Look on the computer for this file:
uninstallwinclient.exe
Sorry, couldn't find it. Tried both ways:
1. Searching
2. tried to locate it in the directory of LAN Desk
Is there somebody you can check with in your mother's office who may know what to do with this program? I have a "feeling" this might be what is causing the excessive svchost usage, but I cannot say for certain. Obviously this is a business program, meant to be used with other computers on an office network I imagine. This is why you probably cannot uninstall it. They wouldn't want somebody in an office to be able to do that. See if you can check on it.
I asked my mom to check on it and she was told to bring the laptop to the office and they can format it.
That is the last option for me.
The computer is running better today, which is the first day I am using it for writing on this thread.
svchost is not running at 100% anymore; in fact it is normal now.
Although there are 46 processes running and the overall performance is slow.
I get this message when Windows starts: "windows\MKMKrnl.dll specified module was not found."
Do you think the files got removed now?
I have not run any scan since posting the last HJT log.
Do you want another HJT log?
MKMKrnl.dll was one of the trojans removed. It must still be set to run in Start Up. The computer doesn't know it is a bad file, is looking for it and since it isn't there it tells you it cannot be found.
Update MBA-M and run a Full System Scan with it. Allow it to Remove all found. Then reboot the computer, run a new HJT scan and post both logs.
Judy
I updated MBA-M and ran a full scan. Here is the log:
Malwarebytes' Anti-Malware 1.36
Database version: 2025
Windows 5.1.2600 Service Pack 2
4/22/2009 8:09:42 PM
mbam-log-2009-04-22 (20-09-42).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 136179
Time elapsed: 37 minute(s), 22 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{da191de0-aa86-4ed0-4b87-293d48b2ae99} (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\msnmsg (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\admin\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
Here is the HJT log:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.adobe.com/WebObjects/WEC?pageID=RegMp1&awe_301001&platformCode=WIN&version=5.0&nameCode=ACRO&languageCode=USENGLIS&systemCode=AOLN
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [MPMKrnl] rundll32 "C:\WINDOWS\MKMKrnl.dll",KMainProc
O4 - Global Startup: PC Information.lnk = C:\Program Files\Bayer\Compi\compi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O17 - HKLM\Software\..\Telephony: DomainName = DE.BAYER.cnb
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7025 bytes
However, my antivirus also found a couple of things. Here is the log:
Risk Filename Original Location Status Date
Trojan Horse dump_wmimmc.sys C:\Documents and Settings\admin\Local Settings\Temp\ Infected 4/22/2009 19:33
Trojan Horse ComboFix.exe C:\Documents and Settings\admin\Desktop\ Infected 4/22/2009 19:33
Trojan Horse ?????? ?????? Infected 4/21/2009 18:11
Trojan Horse oleadp.dll C:\WINDOWS\system32\ Infected 4/21/2009 6:13
Hope you have all the information.
I found this while searching; it says it uninstalls LANDesk, but I'm not sure: UninstallWinClient.exe. Do you think I should try?
Do you think deleting the folder would help? And later removing the registry values?
You need to check with the tech people at your Mom's office before attempting this.
The items found by MBA-M should probably have taken care of your MKMKrnl.dll message.
Items found by your AV program probably are related to the combofixes you ran. You need to UNINSTALL Combofix ASAP.
Do it this way and follow the instructions EXACTLY:
* Click START then RUN
* Now type Combofix /u in the runbox and click OK. The space between Combofix and the /u must be there.
When shown the disclaimer, Select "2"
They said you can try it, although they did not sound certain.
What do you think, should we take a gamble?
If they sound uncertain and they are the ones who installed it, then frankly I would let them do it. I would hate to remove key files, which could happen. If they have given you the computer and are willing to reformat it for you, then I would let them do it.
I don't want it to be reformatted.
1. My mom does not want to take it back to the office for reasons I don't know.
2. I don't want it reformatted either because I will lose a licensed Windows.
3. I think I can try.
It says Windows cannot find Combofix.
My Combofix file, I think, has been deleted.
I find this a bit confusing. Why would you lose licensed Windows? That doesn't make you lose the license, unless you don't own the computer or the license. Do you have the disks that came with the computer?
Remember, if you do try and it fails then you will have no computer at all.
If the computer is working well then just leave it alone.
I don't have the disks that came with it.
That's why.
I think I should let it be, as the PC is running fine.
What are all the other processes that are running?
I don't know because you didn't post a complete HJT log. You have to post ALL of it from top to bottom.
Run a new Full Scan, and post the entire log.
Well, here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:47 PM, on 4/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\LANDesk\LDClient\BBSConfig\tools\mandatoryactions.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Bayer\Compi\compi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Software\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.adobe.com/WebObjects/WEC?pageID=RegMp1&awe_301001&platformCode=WIN&version=5.0&nameCode=ACRO&languageCode=USENGLIS&systemCode=AOLN
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [MPMKrnl] rundll32 "C:\WINDOWS\MKMKrnl.dll",KMainProc
O4 - Global Startup: PC Information.lnk = C:\Program Files\Bayer\Compi\compi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O17 - HKLM\Software\..\Telephony: DomainName = DE.BAYER.cnb
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7014 bytes
I think it is complete.
Yes, this log is complete. Most of the processes showing are legitimate processes for the various things on the computer.
Not sure which ones you are questioning.
I honestly cannot say for sure the system is clean however.
This one in auto starting programs:
O4 - HKLM\..\Policies\Explorer\Run: [MPMKrnl] rundll32 "C:\WINDOWS\MKMKrnl.dll",KMainProc
this appears to be a trojan.
Now I want you to follow these instructions EXACTLY. No doing things on your own or running other programs except this one, PLEASE.
Download ComboFix from Here to your Desktop.
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
* Remember to re-enable the protection again after ComboFix has finished.
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running.
Double click on combofix.exe & follow the prompts.
If you are using Windows XP, it might display a pop up saying "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log
****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****
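Judy's earlier explanation (an auto-start entry still pointing at a DLL that MBA-M already quarantined, which is why Windows reports that MKMKrnl.dll cannot be found) and the O4 line she singles out in this post can both be checked mechanically. The following is an added example, not part of the thread and not HijackThis code: it parses O4 lines in HijackThis format, pulls out the file each entry actually runs, and reports entries whose target no longer exists. The O4 lines are copied from the logs posted in the thread; the set of present files is constructed to stand in for the disk after the DLL was quarantined.

```python
import os
import re
from typing import Callable, List, Optional

# O4 lines copied from the HijackThis logs posted in this thread.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKLM\..\Policies\Explorer\Run: [MPMKrnl] rundll32 "C:\WINDOWS\MKMKrnl.dll",KMainProc',
    r'O4 - Global Startup: PC Information.lnk = C:\Program Files\Bayer\Compi\compi.exe',
]

# Constructed stand-in for the disk after MBA-M quarantined MKMKrnl.dll: the
# legitimate targets exist, the trojan DLL does not (compared case-insensitively).
PRESENT_FILES = {
    r'c:\program files\common files\symantec shared\ccapp.exe',
    r'c:\windows\system32\ctfmon.exe',
    r'c:\program files\bayer\compi\compi.exe',
}

def sample_exists(path: str) -> bool:
    """File-existence oracle for the constructed sample (stands in for os.path.isfile)."""
    return path.lower() in PRESENT_FILES

# "O4 - <registry location>: [<value name>] <command line>"
O4_REG_RE = re.compile(r'^O4 - (?P<location>.+?): \[(?P<name>[^\]]+)\] (?P<command>.*)$')
# "O4 - Global Startup: <shortcut>.lnk = <target>"
O4_LNK_RE = re.compile(r'^O4 - (?P<location>(?:Global )?Startup): (?P<name>.+?) = (?P<command>.*)$')
# rundll32 "C:\dir\lib.dll",Entry  ->  the DLL is the file that actually runs
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,', re.IGNORECASE)
DRIVE_RE = re.compile(r'^[A-Za-z]:\\')

def extract_target(command: str) -> Optional[str]:
    """Return the file a start-up command line refers to, or None if unparseable."""
    cmd = command.strip()
    m = RUNDLL_RE.match(cmd)
    if m:
        return m['dll']
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    # Unquoted command: the path runs up to the first switch-like argument.
    return re.split(r'\s+[-/]', cmd, maxsplit=1)[0] or None

def parse_o4(line: str) -> Optional[dict]:
    """Split one HijackThis O4 line into location, value name and command."""
    m = O4_REG_RE.match(line) or O4_LNK_RE.match(line)
    if not m:
        return None
    return {'location': m['location'], 'name': m['name'], 'command': m['command']}

def audit_o4(lines: List[str], exists: Callable[[str], bool] = os.path.isfile) -> List[dict]:
    """Classify each O4 entry as present, orphaned (target missing), unqualified or unparsed."""
    results = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        target = extract_target(entry['command'])
        if target is None:
            status = 'unparsed'
        elif not DRIVE_RE.match(target):
            status = 'unqualified'   # bare file name, resolved through PATH at logon
        elif exists(target):
            status = 'present'
        else:
            status = 'orphaned'      # what produces "specified module was not found"
        results.append({**entry, 'target': target or '', 'status': status,
                        'via_rundll32': bool(RUNDLL_RE.match(entry['command'].strip()))})
    return results

def orphaned_entries(results: List[dict]) -> List[dict]:
    """Entries whose target file is gone: stale loading points left after a cleanup."""
    return [r for r in results if r['status'] == 'orphaned']

if __name__ == '__main__':
    for r in audit_o4(SAMPLE_O4_LINES, sample_exists):
        print(f"{r['status']:<11} {r['location']:<34} [{r['name']}] -> {r['target']}")
```

Run against a real log with the default `exists`, the orphaned list is the set of auto-start values that still need deleting after the files they launched were removed.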
I would do that, but I think for what you mentioned I only get the message that it was not found, as I had mentioned earlier in a message.
You know it would be really nice here if you would follow instructions.
In post #47 I asked you to DOWNLOAD combofix. I did NOT ask you to remove it. Obviously you don't pay attention. You said before that your mother could take this to her office and have it reformatted.
Take this to your mother's office and let them reformat it. You obviously cannot follow instructions.
You did not get my message correctly. I said nothing about removing Combofix; I said when I start I get that "MKMD something" message not found.
I will post an HJT log after Combofix.
All right, I misunderstood you. Sorry.
Here is the Combofix log:
ComboFix 09-04-25.A1 - admin 04/25/2009 20:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.130 [GMT 5:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NVMINI
-------\Service_nvmini
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.
2009-04-24 16:30 . 2009-04-24 16:30 -------- d-----w c:\documents and settings\admin\Application Data\InterVideo
2009-04-20 17:20 . 2009-04-20 17:20 0 ----a-w c:\windows\vpc32.INI
2009-04-20 16:31 . 2009-04-20 16:31 -------- d-----w c:\documents and settings\admin\Local Settings\Application Data\Symantec
2009-04-20 16:29 . 2006-09-18 12:55 48816 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-04-20 16:29 . 2006-09-18 12:55 109744 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-20 16:28 . 2009-04-20 16:29 -------- d-----w c:\program files\Symantec
2009-04-20 16:28 . 2009-04-25 15:59 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-20 16:28 . 2009-04-20 16:30 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-20 16:28 . 2009-04-20 16:28 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-20 14:58 . 2009-04-20 14:58 -------- d-----w c:\documents and settings\admin\Application Data\Malwarebytes
2009-04-20 14:58 . 2009-04-06 10:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-20 14:58 . 2009-04-06 10:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 14:58 . 2009-04-20 14:58 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-20 14:58 . 2009-04-20 14:58 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-20 12:22 . 2009-04-20 12:22 -------- d-----w c:\documents and settings\admin\Local Settings\Application Data\WMTools Downloaded Files
2009-04-20 12:22 . 2001-08-17 08:53 6784 -c--a-w c:\windows\system32\dllcache\serscan.sys
2009-04-20 12:22 . 2001-08-17 08:53 6784 ----a-w c:\windows\system32\drivers\serscan.sys
2009-04-20 12:22 . 2001-08-17 17:36 92160 -c--a-w c:\windows\system32\dllcache\fuusd.dll
2009-04-20 12:22 . 2001-08-17 17:36 92160 ----a-w c:\windows\system32\fuusd.dll
2009-04-20 12:22 . 2001-08-17 17:36 71680 -c--a-w c:\windows\system32\dllcache\fnfilter.dll
2009-04-20 12:22 . 2001-08-17 17:36 71680 ----a-w c:\windows\system32\fnfilter.dll
2009-04-19 15:11 . 2005-11-08 19:26 38400 ----a-w c:\windows\system32\moveex.exe
2009-04-19 07:01 . 2009-04-19 07:01 -------- d-----w c:\windows\Cache
2009-04-19 03:36 . 2009-04-19 03:36 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-19 03:36 . 2009-04-19 03:36 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-19 03:36 . 2009-04-19 03:36 -------- d-----w c:\documents and settings\admin\Application Data\SUPERAntiSpyware.com
2009-04-19 03:35 . 2009-04-19 03:35 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-13 13:40 . 2009-04-13 13:40 -------- d-----w c:\documents and settings\admin\Application Data\acccore
2009-04-12 04:42 . 2009-04-20 10:35 -------- d-----w c:\program files\DC++
2009-04-11 19:10 . 2009-04-11 19:10 -------- d-----w c:\documents and settings\admin\Local Settings\Application Data\AOL OCP
2009-04-11 19:10 . 2009-04-11 19:10 -------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-04-11 19:09 . 2009-04-11 19:09 -------- d-----w c:\program files\VideoLAN
2009-04-11 19:08 . 2009-04-11 19:08 -------- d-----w c:\program files\Common Files\AOL
2009-04-11 19:07 . 2009-04-11 19:10 -------- d-----w c:\program files\AIM6
2009-04-11 19:07 . 2009-04-11 19:10 369 ---ha-w C:\IPH.PH
2009-04-11 19:06 . 2009-04-11 19:06 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-04-11 19:06 . 2009-04-25 02:35 -------- d-----w c:\documents and settings\admin\Application Data\skypePM
2009-04-11 19:04 . 2009-04-25 03:39 -------- d-----w c:\documents and settings\admin\Application Data\Skype
2009-04-11 19:01 . 2009-04-11 19:02 -------- d-----w c:\program files\Skype
2009-04-11 19:01 . 2009-04-11 19:01 -------- d-----w c:\program files\Common Files\Skype
2009-04-11 19:00 . 2009-04-11 19:02 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-11 17:01 . 2009-04-11 17:01 -------- d-----w c:\program files\DAEMON Tools
2009-04-11 16:19 . 2009-04-11 16:19 685816 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-11 16:16 . 2009-04-11 16:16 2 ----a-w c:\windows\msoffice.ini
2009-04-11 16:11 . 2009-04-19 03:44 -------- d-----w c:\program files\FlashFXP
2009-04-11 15:39 . 2009-04-11 15:39 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\AOL
2009-04-11 15:38 . 2009-04-11 16:16 -------- d-----w c:\documents and settings\admin\Application Data\AOL
2009-04-11 15:34 . 2009-04-11 19:10 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-11 15:34 . 2009-04-11 19:10 -------- d-----w c:\program files\Viewpoint
2009-04-11 15:34 . 2009-04-11 15:34 -------- d-----w c:\program files\Common Files\Nullsoft
2009-04-11 15:31 . 2009-04-11 15:31 -------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2009-04-11 15:31 . 2009-04-11 15:38 -------- d-----w c:\documents and settings\admin\Local Settings\Application Data\AOL
2009-04-11 15:29 . 2009-04-11 16:20 -------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-04-11 14:07 . 2009-04-11 14:07 -------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2009-04-11 13:54 . 2009-04-11 13:54 -------- d-sh--r c:\windows\system32a2.sys
2009-04-11 13:54 . 2009-04-11 13:54 -------- d-sh--r c:\windows\system32\winsiscsi.sys
2009-04-11 13:54 . 2009-04-11 13:54 -------- d-sh--r c:\windows\system32\fdzld.sys
2009-04-11 13:54 . 2009-04-11 13:54 -------- d-sh--r c:\windows\system32\drivers\winsiscsi.sys
2009-04-11 13:54 . 2009-04-11 13:54 -------- d-sh--r c:\windows\system32\drivers\pcidump.sys
2009-04-11 13:54 . 2009-04-11 13:54 -------- d-sh--r c:\windows\system32\drivers\npf.sys
2009-04-11 13:54 . 2009-04-11 13:54 -------- d-sh--r c:\windows\system32\drivers\kjkiuiuo.sys
2009-04-11 13:54 . 2009-04-11 13:54 -------- d-sh--r c:\windows\system32\drivers\DogKiller.sys
2009-04-11 13:54 . 2009-04-11 13:54 -------- d-sh--r c:\windows\system32\drivers\winsawids.sys
2009-04-11 13:54 . 2009-04-11 13:54 -------- d-sh--r c:\windows\system32\drivers\syskenuyt.sys
2009-04-11 13:54 . 2009-04-11 13:54 -------- d-sh--r c:\windows\system32\drivers\jsphelp.sys
2009-04-11 13:54 . 2009-04-11 13:54 -------- d-sh--r c:\windows\system32\drivers\EASYDOWNS.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-20 10:40 . 2002-06-20 11:02 -------- d-----w c:\program files\Common Files\Adobe
2009-04-19 15:22 . 2009-04-19 15:22 828 ----a-w C:\ComboFix-quarantined-files.txt
2009-04-19 15:11 . 2009-04-19 15:06 13331 ----a-w C:\ComboFix2.txt
2009-04-19 13:39 . 2008-11-19 08:47 -------- d-----w c:\documents and settings\All Users\Application Data\vulScan
2009-03-18 05:20 . 2002-06-20 11:08 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-18 05:04 . 2002-06-20 10:25 -------- d---a-w c:\program files\OfficeScan NT
2009-03-17 12:14 . 2008-06-20 11:51 -------- d-----w c:\program files\HP
2009-03-17 12:10 . 2008-06-20 13:18 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-11 11:13 . 2009-03-11 11:13 63592 ----a-w c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-11 16:25 . 2009-02-11 16:25 499712 ----a-w c:\windows\system32\msvcp71.dll
2009-02-11 16:25 . 2009-02-11 16:25 348160 ----a-w c:\windows\system32\msvcr71.dll
2009-01-05 04:34 . 2009-01-05 04:34 63592 ----a-w c:\documents and settings\pniad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-05 04:34 . 2009-01-05 04:34 128 ----a-w c:\documents and settings\pniad\Local Settings\Application Data\fusioncache.dat
2008-12-15 04:42 . 2008-12-15 04:42 63592 ----a-w c:\documents and settings\pnazn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-15 04:42 . 2008-12-15 04:42 128 ----a-w c:\documents and settings\pnazn\Local Settings\Application Data\fusioncache.dat
2008-12-15 04:25 . 2008-12-15 04:25 128 ----a-w c:\documents and settings\admin\Local Settings\Application Data\fusioncache.dat
2008-10-22 05:32 . 2008-10-22 05:32 63592 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-10-22 05:32 . 2008-10-22 05:32 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2008-07-23 10:34 . 2008-07-23 10:34 128 ----a-w c:\documents and settings\ctjfa\Local Settings\Application Data\fusioncache.dat
2008-06-20 13:44 . 2008-06-20 13:44 63592 ----a-w c:\documents and settings\ctjfa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 1506544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"SDClientMonitor"="c:\program files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2006-11-01 258048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2002-10-18 87751]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-05 28672]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
PC Information.lnk - c:\program files\Bayer\Compi\compi.exe [2008-11-25 228815]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 08:41 294912 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HelpSvc.exe]
"Debugger"=ntsd -d
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UIHost.kxp]
"Debugger"=ntsd -d
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
R3 cxbu0wdm;CardMan 3x21;c:\windows\system32\DRIVERS\cxbu0wdm.sys [2004-10-22 59151]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-05-28 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-28 55024]
S2 CBA8;LANDesk(R) Management Agent;c:\program files\LANDesk\Shared Files\residentagent.exe [2006-11-21 122880]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-04-15 101936]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00bc9570-26c8-11de-bf23-000d607fdcea}]
\shell\explore\Command - G:\boot.exe
\shell\open\Command - G:\boot.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3a3e570-13a9-11de-bf13-000d607fdcea}]
\Shell\Auto\command - F:\asp.net
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL asp.net
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)
HKLM-Run-MMReminderService - c:\program files\Mindjet\MindManager 6\MMReminderService.exe
HKLM-Run-pdfSaver3 - (no file)
HKLM-Explorer_Run-MPMKrnl - c:\windows\MKMKrnl.dll
ShellExecuteHooks-{AD83BEAC-608A-4E03-B4A4-118EABD95834} - c:\windows\fonts\CN28BSk5wje.fon
ShellExecuteHooks-{D90958B6-FA15-4643-942E-8AC717BB15D1} - c:\windows\system32\a643af61f812.dll
ShellExecuteHooks-{9AA26BDE-8565-4568-BDFB-6DB6BCE7A794} - c:\windows\fonts\hfKMT5na.fon
ShellExecuteHooks-{71C14A99-FCFD-4ED1-82CF-8C40286778E8} - c:\windows\system32\sFp9MGAh.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.daemonsearch.com/intl/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://store.adobe.com/WebObjects/WEC?pageID=RegMp1&awe_301001&platformCode=WIN&version=5.0&nameCode=ACRO&languageCode=USENGLIS&systemCode=AOLN
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\jazw8nam.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 20:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(548)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(2600)
c:\docume~1\admin\LOCALS~1\Temp\catchme.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\scardsvr.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\cba\pds.exe
c:\program files\LANDesk\LDClient\tmcsvc.exe
c:\progra~1\LANDesk\LDClient\issuser.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\LANDesk\LDClient\rcgui.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\progra~1\LANDesk\LDClient\collector.exe
c:\program files\LANDesk\LDClient\BBSconfig\Tools\mandatoryactions.exe
c:\combofix\hidec.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Completion time: 2009-04-25 21:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-25 16:01
ComboFix2.txt 2009-04-19 15:22
Pre-Run: 10,003,632,128 bytes free
Post-Run: 10,275,864,576 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:29 PM, on 4/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\LANDesk\LDClient\BBSConfig\Tools\MandatoryActions.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Bayer\Compi\compi.exe
C:\WINDOWS\system32\userinit.exe
D:\Software\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.adobe.com/WebObjects/WEC?pageID=RegMp1&awe_301001&platformCode=WIN&version=5.0&nameCode=ACRO&languageCode=USENGLIS&systemCode=AOLN
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: PC Information.lnk = C:\Program Files\Bayer\Compi\compi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O17 - HKLM\Software\..\Telephony: DomainName = DE.BAYER.cnb
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7126 bytes
Ok, combofix removed a lot. How about trying another run of MBA-M. Updating first of course. Run a Full System scan and then allow it to remove all items found.
Save the log.
Reboot the computer and run a new HJT scan, save the log and post back here with both.
No special instruction, so I assume it has to be done in a normal way.
Yes, run MBA-M in normal mode. Remove everything found. Reboot and then do the Full scan with HJT.
Post back with both logs.
Judy
Oh well, I think this is what you wanted, the MBA-M log:
Malwarebytes' Anti-Malware 1.36
Database version: 2043
Windows 5.1.2600 Service Pack 2
4/26/2009 8:56:11 AM
mbam-log-2009-04-26 (08-56-11).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 141743
Time elapsed: 34 minute(s), 48 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:15 PM, on 4/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\LANDesk\LDClient\BBSConfig\Tools\MandatoryActions.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Bayer\Compi\compi.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Software\HiJackThis.exe
C:\Program Files\LANDesk\LDClient\BBSConfig\tools\mandatoryactions.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.adobe.com/WebObjects/WEC?pageID=RegMp1&awe_301001&platformCode=WIN&version=5.0&nameCode=ACRO&languageCode=USENGLIS&systemCode=AOLN
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: PC Information.lnk = C:\Program Files\Bayer\Compi\compi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O17 - HKLM\Software\..\Telephony: DomainName = DE.BAYER.cnb
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7246 bytes
Now, the items in bold are the ones I want you to tell me about, and probably how to remove them. Since LANDesk is not an option, I haven't highlighted it.
By the way, I do not think my taskbar opens properly. I mean the microphone option, speech tool, has never opened completely.
Also, can I run a scan of SUPERAntiSpyware?
Sure, good program.
You can go to Add/Remove and Uninstall that Viewpoint Manager. It is considered foistware, not bad but you didn't ask for it. It is a media player added by some other program.
I will get back with you on those other entries you question.
Here is the info you requested:
spoolsv.exe>Print+Fax Spooler
AGRSMMSG>IBM AMR modem driver>required
ATIModeChange>System Tray icon to access ATI graphics card settings>not required
HP Software Update>HP software updates>not required can be done manually
HP Component Manager>Checks the internet for updated drivers/utilities for your HP product>not required. Do it manually
ctfmon.exe>CTFMon is involved with the language/alternative input services in Office XP
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL>Microsoft Office related. Removal is not needed, perfectly legal listing.
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll> Microsoft Client Services for Netware
Ati HotKey Poller>Part of the ATI video driver that allows you to specify hotkeys to change various display settings.
IBMPMSVC> Power management driver for IBM laptops
InstallDriver Table Manager (IDriverT) >Program associated with InstallShield. This startup should only be created when a software that uses installshield is being installed. If you are not in the middle of installing a program, you can disable this entry.
IviRegMgr - InterVideo>Related to InterVideo applications.
Pml Driver HPZ12 - HP >Used by HP Printer/Scanner/Copier printers to prevent Windows from entering hibernation mode.
I could find absolutely NO information about the entries below. Who is your Internet Provider?
O4 - Global Startup: PC Information.lnk = C:\Program Files\Bayer\Compi\compi.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O17 - HKLM\Software\..\Telephony: DomainName = DE.BAYER.cnb
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
Judy
I think that the entries in red belong to mom's office setup.
They are no longer required, I think; get rid of them.
HP components can be removed; tell me the way.