[Resolved] Win32/spy.ursnif.A Virus

  1. #1
    fraserma is offline Junior Member

    [Resolved] Win32/spy.ursnif.A Virus

    This virus, Win32/spy.ursnif.A Virus, is apparently infecting my son's PC. ESET continually alerts me of this issue but can't seem to fix the problem. I have run MalwareBytes but it didn't seem to help. Any thoughts on what I can do?


  2. #2
    broni is offline Senior Member
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.


    Download HijackThis:
    TrendSecure | Download TrendMicro HijackThis
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator

  3. #3
    fraserma is offline Junior Member
    I did as instructed. Here are the ComboFix and HijackThis logs. Thanks so far for your help.

    Mark
    Attached Files

  4. #4
    broni is offline Senior Member
    It's always better to paste all logs....

    ComboFix 09-08-06.01 - Mark Fraser 08/07/2009 10:51.1.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1549 [GMT -5:00]
    Running from: c:\documents and settings\Mark Fraser\Desktop\ComboFix.exe
    AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Installer\1d822.msi
    c:\windows\Installer\5aeb0.msp
    c:\windows\Installer\6b2a1c.msi
    c:\windows\Installer\WinRMSrv.msi
    c:\windows\jestertb.dll
    c:\windows\patch.exe
    c:\windows\twain_16.dll

    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NPF


    ((((((((((((((((((((((((( Files Created from 2009-07-07 to 2009-08-07 )))))))))))))))))))))))))))))))
    .

    2009-08-06 19:11 . 2009-08-06 19:11 -------- d-----w- c:\documents and settings\Mark Fraser\Local Settings\Application Data\Temp
    2009-08-06 18:32 . 2009-08-06 18:32 -------- d-----w- c:\program files\Western Digital Corporation
    2009-08-06 18:22 . 2009-08-06 18:22 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-08-06 17:52 . 2009-08-06 17:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-07 15:56 . 2003-12-26 23:12 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000001-00000000-00000008-00001102-00000002-80611102}.dat
    2009-08-07 15:56 . 2003-12-26 23:12 24 ----a-w- c:\windows\system32\DVCState-{00000001-00000000-00000008-00001102-00000002-80611102}.dat
    2009-08-06 21:02 . 2009-04-19 22:47 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-08-06 19:12 . 2003-12-26 21:00 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-08-06 19:11 . 2007-06-22 23:51 -------- d-----w- c:\program files\Common Files\AOL
    2009-08-06 19:11 . 2007-04-13 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
    2009-08-06 19:09 . 2008-12-06 20:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-08-06 18:23 . 2008-12-05 23:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-06 17:43 . 2009-08-06 17:43 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
    2009-08-03 18:36 . 2008-12-05 23:29 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-03 18:36 . 2008-12-05 23:29 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-03 17:09 . 2004-02-06 23:05 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-06-16 14:36 . 2001-08-23 17:00 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 2001-08-23 17:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-12 00:42 . 2009-04-19 22:36 -------- d-----w- c:\program files\Windows Desktop Search
    2009-06-11 03:09 . 2006-12-24 23:49 -------- d-----w- c:\program files\Java
    2009-06-11 03:08 . 2009-06-11 03:08 152576 ----a-w- c:\documents and settings\Mark Fraser\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
    2009-06-03 19:09 . 2003-12-26 20:23 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-06-02 01:54 . 2009-06-02 01:54 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
    2009-05-25 05:24 . 2008-05-27 03:18 350208 ------w- c:\windows\system32\mssph.dll
    2009-05-21 16:33 . 2008-12-06 20:27 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-05-12 20:12 . 2004-09-03 22:14 26144 ----a-w- c:\windows\system32\spupdsvc.exe
    2005-10-30 19:57 . 2005-10-30 19:57 774144 ----a-w- c:\program files\RngInterstitial.dll
    .

    ------- Sigcheck -------

    [7] 2004-08-04 07:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
    [7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
    [-] 2008-11-29 16:41 295424 63999D0ABD8DABFD76A9C07F6E104868 c:\windows\system32\termsrv.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igndlm.exe"="c:\program files\IGN\Download Manager\DLM.exe" [2007-03-05 1103480]
    "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    "Google Update"="c:\documents and settings\Mark Fraser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-30 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-12-27 868352]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
    "DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2006-12-07 159744]
    "Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-09 1657376]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 21:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CookiePatrol
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrol Control Center
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPMemCheck
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\GameSpy\\Comrade\\Comrade.exe"=
    "f:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.5\\cnc3game.dat"=
    "e:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
    "i:\\Starcraft\\StarCraft.exe"=
    "i:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
    "i:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\ekrn.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
    "i:\\Program Files\\zt.exe"=
    "i:\\Program Files\\Steam\\SteamApps\\pandatroopa95\\counter-strike source\\hl2.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "i:\\Program Files\\Steam\\SteamApps\\pandatroopa95\\half-life 2 deathmatch\\hl2.exe"=
    "i:\\Program Files\\Steam\\SteamApps\\common\\dawn of war soulstorm\\soulstorm.exe"=
    "i:\\Program Files\\Steam\\SteamApps\\pandatroopa95\\day of defeat source\\hl2.exe"=
    "i:\\Program Files\\Steam\\SteamApps\\pandatroopa95\\team fortress 2\\hl2.exe"=
    "i:\\Program Files\\World of Warcraft\\World of Warcraft\\Launcher.exe"=
    "i:\\Program Files\\World of Warcraft\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "i:\\Program Files\\Steam\\SteamApps\\pandatroopa95\\zombie panic! source\\hl2.exe"=
    "i:\\Program Files\\Steam\\SteamApps\\common\\unreal tournament 3\\Binaries\\UT3.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Updater
    "6112:TCP"= 6112:TCP:Blizzard Updater
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/13/2008 4:52 PM 33800]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/17/2008 4:11 PM 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 4:11 PM 55024]
    R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/13/2008 4:49 PM 472320]
    R2 ETDrv;ETDrv;c:\windows\system32\drivers\ETDrv.sys [12/27/2003 10:07 PM 151476]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/21/2009 8:50 PM 24652]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [9/14/2008 12:59 PM 22144]
    S3 lac97inf;lac97inf;\??\c:\docume~1\MARKFR~1\LOCALS~1\Temp\lac97inf.sys --> c:\docume~1\MARKFR~1\LOCALS~1\Temp\lac97inf.sys [?]
    S3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [9/6/2008 10:16 PM 21888]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 4:11 PM 7408]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-06-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

    2009-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-261903793-682003330-1003Core.job
    - c:\documents and settings\Mark Fraser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-30 00:20]

    2009-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-261903793-682003330-1003UA.job
    - c:\documents and settings\Mark Fraser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-30 00:20]

    2009-08-07 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-AtiExtEvent - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.xoxide.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*Yahoo! SearchBar Home Page
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*Yahoo!
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Mark Fraser\Application Data\Mozilla\Firefox\Profiles\cqv8y5c1.default\
    FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2009-08-07 10:59
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1547161642-261903793-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
    @Denied: (Full) (LocalSystem)

    [HKEY_USERS\S-1-5-21-1547161642-261903793-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:6f,6d,1c,b9,f6,24,1b,c7,23,97,f4,68,e2,08,0a,a8,f4,25,25,01,d3,90,35,
    10,f2,d1,72,24,10,10,50,f7,92,65,fd,6c,7c,0e,72,ab,11,78,63,3c,6b,b3,89,d0,\
    "??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

    [HKEY_USERS\S-1-5-21-1547161642-261903793-682003330-1003\Software\SecuROM\License information*]
    "datasecu"=hex:f8,25,23,dd,8c,51,c7,3d,d9,ca,c3,98,2b,ee,fa,29,0a,09,ad,52,5e,
    74,de,ea,f1,26,08,0a,d9,5a,b8,f8,15,8e,fa,68,e5,ec,ee,9d,f1,71,ea,2a,76,d2,\
    "rkeysecu"=hex:fc,c0,7e,17,05,7d,fc,b5,1a,af,54,29,89,3b,60,32
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(760)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(3548)
    c:\windows\system32\WININET.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Executive Software\Diskeeper\DkService.exe
    c:\program files\EPSON\ESM2\eEBSvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\windows\system32\PnkBstrB.exe
    c:\windows\system32\MsPMSPSv.exe
    c:\windows\system32\searchindexer.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\rundll32.exe
    c:\progra~1\MICROS~4\rapimgr.exe
    c:\documents and settings\Mark Fraser\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Razer\DeathAdder\razerofa.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-08-07 11:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-07 16:02

    Pre-Run: 21,515,010,048 bytes free
    Post-Run: 21,336,911,872 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    248 --- E O F --- 2009-08-06 19:18


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:05:50 AM, on 8/7/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\EPSON\ESM2\eEBSVC.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Razer\DeathAdder\razerhid.exe
    C:\Program Files\Razer\Lycosa\razerhid.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\PROGRA~1\MICROS~4\rapimgr.exe
    C:\Documents and Settings\Mark Fraser\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Razer\DeathAdder\razerofa.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Xoxide.com - Custom ATX Computer Cases, PC Mods, Computer Case mods, and Modded PC Cases
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F1 - win.ini: run= E:\WESTWOOD\INSTICON.EXE
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: (no name) - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
    O4 - HKLM\..\Run: [Lycosa] "C:\Program Files\Razer\Lycosa\razerhid.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Mark Fraser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downl...19/CTSUEng.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} -
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5483.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093050228734
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1147650017109
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/game...utLauncher.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downl...2119/CTPID.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    --
    End of file - 10427 bytes
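Two entries in the log above stand out to a reviewer: the Sigcheck line marked `[-]` for the system32 copy of termsrv.dll, whose MD5 differs from both reference copies, and the `lac97inf` driver whose path points into a user's Temp folder and ends in `[?]`. The script below is an added example, not a tool from the thread or from ComboFix; it pulls exactly those two kinds of entries out of a few lines copied from the log. The meanings assigned to `[-]` (hash differs from the reference copies) and `[?]` (file details could not be read) are assumptions drawn from the lines shown.

```python
"""Triage a ComboFix log excerpt: flag Sigcheck mismatches and drivers loading from
user or Temp directories. Added example; not a ComboFix or forum-provided tool."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
------- Sigcheck -------

[7] 2004-08-04 07:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-11-29 16:41 295424 63999D0ABD8DABFD76A9C07F6E104868 c:\windows\system32\termsrv.dll
.
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/13/2008 4:52 PM 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/13/2008 4:49 PM 472320]
S3 lac97inf;lac97inf;\??\c:\docume~1\MARKFR~1\LOCALS~1\Temp\lac97inf.sys --> c:\docume~1\MARKFR~1\LOCALS~1\Temp\lac97inf.sys [?]
S3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [9/6/2008 10:16 PM 21888]
"""

# "[flag] date time size md5 path" as printed in ComboFix's Sigcheck section.
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<stamp>\S+\s+\S+)\s+(?P<size>\d+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+?)\s*$")
# "R1 name;display;path [details]" with an optional "--> resolved path".
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"\s+(?:-->\s+(?P<resolved>.+?)\s+)?\[(?P<info>[^\]]*)\]\s*$")

# Locations where Windows XP keeps pristine copies of protected system files.
REFERENCE_DIRS = ("\\servicepackfiles\\", "\\$ntservicepackuninstall$\\")
# A kernel driver has no business loading from any of these.
SUSPICIOUS_DIRS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\")


@dataclass(frozen=True)
class Finding:
    kind: str     # "sigcheck" or "driver"
    subject: str  # file path or service name
    reason: str


def parse(lines, regex):
    """Return the named groups of every line that matches regex."""
    return [m.groupdict() for m in map(regex.match, (l.strip() for l in lines)) if m]


def check_sigcheck(entries):
    """Report each '[-]' entry together with the hashes of its reference copies."""
    by_name = {}
    for e in entries:
        by_name.setdefault(e["path"].rsplit("\\", 1)[-1].lower(), []).append(e)
    findings = []
    for group in by_name.values():
        refs = sorted({e["md5"].upper() for e in group
                       if any(d in e["path"].lower() for d in REFERENCE_DIRS)})
        for e in group:
            if e["flag"] != "-":
                continue
            reason = f"MD5 {e['md5'].upper()} flagged by ComboFix"
            if refs:
                reason += "; reference copies have " + ", ".join(refs)
            findings.append(Finding("sigcheck", e["path"], reason))
    return findings


def check_services(entries):
    """Flag drivers whose file could not be read ('[?]') or that live in a user/Temp dir."""
    findings = []
    for e in entries:
        path = (e["resolved"] or e["path"]).lower()
        if e["info"].strip() == "?":
            findings.append(Finding("driver", e["name"], f"file details unreadable: {path}"))
        if any(d in path for d in SUSPICIOUS_DIRS):
            findings.append(Finding("driver", e["name"], f"loads from user/Temp path: {path}"))
    return findings


def triage(log_text):
    """Run both checks over a whole log and return the combined findings."""
    lines = log_text.splitlines()
    return check_sigcheck(parse(lines, SIGCHECK_RE)) + check_services(parse(lines, SERVICE_RE))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.reason}")
```

On the sample it reports the termsrv.dll mismatch once and lac97inf twice (unreadable file details, Temp-folder path), and nothing for the drivers that load from system32 or Program Files.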

  5. #5
    broni is offline Senior Member
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\docume~1\MARKFR~1\LOCALS~1\Temp\lac97inf.sys
    
    Folder::
    
    Driver::
    lac97inf
    
    Registry::
    
    RegLockDel::

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.

  6. #6
    fraserma is offline Junior Member
    My son decided to reload Win XP from scratch. Thank you very much for trying to help resolve this problem. Sorry you wasted your time.

  7. #7
    broni is offline Senior Member
    No problem
