
I have been looking to remove this XP Defender and it has been very stubborn. I thought I had it removed on two occasions, but it was not to be. I did the fixes in Malwarebytes, but not the HijackThis ones. Both scans had to be run in Safe Mode because they would not work in regular mode. Here are the logs:

HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:31:10 PM, on 7/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://downloads.yahoo.com/internetexplorer/welcome

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"

O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"

O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [P3000x_S2P] "C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe"

O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"

O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DLA] "C:\WINDOWS\System32\DLA\DLACTRLW.EXE"

O4 - HKLM\..\Run: [MimBoot] "C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe"

O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall

O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"

O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1171388352\ee\AOLSoftware.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [intuit SyncManager] "C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe" startup

O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - Global Startup: APC UPS Status.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.att.net

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1226268006687

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mnscu.webex.com/client/T26L/nbr/ieatgpc.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://upload.smugmug.com/photos/activex/XUpload.ocx

O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 9742 bytes

Malwarebytes

Malwarebytes' Anti-Malware 1.38

Database version: 2360

Windows 5.1.2600 Service Pack 3

7/1/2009 10:30:16 PM

mbam-log-2009-07-01 (22-30-16).txt

Scan type: Quick Scan

Objects scanned: 109991

Time elapsed: 9 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\saint hedwig\application data\xpdeluxe.exe (Rogue.XPDeluxe) -> Quarantined and deleted successfully.

c:\documents and settings\Saint Hedwig\Start Menu\XP Deluxe Protector.LNK (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.

c:\documents and settings\Saint Hedwig\Desktop\XP Deluxe Protector.LNK (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.
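Before asking for further tools, a helper reading a HijackThis log like the one above usually triages it by hand: entries whose target is gone ("(no file)", "(file missing)") are orphaned registrations that are safe to fix, and autostarts that run from a user profile or a Temp directory rather than from Windows or Program Files are where a rogue such as the one Malwarebytes found under Application Data installs itself. The script below is an added example, not part of the original post and not HijackThis code; it parses a constructed sample in the HijackThis 2.0.2 line format (paths modelled on the posted log, the last three entries invented for the demo) and returns those entries. The trusted-directory prefixes are an assumption used only for ranking: the thread's later ComboFix log shows a patched userinit.exe inside system32, so a clean path never proves a clean file.

```python
import re

# Constructed sample in the HijackThis 2.0.2 format. Paths are modelled on the
# posted log; the xpprotect, updater and ExSvc entries are invented for the demo.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [xpprotect] C:\Documents and Settings\user\XP Deluxe Protector\xpdeluxe.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svch0st.exe
O23 - Service: Example Service (ExSvc) - Unknown owner - C:\WINDOWS\system32\exsvc.exe
"""

HJT_LINE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
PATH_RE = re.compile(r"([a-z]:\\.+?\.(?:exe|dll|ocx|sys))\b", re.I)
MISSING_MARKERS = ("(no file)", "(file missing)")
# Where legitimate autostart binaries normally live on XP. An assumption used
# for ranking, not a whitelist: malware also patches files inside system32.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def extract_path(rest):
    """Return the first executable/DLL path in the text after the entry type,
    or None for entries (R1, O14, ...) that carry no file path."""
    m = PATH_RE.search(rest)
    return m.group(1) if m else None


def triage(log_text):
    """Return (entry_type, reason, detail) tuples worth a human's attention."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.groups()
        if any(marker in rest for marker in MISSING_MARKERS):
            # Registered CLSID/service whose file is gone: leftover of an
            # uninstall or of a partly removed infection. Harmless to fix.
            findings.append((kind, "orphaned entry (target file missing)", rest))
            continue
        path = extract_path(rest)
        if path is None:
            continue
        if not path.lower().startswith(TRUSTED_PREFIXES):
            # User profile, Temp, C:\ root: where rogue AV drops itself.
            findings.append((kind, "runs from outside Windows/Program Files", path))
        if kind == "O23" and "unknown owner" in rest.lower():
            # Services normally carry a company string. A missing one is a
            # prompt to check the binary, not proof of anything: Dell's
            # DSBrokerService in the posted log shows the same.
            findings.append((kind, "service has no publisher string", path))
    return findings


def by_reason(findings):
    """Count findings per reason, for a quick summary line."""
    counts = {}
    for _, reason, _ in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LOG)
    for kind, reason, detail in results:
        print(f"{kind:4} {reason:42} {detail}")
    print(by_reason(results))
```

On the constructed sample this reports three orphaned entries, two autostarts under Documents and Settings and one service without a publisher string; on the real log above it would surface the same two "(no file)" BHO/toolbar entries and the missing Symantec IPS BHO, and nothing in the O4 list, which matches what Malwarebytes had already removed from the Run keys.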


  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Some interesting things happened while it was scanning.

1. I was unable to stop the XP Deluxe Protector because the computer froze on any attempt to stop the program, so the scan continued on.

2. ComboFix changed my desktop and did not change it back.

3. There appear to be a couple of dead shortcuts on my desktop and pinned to the Start Menu; they are labeled XP Deluxe Protector, even though it appears the program is no longer running.

4. When ComboFix restarted the computer, my AV and spyware programs restarted and tried to block some changes. I think I was able to unblock them, but I am not sure.

5. While ComboFix was generating the report, an error popped up, and even though I tried "Retry" it would only move forward when I clicked "Continue". (I didn't write down the error; it was a memory location.)

Here is the log from the ComboFix.

ComboFix 09-07-01.04 - Saint Hedwig 07/02/2009 10:38.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.515 [GMT -5:00]

Running from: G:\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\Saint Hedwig\XP Deluxe Protector

c:\documents and settings\Saint Hedwig\XP Deluxe Protector\xpdeluxe.exe

c:\windows\MailSwitch.ocx

c:\windows\system32\bszip.dll

c:\windows\system32\disk.dll

----- BITS: Possible infected sites -----

hxxp://gnbd1.cn

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

.

((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))

.

2009-07-02 15:23 . 2009-07-02 15:23 29184 ----a-w- c:\windows\system32\gdi32lib.dll

2009-07-02 01:27 . 2009-07-02 01:27 57536 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-02 00:24 . 2009-07-02 00:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-07-02 00:08 . 2009-07-02 00:08 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\Malwarebytes

2009-07-02 00:07 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-02 00:07 . 2009-07-02 00:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-02 00:07 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-02 00:06 . 2009-07-02 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-01 18:43 . 2009-07-01 18:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot

2009-07-01 16:32 . 2009-07-01 16:32 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Webroot

2009-07-01 00:45 . 2009-07-01 00:45 -------- d-----w- c:\program files\7-Zip

2009-06-29 00:54 . 2009-07-01 14:34 -------- d-----w- c:\windows\system32\Service

2009-06-25 21:50 . 2009-06-25 21:50 129472 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-06-25 21:46 . 2009-06-25 21:46 -------- d-----w- c:\program files\iPod

2009-06-25 21:46 . 2009-06-25 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-06-25 21:46 . 2009-06-25 21:47 -------- d-----w- c:\program files\iTunes

2009-06-25 21:42 . 2009-06-25 21:42 -------- d-----w- c:\program files\Bonjour

2009-06-25 21:41 . 2009-06-25 21:42 -------- d-----w- c:\program files\QuickTime

2009-06-25 21:34 . 2009-06-05 16:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-06-23 17:07 . 2009-06-23 17:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-06-18 12:47 . 2009-06-18 12:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\Webroot

2009-06-18 12:44 . 2009-06-18 12:44 -------- d-----w- c:\program files\Webroot

2009-06-18 12:44 . 2009-06-18 12:44 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\Webroot

2009-06-18 12:44 . 2009-06-18 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot

2009-06-18 12:44 . 2008-08-09 21:04 1538928 ----a-w- c:\windows\WRSetup.dll

2009-06-18 11:06 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\drivers\tmactmon.sys

2009-06-18 11:06 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys

2009-06-18 11:06 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-06-18 11:05 . 2009-06-18 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro

2009-06-18 11:04 . 2009-07-02 03:30 -------- d-----w- c:\program files\Trend Micro

2009-06-16 14:46 . 2009-06-16 14:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-06-16 14:39 . 2009-06-17 18:49 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-06-16 14:39 . 2009-06-17 18:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-06-15 03:42 . 2009-06-17 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-06-15 03:41 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-06-15 03:41 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-06-15 03:33 . 2009-06-15 03:33 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\Lavasoft

2009-06-15 03:20 . 2009-06-15 03:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Grisoft

2009-06-15 03:20 . 2009-06-15 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft

2009-06-15 03:10 . 2009-06-15 03:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-06-14 19:29 . 2009-06-15 03:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft

2009-06-14 19:29 . 2009-06-17 18:58 -------- d-----w- c:\program files\Lavasoft

2009-06-14 19:22 . 2009-06-14 19:22 -------- d-----w- c:\program files\CCleaner

2009-06-14 18:46 . 2009-06-14 18:46 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-06-12 03:22 . 2002-08-14 20:03 4672 ----a-w- c:\windows\system\WOWPOST.EXE

2009-06-12 03:22 . 2002-08-14 20:03 5600 ----a-w- c:\windows\system\WINASPI.DLL

2009-06-12 03:22 . 2002-08-14 20:03 45056 ----a-w- c:\windows\system32\WNASPI32.DLL

2009-06-12 03:22 . 2002-08-14 20:03 17005 ----a-w- c:\windows\system32\drivers\ASPI32.SYS

2009-06-12 01:14 . 2006-03-04 04:52 636568 ------r- c:\windows\system32\NSRSte.dll

2009-06-12 01:14 . 2009-06-13 20:28 -------- d-----w- c:\program files\Norton Save and Restore

2009-06-12 01:04 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll

2009-06-12 01:04 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll

2009-06-08 17:36 . 2009-06-08 17:40 -------- d-----w- C:\6de2e506145bbec873f1b3a31b1c

2009-06-08 17:05 . 2009-06-08 17:06 -------- d-----w- C:\5493a3016cc6196776b4092b00

2009-06-08 17:05 . 2009-06-08 17:05 -------- d-----w- C:\a09a75ff8d84a291c7

2009-06-06 04:37 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe

2009-06-05 18:57 . 2009-06-05 18:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-25 21:46 . 2008-06-07 22:02 -------- d-----w- c:\program files\Common Files\Apple

2009-06-25 21:35 . 2008-06-07 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-06-25 21:15 . 2008-06-07 22:05 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\Apple Computer

2009-06-19 17:52 . 2009-02-13 03:28 865544 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe

2009-06-19 17:52 . 2009-02-13 03:28 38664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe

2009-06-18 11:01 . 2006-04-08 15:00 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-06-18 10:53 . 2006-04-08 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-06-18 10:52 . 2006-04-14 17:40 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\Symantec

2009-06-17 14:17 . 2006-04-08 15:07 -------- d-----w- c:\program files\Google

2009-06-16 14:31 . 2007-02-21 18:32 -------- d-----w- c:\program files\TrueAssistant

2009-06-08 19:53 . 2006-04-14 17:48 57536 ----a-w- c:\documents and settings\Saint Hedwig\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-06 04:53 . 2009-06-06 04:53 0 ----a-w- c:\documents and settings\Saint Hedwig\Application Data\~ygw.tmp

2009-06-05 16:42 . 2008-06-07 22:02 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-05-31 20:37 . 2008-10-22 11:48 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\LimeWire

2009-05-13 05:15 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-12 20:02 . 2009-02-12 18:44 2426 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys

2009-05-12 14:37 . 2009-05-10 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\10902814

2009-05-12 14:25 . 2009-05-10 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\60922809

2009-05-10 19:35 . 2009-05-10 19:35 482 ----a-w- c:\documents and settings\All Users\Application Data\60922809\20723592.exe

2009-05-10 19:27 . 2009-05-10 19:27 505 ----a-w- c:\documents and settings\All Users\Application Data\60922809\10723591.exe

2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll

2009-04-24 05:42 . 2009-04-24 05:42 192512 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\ICSharpCode.SharpZipLib.dll

2009-04-17 12:26 . 2004-08-10 17:51 1847168 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 14:51 . 2004-08-10 17:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll

2006-04-14 19:29 . 2006-04-14 19:29 88 --sh--r- c:\windows\system32\77310286E8.sys

2006-04-14 19:29 . 2006-04-14 19:07 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-17 4347120]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-08 638816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"P3000x_S2P"="c:\program files\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe" [2004-10-28 57344]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-03-17 57393]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-03-17 40960]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-04-08 26112]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 8192]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-13 1117184]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]

"HostManager"="c:\program files\Common Files\AOL\1171388352\ee\AOLSoftware.exe" [2006-09-26 50736]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]

"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-08-09 5418864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-5-7 221295]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-8 24576]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-11 984352]

Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\1171388352\\ee\\aolsoftware.exe"=

"c:\\esp\\WINDOWS\\Espnetup.exe"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [8/9/2008 2:42 PM 29808]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2/21/2009 9:26 PM 36368]

S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [6/18/2009 6:06 AM 50192]

S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [6/18/2009 6:07 AM 677128]

S3 OSIUSB2;USB Cable Service B;c:\windows\system32\drivers\slabser.sys [7/11/2007 9:28 PM 100400]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

Contents of the 'Scheduled Tasks' folder

2009-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2006-04-14 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

2009-06-26 c:\windows\Tasks\wrSpySweeperFullSweep.job

- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-06-18 21:04]

2009-06-26 c:\windows\Tasks\wrSpySweeperFullSweep.job

- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-06-18 21:04]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-xpprotect - c:\documents and settings\Saint Hedwig\XP Deluxe Protector\xpdeluxe.exe

HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; AT&T CSM6.0; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: turbotax.com

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-02 11:08

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5140)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe

c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe

c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe

c:\windows\wanmpsvc.exe

c:\program files\Webroot\Spy Sweeper\SpySweeper.exe

c:\progra~1\MI3AA1~1\rapimgr.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe

c:\windows\system32\wscntfy.exe

c:\program files\Java\jre1.6.0_07\bin\jucheck.exe

c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\QBMsgMgr.exe

.

**************************************************************************

.

Completion time: 2009-07-02 11:25 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-02 16:25

Pre-Run: 82,670,481,408 bytes free

Post-Run: 83,036,180,480 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

283 --- E O F --- 2009-06-16 14:48


  • Staff

Hi,

It appears that your Trendmicro was interfering here, or your Spysweeper. I know both can cause a lot of problems when running Combofix.

In case you didn't purchase Spysweeper, I suggest you uninstall it, because it's an extra resource hog, running in the background while it won't protect you because it's a trial.

Then,

Open Notepad - don't use any text editor other than Notepad, or the script will fail.

Copy/paste the text in the quotebox below into notepad:

Folder::

c:\documents and settings\All Users\Application Data\10902814

c:\documents and settings\All Users\Application Data\60922809

Dirlook::

c:\windows\system32\Service

c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

Registry::

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

Filelook::

c:\windows\system32\gdi32lib.dll

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


I uninstalled both the TrendMicro and Spy Sweeper (both of which were purchased and should not be trial versions). I then rebooted and ran the ComboFix again. The ComboFix did not reboot the machine; I did it as a function of the uninstall. The scan ran significantly quicker this time, so if there were any errors I did not see them. The last errors required me to click a button to continue, so I am guessing there were none. The "dead" shortcuts are still on my Desktop and pinned to my Start menu. I am assuming they are dead, but I have not clicked on them for fear of accidentally reinstalling the XP Protector.

Thank You for All of your help,

Brian

ComboFix 09-07-01.04 - Saint Hedwig 07/02/2009 14:53.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.624 [GMT -5:00]

Running from: c:\documents and settings\Saint Hedwig\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Saint Hedwig\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\10902814

c:\documents and settings\All Users\Application Data\10902814\pc10902814ins

c:\documents and settings\All Users\Application Data\10902814\pc10902814reg

c:\documents and settings\All Users\Application Data\60922809

c:\documents and settings\All Users\Application Data\60922809\10723591.exe

c:\documents and settings\All Users\Application Data\60922809\20723592.exe

.

((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))

.

2009-07-02 15:23 . 2009-07-02 15:23 29184 ----a-w- c:\windows\system32\gdi32lib.dll

2009-07-02 01:27 . 2009-07-02 01:27 57536 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-02 00:24 . 2009-07-02 00:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-07-02 00:08 . 2009-07-02 00:08 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\Malwarebytes

2009-07-02 00:07 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-02 00:07 . 2009-07-02 00:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-02 00:07 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-02 00:06 . 2009-07-02 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-01 00:45 . 2009-07-01 00:45 -------- d-----w- c:\program files\7-Zip

2009-06-29 00:54 . 2009-07-01 14:34 -------- d-----w- c:\windows\system32\Service

2009-06-25 21:50 . 2009-06-25 21:50 129472 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-06-25 21:46 . 2009-06-25 21:46 -------- d-----w- c:\program files\iPod

2009-06-25 21:46 . 2009-06-25 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-06-25 21:46 . 2009-06-25 21:47 -------- d-----w- c:\program files\iTunes

2009-06-25 21:42 . 2009-06-25 21:42 -------- d-----w- c:\program files\Bonjour

2009-06-25 21:41 . 2009-06-25 21:42 -------- d-----w- c:\program files\QuickTime

2009-06-25 21:34 . 2009-06-05 16:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-06-23 17:07 . 2009-06-23 17:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-06-18 11:04 . 2009-07-02 19:43 -------- d-----w- c:\program files\Trend Micro

2009-06-16 14:46 . 2009-06-16 14:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-06-16 14:39 . 2009-06-17 18:49 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-06-16 14:39 . 2009-06-17 18:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-06-15 03:42 . 2009-06-17 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-06-15 03:41 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-06-15 03:41 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-06-15 03:33 . 2009-06-15 03:33 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\Lavasoft

2009-06-15 03:20 . 2009-06-15 03:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Grisoft

2009-06-15 03:20 . 2009-06-15 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft

2009-06-15 03:10 . 2009-06-15 03:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-06-14 19:29 . 2009-06-15 03:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft

2009-06-14 19:29 . 2009-06-17 18:58 -------- d-----w- c:\program files\Lavasoft

2009-06-14 19:22 . 2009-06-14 19:22 -------- d-----w- c:\program files\CCleaner

2009-06-14 18:46 . 2009-06-14 18:46 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-06-12 03:22 . 2002-08-14 20:03 4672 ----a-w- c:\windows\system\WOWPOST.EXE

2009-06-12 03:22 . 2002-08-14 20:03 5600 ----a-w- c:\windows\system\WINASPI.DLL

2009-06-12 03:22 . 2002-08-14 20:03 45056 ----a-w- c:\windows\system32\WNASPI32.DLL

2009-06-12 03:22 . 2002-08-14 20:03 17005 ----a-w- c:\windows\system32\drivers\ASPI32.SYS

2009-06-12 01:14 . 2006-03-04 04:52 636568 ------r- c:\windows\system32\NSRSte.dll

2009-06-12 01:14 . 2009-06-13 20:28 -------- d-----w- c:\program files\Norton Save and Restore

2009-06-12 01:04 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll

2009-06-12 01:04 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll

2009-06-08 17:36 . 2009-06-08 17:40 -------- d-----w- C:\6de2e506145bbec873f1b3a31b1c

2009-06-08 17:05 . 2009-06-08 17:06 -------- d-----w- C:\5493a3016cc6196776b4092b00

2009-06-08 17:05 . 2009-06-08 17:05 -------- d-----w- C:\a09a75ff8d84a291c7

2009-06-06 04:37 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe

2009-06-05 18:57 . 2009-06-05 18:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-25 21:46 . 2008-06-07 22:02 -------- d-----w- c:\program files\Common Files\Apple

2009-06-25 21:35 . 2008-06-07 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-06-25 21:15 . 2008-06-07 22:05 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\Apple Computer

2009-06-19 17:52 . 2009-02-13 03:28 865544 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe

2009-06-19 17:52 . 2009-02-13 03:28 38664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe

2009-06-18 11:01 . 2006-04-08 15:00 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-06-18 10:53 . 2006-04-08 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-06-18 10:52 . 2006-04-14 17:40 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\Symantec

2009-06-17 14:17 . 2006-04-08 15:07 -------- d-----w- c:\program files\Google

2009-06-16 14:31 . 2007-02-21 18:32 -------- d-----w- c:\program files\TrueAssistant

2009-06-08 19:53 . 2006-04-14 17:48 57536 ----a-w- c:\documents and settings\Saint Hedwig\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-06 04:53 . 2009-06-06 04:53 0 ----a-w- c:\documents and settings\Saint Hedwig\Application Data\~ygw.tmp

2009-06-05 16:42 . 2008-06-07 22:02 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-05-31 20:37 . 2008-10-22 11:48 -------- d-----w- c:\documents and settings\Saint Hedwig\Application Data\LimeWire

2009-05-13 05:15 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-12 20:02 . 2009-02-12 18:44 2426 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys

2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll

2009-04-24 05:42 . 2009-04-24 05:42 192512 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\ICSharpCode.SharpZipLib.dll

2009-04-17 12:26 . 2004-08-10 17:51 1847168 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 14:51 . 2004-08-10 17:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll

2006-04-14 19:29 . 2006-04-14 19:29 88 --sh--r- c:\windows\system32\77310286E8.sys

2006-04-14 19:29 . 2006-04-14 19:07 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

--- c:\windows\system32\gdi32lib.dll ---

Company:

File Description: VMware Module

File Version: 1, 0, 0, 1

Product Name: VMware Module

Copyright: Copyright 2005

Original Filename: VMware.dll

File size: 29184

Created time: 2009-07-02 15:23

Modified time: 2009-07-02 15:23

MD5: E25C426C4381CA5371927AF1D7DB3DB9

SHA1: DB9D18D257DF0BB2EF894E3C25DBE42FB787ED34

---- Directory of c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} ----

2009-06-25 21:47 . 2009-06-25 21:47 3654 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\DIFxInstallLog.txt

2009-03-25 06:19 . 2009-03-25 06:19 7919 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\gearaspiwdmx86.cat

2009-03-19 21:38 . 2009-03-19 21:38 2763 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\GEARAspiWDM.inf

2009-03-19 21:32 . 2009-03-19 21:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys

2009-02-04 18:56 . 2009-02-04 18:56 75112 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\DifXInstall32.exe

2008-04-17 17:12 . 2008-04-17 17:12 107368 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspi.dll

2006-11-02 11:21 . 2006-11-02 11:21 319456 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\DIFxAPI.dll

---- Directory of c:\windows\system32\Service ----

2009-07-01 14:34 . 2009-07-01 14:34 928 ----a-w- c:\windows\system32\Service\01072009_TIS17_SfFniAU.log

2009-06-29 00:54 . 2009-06-29 01:11 1856 ----a-w- c:\windows\system32\Service\28062009_TIS17_SfFniAU.log

((((((((((((((((((((((((((((( SnapShot@2009-07-02_16.10.28 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-02 19:43 . 2009-07-02 19:43 16384 c:\windows\Temp\Perflib_Perfdata_a8c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-17 4347120]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"P3000x_S2P"="c:\program files\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe" [2004-10-28 57344]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-03-17 57393]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-03-17 40960]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-04-08 26112]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 8192]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-13 1117184]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]

"HostManager"="c:\program files\Common Files\AOL\1171388352\ee\AOLSoftware.exe" [2006-09-26 50736]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-5-7 221295]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-8 24576]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-11 984352]

Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\1171388352\\ee\\aolsoftware.exe"=

"c:\\esp\\WINDOWS\\Espnetup.exe"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S3 OSIUSB2;USB Cable Service B;c:\windows\system32\drivers\slabser.sys [7/11/2007 9:28 PM 100400]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

Contents of the 'Scheduled Tasks' folder

2009-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2006-04-14 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: turbotax.com

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-02 14:59

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-07-02 15:01

ComboFix-quarantined-files.txt 2009-07-02 20:01

ComboFix2.txt 2009-07-02 16:25

Pre-Run: 83,708,407,808 bytes free

Post-Run: 83,693,498,368 bytes free

232 --- E O F --- 2009-06-16 14:48

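Two small parsers for the ComboFix log format shown in the posts above, added here as an example; this is not code from the original thread, from Malwarebytes or from ComboFix. parse_entries reads the "Files Created" / "Find3M Report" entries, triage applies three heuristics that correspond to things the thread itself acted on (the numeric-named folders under All Users\Application Data that ComboFix deleted, hidden+system files in system32, and files freshly written to system32 such as gdi32lib.dll), and original_name_mismatches reads a Filelook:: "Look" block to catch a file whose on-disk name differs from the Original Filename compiled into its version resource (gdi32lib.dll reporting itself as VMware.dll). The sample lines are copied from the logs above, except the timestamps and size attached to the 60922809 entries, which are constructed. The heuristics, thresholds and function names are my own assumptions; the output is a list of things for a person to look at, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One "Files Created" / "Find3M Report" entry of a ComboFix log looks like:
#   <created> . <modified> <size, or -------- for a directory> <attrs> <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "
    r"(?P<attrs>[d-][-a-z]{7}) "
    r"(?P<path>.+)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories (ComboFix prints "--------")
    attrs: str           # e.g. "d-sh--w-": d=directory, s=system, h=hidden, a=archive
    path: str            # lower-cased so comparisons are case-insensitive

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


def parse_entries(text: str) -> List[Entry]:
    """Extract file entries; section headers, '.' separators and prose are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"].lower()))
    return entries


PROGRAMDATA = "c:\\documents and settings\\all users\\application data\\"
SYSTEM32 = "c:\\windows\\system32\\"


def triage(entries: List[Entry], recent_after: Optional[str] = None) -> List[Tuple[Entry, str]]:
    """Heuristics (assumptions, not signatures): each hit is a lead for a human to check."""
    hits = []
    for e in entries:
        if e.path.startswith(PROGRAMDATA):
            top = e.path[len(PROGRAMDATA):].split("\\", 1)[0]
            if top.isdigit():  # like the 10902814 / 60922809 folders ComboFix removed
                hits.append((e, "numeric-only folder under All Users\\Application Data"))
        if not e.is_dir and e.path.startswith(SYSTEM32):
            if e.hidden_system:
                hits.append((e, "hidden+system file in system32"))
            if recent_after and e.created >= recent_after:  # ISO timestamps compare as strings
                hits.append((e, f"file written to system32 after {recent_after}"))
    return hits


LOOK_HEADER_RE = re.compile(r"^--- (?P<path>.+?) ---$")


def original_name_mismatches(look_text: str) -> List[Tuple[str, str]]:
    """From a ComboFix 'Look' block (output of Filelook::), return (path, Original Filename)
    pairs where the name on disk differs from the name in the file's version resource."""
    current, out = None, []
    for raw in look_text.splitlines():
        line = raw.strip()
        m = LOOK_HEADER_RE.match(line)
        if m:
            current = m["path"]
            continue
        if current and line.lower().startswith("original filename:"):
            original = line.split(":", 1)[1].strip()
            if original and original.lower() != current.rsplit("\\", 1)[-1].lower():
                out.append((current, original))
    return out


# Sample input: lines copied from the thread's logs; the 60922809 timestamps/size are constructed.
SAMPLE_FILES = """\
((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.
2009-07-02 15:23 . 2009-07-02 15:23 29184 ----a-w- c:\\windows\\system32\\gdi32lib.dll
2009-07-02 00:07 . 2009-06-17 16:27 19096 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2009-07-01 00:45 . 2009-07-01 00:45 -------- d-----w- c:\\program files\\7-Zip
2009-06-15 03:10 . 2009-06-15 03:10 -------- d-sh--w- c:\\documents and settings\\Administrator\\PrivacIE
2009-06-25 21:50 . 2009-06-25 21:50 -------- d-----w- c:\\documents and settings\\All Users\\Application Data\\60922809
2009-06-25 21:50 . 2009-06-25 21:50 57344 ----a-w- c:\\documents and settings\\All Users\\Application Data\\60922809\\10723591.exe
2006-04-14 19:29 . 2006-04-14 19:29 88 --sh--r- c:\\windows\\system32\\77310286E8.sys
2006-04-14 19:29 . 2006-04-14 19:07 3350 --sha-w- c:\\windows\\system32\\KGyGaAvL.sys
"""

SAMPLE_LOOK = """\
--- c:\\windows\\system32\\gdi32lib.dll ---
Company:
File Description: VMware Module
Original Filename: VMware.dll
File size: 29184
MD5: E25C426C4381CA5371927AF1D7DB3DB9
"""

if __name__ == "__main__":
    for entry, reason in triage(parse_entries(SAMPLE_FILES), recent_after="2009-07-02 12:00"):
        print(f"{reason}: {entry.path} ({entry.attrs}, created {entry.created})")
    for path, original in original_name_mismatches(SAMPLE_LOOK):
        print(f"name mismatch: {path} claims to be {original}")
```

The recent_after cutoff is deliberately a parameter: the Malwarebytes drivers in the same log were also written to system32 the same day, so a cutoff just before the suspect file's creation time separates the file under investigation from the tools you installed to investigate it. The hidden+system heuristic will also catch legitimate licensing and DRM data files, which is why every hit carries a reason string rather than a verdict.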

  • Staff

Hi,

The "dead" shortcuts are still on my Desktop and pinned to my Start menu. I am assuming they are dead, but I have not clicked on them for fear of accidently reinstalling the XP Protector.
You can delete them manually (right-click and select Delete).

Please change your passwords as they may be known/collected.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

Link to post
Share on other sites

I ran Malwarebytes last evening and it came up with 5 issues, which it fixed. I then ran HijackThis and cleaned up the issues that I could tell needed cleaning.

Then two subsequent scans with Malwarebytes and one scan with ComboFix (just for fun), and everything seems clean. I shut the computer down for 10 minutes (that was when I would see the XP Deluxe return) and it did not return, and I left it on all night and it came up clean. There were 3 issues in my TrendMicro log after its scan last night, but I am going to remove ComboFix and Malwarebytes and see if that is what is showing up.

I think that worked.

Thank You for your help

Brian


  • Staff

Glad I could help. :unsure:

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
