Solved

Need help removing a browser hijack/redirect. Can't access Windows Update

Posted on 2009-04-07
Last Modified: 2012-05-06
I found Antivirus Number 1 and ran Malwarebytes in Safe Mode; I also ran an avast! startup scan/fix. It found it and said it removed it along with other infections. I also manually deleted the registry keys that I knew were associated with the viruses. I installed SP3 from a CD. I then ran Sysinternals Autoruns and found some abnormal entries, and I deleted those keys. The computer can access anything on the internet except Windows Update related sites. It originally had IE6 and I manually installed IE7. PLEASE HELP! Thank you

Logfile of HijackThis v1.99.1
Scan saved at 12:58:13 PM, on 4/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\dlcicoms.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DLCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: dlci_device -   - C:\WINDOWS\System32\dlcicoms.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Question by: BinaryStealth

16 Comments
LVL 26

Expert Comment

by:souseran
ID: 24089971
What happens when you try to go to a Windows Update site? Do you get an error message? If so, what is it? Are you redirected to another page?

After you disinfected, did you run SFC /purgecache followed by SFC /scannow?

Can you download Dial-a-Fix and check all the boxes under WU/WUAU and Registration center?

http://wiki.lunarsoft.net/wiki/Dial-a-fix
LVL 27

Expert Comment

by:David-Howard
ID: 24090051
It sounds as if you are a victim of the Conficker virus. It prevents accessing Windows updates if you are infected.
Microsoft has a removal tool but I've listed a download site from CNet in case you can't reach the Microsoft source.

Microsoft Removal Tool:
http://support.microsoft.com/kb/962007

CNet Removal Tool:
http://download.cnet.com/Conficker-Removal-Tool/3000-2239_4-10911447.html

As for your HiJackThis log file there are two entries listed as unknown.
Log File:
Unknown processes. If you do not know their origins they can be removed.
C:\WINDOWS\System32\dlcicoms.exe

O23 - Service: dlci_device - - C:\WINDOWS\System32\dlcicoms.exe

Author Comment

by:BinaryStealth
ID: 24090187
Thank you for your quick response. The client's business is closing for the day. I ran the CNet Conficker removal tool like you suggested and it said it wasn't detected. I didn't have time to try your solutions "souseran". They reopen tomorrow morning and I will continue my mission. I just left the Microsoft Malicious Software Removal Tool scanning and will check the results in the morning.

Author Comment

by:BinaryStealth
ID: 24090202
I also removed/cleaned the unknown registry keys from my HijackThis report as you suggested.
LVL 26

Expert Comment

by:souseran
ID: 24090633
dlcicoms.exe is the Dell AIO 946 Communications service. If the user has a Dell 946 Photo multifunction printer/scanner/copier, the service was installed when they installed the drivers, and will likely need to be reinstalled.
LVL 27

Expert Comment

by:Jonvee
ID: 24091584
You appear to be running an older version of HijackThis. To guard against newer infections it would be advisable to install and run HijackThis 2.0.2:
http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html

From your first HJT scan this entry looks rather suspicious .. it may need Fixing, will investigate it further>

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
LVL 27

Accepted Solution

by:
Jonvee earned 250 total points
ID: 24091837
Have investigated this entry and although I'm not 100% sure, I do believe that this may be the culprit that is preventing you from reaching Windows Update sites. Suggest therefore you 'Fix' it with HijackThis>

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe

If the issue is not resolved may i suggest you run Combofix.
Download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running, and physically disconnect from the internet.

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with a HijackThis log, in a reply for us.
Please do not mouse-click ComboFix's window while it is running, because it may stall. It is absolutely normal for you to see a blue screen with a flashing cursor, and this can last for up to 30 mins. Just let it run.

Try initially to run Combofix in normal mode.

Author Comment

by:BinaryStealth
ID: 24091898
I installed the Microsoft patch manually. When attempting to go to the Windows Update page or even the Microsoft start page (I can't remember the exact URL) I get a white screen. Not a "Page cannot be displayed" message and no redirection to a specific page. Although originally, before I started cleansing the system, I believe it was giving a redirection to the rogue antivirus site. Maybe the system files got corrupt. I like "souseran's" suggestions, I just didn't have time to apply them yet. I will in the morning. Oh, and thanks Jonvee for looking at the registry key, let me know if you think it needs fixing. I will also download the latest HijackThis. And yes they do have the Dell printer, I guess I might need to reinstall that after all this. Thanks Everyone

Author Comment

by:BinaryStealth
ID: 24091932
Sorry Jonvee, I didn't refresh before posting that last comment. Thanks for the update. I will download the latest HijackThis, rescan and fix that key, and then use ComboFix if the problem persists. Thanks

Author Comment

by:BinaryStealth
ID: 24091970
Should I be running HijackThis in Safe Mode?
LVL 27

Expert Comment

by:Jonvee
ID: 24092407
You should try to run HijackThis in normal mode where it will be most effective.  If an infection ever prevents you doing this, try to run it in Safe mode.  
If still unsuccessful you can rename hijackthis.exe to hijackthis.com or hijackthis.bat, if infections are preventing it from running.

Here's a handy in-depth tutorial for HijackThis >
http://www.bleepingcomputer.com/tutorials/tutorial42.html

Author Comment

by:BinaryStealth
ID: 24092491
Thank you, I didn't know if it was more effective in safe mode or normal.

Author Comment

by:BinaryStealth
ID: 24099804
I removed/fixed the key "R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe" with the latest HijackThis. I'm pretty sure it was malware as you suggested, but after that Windows Update still did not work. I then downloaded and ran ComboFix. Immediately following the completion of ComboFix, Windows Update worked flawlessly. Oh, and thanks for the tip "souseran", I should have run SFC following disinfection, so after everything I ran it to be safe. And who knows, maybe Dial-a-Fix would have fixed the problem as well. I don't know the mechanics of both programs so I don't know, but I do know that ComboFix officially solved the problem. Thanks Everyone

Author Closing Comment

by:BinaryStealth
ID: 31567619
Thanks, you saved me time

Author Comment

by:BinaryStealth
ID: 24099829
Here are my final ComboFix and HijackThis logs:


ComboFix 09-04-04.01 -  2009-04-08 12:00:48.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.255.72 [GMT -4:00]
Running from: c:\documents and settings\USERNAME\My Documents\Tech\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Process.exe

.
(((((((((((((((((((((((((   Files Created from 2009-03-08 to 2009-04-08  )))))))))))))))))))))))))))))))
.

2009-04-07 13:23 . 2009-04-07 13:23 <DIR> d-------- c:\windows\LastGood
2009-04-07 13:04 . 2009-04-07 13:04 <DIR> d--h----- c:\windows\SYSTEM32\GroupPolicy
2009-04-07 11:28 . 2008-12-20 19:15 6,066,688 --------- c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
2009-04-07 11:28 . 2007-04-17 05:32 2,455,488 --------- c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dat
2009-04-07 11:28 . 2007-03-08 01:10 991,232 --------- c:\windows\SYSTEM32\DLLCACHE\ieframe.dll.mui
2009-04-07 11:28 . 2008-12-20 19:15 459,264 --------- c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
2009-04-07 11:28 . 2008-12-20 19:15 383,488 --------- c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dll
2009-04-07 11:28 . 2008-12-20 19:15 267,776 --------- c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
2009-04-07 11:28 . 2008-12-20 19:15 63,488 --------- c:\windows\SYSTEM32\DLLCACHE\icardie.dll
2009-04-07 11:28 . 2008-12-20 19:15 52,224 --------- c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
2009-04-07 11:28 . 2008-12-19 05:10 13,824 --------- c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2009-04-07 11:16 . 2009-04-07 12:04 <DIR> d-------- c:\program files\roguescanfix
2009-04-07 10:06 . 2009-04-07 10:06 24 --a------ c:\windows\wininit.ini
2009-04-07 10:06 . 2009-04-07 10:06 4 --a------ c:\windows\msoffice.ini
2009-04-06 18:43 . 2009-04-06 18:43 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-06 17:31 . 2009-04-06 17:31 <DIR> d-------- c:\windows\SYSTEM32\scripting
2009-04-06 17:25 . 2008-04-13 22:58 2,940,928 --------- c:\windows\SYSTEM32\DLLCACHE\wmploc.dll
2009-04-06 17:22 . 2008-04-13 22:06 144,384 --------- c:\windows\SYSTEM32\DRIVERS\hdaudbus.sys
2009-04-06 17:22 . 2008-04-14 00:10 10,240 --------- c:\windows\SYSTEM32\DRIVERS\sffp_mmc.sys
2009-04-06 17:19 . 2006-12-29 00:31 19,569 --a------ c:\windows\005663_.tmp
2009-04-06 14:48 . 2009-04-06 14:48 <DIR> d-------- c:\program files\CCleaner
2009-04-06 14:43 . 2003-03-18 16:20 1,060,864 --a------ c:\windows\SYSTEM32\MFC71.dll
2009-04-06 14:43 . 2003-03-18 15:14 499,712 --a------ c:\windows\SYSTEM32\MSVCP71.dll
2009-04-06 14:43 . 2003-02-20 22:42 348,160 --a------ c:\windows\SYSTEM32\MSVCR71.dll
2009-04-06 14:42 . 2009-04-06 14:42 <DIR> d-------- c:\program files\Alwil Software
2009-04-06 14:26 . 2009-04-06 14:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-06 14:26 . 2009-04-06 14:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-06 14:26 . 2009-04-06 14:26 <DIR> d-------- c:\documents and settings\USERNAME\Application Data\Malwarebytes
2009-04-06 14:26 . 2009-03-26 16:49 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-04-06 14:26 . 2009-03-26 16:49 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-04-06 14:11 . 2009-04-06 14:43 54,156 --ah----- c:\windows\QTFont.qfn
2009-04-06 14:11 . 2009-04-06 14:43 1,409 --a------ c:\windows\QTFont.for
2009-03-18 15:45 . 2009-03-18 15:45 <DIR> d-------- C:\brother

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-08 14:19 --------- d-----w c:\program files\Dl_cats
2009-04-07 16:06 --------- d-----w c:\documents and settings\USERNAME\Application Data\MSN6
2009-04-07 14:28 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-07 14:26 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-26 22:45 --------- d-----w c:\documents and settings\USERNAME\Application Data\AdobeUM
2009-03-16 18:58 64,736 ----a-w c:\documents and settings\USERNAME\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 11:13 1,846,784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-01-17 01:35 3,594,752 ------w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-14 09:42 50,688 --sh--w c:\windows\twain_32.dll
2008-04-14 09:42 57,344 --sha-w c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 09:42 413,696 --sha-w c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 09:42 84,992 --sha-w c:\windows\SYSTEM32\olepro32.dll
2008-04-14 09:42 11,776 --sh--w c:\windows\SYSTEM32\regsvr32.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"DLCICATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCItime.dll" [2006-02-24 73728]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm

[HKLM\~\startupfolder\C:^Documents and Settings^USERNAME^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\USERNAME\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-04-10 18:44 679936 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
--a------ 2002-04-03 03:01 135264 c:\program files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcimon.exe]
--a------ 2006-02-14 05:26 430080 c:\program files\Dell AIO Printer 946\DLCImon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
--a------ 2001-07-25 12:00 184376 c:\program files\Microsoft Money\System\Money Express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
--a------ 2001-07-25 12:00 241714 c:\program files\Microsoft Money\System\Activation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 05:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-10-06 14:16 5058560 c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-03-26 21:30 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2003-01-28 02:35 26112 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 03:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-10-06 14:16 741376 c:\windows\SYSTEM32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [2009-04-06 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [2009-04-06 20560]
R4 dlci_device;dlci_device;c:\windows\System32\dlcicoms.exe -service --> c:\windows\System32\dlcicoms.exe -service [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-04-07 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\SYSTEM32\cleanmgr.exe [2008-04-14 05:42]

2002-11-24 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-14 05:42]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-NAV Agent - c:\progra~1\NORTON~1\navapw32.exe


.
------- Supplementary Scan -------
.
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-08 12:05:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  MMTray = c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???g ???V??g ???SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp????X??????????????????>?w0 ?w????3??w???g???????????g?????CY?????????"???2???????????<???? @???X???X???????????????????Y?????F?Q?????
  DLCICATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-08 12:10:37
ComboFix-quarantined-files.txt  2009-04-08 16:10:26

Pre-Run: 69,973,716,992 bytes free
Post-Run: 70,036,500,480 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

161 --- E O F --- 2009-03-13 22:40:50
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:11 PM, on 4/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\USERNAME\My Documents\Tech\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DLCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 2882 bytes
 
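The two HijackThis logs in this thread (the one in the question and the one above) differ by exactly the entries that were fixed, and the experts' triage came down to a few mechanical checks on individual lines. The following Python script is an added example, not code from the thread or from Trend Micro: it parses HijackThis-style lines, flags the kinds of entries questioned here (a populated ShellNext value, an O23 service with no vendor string) plus an R0/R1 start/search page that points off microsoft.com (the browser-hijack case this question was about), and diffs a before log against an after log so that what a fix removed is visible. The sample logs are constructed, cut down to a few lines taken from the two logs posted above; the list of trusted hosts is an assumption for this example.

```python
"""Triage HijackThis-style log lines: flag questionable entries and diff two logs.
Added example for this thread; the flag rules mirror what was questioned here."""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

Entry = Tuple[str, str]      # (section code such as "R1" or "O23", rest of the line)
Finding = Tuple[str, str]    # (reason, body of the offending line)

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
# O23 body layout in HijackThis: "Service: <display name> - <vendor> - <image path>"
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.+)$")
# Assumption for this example: IE defaults are expected to live under microsoft.com only.
TRUSTED_HOST_SUFFIXES = ("microsoft.com",)

# Constructed samples: a few lines in the shape of the two logs posted in this thread.
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
O4 - HKLM\..\Run: [DLCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: dlci_device -   - C:\WINDOWS\System32\dlcicoms.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""
AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [DLCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


def parse(log: str) -> List[Entry]:
    """Keep only lines that look like HijackThis entries: code, ' - ', body."""
    entries: List[Entry] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body").strip()))
    return entries


def _value(body: str) -> str:
    """Text after the first '=' in an R0/R1 entry, '' when the value is blank."""
    return body.split("=", 1)[1].strip() if "=" in body else ""


def _trusted(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)


def flag(entries: List[Entry]) -> List[Finding]:
    """Apply the per-line checks; a finding is a prompt to investigate, not a verdict."""
    findings: List[Finding] = []
    for code, body in entries:
        if code in ("R0", "R1"):
            value = _value(body)
            if "Internet Connection Wizard,ShellNext" in body:
                if value:  # the populated ShellNext value is the entry fixed in this thread
                    findings.append(("ShellNext is populated; verify the program it launches", body))
            elif value.lower().startswith(("http://", "https://")):
                host = urlsplit(value).hostname or ""
                if not _trusted(host):
                    findings.append(("IE start/search page points off microsoft.com", body))
        elif code == "O23":
            m = O23_RE.match(body)
            if m and not m.group("vendor").strip():
                findings.append(("service with no vendor string; identify the binary", body))
    return findings


def diff(before: List[Entry], after: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Return (entries that disappeared, entries that appeared) between two logs."""
    b, a = set(before), set(after)
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    before, after = parse(BEFORE_LOG), parse(AFTER_LOG)
    for reason, line in flag(before):
        print(f"[before] {reason}: {line}")
    removed, added = diff(before, after)
    for code, body in removed:
        print(f"[removed] {code} - {body}")
    for code, body in added:
        print(f"[added] {code} - {body}")
```

Run as a script it reports the two findings on the before log and the two entries that disappeared between the logs. A finding only tells you which line to identify, which is exactly how the thread went: the vendorless dlci_device service looked unknown until souseran identified dlcicoms.exe as the Dell AIO 946 communications service, so paste real R/O lines in and check each hit before fixing it.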
LVL 27

Expert Comment

by:Jonvee
ID: 24102046
Thanks for the fine reports throughout, i'll be taking a longer look at the ComboFix log later.

You can uninstall ComboFix as follows >
Start > Run > then type "ComboFix /u" (with no quotes, and space between x and / )
Then hit enter.  This will uninstall ComboFix, reset your clock settings, re-hide system hidden files, re-hide the file extensions and reset System Restore.

Thank you.