sglo

  1. Thank you so much for all of your help! I really appreciate it!
  2. One quick question (in Step 2), I renamed Combofix to Combo-Fix. Should my command be Combo-Fix /uninstall ?
  3. Things seem to be okay... I am not seeing any symptoms or error messages.
  4. I just ran ComboFix. For some reason, my Symantec Antivirus kept re-enabling itself... and, when ComboFix restarted my computer, all of my antivirus, malware, and firewall protections came back on. I am not sure if this is a problem, but wanted to let you know just in case. Here is Combo-Fix.txt:
  5. I uninstalled Adobe Reader 8.1.2... I am not finding "Adobe Reader 8.1.2 Security Update 1 (KB403742)" to uninstall. Would it have uninstalled this when I removed the main program? I also uninstalled all versions of Java and Java updates, and then ran JavaRa. Here is the log file: And, I checked for the folders in the places you indicated and removed them when present. I updated and ran a Malwarebytes quick scan. Here's the log: And, then I ran DDS again. Here's that log:
c:\windows\system32\drivers\Lbd.sys [?] S2 gupdate1ca542a25fe1a90;Google Update Service (gupdate1ca542a25fe1a90);c:\program files\google\update\GoogleUpdate.exe [2009-10-23 133104] S2 gupdate1cab68245a9797e;Google Update Service (gupdate1cab68245a9797e);c:\program files\google\update\GoogleUpdate.exe [2009-10-23 133104] S3 G200;G200;c:\windows\system32\drivers\G200m.sys [2005-3-10 320384] S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-6-5 12288] S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?] =============== Created Last 30 ================ 2010-07-25 18:28:55 0 d-----w- c:\program files\iPod 2010-07-25 13:39:45 0 ----a-w- c:\documents and settings\sg\defogger_reenable 2010-07-18 12:06:14 0 d-----w- c:\docume~1\alluse~1\applic~1\COMODO 2010-07-18 00:11:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader 2010-07-14 16:54:39 0 d-----w- c:\program files\Citrix 2010-07-14 16:53:10 72080 ----a-w- c:\documents and settings\sg\g2mdlhlpx.exe 2010-07-14 12:01:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe ==================== Find3M ==================== 2010-06-04 15:55:58 229312 ----a-w- c:\windows\system32\drivers\cmdGuard.sys 2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr 2010-06-01 23:00:52 278288 ----a-w- c:\windows\system32\guard32.dll 2010-06-01 23:00:22 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys 2010-06-01 23:00:20 15464 ----a-w- c:\windows\system32\drivers\cmderd.sys 2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll 2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe 2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll 2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys 2008-08-24 13:10:29 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat 2009-10-23 21:58:58 16384 --sha-w- 
c:\windows\system32\config\systemprofile\local settings\temp\cookies\index.dat 2009-10-23 21:58:58 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\temp\history\history.ie5\index.dat 2009-10-23 21:58:58 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temp\temporary internet files\content.ie5\index.dat ============= FINISH: 17:40:11.96 ===============
  6. I ran DDS and GMER. During the scans, I received the following errors:
     dwwin.exe application error (this came up at least 25 times until I rebooted): The exception Breakpoint. A breakpoint has been reached.
     Verify Class ID has encountered a problem and needs to close (verclsid.exe): The exception Illegal Instruction. An attempt was made to execute an illegal instruction.
     cidaemon.exe application error (this came up 2 times): The exception unknown software exception occurred in the application.
     Here are the contents of dds.txt:
     THANK YOU!
  7. Here's my defogger_disable log file:
     defogger_disable by jpshortstuff (23.02.10.1)
     Log created at 09:46 on 25/07/2010
     Checking for autostart values...
     HKCU\~\Run values retrieved.
     HKLM\~\Run values retrieved.
     Checking for services/drivers...
     -=E.O.F=-
  8. Here are the results from yesterday's Malwarebytes scan... I will run DDS and GMER now and post the logs shortly. Thanks!
     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org
     Database version: 4343
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702
     7/24/2010 9:39:40 AM
     mbam-log-2010-07-24 (09-39-40).txt
     Scan type: Full scan (C:\|D:\|)
     Objects scanned: 237911
     Time elapsed: 1 hour(s), 20 minute(s), 24 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 93
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected:
  9. Hi Borislav, Thank you for your help! I have been following the instructions that you recommended. Every day this week, I updated Malwarebytes and ran a full system scan. I also updated my antivirus software and ran full scans with that each day. I did not notice any new symptoms until today. When I updated and ran Malwarebytes, I found 93 infected files (all .dlls) that were labeled Trojan.Dropper. Last night I used my wireless network for the first time since the initial problem. Do you think there is something wrong with my wireless network? Or, is this just a coincidence? After finding and removing the 93 files, I updated Malwarebytes again and re-ran a full scan. No errors this time. And, I also updated my antivirus software and ran a full scan with no errors. Should I proceed to the next step (Disable CD-ROM Emulation Software) in the instructions or wait to see if I run into any more problems? Thanks again for your help! I really appreciate it!
  10. My Symantec scan crashed, so I ran Malwarebytes and found one infected file: local settings\temp\~DFB33E.tmp (Spyware.Passwords) - Delete on Reboot. I rebooted my computer to remove the file and ran both Symantec and Malwarebytes full scans a couple of times. All scans completed without a problem and I am not finding any more infected files. But, when I read other posts about Spyware.Passwords it sounded like this might be a pretty serious virus. I can't find directions on how to proceed and how else to look for infected files. Any suggestions? Thanks!
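A way to triage a detection list like the ones in posts 9 and 10, as an added example that is not from the original thread or from Malwarebytes: it parses the flattened `path (Detection) -> Action.` fragments into records, counts hits per directory and detection name, and pairs each flagged file that sits in a system32 folder other than the live one with the same-named file under the real System32 so the two copies can be hash-compared before the verdict is trusted. The sample log text is constructed for this example; the `C:\Windows\System32` location and the reading of `C:\minint` as a BartPE/WinPE boot image are assumptions, not something the thread states.

```python
"""Triage a flattened Malwarebytes detection list (added example, not from the thread).

Each detection is one "<path> (<detection>) -> <action>." fragment. The script
parses them, counts hits per directory and detection, and for every flagged file
that lives in a system32 folder other than the live one names the same-named
file under the real System32 so the two copies can be hash-compared.
"""
import hashlib
import re
from collections import Counter
from pathlib import PureWindowsPath

# One entry: drive path, a parenthesised detection name, an arrow, an action, a period.
ENTRY_RE = re.compile(
    r"(?P<path>[A-Za-z]:\\[^()]+?)\s+\((?P<detection>[^()]+)\)\s+->\s+(?P<action>[^.]+)\."
)

# Assumed location of the live copies (the thread does not state it).
LIVE_SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")

# Windows keyboard-layout DLLs are named kbd<layout>.dll (kbdus.dll, kbduk.dll, ...).
KBD_LAYOUT_RE = re.compile(r"kbd[a-z0-9]+\.dll", re.IGNORECASE)

# Constructed sample: three of the entries quoted in the thread plus one temp-file
# hit, run together on one line the way the forum flattened them.
SAMPLE_LOG = (
    r"C:\minint\system32\kbdus.dll (Trojan.Dropper) -> Delete on reboot. "
    r"C:\minint\system32\kbduk.dll (Trojan.Dropper) -> Delete on reboot. "
    r"C:\minint\system32\kbdfr.dll (Trojan.Dropper) -> Delete on reboot. "
    r"C:\Documents and Settings\sg\Local Settings\Temp\~DFB33E.tmp (Spyware.Passwords) -> Delete on reboot."
)


def parse_entries(text):
    """Split flattened log text into dicts with keys path, detection, action."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def summarize(entries):
    """Count detections per (directory, detection name); directory is lower-cased."""
    counts = Counter()
    for e in entries:
        directory = str(PureWindowsPath(e["path"]).parent).lower()
        counts[(directory, e["detection"])] += 1
    return counts


def looks_like_keyboard_layout(filename):
    """True for names of the form kbd<layout>.dll, e.g. kbdus.dll."""
    return KBD_LAYOUT_RE.fullmatch(filename) is not None


def reference_pairs(entries, live_system32=LIVE_SYSTEM32):
    """(flagged, reference) pairs for files in a system32 folder that is not the live one."""
    pairs = []
    for e in entries:
        p = PureWindowsPath(e["path"])
        if p.parent.name.lower() == "system32" and str(p.parent).lower() != str(live_system32).lower():
            pairs.append((str(p), str(live_system32 / p.name)))
    return pairs


def sha256_of_file(path):
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def same_contents(flagged, reference):
    """True when the flagged copy is byte-identical to the reference copy."""
    return sha256_of_file(flagged) == sha256_of_file(reference)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    for (directory, detection), n in sorted(summarize(entries).items()):
        print(f"{n:3d}  {detection:<18} {directory}")
    for flagged, reference in reference_pairs(entries):
        note = "keyboard-layout DLL name" if looks_like_keyboard_layout(PureWindowsPath(flagged).name) else ""
        print(f"compare {flagged} with {reference} {note}")
```

Files named kbd*.dll are Windows keyboard-layout DLLs, so 93 hits on them in one directory is worth checking against the live copies with `same_contents` on the machine in question: if the hashes match, the detection fired on an unmodified Windows file; if they differ, the flagged copy really is different and should be treated as suspect. Either outcome is consistent with what the poster saw, so the script only tells you which comparison to run, not the answer.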