
Hi,

I'm stuck. Tried Chameleon and went through all tasks. Next, I tried the 12 self-help steps. I'm not sure what to do next. I would greatly appreciate your help.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by heather at 17:35:36 on 2012-02-14

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1358 [GMT -5:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

============== Running Processes ===============

.

H:\WINDOWS\system32\Ati2evxx.exe

H:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

h:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

H:\WINDOWS\System32\svchost.exe -k netsvcs

H:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

svchost.exe

H:\WINDOWS\system32\spoolsv.exe

h:\program files\idt\intelxpv_v103\wdm\STacSV.exe

svchost.exe

H:\Program Files\Microsoft\BingBar\SeaPort.EXE

H:\WINDOWS\system32\IProsetMonitor.exe

H:\Program Files\Java\jre6\bin\jqs.exe

H:\WINDOWS\System32\svchost.exe -k HPZ12

H:\WINDOWS\System32\svchost.exe -k HPZ12

H:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

H:\WINDOWS\system32\svchost.exe -k imgsvc

H:\Program Files\Western Digital\WD SmartWare\WDDMService.exe

H:\Program Files\Western Digital\WD SmartWare\WDRulesEngine.exe

H:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

H:\WINDOWS\system32\SearchIndexer.exe

H:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

H:\Program Files\Western Digital\WD SmartWare\WDFME.exe

H:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

H:\WINDOWS\system32\wscntfy.exe

H:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

H:\Program Files\IDT\WDM\sttray.exe

H:\Program Files\Microsoft Security Client\msseces.exe

H:\Program Files\Common Files\Java\Java Update\jusched.exe

H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

H:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

H:\WINDOWS\system32\ctfmon.exe

H:\Program Files\AIM\aim.exe

H:\Program Files\Windows Live\Messenger\msnmsgr.exe

H:\Program Files\Western Digital\WD SmartWare\WDDMStatus.exe

H:\Program Files\Windows Desktop Search\WindowsSearch.exe

H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

H:\WINDOWS\explorer.exe

H:\Program Files\Internet Explorer\iexplore.exe

H:\Program Files\Internet Explorer\iexplore.exe

H:\Program Files\HitmanPro\hmpsched.exe

H:\WINDOWS\system32\SearchProtocolHost.exe

H:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - h:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - h:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "h:\program files\microsoft\bingbar\BingExt.dll"

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "h:\program files\microsoft\bingbar\BingExt.dll"

{555d4d79-4bd2-4094-a395-cfc534424a05}

uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe

uRun: [Google Update] "h:\documents and settings\heather\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [cdloader] "h:\documents and settings\heather\application data\mjusbsp\cdloader2.exe" MAGICJACK

uRun: [Aim] "h:\program files\aim\aim.exe" /d locale=en-US

uRun: [msnmsgr] "h:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [iAStorIcon] h:\program files\intel\intel® rapid storage technology\IAStorIcon.exe

mRun: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe

mRun: [MSC] "h:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Adobe ARM] "h:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [startCCC] "h:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [sunJavaUpdateSched] "h:\program files\common files\java\java update\jusched.exe"

mRun: [AcronisTimounterMonitor] h:\program files\seagate\discwizard\TimounterMonitor.exe

dRun: [DWQueuedReporting] "h:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: h:\docume~1\heather\startm~1\programs\startup\erunta~1.lnk - h:\program files\erunt\AUTOBACK.EXE

StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\wdquic~1.lnk - h:\program files\western digital\wd smartware\WDDMStatus.exe

StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - h:\program files\windows desktop search\WindowsSearch.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - h:\program files\windows live\writer\WriterBrowserExtension.dll

DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1297100224735

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{0B08274B-5606-4A9D-B2F1-D69115A9DCEF} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{2EC42855-2F01-4781-B8FD-E8BA3DC75C91} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{49BC3978-233F-4910-BEBE-61038FEE13EF} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{554D0E4C-2E3D-4D87-8255-128E43023022} : DhcpNameServer = 192.168.1.1

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - h:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Authentication Packages = msv1_0 relog_ap

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;h:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]

R2 BBUpdate;BBUpdate;h:\program files\microsoft\bingbar\SeaPort.EXE [2011-10-13 249648]

R2 fssfltr;FssFltr;h:\windows\system32\drivers\fssfltr_tdi.sys [2012-2-9 54760]

R2 HitmanProScheduler;HitmanPro Scheduler;h:\program files\hitmanpro\hmpsched.exe [2012-2-14 98120]

