MJN
  1. I just noticed that a new folder managed to load itself in my program files called 'SelectRebates'. Will Malwarebytes remove this and is it a virus? I've already deleted it from my startup. I'm running XP w/SP3. Virus protection is Microsoft Security Essentials. Any help would be greatly appreciated.
  2. I take that back, after waiting 65 min and no 'recovery complete', I realized the screen was frozen, a recovery never started. I'm back to square 1. Good nite.
  3. I ran Malwarebytes (quick scan) and nothing showed up. Here's the key:
     Windows Registry Editor Version 5.00
     [-HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU]
     [-HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags]
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell]
     "BagMRU Size"=dword:00001f40
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam]
     "BagMRU Size"=dword:00001f40
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
     "NoSaveSettings"=dword:00000000
     Here's the logs you requested:
     DDS (Ver_10-11-10.01) - NTFSx86 Run by Administrator at 2:25:22.59 on Mon 02/28/2011
  4. I recently did a registry change where I increased the folder view size to '8000' with a registry script I downloaded from 'kellys_korner_xp.com'. The reason for the change was to hopefully correct a problem with my folders view that keeps changing even with the 'Remember each folder's view setting' checked in folder options. I looked at the script in notepad and did not see anything unusual, so I made the reg change. No problems occurred with the change; however, when I initially went to look at the registry before I made the registry change, I noticed that my registry was open to the following: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon. Is this registry entry supposed to be there? Is it safe, or should I be concerned? I tried finding some info on it and found some info from 'threatexpert.com' that indicates it may be part of a trojan? Any help will be welcome. BTW, the reg fix to '8000' did not help my folder views from changing. Any help on that would also be welcome.
     Here is a current log file from Hijack This:
     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 12:32:31 AM, on 2/28/2011
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal
     I'll run a Malwarebytes scan right after I post this. Thanks MJN
  5. Have an ASUS Eee PC w/ XP SP-3; the following screen appears at startup...... American Megatrends CPU : Intel® Atom
  6. I recently uninstalled SUPERAntispyware w/ 'RevoUninstall'. I guess not all the files are gone. Should I be concerned? I did have a portable version of SUPERAntispyware on my USB stick that I was using on the infected computer. Might they be files from there? Below is the report from the F-Secure Online scan.
     Scanning Report
     Saturday, November 20, 2010 05:06:30 - 05:14:58
     Computer name: JAX
     Scanning type: Quick scan
     Target: System
     7 malware found
     TrackingCookie.Questionmarket (spyware) System (Disinfected)
     TrackingCookie.Advertising (spyware) System (Disinfected)
     TrackingCookie.Atdmt (spyware) System (Disinfected)
     TrackingCookie.Doubleclick (spyware) System (Disinfected)
     TrackingCookie.Adbrite (spyware) System (Disinfected)
     TrackingCookie.Mediaplex (spyware) System (Disinfected)
     TrackingCookie.Atwola (spyware) System (Disinfected)
     Statistics
     Scanned: Files: 2899 System: 2899 Not scanned: 0
     Actions: Disinfected: 7 Renamed: 0 Deleted: 0 Not cleaned: 0 Submitted: 0
  7. I am currently being helped by 'negster22' regarding a 'think point' virus that infected my wife's netbook. After many posts and following the routines that 'negster22' has provided me with, I am at a point where I am being asked to run the ESET scanner. The problem is that it won't run. Below I have posted 'negster22's last post and my response to him. If I am breaking any rules or protocol, I will certainly wait for a response from 'negster22'. Up to this point, 'negster22' has been great with his responses and has been persistent in trying to help me solve my problem. It's just that I am so damn anxious to solve this (with 99% of 'negster22's help to date).
     negster22, 11-18, 09:05 AM, Post #15, Elite Member:
     That looks good now! Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry: http://www.eset.com/onlinescan/index.php
  8. I cannot run the ESET scanner. I follow the last 'routine' you posted, and after I check the 'yes' box for the terms of agreement, nothing happens. I've checked my internet security settings: the ActiveX download is set to prompt, the run ActiveX is set to enable, and the ActiveX scripting is also set to enable. Is there something in services that I need to enable? I have not done much with the infected computer since your last post other than checking to see if I can access the internet; I open IE8 and it connects me to my home page of google. Also, MSE was disabled as requested, and I have rebooted the computer and tried a second time with the same results. I also tried in safe mode and was unable to connect. I also tried adding the www.eset.com URL to the list of trusted sites and added the eset.com URL to the exceptions list for cookie blocking and got the same results. ????
