain = TD.TERADATA.COM
O17 - HKLM\System\CS7\Services\Tcpip\Parameters: SearchList = pioneerstd.teradata.com,corp.ncr.com,elsegundoca.ncr.com,sandiegoca.ncr.com
O17 - HKLM\System\CS11\Services\Tcpip\Parameters: Domain = TD.TERADATA.COM
O17 - HKLM\System\CS11\Services\Tcpip\Parameters: SearchList = pioneerstd.teradata.com,corp.ncr.com,elsegundoca.ncr.com,sandiegoca.ncr.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = pioneerstd.teradata.com,corp.ncr.com,elsegundoca.ncr.com,sandiegoca.ncr.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 11170 bytes

Re: Got something nasty

Hello.
First, I notice you are running two AVs (anti-virus programs).
Running two AVs is bad; they conflict and cause more problems.
Press Start > Control Panel > open "Add/remove programs"
Allow the list to load and uninstall these items by selecting each one and pressing the "Remove" button to the right.

AVG8



  • Download ComboFix from here (use the top links): combofix.exe
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.


  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt, which asks if you want to continue the malware scan; select Yes.


  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Got something nasty

Here's my log. It looks like I had some rootkits. See anything else?

ComboFix 08-12-14.04 - Administrator 2008-12-15 0:15:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1614 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\-Combo-Fix-.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\wh180001\Local Settings\Temporary Internet Files\MF9729ED.gif
c:\program files\windows
c:\program files\windows\System32\Resources\1033\sqldmo.rll
c:\program files\windows\System32\Resources\1033\sqlsvc.rll
c:\program files\windows\System32\sqldmo.dll
c:\program files\windows\System32\sqlresld.dll
c:\program files\windows\System32\sqlsvc.dll
c:\program files\windows\System32\w95scm.dll
c:\windows\IE4 Error Log.txt
c:\windows\system32\Cache
c:\windows\system32\drivers\TDSSpxoe.sys
c:\windows\system32\TDSSehys.log
c:\windows\system32\TDSSirxy.dll
c:\windows\system32\TDSSmupe.dat
c:\windows\system32\TDSSncur.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoipa.dll
c:\windows\system32\TDSSqxnr.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSwgod.log
c:\windows\system32\TDSSyavu.dll

----- BITS: Possible infected sites -----

hxxp://SUSDAY7549:80
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
.

2008-12-15 00:11 . 2008-12-15 00:21 d-------- C:\-Combo-Fix-
2008-12-14 20:56 . 2008-12-14 23:40 d--h----- C:\$AVG8.VAULT$
2008-12-13 23:03 . 2008-12-14 23:41 d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-13 14:09 . 2008-12-13 14:09 d-------- c:\documents and settings\Administrator\Application Data\IDMComp
2008-12-13 14:08 . 2008-12-13 14:08 d-------- c:\program files\Trend Micro
2008-12-13 14:07 . 2008-12-13 14:07 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-13 14:07 . 2008-12-13 14:07 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-13 14:07 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-13 14:07 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-13 13:49 . 2008-12-13 13:49 d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
2008-12-12 16:57 . 2008-12-12 16:57 d-------- c:\program files\Spybot - Search & Destroy
2008-12-12 16:57 . 2008-12-12 16:57 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-12 15:09 . 2008-12-12 15:09 d-------- c:\program files\Alwil Software
2008-11-18 07:25 . 2008-11-18 07:25 1,102,115 --a------ C:\netmoncaptures.zip
2008-11-17 11:49 . 2008-12-12 17:07 10,381 --a------ c:\windows\cfgall.ini
2008-11-17 10:57 . 2008-11-17 10:57 d-------- C:\Temp
2008-11-17 08:19 . 2007-02-20 09:47 50 --a------ c:\windows\DST2007_.FLG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 01:56 --------- d-----w c:\program files\Radmin
2008-12-14 04:07 --------- d-----w c:\documents and settings\NetworkService\Application Data\VMware
2008-12-14 04:07 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2008-12-13 19:01 --------- d-----w c:\program files\ENDFORCE
2008-12-12 15:46 --------- d-----w c:\program files\Trillian
2008-12-11 19:18 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-12-11 19:07 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 19:00 --------- d-----w c:\program files\Microsoft.NET
2008-12-08 15:45 --------- d-----w c:\documents and settings\wh180001\Application Data\VMware
2008-11-12 17:08 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks
2008-11-11 14:35 45,132 ------w c:\documents and settings\wh180001\Application Data\JuniperExtXP.exe
2008-11-11 14:35 --------- d-----w c:\documents and settings\wh180001\Application Data\Juniper Networks
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-15 16:34 337,408 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-05-15 17:17 32,768 ----a-w c:\documents and settings\wh180001\WebVpnRegKey6-access-sheetz-com.dll
2007-10-29 19:11 6,870,136 ----a-w c:\documents and settings\wh180001\server.log.zip
2000-04-13 18:10 73,184 -c--a-w c:\program files\Common Files\dao2535.tlb
2000-04-13 18:09 582,144 ----a-w c:\program files\Common Files\dao350.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"NCR-Netmeeting Check"="c:\windows\NMTRepair.EXE" [2006-01-03 164258]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-03-07 98304]
"ENDFORCEAgent"="c:\program files\ENDFORCE\AgntTray.exe" [2007-06-27 1650688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2007-10-08 55856]
"OfficeScanNT Monitor"="c:\program files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-08 356429]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-02-27 24576]
script execution time was exceeded on script "c:\-combo-fix-\lnkread.vbs".
script execution was terminated.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"wltrysvc"=2 (0x2)
"VMware NAT Service"=2 (0x2)
"vmount2"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"tmlisten"=2 (0x2)
"TCRMAppBrokerService"=2 (0x2)
"STCAgent"=2 (0x2)
"SQLWriter"=2 (0x2)
"ose"=3 (0x3)
"OfcPfwSvc"=2 (0x2)
"ntrtscan"=2 (0x2)
"NICCONFIGSVC"=2 (0x2)
"MSSQL$SQLEXPRESS"=2 (0x2)
"MDM"=2 (0x2)
"iClarityQoSService"=2 (0x2)
"gusvc"=3 (0x3)
"ExtranetAccess"=3 (0x3)
"ENDFORCE Agent API"=2 (0x2)
"dsNcService"=2 (0x2)
"CVPND"=2 (0x2)
"CRMinit"=3 (0x3)
"bynet"=2 (0x2)
"awhost32"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Avaya\\DEFINITY iClarity IP Audio\\iclarity.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Documents and Settings\\wh180001\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=

R0 bynetpnp;NCR Bynet Interconnect;c:\windows\system32\DRIVERS\bynetpnp.sys [2007-10-03 22016]
R0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\DRIVERS\IABFilt.sys [2005-03-03 23040]
R0 ncrbynet;NCR Bynet Low Latency Interface;c:\windows\system32\DRIVERS\ncrbynet.sys [2007-10-03 351744]
R1 Appfilt;Appfilt;\??\c:\windows\system32\drivers\Appfilt.sys [2007-01-25 71192]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-12 78416]
R1 efpktftr;ENDFORCE Quarantine Filter;\??\c:\windows\System32\Drivers\efPktFtr.sys [2007-06-27 37808]
R1 NEOFLTR_530_11531;Juniper Networks TDI Filter Driver (NEOFLTR_530_11531);\??\c:\windows\system32\Drivers\NEOFLTR_530_11531.SYS [2007-01-30 57095]
R1 NEOFLTR_630_13619;Juniper Networks TDI Filter Driver (NEOFLTR_630_13619);\??\c:\windows\system32\Drivers\NEOFLTR_630_13619.SYS [2008-10-13 64480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-12 20560]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\DRIVERS\CdpPacket.sys [2008-01-24 35692]
R2 TmFilter;Trend Micro Filter;\??\c:\program files\Common Files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2007-03-05 203024]
R2 TmPreFilter;Trend Micro PreFilter;\??\c:\program files\Common Files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2007-03-05 36112]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2007-03-05 26137]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\DRIVERS\CSVirtA.sys [2007-10-10 22136]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2007-03-05 155152]
S4 bynet;Bynet;"c:\program files\NCR\BYNET\blmsvc.exe" [2007-10-03 13312]
S4 CRMinit;CRMinit;c:\crm5\CRMInit\CRMservice.exe []
S4 ENDFORCE Agent API;ENDFORCE Agent API;"c:\program files\ENDFORCE\AgentAPI.exe" [2007-06-27 2945024]
S4 ExtranetAccess;Contivity VPN Service;"c:\program files\Nortel Networks\Extranet_serv.exe" [2007-03-05 835584]
S4 TCRMAppBrokerService;Teradata CRM AppBroker Service;c:\crm5\CIOSBroker.exe []

*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://iis.ncrnet.ncr.com/ncrnet
mStart Page = hxxp://www.dell.com
mWindow Title = Microsoft Internet Explorer
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.ncr.com
Trusted Zone: *.teradata.com

c:\windows\Downloaded Program Files\pslogoff.dll - c:\windows\Downloaded Program Files\CONFLICT.1\pslogoff.dll
c:\windows\Downloaded Program Files\CONFLICT.2\pslogoff.dll
c:\windows\Downloaded Program Files\CONFLICT.3\pslogoff.dll
c:\windows\Downloaded Program Files\CONFLICT.4\pslogoff.dll
c:\windows\Downloaded Program Files\CONFLICT.5\pslogoff.dll
c:\windows\Downloaded Program Files\CONFLICT.6\pslogoff.dll
c:\windows\Downloaded Program Files\CONFLICT.7\pslogoff.dll
c:\windows\Downloaded Program Files\CONFLICT.8\pslogoff.dll
c:\windows\Downloaded Program Files\CONFLICT.9\pslogoff.dll
O16 -: {1E1BC012-AC2A-403F-AEE4-A32E1F18986D}
hxxps://www.passwordmanager.ncr.com/psynch/docs/pslogoff.dll

c:\windows\Downloaded Program Files\Relay.dll - c:\windows\Downloaded Program Files\RelayP.ocx
O16 -: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409}
hxxps://access.sheetz.com/+CSCOL+/relayp.cab
c:\windows\Downloaded Program Files\RelayP.inf

c:\windows\Downloaded Program Files\TenebrilSpywareScanner.ocx - O16 -: {32305793-C19A-48E7-AD2F-D87FF7B264A4}
hxxp://download.tenebril.com/pub/bin/scanner2008/TenebrilSpywareScanner.ocx

c:\windows\Downloaded Program Files\cscopf.ocx - O16 -: {B8E73359-3422-4384-8D27-4EA1B4C01232}
hxxps://access.sheetz.com/+CSCOL+/cscopf.cab

c:\windows\system32\Phonebook.ocx - c:\windows\system32\NCRValidate.dll
c:\windows\system32\Log32.dll
c:\windows\system32\TABCTL32.OCX
c:\windows\system32\mscomctl.ocx
c:\windows\system32\ASYCFILT.DLL
c:\windows\system32\COMCAT.DLL
c:\windows\system32\msvbvm60.dll
c:\windows\system32\EasyX500.dll
c:\windows\system32\Authentication.ocx
O16 -: {BA2A9829-8040-4BF3-BDB6-51512826B68B}
hxxp://web.ncrnet.ncr.com/cab/phonebook.cab
c:\windows\Downloaded Program Files\Phonebook.inf

c:\windows\system32\mscomctl.ocx - c:\windows\system32\ASYCFILT.DLL
c:\windows\system32\COMCAT.DLL
c:\windows\system32\msvbvm60.dll
c:\windows\system32\TABCTL32.OCX
c:\windows\system32\Log32.dll
c:\windows\system32\EasyX500.dll
c:\windows\system32\NCRValidate.dll
c:\windows\system32\Authentication.ocx
c:\windows\system32\Phonebook.ocx
O16 -: {DD3D661B-E8FA-11D2-A018-00A0C9AD89DF}
hxxp://web.ncrnet.ncr.com/cab/phonebook.cab
c:\windows\Downloaded Program Files\Phonebook.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 00:20:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet007\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSpxoe.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\awgina.dll
.
Completion time: 2008-12-15 0:23:33
ComboFix-quarantined-files.txt 2008-12-15 05:22:34

Pre-Run: 11,439,591,424 bytes free
Post-Run: 11,933,110,272 bytes free


Re: Got something nasty

Looks good.


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoMSAppLogo5ChannelNotify"=-
    [HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
    "NoAutoUpdate"=-
    [-HKEY_LOCAL_MACHINE\system\ControlSet007\Services\TDSSserv.sys]


  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.


What problems remain?
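
The two posts above can be tied together with a small script. What follows is an added example, not code from this thread, from ComboFix or from any other tool mentioned here: it parses a ComboFix-style log, lists the TDSS-prefixed files that were removed, flags any service key in any ControlSetNNN (not only ControlSet007) whose image path points at a driver that was already deleted, flags the NoAutoUpdate policy, and renders a fix.reg of the same shape as the one posted above. The sample log is constructed from lines quoted in the ComboFix post; the function names and the match-by-filename heuristic are assumptions of the example.

```python
"""Triage a ComboFix-style log for TDSS leftovers and render a cleanup .reg file."""
import re
from typing import Dict, List, Tuple

# Constructed sample input, assembled from lines quoted in the ComboFix post above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Cache
c:\windows\system32\drivers\TDSSpxoe.sys
c:\windows\system32\TDSSirxy.dll
c:\windows\system32\TDSSncur.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\ControlSet007\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSpxoe.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\Beep]
"imagepath"="\systemroot\system32\drivers\beep.sys"
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # "(((( Other Deletions ))))" banners
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)        # lines that are a bare drive path
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")                 # "[HKEY_...]" opens a value block
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')         # '"name"=value' (quoted or 'N (0xN)')
SVC_KEY_RE = re.compile(r"\\ControlSet\d{3}\\Services\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, so \\systemroot\\... and c:\\windows\\... compare."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> Tuple[List[str], Dict[str, Dict[str, str]]]:
    """Return (paths listed under 'Other Deletions', {reg key: {value name: raw value}})."""
    deleted: List[str] = []
    keys: Dict[str, Dict[str, str]] = {}
    section = current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            keys.setdefault(current_key, {})
            continue
        if section == "Other Deletions" and PATH_RE.match(line):
            deleted.append(line)
        elif current_key is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current_key][m.group(1).lower()] = m.group(2).strip().strip('"')
    return deleted, keys


def triage(text: str) -> Dict[str, List[str]]:
    """Flag TDSS files, orphaned service keys in every ControlSetNNN, and update-blocking policies."""
    deleted, keys = parse_log(text)
    deleted_names = {basename(p) for p in deleted}
    tdss_files = [p for p in deleted if basename(p).startswith("tdss")]
    # A service key can survive in a control set that is not the live one (the log above
    # shows the live TDSSSERV.SYS service removed but the ControlSet007 copy still present).
    # Matching the image path against deleted files by filename is a heuristic (assumption).
    stale_services = sorted(
        k for k, v in keys.items()
        if SVC_KEY_RE.search(k) and basename(v.get("imagepath", "")) in deleted_names
    )
    update_blocked = sorted(
        k for k, v in keys.items() if v.get("noautoupdate", "").startswith("1")
    )
    return {"tdss_files": tdss_files, "stale_services": stale_services,
            "update_blocked": update_blocked}


def build_fix_reg(findings: Dict[str, List[str]]) -> str:
    """Render a .reg file: [-key] deletes a key, "name"=- deletes a single value."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in findings["update_blocked"]:
        lines += [f"[{key}]", '"NoAutoUpdate"=-', ""]
    for key in findings["stale_services"]:
        lines += [f"[-{key}]", ""]
    return "\r\n".join(lines) + "\r\n"   # CRLF: write with open(path, "w", newline="")


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for name, items in found.items():
        print(name, items)
    print(build_fix_reg(found))
```

To use it on a real run, feed the saved log (for instance the contents of C:\combofix.txt) to triage() and inspect the findings before merging anything: the stale-service check matches on filename only, so confirm the image path really is gone from disk, and remember that the ControlSetNNN keys other than the live one are the stale and last-known-good copies, which is exactly why a by-hand fix.reg like the one above is needed to clear them.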

Re: Got something nasty

It's working fine now. Thank You!

I'll let you know if I have any more issues. It's running a little slower, but that's due to Avast doing scanning on the files I open. If it becomes intolerable, I'll likely stop doing that.

Re: Got something nasty

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from here

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.

Re: Got something nasty

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.