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;h:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2011-2-7 13592]

R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;h:\windows\system32\IPROSetMonitor.exe [2011-9-26 112800]

R2 SgtSch2Svc;Seagate Scheduler2 Service;h:\program files\common files\seagate\schedule2\schedul2.exe [2009-10-16 431456]

R2 WDDMService;WDDMService;h:\program files\western digital\wd smartware\WDDMService.exe [2011-8-1 263056]

R2 WDFMEService;WDFMEService;h:\program files\western digital\wd smartware\WDFME.exe [2011-8-1 1592208]

R2 WDRulesService;WDRulesService;h:\program files\western digital\wd smartware\WDRulesEngine.exe [2011-8-1 1091984]

R3 MBAMSwissArmy;MBAMSwissArmy;h:\windows\system32\drivers\mbamswissarmy.sys [2012-2-13 40776]

R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;h:\windows\system32\drivers\rt2870.sys [2007-12-14 551680]

S2 BBSvc;Bing Bar Update Service;h:\program files\microsoft\bingbar\BBSvc.EXE [2011-10-21 196176]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;h:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 cpudrv;cpudrv;h:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

S3 fsssvc;Windows Live Family Safety Service;h:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

S3 mbamchameleon;mbamchameleon;h:\windows\system32\drivers\mbamchameleon.sys [2012-2-13 24064]

S3 WDC_SAM;WD SCSI Pass Thru driver;h:\windows\system32\drivers\wdcsam.sys [2012-1-18 11520]

S3 WinRM;Windows Remote Management (WS-Management);h:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;h:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-02-14 22:22:13 23624 ----a-w- h:\windows\system32\drivers\hitmanpro36.sys

2012-02-14 22:22:13 -------- d-----w- h:\program files\HitmanPro

2012-02-14 22:21:47 -------- d-----w- h:\documents and settings\all users\application data\HitmanPro

2012-02-14 21:35:25 6557240 ----a-w- h:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bf7a962c-9b60-45ca-88cc-743bc04e3fcd}\mpengine.dll

2012-02-13 22:40:30 40776 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys

2012-02-13 21:36:00 24064 ----a-w- h:\windows\system32\drivers\mbamchameleon.sys

2012-02-13 21:14:27 20464 ----a-w- h:\windows\system32\drivers\mbam.sys

2012-02-13 21:14:27 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware

2012-02-09 18:35:07 -------- d-sh--w- H:\found.000

2012-02-09 18:07:19 -------- d-----w- h:\documents and settings\heather\local settings\application data\SlimWare Utilities Inc

2012-02-09 18:06:00 -------- d-----w- h:\program files\SlimCleaner

2012-02-09 18:03:50 -------- d-----w- h:\documents and settings\heather\Tracing

2012-02-09 18:01:41 54760 ----a-w- h:\windows\system32\drivers\fssfltr_tdi.sys

2012-02-09 18:00:44 3426072 ----a-w- h:\windows\system32\d3dx9_32.dll

2012-02-09 18:00:40 -------- d-----w- h:\program files\Microsoft SQL Server Compact Edition

2012-02-09 17:59:31 -------- d-----w- h:\program files\Windows Live SkyDrive

2012-01-18 23:21:16 -------- d-----w- h:\documents and settings\all users\application data\Seagate

2012-01-18 23:21:14 44384 ----a-w- h:\windows\system32\drivers\tifsfilt.sys

2012-01-18 23:21:14 441760 ----a-w- h:\windows\system32\drivers\timntr.sys

2012-01-18 23:21:12 132224 ----a-w- h:\windows\system32\drivers\snapman.sys

2012-01-18 23:21:10 368480 ----a-w- h:\windows\system32\drivers\tdrpman.sys

2012-01-18 23:20:53 -------- d-----w- h:\program files\common files\Seagate

2012-01-18 21:00:05 -------- d-----w- h:\program files\Western Digital Corporation

2012-01-18 20:49:21 -------- d-----w- h:\documents and settings\heather\local settings\application data\Western_Digital

2012-01-18 20:44:46 11520 ----a-w- h:\windows\system32\drivers\wdcsam.sys

2012-01-18 20:44:30 -------- d-----w- h:\documents and settings\all users\application data\Western Digital

2012-01-18 20:41:30 -------- d-----w- h:\program files\Western Digital

2012-01-18 20:37:25 -------- d-----w- h:\documents and settings\heather\local settings\application data\Western Digital

.