  9. I ran ComboFix with the script and below is the resulting log:
     ComboFix 10-11-16.02 - Jaquelina 11/18/2010 1:48.2.2 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.357 [GMT -5:00]
  10. I re-booted in safe mode and ran ComboFix as instructed. The scan log is listed below.
     ComboFix 10-11-16.02 - Jaquelina 11/17/2010 15:32:56.1.2 - x86 MINIMAL
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.795 [GMT -5:00]
----a-w- c:\program files\Common Files\aol\1270017813\ee\aolsoftware.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] 2007-12-19 15:08 159744 ----a-w- c:\windows\system32\hkcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] 2007-12-19 15:08 135168 ----a-w- c:\windows\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] 2008-04-14 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveUpdate] 2009-06-25 15:25 712704 ----a-w- c:\program files\ASUS\LiveUpdate\LiveUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch] 2006-03-01 15:58 712704 ----a-w- c:\program files\Maxtor\OneTouch\Utils\OneTouch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] 2008-04-14 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu] 2005-10-17 20:24 81920 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence] 2007-12-19 15:07 131072 ----a-w- c:\windows\system32\igfxpers.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] 2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] 2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] 2009-03-27 03:22 17567744 ----a-w- c:\windows\RTHDCPL.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2010-01-11 19:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynAsusAcpi] 2009-03-06 08:58 79144 ----a-w- c:\program files\Synaptics\SynTP\SynAsusAcpi.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh] 2009-03-06 08:57 1434920 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"= "c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"= "c:\\Program Files\\Common Files\\aol\\1270017813\\ee\\aolsoftware.exe"= "c:\\Program Files\\AOL 9.5\\waol.exe"= "c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"= "c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"= "c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"= "c:\\WINDOWS\\system32\\mmc.exe"= R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [6/1/2009 2:26 AM 39040] S0 xxjbepu;xxjbepu;c:\windows\system32\drivers\tkln.sys --> c:\windows\system32\drivers\tkln.sys [?] S1 cufohxrz;cufohxrz;\??\c:\windows\system32\drivers\cufohxrz.sys --> c:\windows\system32\drivers\cufohxrz.sys [?] S1 SASDIFSV;SASDIFSV;\??\f:\specialty programs\A-exe's\SUPERAntiSpyware\SASDIFSV.SYS --> f:\specialty programs\A-exe's\SUPERAntiSpyware\SASDIFSV.SYS [?] S1 SASKUTIL;SASKUTIL;\??\f:\specialty programs\A-exe's\SUPERAntiSpyware\SASKUTIL.sys --> f:\specialty programs\A-exe's\SUPERAntiSpyware\SASKUTIL.sys [?] S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/22/2009 10:49 PM 1684736] S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [6/1/2009 2:26 AM 38912] S3 SASENUM;SASENUM;\??\f:\specialty programs\A-exe's\SUPERAntiSpyware\SASENUM.SYS --> f:\specialty programs\A-exe's\SUPERAntiSpyware\SASENUM.SYS [?] . 
Contents of the 'Scheduled Tasks' folder 2010-09-17 c:\windows\Tasks\GlaryInitialize.job - c:\program files\Glary Utilities\initialize.exe [2010-05-10 14:32] 2010-03-31 c:\windows\Tasks\SmartDefrag.job - c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-03-31 19:30] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000 . - - - - ORPHANS REMOVED - - - - MSConfigStartUp-3.6 - c:\windows\gdi32.exe MSConfigStartUp-SUPERAntiSpyware - f:\specialty programs\A-exe's\SUPERAntiSpyware\SUPERAntiSpyware.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-11-17 15:50 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(1920) c:\windows\system32\WININET.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll c:\program files\ASUS\Eee Storage\XPClient.dll c:\program files\ASUS\Eee Storage\LogicNP.EZShellExtensions.dll c:\program files\ASUS\Eee Storage\EcaremeDLL.dll c:\windows\assembly\GAC_MSIL\SqliteShared\1.0.3390.31024__0d0f4b69e50e559b\SqliteShared.dll c:\windows\assembly\GAC_32\System.Data.SQLite\1.0.60.0__db937bc2d44ff139\System.Data.SQLite.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\btncopy.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . 
c:\program files\Microsoft Security Essentials\MsMpEng.exe . ************************************************************************** . Completion time: 2010-11-17 15:52:59 - machine was rebooted ComboFix-quarantined-files.txt 2010-11-17 20:52 Pre-Run: 68,180,480,000 bytes free Post-Run: 68,119,875,584 bytes free - - End Of File - - 51FCE3FABB7F8F09F53B0E86611B8969
  11. I opened MSConfig and saw them there. I re-booted and got the internet connection back. I deleted the old hijackthis.log
  12. My internet service was okay however.......... After I ran the TFC program and the 'Antirootkit' program as described (I disabled MSE and turned off the Windows firewall), I proceeded to run the Combofix program (renamed it to 'iexplore.exe') and it started to run up to the point it tried to download/install the 'recovery console'. At that point an error message came up saying that I was not connected to the internet. But my connection appears as 'connected'! I tried to access iexplorer and was unable to. Now I cannot access the internet but I'm connected? I re-ran Malwarebytes and no infections were detected. I also happened to notice that in my startup two files were listed and checked that I was not familiar with; they were both C:\windows\gdi32.exe at two different locations. One @ HKLM\software\microsoft\windows\current version\run and the other @ HKCU\(same as the first). I unchecked them from the startup. I did save the one log from the 'Antirootkit' program. See below. Thanks again for the help. I'll be awaiting your next instructions.
  13. Since my last post, I was able to run an updated version of Malwarebytes. After researching a little on my own I ended up copying (from a clean computer) an updated mbam_log_2010_11_16__04_11_07_.txt
  14. I followed the routine you posted for me right up to the step: