
sweetjones

Members
Posts: 11

Everything posted by sweetjones

  1. Looks like everything is working completely. Thank you! We really appreciate your help. We can't thank you enough.
  2. F.Y.I. yesterday Microsoft Windows Malicious Software Removal Tool detected this ndis.sys file to be infected and supposedly cleaned it. Well, I followed your instructions and dragged the CFScript file onto ComboFix. When it got to the installation of the Recovery Console, that error message popped up again, but I still continued with the malware scan this time. It did not ask to reboot, and here are the results:

     ComboFix 09-05-15.08 - Owner 05/17/2009 10:01.3 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.893.488 [GMT -5:00]
     Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
     AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
     WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     --------------- FCopy ---------------
     c:\windows\ServicePackFiles\i386\ndis.sys --> c:\windows\system32\drivers\ndis.sys
     .
     ((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
     .
     2009-05-15 22:22 . 2009-05-15 22:22 -------- d-----w C:\earthday
     2009-05-12 23:54 . 2009-05-12 23:54 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
     2009-05-12 23:50 . 2003-10-13 20:30 94208 ----a-w c:\windows\system32\GTW32N50.dll
     2009-05-12 23:50 . 2003-09-26 03:15 15872 ----a-w c:\windows\system32\GTNDIS5.sys
     2009-05-12 23:50 . 2005-11-25 00:51 245248 ----a-w c:\windows\system32\drivers\rt73.sys
     2009-05-12 23:50 . 2005-02-01 23:18 17992 ----a-w c:\windows\bcm42rly.sys
     2009-05-12 23:50 . 2005-02-01 23:18 17992 ----a-w c:\windows\system32\drivers\bcm42rly.sys
     2009-05-12 23:50 . 2005-02-01 23:18 17992 ----a-w c:\windows\system32\bcm42rly.sys
     2009-05-12 23:50 . 2005-11-03 22:41 32768 ----a-w c:\windows\system32\GTGina.dll
     2009-05-12 23:49 . 2009-05-12 23:49 -------- d-----w C:\Linksys Driver
     2009-05-10 23:17 . 2009-05-17 14:59 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
     2009-05-10 23:17 . 2009-05-17 14:55 -------- d-----w c:\program files\SpywareBlaster
     2009-05-10 21:59 . 2009-05-10 22:00 8 ----a-w C:\settings.dat
     2009-05-10 20:42 . 2009-05-10 20:42 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
     2009-04-20 17:19 . 2009-04-20 17:19 -------- d-sh--w c:\documents and settings\Owner\IECompatCache
     2009-04-20 17:17 . 2009-04-20 17:17 -------- d-sh--w c:\documents and settings\Owner\PrivacIE
     2009-04-20 17:16 . 2009-04-20 17:16 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
     2009-04-20 17:13 . 2009-04-20 17:13 -------- d-sh--w c:\documents and settings\Owner\IETldCache
     2009-04-20 17:11 . 2009-04-20 17:11 -------- d-----w c:\windows\ie8updates
     2009-04-20 17:10 . 2009-04-20 17:10 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
     2009-04-20 17:07 . 2009-04-20 17:08 -------- dc-h--w c:\windows\ie8
     2009-04-20 17:07 . 2009-04-20 17:11 -------- d--h--w c:\windows\msdownld.tmp
     2009-04-20 17:04 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
     2009-04-20 15:45 . 2009-04-20 15:45 -------- d-----w c:\documents and settings\All Users\Application Data\Motive
     2009-04-20 15:45 . 2005-07-12 07:28 6048 ----a-w c:\windows\system32\MCC16.dll
     2009-04-20 15:45 . 2005-07-12 07:28 69632 ----a-w c:\windows\system32\MCCDevice.dll
     2009-04-20 15:45 . 2009-04-20 15:45 -------- d-----w c:\program files\Common Files\Motive
     2009-04-20 15:45 . 2009-04-20 15:45 -------- d-----w c:\program files\ATT
     2009-04-19 21:30 . 2009-04-19 21:30 -------- d-----w c:\documents and settings\Owner\Application Data\pmwppcbk
     2009-04-19 21:30 . 2009-04-19 21:30 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\pmwppcbk
     2009-04-19 21:28 . 2009-04-19 21:28 -------- d-----w c:\documents and settings\NetworkService\Application Data\pmwppcbk
     2009-04-19 21:28 . 2009-04-19 21:28 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\pmwppcbk
     2009-04-19 21:28 . 2009-04-20 15:16 10752 ----a-w c:\windows\DCEBoot.exe
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-05-12 23:50 . 2006-08-19 07:51 -------- d--h--w c:\program files\InstallShield Installation Information
     2009-04-20 17:38 . 2009-01-05 19:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
     2009-04-20 17:32 . 2006-08-19 07:58 -------- d-----w c:\program files\Gateway Games
     2009-04-20 17:29 . 2006-08-19 08:02 -------- d-----w c:\program files\Napster
     2009-04-20 17:23 . 2006-08-19 08:04 -------- d-----w c:\program files\BigFix
     2009-04-20 17:10 . 2008-01-12 23:26 -------- d-----w c:\program files\Yahoo!
     2009-04-06 20:32 . 2009-01-05 19:29 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
     2009-04-06 20:32 . 2009-01-05 19:29 15504 ----a-w c:\windows\system32\drivers\mbam.sys
     2009-04-02 23:08 . 2009-01-01 02:39 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
     2009-04-02 23:08 . 2009-01-01 02:39 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
     2009-04-02 23:08 . 2009-01-01 02:39 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
     2009-03-08 09:34 . 2006-06-17 09:23 914944 ----a-w c:\windows\system32\wininet.dll
     2009-03-08 09:34 . 2006-06-17 09:23 43008 ----a-w c:\windows\system32\licmgr10.dll
     2009-03-08 09:33 . 2006-06-17 09:23 18944 ----a-w c:\windows\system32\corpol.dll
     2009-03-08 09:33 . 2006-06-17 09:23 420352 ----a-w c:\windows\system32\vbscript.dll
     2009-03-08 09:32 . 2006-06-17 09:23 72704 ----a-w c:\windows\system32\admparse.dll
     2009-03-08 09:32 . 2006-06-17 09:23 71680 ----a-w c:\windows\system32\iesetup.dll
     2009-03-08 09:31 . 2006-06-17 09:23 34816 ----a-w c:\windows\system32\imgutil.dll
     2009-03-08 09:31 . 2006-06-17 09:23 48128 ----a-w c:\windows\system32\mshtmler.dll
     2009-03-08 09:31 . 2006-06-17 09:23 45568 ----a-w c:\windows\system32\mshta.exe
     2009-03-08 09:22 . 2006-06-17 09:23 156160 ----a-w c:\windows\system32\msls31.dll
     2009-03-06 14:22 . 2006-06-17 09:23 284160 ----a-w c:\windows\system32\pdh.dll
     2009-03-06 02:17 . 2009-01-01 02:45 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
     2009-03-06 02:17 . 2009-01-01 02:45 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
     2009-03-06 02:17 . 2009-01-01 02:45 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
     2009-03-03 23:12 . 2008-07-30 16:59 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-15 68856]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
     "readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
     "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
     "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
     "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
     "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-17 16143872]
     "CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-12-09 550912]

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
     backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
     backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
     "c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\WINDOWS\\ehome\\ehtray.exe"=
     "c:\\Program Files\\Digital Media Reader\\readericon45G.exe"=

     R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/31/2008 9:39 PM 50192]
     R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [12/31/2008 9:45 PM 36368]
     R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [12/31/2008 9:39 PM 677128]
     R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 3:48 PM 602392]
     S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/19/2006 2:50 AM 29744]

     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
     c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
     .
     Contents of the 'Scheduled Tasks' folder

     2009-05-17 c:\windows\Tasks\Google Software Updater.job
     - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-17 14:55]

     2006-11-25 c:\windows\Tasks\ISP signup reminder 1.job
     - c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

     2006-11-25 c:\windows\Tasks\ISP signup reminder 2.job
     - c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

     2006-11-25 c:\windows\Tasks\ISP signup reminder 3.job
     - c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
     FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yov1zt5d.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
     FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
     FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
     FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
     FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
     FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
     FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
     FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
     FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
     FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
     .
     **************************************************************************
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-05-17 10:03
     Windows 5.1.2600 Service Pack 3 NTFS
     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...
     scan completed successfully
     hidden files: 0
     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     - - - - - - - > 'winlogon.exe'(548)
     c:\windows\system32\Ati2evxx.dll
     - - - - - - - > 'explorer.exe'(1396)
     c:\windows\system32\ieframe.dll
     c:\windows\system32\OneX.DLL
     c:\windows\system32\eappprxy.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     Completion time: 2009-05-17 10:05
     ComboFix-quarantined-files.txt 2009-05-17 15:05
     Pre-Run: 179,109,900,288 bytes free
     Post-Run: 179,117,219,840 bytes free
     191 --- E O F --- 2009-05-16 17:08
  3. I just tried to let ComboFix automatically download the Recovery Console, but I still got that error message after the download was complete. What other options are there? Thanks in Advance!!!
  4. Just for the record, I am staying online without any problems now, but the recovery console still is not being installed.
  5. When I drag the "WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe," it's still giving me the error message "Boot Partition cannot be enumerated correctly." Should I continue with the malware scan? Thanks in Advance!!!
  6. I followed your instructions for a manual install of the Recovery Console. They have XP Media Center installed, so according to your instructions I should download XP Pro SP2. I dragged the icon onto ComboFix. After the dialog "Attempt to create a new System Restore Point," an error message popped up and says, "Boot Partition cannot be enumerated correctly." Then ComboFix continues with the scanning for malware. I should've mentioned this before, sorry. I'll run ComboFix again right now and post my log results in my next reply.
  7. Here are my latest logs. I manually installed the Recovery Console and re-ran ComboFix, then rebooted, then re-scanned with Malwarebytes, then rebooted and re-scanned with Malwarebytes after the deletion after rebooting:

     ComboFix 09-05-11.08 - Owner 05/15/2009 16:35.2 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.893.449 [GMT -5:00]
     Running from: c:\documents and settings\Owner\Desktop\earthday.exe
     Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
     AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated)
     * Created a new restore point
     WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
     .
     ((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
     .
     2009-05-12 23:54 . 2009-05-12 23:54 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
     2009-05-12 23:50 . 2009-05-12 23:50 20747 ----a-w c:\windows\system32\drivers\AegisP.sys
     2009-05-12 23:50 . 2005-11-25 00:51 245248 ----a-w c:\windows\system32\rt73.sys
     2009-05-12 23:50 . 2003-10-13 20:30 94208 ----a-w c:\windows\system32\GTW32N50.dll
     2009-05-12 23:50 . 2003-09-26 03:15 15872 ----a-w c:\windows\system32\GTNDIS5.sys
     2009-05-12 23:50 . 2005-11-25 00:51 245248 ----a-w c:\windows\system32\drivers\rt73.sys
     2009-05-12 23:50 . 2005-02-01 23:18 17992 ----a-w c:\windows\bcm42rly.sys
     2009-05-12 23:50 . 2005-02-01 23:18 17992 ----a-w c:\windows\system32\drivers\bcm42rly.sys
     2009-05-12 23:50 . 2005-02-01 23:18 17992 ----a-w c:\windows\system32\bcm42rly.sys
     2009-05-12 23:50 . 2005-11-03 22:41 32768 ----a-w c:\windows\system32\GTGina.dll
     2009-05-12 23:50 . 2009-05-12 23:50 -------- d-----w c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor
     2009-05-12 23:49 . 2009-05-12 23:49 -------- d-----w C:\Linksys Driver
     2009-05-10 23:17 . 2009-05-12 21:56 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
     2009-05-10 23:17 . 2009-05-12 21:56 -------- d-----w c:\program files\SpywareBlaster
     2009-05-10 21:59 . 2009-05-10 22:00 8 ----a-w C:\settings.dat
     2009-05-10 20:42 . 2009-05-10 20:42 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
     2009-04-20 17:19 . 2009-04-20 17:19 -------- d-sh--w c:\documents and settings\Owner\IECompatCache
     2009-04-20 17:17 . 2009-04-20 17:17 -------- d-sh--w c:\documents and settings\Owner\PrivacIE
     2009-04-20 17:16 . 2009-04-20 17:16 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
     2009-04-20 17:13 . 2009-04-20 17:13 -------- d-sh--w c:\documents and settings\Owner\IETldCache
     2009-04-20 17:11 . 2009-04-20 17:11 -------- d-----w c:\windows\ie8updates
     2009-04-20 17:10 . 2009-04-20 17:10 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
     2009-04-20 17:07 . 2009-04-20 17:08 -------- dc-h--w c:\windows\ie8
     2009-04-20 17:07 . 2009-04-20 17:11 -------- d--h--w c:\windows\msdownld.tmp
     2009-04-20 17:04 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
     2009-04-20 15:45 . 2009-04-20 15:45 -------- d-----w c:\documents and settings\All Users\Application Data\Motive
     2009-04-20 15:45 . 2005-07-12 07:28 6048 ----a-w c:\windows\system32\MCC16.dll
     2009-04-20 15:45 . 2005-07-12 07:28 69632 ----a-w c:\windows\system32\MCCDevice.dll
     2009-04-20 15:45 . 2009-04-20 15:45 -------- d-----w c:\program files\Common Files\Motive
     2009-04-20 15:45 . 2009-04-20 15:45 -------- d-----w c:\program files\ATT
     2009-04-19 21:30 . 2009-04-19 21:30 -------- d-----w c:\documents and settings\Owner\Application Data\pmwppcbk
     2009-04-19 21:30 . 2009-04-19 21:30 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\pmwppcbk
     2009-04-19 21:28 . 2009-04-19 21:28 -------- d-----w c:\documents and settings\NetworkService\Application Data\pmwppcbk
     2009-04-19 21:28 . 2009-04-19 21:28 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\pmwppcbk
     2009-04-19 21:28 . 2009-04-20 15:16 10752 ----a-w c:\windows\DCEBoot.exe
     2009-04-16 16:16 . 2009-04-16 16:16 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\{339B899D-1382-4419-BF98-F9A7FFE09B90}
     2009-04-16 02:02 . 2009-04-16 02:02 213120 -c--a-w c:\windows\system32\dllcache\ndis.sys
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-05-12 23:50 . 2006-08-19 07:51 -------- d--h--w c:\program files\InstallShield Installation Information
     2009-04-20 17:38 . 2009-01-05 19:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
     2009-04-20 17:32 . 2006-08-19 07:58 -------- d-----w c:\program files\Gateway Games
     2009-04-20 17:29 . 2006-08-19 08:02 -------- d-----w c:\program files\Napster
     2009-04-20 17:23 . 2006-08-19 08:04 -------- d-----w c:\program files\BigFix
     2009-04-20 17:10 . 2008-01-12 23:26 -------- d-----w c:\program files\Yahoo!
     2009-04-16 02:02 . 2006-06-17 09:23 213120 ----a-w c:\windows\system32\drivers\ndis.sys
     2009-04-06 20:32 . 2009-01-05 19:29 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
     2009-04-06 20:32 . 2009-01-05 19:29 15504 ----a-w c:\windows\system32\drivers\mbam.sys
     2009-04-02 23:08 . 2009-01-01 02:39 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
     2009-04-02 23:08 . 2009-01-01 02:39 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
     2009-04-02 23:08 . 2009-01-01 02:39 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
     2009-03-08 09:34 . 2006-06-17 09:23 914944 ----a-w c:\windows\system32\wininet.dll
     2009-03-08 09:34 . 2006-06-17 09:23 43008 ----a-w c:\windows\system32\licmgr10.dll
     2009-03-08 09:33 . 2006-06-17 09:23 18944 ----a-w c:\windows\system32\corpol.dll
     2009-03-08 09:33 . 2006-06-17 09:23 420352 ----a-w c:\windows\system32\vbscript.dll
     2009-03-08 09:32 . 2006-06-17 09:23 72704 ----a-w c:\windows\system32\admparse.dll
     2009-03-08 09:32 . 2006-06-17 09:23 71680 ----a-w c:\windows\system32\iesetup.dll
     2009-03-08 09:31 . 2006-06-17 09:23 34816 ----a-w c:\windows\system32\imgutil.dll
     2009-03-08 09:31 . 2006-06-17 09:23 48128 ----a-w c:\windows\system32\mshtmler.dll
     2009-03-08 09:31 . 2006-06-17 09:23 45568 ----a-w c:\windows\system32\mshta.exe
     2009-03-08 09:22 . 2006-06-17 09:23 156160 ----a-w c:\windows\system32\msls31.dll
     2009-03-06 14:22 . 2006-06-17 09:23 284160 ----a-w c:\windows\system32\pdh.dll
     2009-03-06 02:17 . 2009-01-01 02:45 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
     2009-03-06 02:17 . 2009-01-01 02:45 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
     2009-03-06 02:17 . 2009-01-01 02:45 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
     2009-03-03 23:12 . 2008-07-30 16:59 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
     .
     ------- Sigcheck -------
     [-] 2004-08-10 19:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
     [7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
     [-] 2009-04-16 02:02 213120 5DE5E1B16E2A2EADA03ECE536EE8D721 c:\windows\system32\dllcache\ndis.sys
     [-] 2009-04-16 02:02 213120 5DE5E1B16E2A2EADA03ECE536EE8D721 c:\windows\system32\drivers\ndis.sys
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6060DAE-068A-4D56-8CF3-71FA5529FECE}]
     2004-08-10 19:00 103424 ----a-w c:\windows\system32\qykdttu.dll

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-15 68856]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
     "readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
     "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
     "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
     "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-19 98304]
     "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-17 16143872]
     "CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-12-09 550912]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
     HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lzzdxord]
     2004-08-10 19:00 103424 ----a-w c:\windows\system32\qykdttu.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
     "c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\WINDOWS\\ehome\\ehtray.exe"=
     "c:\\Program Files\\Digital Media Reader\\readericon45G.exe"=

     R0 lneddqdi;lneddqdi;c:\windows\system32\drivers\lneddqdi.sys [6/17/2006 4:23 AM 23424]
     R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/31/2008 9:39 PM 50192]
     R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [12/31/2008 9:45 PM 36368]
     R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [12/31/2008 9:39 PM 677128]
     R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 3:48 PM 602392]
     S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/19/2006 2:50 AM 29744]

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
     wejnocdg

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd6dd551-2f55-11db-b3c1-806d6172696f}]
     \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
     c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
     .
     Contents of the 'Scheduled Tasks' folder

     2009-05-07 c:\windows\Tasks\At1.job
     - c:\windows\system32\qykdttu.dll [2006-06-17 19:00]

     2009-05-15 c:\windows\Tasks\Google Software Updater.job
     - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-17 14:55]

     2006-11-25 c:\windows\Tasks\ISP signup reminder 1.job
     - c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

     2006-11-25 c:\windows\Tasks\ISP signup reminder 2.job
     - c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

     2006-11-25 c:\windows\Tasks\ISP signup reminder 3.job
     - c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
     FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yov1zt5d.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
     FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
     FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
     FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
     FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
     FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
     FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
     FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
     FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
     FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
     .
     **************************************************************************
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-05-15 16:38
     Windows 5.1.2600 Service Pack 3 NTFS
     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...
     scan completed successfully
     hidden files: 0
     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     - - - - - - - > 'winlogon.exe'(548)
     c:\windows\system32\GTGina.dll
     c:\windows\system32\Ati2evxx.dll
     - - - - - - - > 'explorer.exe'(2444)
     c:\windows\system32\ieframe.dll
     c:\windows\system32\OneX.DLL
     c:\windows\system32\eappprxy.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     Completion time: 2009-05-15 16:40
     ComboFix-quarantined-files.txt 2009-05-15 21:40
     ComboFix2.txt 2009-05-12 22:19
     Pre-Run: 178,616,803,328 bytes free
     Post-Run: 178,614,022,144 bytes free
     206 --- E O F --- 2009-05-11 01:39

     -------------------------------------------------------------------------------------------

     Malwarebytes' Anti-Malware 1.36
     Database version: 2138
     Windows 5.1.2600 Service Pack 3

     5/15/2009 4:58:07 PM
     mbam-log-2009-05-15 (16-58-07).txt

     Scan type: Quick Scan
     Objects scanned: 83846
     Time elapsed: 7 minute(s), 6 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 4
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 2

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6060dae-068a-4d56-8cf3-71fa5529fece} (Trojan.Vundo.H) -> Delete on reboot.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lzzdxord (Trojan.Vundo.H) -> Delete on reboot.
     HKEY_CLASSES_ROOT\CLSID\{a6060dae-068a-4d56-8cf3-71fa5529fece} (Trojan.Vundo.H) -> Delete on reboot.
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lneddqdi (Rootkit.Sentinel) -> Delete on reboot.

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     c:\WINDOWS\system32\qykdttu.dll (Trojan.Vundo.H) -> Delete on reboot.
     C:\WINDOWS\system32\drivers\lneddqdi.sys (Rootkit.Sentinel) -> Delete on reboot.

     --------------------------------------------------------------------------------------------------------------------------

     Malwarebytes' Anti-Malware 1.36
     Database version: 2138
     Windows 5.1.2600 Service Pack 3

     5/15/2009 5:08:31 PM
     mbam-log-2009-05-15 (17-08-31).txt

     Scan type: Quick Scan
     Objects scanned: 84409
     Time elapsed: 4 minute(s), 28 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     ----------------------------------------------------------------------------------------

     Everything seems to be deleted after reboot. I'll continue to test my online time to see if the problem persists. By looking at my logs, is there anything else that I need to do? Thanks in Advance!!!
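The two things a helper reading the logs above would check by hand are the Sigcheck block (the live c:\windows\system32\drivers\ndis.sys carries a different MD5 and a larger size than the copy in ServicePackFiles\i386, which is the copy ComboFix later restored in its FCopy step) and the Malwarebytes detection lines. The following Python script is an added example, not code from the thread, from ComboFix or from Malwarebytes: it parses both formats from sample text copied from this page, flags any driver under system32\drivers whose hash differs from its ServicePackFiles copy (treating that copy as the trusted reference is an assumption of this script, not something the log states), and tallies Malwarebytes detections by family and by deferred action.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the Sigcheck block from the ComboFix log in the
# post above, copied from the page in the tool's own line format.
SIGCHECK_SAMPLE = r"""
------- Sigcheck -------
[-] 2004-08-10 19:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2009-04-16 02:02 213120 5DE5E1B16E2A2EADA03ECE536EE8D721 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-16 02:02 213120 5DE5E1B16E2A2EADA03ECE536EE8D721 c:\windows\system32\drivers\ndis.sys
"""

# Constructed sample input: detection lines from the first Malwarebytes log in
# the post above, under their section headers.
MBAM_SAMPLE = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6060dae-068a-4d56-8cf3-71fa5529fece} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lneddqdi (Rootkit.Sentinel) -> Delete on reboot.
Registry Values Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\qykdttu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\lneddqdi.sys (Rootkit.Sentinel) -> Delete on reboot.
"""

# One Sigcheck entry: [flag] date time size md5 path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*?)\s*$"
)
# One Malwarebytes detection: item (Family) -> action.
MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; paths are lower-cased for comparison."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            e["path"] = e["path"].lower()
            entries.append(e)
    return entries


def find_modified_drivers(entries, reference_dir="\\servicepackfiles\\i386\\",
                          live_dir="\\system32\\drivers\\"):
    """Flag each live driver whose MD5 differs from its ServicePackFiles copy.

    Assumption (not stated by the log): the ServicePackFiles i386 copy is the
    trusted reference.  Files with no such copy are skipped, not flagged.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1]].append(e)
    findings = []
    for name, group in sorted(by_name.items()):
        refs = [e for e in group if reference_dir in e["path"]]
        if not refs:
            continue  # nothing trusted to compare against
        ref = refs[0]
        for live in group:
            if live_dir in live["path"] and live["md5"] != ref["md5"]:
                findings.append({
                    "file": name,
                    "live_path": live["path"],
                    "live_md5": live["md5"],
                    "reference_md5": ref["md5"],
                    "size_delta": live["size"] - ref["size"],
                })
    return findings


def parse_mbam(text):
    """Return detections, each tagged with the section header it sits under."""
    section, detections = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            section = line[:-1]
            continue
        m = MBAM_RE.match(line)
        if m:  # "(No malicious items detected)" has no "->" and is skipped
            d = m.groupdict()
            d["section"] = section
            detections.append(d)
    return detections


def summarize_families(detections):
    """Count detections per malware family, e.g. {'Trojan.Vundo.H': 2, ...}."""
    return dict(Counter(d["family"] for d in detections))


def deferred_deletions(detections):
    """Items the scanner could not remove immediately and deferred to reboot."""
    return [d["item"] for d in detections
            if d["action"].lower().startswith("delete on reboot")]


if __name__ == "__main__":
    for f in find_modified_drivers(parse_sigcheck(SIGCHECK_SAMPLE)):
        print(f"modified: {f['live_path']} md5={f['live_md5']} "
              f"(reference {f['reference_md5']}, size delta {f['size_delta']:+d})")
    dets = parse_mbam(MBAM_SAMPLE)
    print("families:", summarize_families(dets))
    print("deferred to reboot:", len(deferred_deletions(dets)))
```

Run as-is it reports the one ndis.sys mismatch (30464 bytes larger than the reference) and four detections across two families, all deferred to reboot. On a real log the sample strings would be replaced by the file contents; the same grouping works for any driver that has a ServicePackFiles copy, so it will also catch a patched system file the scanner did not name.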
  8. Also, I did press yes to install the Recovery Console, but I guess it did not do it. I noticed that ComboFix has to access the web to do it, so I guess that was during the time my internet was not accessible.
  9. I will do this ASAP. Please, do not close this topic. The computer is at my in-law's house so it might be a couple of days until I am able to reply to your instructions. Thank you, once again!
  10. I have been trying to fix my in-law's computer, but to no avail. After about 5-10 min they're not able to browse anymore unless you restart the computer. I have contacted the ISP, but there is nothing wrong with the DSL modem. When I could not browse on the desktop computer, at the same time I connected my laptop to another port on the modem and was able to browse. So I disconnected the ethernet cord from the back of the desktop computer and plugged it back in and I was able to browse. So I figured the ethernet port on the computer is going bad. So I installed a wireless adapter to the USB port and the same thing happened. I was able to browse, but after a little while I could not browse. I ran Malwarebytes and ComboFix and have logs. Malwarebytes does not delete the files upon reboot. So I ran ComboFix. After ComboFix, I did another quick scan with Malwarebytes, but it still does not delete the files it finds after a reboot. What else do I need to do to fix this issue? Thanks in Advance!!!

Here are the logs:

Malwarebytes' Anti-Malware 1.36
Database version: 2118
Windows 5.1.2600 Service Pack 3

5/12/2009 5:35:54 PM
mbam-log-2009-05-12 (17-35-54).txt

Scan type: Quick Scan
Objects scanned: 83070
Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6060dae-068a-4d56-8cf3-71fa5529fece} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lzzdxord (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a6060dae-068a-4d56-8cf3-71fa5529fece} (Trojan.Vundo.H) -> Delete on reboot.
Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\qykdttu.dll (Trojan.Vundo.H) -> Delete on reboot.

------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 09-05-12.04 - Owner 05/12/2009 17:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.893.473 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\earthday.exe
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated)
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 )))))))))))))))))))))))))))))))
.
2009-05-10 23:17 . 2009-05-12 21:56 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-10 23:17 . 2009-05-12 21:56 -------- d-----w c:\program files\SpywareBlaster
2009-05-10 21:59 . 2009-05-10 22:00 8 ----a-w C:\settings.dat
2009-05-10 20:42 . 2009-05-10 20:42 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-04-20 17:19 . 2009-04-20 17:19 -------- d-sh--w c:\documents and settings\Owner\IECompatCache
2009-04-20 17:17 . 2009-04-20 17:17 -------- d-sh--w c:\documents and settings\Owner\PrivacIE
2009-04-20 17:16 . 2009-04-20 17:16 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-20 17:13 . 2009-04-20 17:13 -------- d-sh--w c:\documents and settings\Owner\IETldCache
2009-04-20 17:11 . 2009-04-20 17:11 -------- d-----w c:\windows\ie8updates
2009-04-20 17:10 . 2009-04-20 17:10 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-20 17:07 . 2009-04-20 17:08 -------- dc-h--w c:\windows\ie8
2009-04-20 17:07 . 2009-04-20 17:11 -------- d--h--w c:\windows\msdownld.tmp
2009-04-20 17:04 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-04-20 15:45 . 2009-04-20 15:45 -------- d-----w c:\documents and settings\All Users\Application Data\Motive
2009-04-20 15:45 . 2005-07-12 07:28 6048 ----a-w c:\windows\system32\MCC16.dll
2009-04-20 15:45 . 2005-07-12 07:28 69632 ----a-w c:\windows\system32\MCCDevice.dll
2009-04-20 15:45 . 2009-04-20 15:45 -------- d-----w c:\program files\Common Files\Motive
2009-04-20 15:45 . 2009-04-20 15:45 -------- d-----w c:\program files\ATT
2009-04-19 21:30 . 2009-04-19 21:30 -------- d-----w c:\documents and settings\Owner\Application Data\pmwppcbk
2009-04-19 21:30 . 2009-04-19 21:30 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\pmwppcbk
2009-04-19 21:28 . 2009-04-19 21:28 -------- d-----w c:\documents and settings\NetworkService\Application Data\pmwppcbk
2009-04-19 21:28 . 2009-04-19 21:28 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\pmwppcbk
2009-04-19 21:28 . 2009-04-20 15:16 10752 ----a-w c:\windows\DCEBoot.exe
2009-04-16 16:16 . 2009-04-16 16:16 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\{339B899D-1382-4419-BF98-F9A7FFE09B90}
2009-04-16 02:02 . 2009-04-16 02:02 213120 -c--a-w c:\windows\system32\dllcache\ndis.sys
2009-04-15 15:42 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 15:42 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-15 15:42 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 15:42 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 15:42 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 15:42 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 15:42 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 15:42 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 15:42 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 15:42 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 15:38 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 15:38 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-20 17:38 . 2009-01-05 19:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-20 17:32 . 2006-08-19 07:58 -------- d-----w c:\program files\Gateway Games
2009-04-20 17:29 . 2006-08-19 08:02 -------- d-----w c:\program files\Napster
2009-04-20 17:23 . 2006-08-19 08:04 -------- d-----w c:\program files\BigFix
2009-04-20 17:10 . 2008-01-12 23:26 -------- d-----w c:\program files\Yahoo!
2009-04-16 02:02 . 2006-06-17 09:23 213120 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-06 20:32 . 2009-01-05 19:29 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-01-05 19:29 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 23:08 . 2009-01-01 02:39 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-02 23:08 . 2009-01-01 02:39 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 23:08 . 2009-01-01 02:39 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-03-08 09:34 . 2006-06-17 09:23 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2006-06-17 09:23 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 . 2006-06-17 09:23 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2006-06-17 09:23 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:32 . 2006-06-17 09:23 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2006-06-17 09:23 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 . 2006-06-17 09:23 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:31 . 2006-06-17 09:23 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 . 2006-06-17 09:23 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:22 . 2006-06-17 09:23 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2006-06-17 09:23 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 02:17 . 2009-01-01 02:45 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-03-06 02:17 . 2009-01-01 02:45 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-03-06 02:17 . 2009-01-01 02:45 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-03-03 23:12 . 2008-07-30 16:59 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
.
------- Sigcheck -------
[-] 2004-08-10 19:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2009-04-16 02:02 213120 5DE5E1B16E2A2EADA03ECE536EE8D721 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-16 02:02 213120 5DE5E1B16E2A2EADA03ECE536EE8D721 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6060DAE-068A-4D56-8CF3-71FA5529FECE}]
2004-08-10 19:00 103424 ----a-w c:\windows\system32\qykdttu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-19 98304]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-17 16143872]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-12-09 550912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lzzdxord]
2004-08-10 19:00 103424 ----a-w c:\windows\system32\qykdttu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=
"c:\\Program Files\\Digital Media Reader\\readericon45G.exe"=

R0 lneddqdi;lneddqdi;c:\windows\system32\drivers\lneddqdi.sys [6/17/2006 4:23 AM 23424]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/31/2008 9:39 PM 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [12/31/2008 9:45 PM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [12/31/2008 9:39 PM 677128]
R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 3:48 PM 602392]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/19/2006 2:50 AM 29744]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wejnocdg

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd6dd551-2f55-11db-b3c1-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-05-07 c:\windows\Tasks\At1.job
- c:\windows\system32\qykdttu.dll [2006-06-17 19:00]

2009-05-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-17 14:55]

2006-11-25 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

2006-11-25 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

2006-11-25 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yov1zt5d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-12 17:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2984)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-05-12 17:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-12 22:19

Pre-Run: 178,843,172,864 bytes free
Post-Run: 178,767,695,872 bytes free

223 --- E O F --- 2009-05-11 01:39
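Two things a responder pulls out of the ComboFix log in the post above, written up here as an added example in Python (this is not ComboFix's or Malwarebytes' code, and not something the poster ran). First, the Sigcheck block lists four copies of ndis.sys with their MD5s; the two live copies under system32 carry a different hash from the copy in ServicePackFiles\i386, which is the copy the later FCopy restored from, so the script treats that directory as the reference and flags the live copies that differ. Second, the Reg Loading Points and Scheduled Tasks sections reference qykdttu.dll from three separate places (a BHO key, a Winlogon Notify key and At1.job), and lneddqdi.sys from an R0 service; the script groups every loading point by the binary it loads, so a cleanup can address all of them rather than only the entry a scanner named. The sample text is constructed from lines quoted in the post; the location labels, the regexes and the choice of reference directory are this example's own assumptions, not ComboFix conventions.

```python
"""Triage helpers for ComboFix-style logs (added example, not ComboFix's or
Malwarebytes' own code). Sample text is constructed from lines quoted in the
post; location labels and the reference directory are this example's assumptions.
"""
import re
from collections import defaultdict

# Constructed from the Sigcheck block of the 2009-05-12 ComboFix log.
SIGCHECK_SAMPLE = r"""
[-] 2004-08-10 19:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2009-04-16 02:02 213120 5DE5E1B16E2A2EADA03ECE536EE8D721 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-16 02:02 213120 5DE5E1B16E2A2EADA03ECE536EE8D721 c:\windows\system32\drivers\ndis.sys
"""

# Constructed from the Reg Loading Points and Scheduled Tasks sections.
LOADING_POINTS_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6060DAE-068A-4D56-8CF3-71FA5529FECE}]
2004-08-10 19:00 103424 ----a-w c:\windows\system32\qykdttu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lzzdxord]
2004-08-10 19:00 103424 ----a-w c:\windows\system32\qykdttu.dll

R0 lneddqdi;lneddqdi;c:\windows\system32\drivers\lneddqdi.sys [6/17/2006 4:23 AM 23424]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/31/2008 9:39 PM 50192]

2009-05-07 c:\windows\Tasks\At1.job
- c:\windows\system32\qykdttu.dll [2006-06-17 19:00]
"""

SIG_RE = re.compile(r"^\[(.)\]\s+(\S+ \S+)\s+(\d+)\s+([0-9A-Fa-f]{32})\s+(.+)$")
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$", re.I)          # registry key header line
SVC_RE = re.compile(r"^([RS]\d)\s+([^;]+);")            # R0/R2/S3 service line
JOB_RE = re.compile(r"\\tasks\\(.+?\.job)\b", re.I)     # scheduled task header line
BIN_RE = re.compile(r'[a-z]:\\[^\[\];"]+?\.(?:dll|sys|exe)\b', re.I)  # first binary path


def parse_sigcheck(text):
    """Parse Sigcheck rows into dicts: flag, when, size, md5, path (path lower-cased)."""
    rows = []
    for raw in text.splitlines():
        m = SIG_RE.match(raw.strip())
        if m:
            flag, when, size, md5, path = m.groups()
            rows.append({"flag": flag, "when": when, "size": int(size),
                         "md5": md5.upper(), "path": path.strip().lower()})
    return rows


def tampered_live_copies(rows, reference_dir="servicepackfiles\\i386",
                         live_dir="\\system32\\"):
    """Return {basename: [live paths whose MD5 differs from the reference copy]}.
    Only copies under system32 are compared: the $NtServicePackUninstall$ copy
    is the pre-service-pack file and is expected to differ."""
    by_name = defaultdict(list)
    for row in rows:
        by_name[row["path"].rsplit("\\", 1)[-1]].append(row)
    tampered = {}
    for name, copies in by_name.items():
        reference = [c for c in copies if reference_dir in c["path"]]
        if not reference:
            continue                    # nothing trusted to compare against
        bad = sorted(c["path"] for c in copies
                     if live_dir in c["path"] and c["md5"] != reference[0]["md5"])
        if bad:
            tampered[name] = bad
    return tampered


def loading_points(text):
    """Map each referenced binary (lower-case basename) to the (location, path)
    pairs that load it. A key header or task header sets the location for the
    value lines that follow it; a service line carries its path inline."""
    points = defaultdict(list)
    location = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            location = key.group(1)
            continue
        svc = SVC_RE.match(line)
        if svc:
            location = "service %s (%s)" % (svc.group(2), svc.group(1))
        job = JOB_RE.search(line)
        if job:
            location = "task " + job.group(1)
        for path in BIN_RE.findall(line):
            points[path.rsplit("\\", 1)[-1].lower()].append((location, path.lower()))
    return dict(points)


def multi_homed(points):
    """Binaries wired into more than one loading point, sorted by name."""
    return sorted(name for name, refs in points.items() if len(refs) > 1)


if __name__ == "__main__":
    for name, paths in tampered_live_copies(parse_sigcheck(SIGCHECK_SAMPLE)).items():
        print("%s: live copies differ from the ServicePackFiles reference:" % name)
        for p in paths:
            print("    " + p)
    points = loading_points(LOADING_POINTS_SAMPLE)
    for name in multi_homed(points):
        print("%s is loaded from %d places:" % (name, len(points[name])))
        for location, _ in points[name]:
            print("    " + location)
```

On the posted log this reports both system32 copies of ndis.sys as differing from the ServicePackFiles reference, and qykdttu.dll as loaded from three places; lneddqdi.sys shows up once, as the R0 service. The script only reads text, so it can be run against a saved ComboFix.txt without touching the machine.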
  11. Per this thread: http://www.malwarebytes.org/forums/index.php?showtopic=13868 If you use gooredfix for Firefox Browser, what tool can do the same for IE Browser? I am having the same exact problems as that person in that thread. On top of that my Windows Firewall is being disabled upon every startup. I have XP Pro and Norton Corporate Edition. Thanks in Advance!!!