==================== Find3M ====================

.

2012-02-13 21:30:07 414368 ----a-w- h:\windows\system32\FlashPlayerCPLApp.cpl

2012-01-31 12:44:05 237072 ------w- h:\windows\system32\MpSigStub.exe

2011-11-25 21:57:19 293376 ----a-w- h:\windows\system32\winsrv.dll

2011-11-23 13:25:32 1859584 ----a-w- h:\windows\system32\win32k.sys

2011-11-18 12:35:08 60416 ----a-w- h:\windows\system32\packager.exe

.

============= FINISH: 17:35:43.32 ===============


Hello and :welcome:

Let's first also run a rootkit scan.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


That's good news, let's continue with a regular scan to rule out any malware problem.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

  • Bleepingcomputer
  • ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


finished

ComboFix 12-02-15.01 - heather 02/15/2012 9:43.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1383 [GMT -5:00]

Running from: h:\documents and settings\heather\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((( Files Created from 2012-01-15 to 2012-02-15 )))))))))))))))))))))))))))))))

.

.

2012-02-15 13:51 . 2012-02-15 13:51 40776 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys

2012-02-15 13:51 . 2012-02-15 13:51 -------- d-----w- h:\documents and settings\heather\Application Data\Malwarebytes

2012-02-15 13:50 . 2012-02-15 13:50 -------- d-----w- h:\documents and settings\All Users\Application Data\Malwarebytes

2012-02-15 13:50 . 2012-02-15 13:51 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware

2012-02-15 13:50 . 2011-12-10 20:24 20464 ----a-w- h:\windows\system32\drivers\mbam.sys

2012-02-15 13:46 . 2011-07-13 00:39 6881616 ----a-w- h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6BE9FA21-73B6-4CAD-8D6E-78BE7ADF03F7}\mpengine.dll

2012-02-15 13:44 . 2012-02-15 13:44 -------- d-----w- h:\windows\system32\wbem\Repository

2012-02-15 00:29 . 2012-02-15 00:29 -------- d-----w- h:\program files\Common Files\Java

2012-02-15 00:28 . 2012-02-15 00:28 73728 ----a-w- h:\windows\system32\javacpl.cpl

2012-02-15 00:28 . 2012-02-15 00:28 -------- d-----w- h:\program files\Java

2012-02-15 00:20 . 2012-02-15 00:20 -------- d-----w- H:\found.001

2012-02-14 23:59 . 2008-04-14 00:12 221184 ----a-w- h:\windows\system32\wmpns.dll

2012-02-14 23:58 . 2012-02-15 00:00 -------- d-----w- h:\documents and settings\john

2012-02-14 22:22 . 2012-02-15 00:27 23624 ----a-w- h:\windows\system32\drivers\hitmanpro36.sys

2012-02-14 22:21 . 2012-02-14 22:22 -------- d-----w- h:\documents and settings\All Users\Application Data\HitmanPro

2012-02-09 18:35 . 2012-02-09 18:35 -------- d-----w- H:\found.000

2012-02-09 18:07 . 2012-02-09 18:07 -------- d-----w- h:\documents and settings\heather\Local Settings\Application Data\SlimWare Utilities Inc

2012-02-09 18:06 . 2012-02-09 18:07 -------- d-----w- h:\program files\SlimCleaner

2012-02-09 18:03 . 2012-02-15 00:54 -------- d-----w- h:\documents and settings\heather\Tracing

2012-02-09 18:01 . 2010-04-28 12:44 54760 ----a-w- h:\windows\system32\drivers\fssfltr_tdi.sys

2012-02-09 18:01 . 2012-02-09 18:01 -------- d-----w- h:\program files\Microsoft Sync Framework

2012-02-09 18:00 . 2006-11-29 18:06 3426072 ----a-w- h:\windows\system32\d3dx9_32.dll

2012-02-09 18:00 . 2012-02-09 18:00 -------- d-----w- h:\program files\Microsoft SQL Server Compact Edition

2012-02-09 17:59 . 2012-02-09 17:59 -------- d-----w- h:\program files\Windows Live SkyDrive

2012-02-09 17:59 . 2012-02-10 08:09 -------- d-----w- h:\program files\Windows Live

2012-01-18 23:21 . 2012-01-18 23:21 -------- d-----w- h:\documents and settings\All Users\Application Data\Seagate

2012-01-18 23:21 . 2012-01-18 23:21 44384 ----a-w- h:\windows\system32\drivers\tifsfilt.sys

2012-01-18 23:21 . 2012-01-18 23:21 441760 ----a-w- h:\windows\system32\drivers\timntr.sys

2012-01-18 23:21 . 2012-01-18 23:21 132224 ----a-w- h:\windows\system32\drivers\snapman.sys

2012-01-18 23:21 . 2012-01-18 23:21 368480 ----a-w- h:\windows\system32\drivers\tdrpman.sys

2012-01-18 23:20 . 2012-01-18 23:21 -------- d-----w- h:\program files\Common Files\Seagate

2012-01-18 21:00 . 2012-01-18 21:00 -------- d-----w- h:\program files\Western Digital Corporation

2012-01-18 20:49 . 2012-01-18 20:49 -------- d-----w- h:\documents and settings\heather\Local Settings\Application Data\Western_Digital

2012-01-18 20:44 . 2011-02-16 22:52 11520 ----a-w- h:\windows\system32\drivers\wdcsam.sys

2012-01-18 20:44 . 2012-01-18 20:44 -------- d-----w- h:\documents and settings\All Users\Application Data\Western Digital

2012-01-18 20:41 . 2012-01-18 20:44 -------- d-----w- h:\program files\Western Digital

2012-01-18 20:37 . 2012-01-18 20:37 -------- d-----w- h:\documents and settings\heather\Local Settings\Application Data\Western Digital

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-02-15 00:28 . 2011-02-07 23:13 472808 ----a-w- h:\windows\system32\deployJava1.dll

2012-02-13 21:30 . 2011-09-26 23:41 414368 ----a-w- h:\windows\system32\FlashPlayerCPLApp.cpl

2012-01-31 12:44 . 2011-06-20 00:32 237072 ------w- h:\windows\system32\MpSigStub.exe

2012-01-06 04:19 . 2011-08-02 16:46 6557240 ----a-w- h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-11-25 21:57 . 2006-02-28 12:00 293376 ----a-w- h:\windows\system32\winsrv.dll

2011-11-23 13:25 . 2006-02-28 12:00 1859584 ----a-w- h:\windows\system32\win32k.sys

2011-11-18 12:35 . 2006-02-28 12:00 60416 ----a-w- h:\windows\system32\packager.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAStorIcon"="h:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]

"SysTrayApp"="h:\program files\IDT\WDM\sttray.exe" [2009-03-12 483422]

"SunJavaUpdateSched"="h:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"MSC"="h:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"Adobe ARM"="h:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"StartCCC"="h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="h:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

h:\documents and settings\All Users\Start Menu\Programs\Startup\

WD Quick View.lnk - h:\program files\Western Digital\WD SmartWare\WDDMStatus.exe [2011-8-1 3983760]

Windows Search.lnk - h:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "h:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=h:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=h:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Network Monitor.lnk]

path=h:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Network Monitor.lnk

backup=h:\windows\pss\Wireless Network Monitor.lnkCommon Startup

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"h:\\Documents and Settings\\heather\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;h:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2/7/2011 6:29 PM 13592]

R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;h:\windows\system32\IPROSetMonitor.exe [9/26/2011 8:04 PM 112800]

S1 MpKsl0d6c8dac;MpKsl0d6c8dac;\??\h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0AAB12F0-3688-4222-A1E8-3A7005D99717}\MpKsl0d6c8dac.sys --> h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0AAB12F0-3688-4222-A1E8-3A7005D99717}\MpKsl0d6c8dac.sys [?]

S1 MpKsl215a45b2;MpKsl215a45b2;\??\h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2E3EFC42-5C35-4938-BDED-085074567583}\MpKsl215a45b2.sys --> h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2E3EFC42-5C35-4938-BDED-085074567583}\MpKsl215a45b2.sys [?]

S1 MpKslc02cd892;MpKslc02cd892;\??\h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8A80DB96-9FC2-46FB-A86A-DC7722425270}\MpKslc02cd892.sys --> h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8A80DB96-9FC2-46FB-A86A-DC7722425270}\MpKslc02cd892.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;h:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S3 cpudrv;cpudrv;h:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]

S3 MBAMSwissArmy;MBAMSwissArmy;h:\windows\system32\drivers\mbamswissarmy.sys [2/15/2012 8:51 AM 40776]

S3 WinRM;Windows Remote Management (WS-Management);h:\windows\system32\svchost.exe -k WINRM [2/28/2006 7:00 AM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;h:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

.

2012-02-14 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-688789844-839522115-1003Core.job

- h:\documents and settings\heather\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-07 22:23]

.

2012-02-15 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-688789844-839522115-1003UA.job

- h:\documents and settings\heather\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-07 22:23]

.

2012-02-15 h:\windows\Tasks\MP Scheduled Scan.job

- h:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

TCP: DhcpNameServer = 192.168.1.1

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-cdloader - h:\documents and settings\heather\Application Data\mjusbsp\cdloader2.exe

HKLM-Run-Microsoft Default Manager - h:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

HKLM-Run-mxomssmenu - h:\program files\Maxtor\OneTouch Status\maxmenumgr.exe

MSConfigStartUp-HP Software Update - h:\program files\HP\HP Software Update\HPWuSchd2.exe

AddRemove-Adobe Flash Player ActiveX - h:\windows\system32\Macromed\Flash\FlashUtil10x_ActiveX.exe

AddRemove-InstallShield_{4D36E953-4456-4F8F-BC44-90BC4AA59889} - h:\program files\InstallShield Installation Information\{4D36E953-4456-4F8F-BC44-90BC4AA59889}\setup.exe

AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - h:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}\bm_installer.exe

AddRemove-magicJack - h:\documents and settings\heather\Application Data\mjusbsp\magicJackLoader.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-02-15 09:51

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(912)

h:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(3072)

h:\windows\system32\WININET.dll

h:\program files\Windows Desktop Search\deskbar.dll

h:\program files\Windows Desktop Search\en-us\dbres.dll.mui

h:\program files\Windows Desktop Search\dbres.dll

h:\program files\Windows Desktop Search\wordwheel.dll

h:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

h:\program files\Windows Desktop Search\msnlExtRes.dll

h:\windows\system32\ieframe.dll

h:\windows\system32\webcheck.dll

h:\windows\system32\WPDShServiceObj.dll

h:\windows\system32\PortableDeviceTypes.dll

h:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

h:\windows\system32\Ati2evxx.exe

h:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

h:\windows\system32\Ati2evxx.exe

h:\program files\idt\intelxpv_v103\wdm\STacSV.exe

h:\program files\Java\jre6\bin\jqs.exe

h:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

h:\windows\system32\SearchIndexer.exe

h:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

h:\windows\system32\wscntfy.exe

h:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

h:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

.

**************************************************************************

.

Completion time: 2012-02-15 09:53:04 - machine was rebooted

ComboFix-quarantined-files.txt 2012-02-15 14:53

.

Pre-Run: 229,505,142,784 bytes free

Post-Run: 229,651,570,688 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 83934E4DAB4C7BA274ACBB9A1CAB13DF


Please do not underline the log; that makes it very hard to read. Thank you! :)

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


okay

Farbar Service Scanner Version: 14-02-2012

Ran by heather (administrator) on 15-02-2012 at 11:17:14

Running from "H:\Documents and Settings\heather\Desktop"

Microsoft Windows XP Professional Service Pack 3 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

File Check:

========

H:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

H:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

H:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

H:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

H:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

H:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

H:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

H:\WINDOWS\system32\netman.dll => MD5 is legit

H:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

H:\WINDOWS\system32\srsvc.dll => MD5 is legit

H:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

H:\WINDOWS\system32\wscsvc.dll => MD5 is legit

H:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

H:\WINDOWS\system32\wuauserv.dll => MD5 is legit

H:\WINDOWS\system32\qmgr.dll => MD5 is legit

H:\WINDOWS\system32\es.dll => MD5 is legit

H:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

H:\WINDOWS\system32\svchost.exe => MD5 is legit

H:\WINDOWS\system32\rpcss.dll => MD5 is legit

H:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

AegisP(9) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)

0x09000000040000000100000002000000030000000500000006000000070000000800000009000000

IpSec Tag value is correct.

**** End of log ****


Sorry about the underlining.

So, when I try to run it, it gives me the option to update.

If I press yes, the program shuts down.

If I press no, I get to the program screen.

But when I click "quick scan", the program shuts down.

Also, used MBAM-Clean

and reinstalled a fresh copy.

Still crashes.


I am sorry to hear that, but I hope your computer will be working fine now. :)

If you need any additional help with this, just let me know.

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.

  2. Keep Windows (and your other Microsoft software) up to date!

    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  4. Stay up to date!

    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


1 month later...

(Staff)

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
