PLEASE HELP - In need of assistance in removing Rootkit infection


My computer was recently infected with a Rootkit.MBR virus. Malwarebytes successfully quarantined the virus, but my computer still freezes. Below are my MBAM, HijackThis, ComboFix, and DDS log files:

MBAM Log File:

Malwarebytes' Anti-Malware 1.42

Database version: 3442

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/28/2009 12:23:17 AM

mbam-log-2009-12-28 (00-23-17).txt

Scan type: Quick Scan

Objects scanned: 148479

Time elapsed: 15 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\David M. Shamberger\Local Settings\Temp\ifEI.dll (Rootkit.MBR) -> Quarantined and deleted successfully.

C:\Documents and Settings\HelpAssistant.DDQWF5G1\Local Settings\Temp\ifEI.dll (Rootkit.MBR) -> Quarantined and deleted successfully.

HIJACKTHIS LOG FILE:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 9:09:17 AM, on 12/28/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\nvraidservice.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Nike+ Utility\Nike+ Utility.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080428

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080428

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile

O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Nike+ Utility.lnk = C:\Program Files\Nike+ Utility\Nike+ Utility.exe

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1258146697828

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 10090 bytes

COMBOFIX LOG FILE:

ComboFix 09-12-27.03 - David M. Shamberger 12/28/2009 8:57.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2462 [GMT -5:00]

Running from: c:\documents and settings\David M. Shamberger\Desktop\ComboFix.exe

AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\1.tmp

c:\windows\system32\2.tmp

c:\windows\system32\3.tmp

.

original MBR restored successfully !

.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 )))))))))))))))))))))))))))))))

.

2009-12-28 05:06 . 2009-12-28 13:50 -------- d-----w- c:\documents and settings\HelpAssistant.DDQWF5G1

2009-12-28 05:02 . 2009-12-28 05:02 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache

2009-12-28 05:02 . 2009-12-28 05:02 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache

2009-12-24 22:09 . 2009-12-24 22:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

2009-12-06 16:26 . 2009-12-06 16:26 -------- d-sh--w- c:\documents and settings\David M. Shamberger\IECompatCache

2009-12-06 16:26 . 2009-12-06 16:26 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-11-28 17:29 . 2009-12-28 14:02 -------- d-----w- C:\MDT

2009-11-28 17:29 . 2009-11-28 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-28 09:13 . 2009-12-28 09:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-12-28 09:02 . 2009-12-28 09:02 -------- d-----w- c:\documents and settings\David M. Shamberger\Application Data\GlarySoft

2009-12-28 08:57 . 2009-12-28 08:57 -------- d-----w- c:\program files\Glary Utilities

2009-12-28 08:33 . 2009-12-28 08:33 -------- d-----w- c:\program files\Sophos

2009-12-20 23:25 . 2009-11-21 21:47 51068 ---ha-w- c:\windows\system32\mlfcache.dat

2009-12-12 22:25 . 2009-11-18 08:08 -------- d-----w- c:\program files\Yahoo!

2009-12-12 22:06 . 2009-11-18 08:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2009-12-09 13:47 . 2009-11-13 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-12-06 16:30 . 2009-11-14 00:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-06 09:36 . 2009-12-06 09:36 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-12-03 21:14 . 2009-11-14 00:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-03 21:13 . 2009-11-14 00:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-29 22:54 . 2009-11-20 02:23 -------- d-----w- c:\program files\Nike+ Utility

2009-11-25 08:48 . 2008-04-28 04:16 60088 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-25 03:32 . 2009-11-25 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2009-11-25 03:32 . 2009-11-25 03:32 -------- d-----w- c:\documents and settings\David M. Shamberger\Application Data\Office Genuine Advantage

2009-11-24 01:38 . 2009-11-24 01:38 -------- d-----w- c:\program files\PictureProject In Touch Downloader

2009-11-24 01:38 . 2009-11-24 01:36 -------- d-----w- c:\program files\Common Files\Nikon

2009-11-24 01:38 . 2008-04-28 04:03 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-11-24 01:38 . 2009-11-24 01:38 -------- d-----w- c:\documents and settings\David M. Shamberger\Application Data\Nikon

2009-11-24 01:37 . 2009-11-24 01:37 -------- d-----w- c:\program files\Common Files\muvee Technologies

2009-11-24 01:37 . 2009-11-24 01:37 -------- d-----w- c:\program files\Nikon

2009-11-24 01:36 . 2009-11-24 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime

2009-11-24 01:34 . 2009-11-24 01:34 -------- d-----w- c:\program files\Microsoft IntelliPoint

2009-11-24 01:34 . 2009-11-24 01:33 -------- d-----w- c:\program files\Microsoft IntelliType Pro

2009-11-24 01:01 . 2009-11-24 01:01 -------- d-----w- c:\program files\Common Files\L&H

2009-11-24 01:01 . 2009-11-24 01:01 -------- d-----w- c:\program files\Microsoft ActiveSync

2009-11-22 03:28 . 2009-11-22 03:28 -------- d-----w- c:\documents and settings\David M. Shamberger\Application Data\Red Alert 3

2009-11-22 03:28 . 2009-11-22 03:28 -------- d--h--r- c:\documents and settings\David M. Shamberger\Application Data\SecuROM

2009-11-21 14:41 . 2009-11-21 14:41 -------- d-----w- c:\program files\Electronic Arts

2009-11-18 08:11 . 2009-11-18 08:10 -------- d-----w- c:\documents and settings\David M. Shamberger\Application Data\Yahoo!

2009-11-18 00:52 . 2008-04-28 04:12 -------- d-----w- c:\program files\Common Files\Adobe

2009-11-14 22:01 . 2009-11-14 22:01 -------- d-----w- c:\program files\Seagate

2009-11-14 22:01 . 2009-11-14 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate

2009-11-14 21:46 . 2009-11-14 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

2009-11-14 21:42 . 2009-11-14 21:42 -------- d-----w- c:\documents and settings\David M. Shamberger\Application Data\Windows Search

2009-11-14 21:36 . 2009-11-14 21:34 -------- d-----w- c:\documents and settings\David M. Shamberger\Application Data\HpUpdate

2009-11-14 21:34 . 2009-11-13 19:51 -------- d-----w- c:\program files\HP

2009-11-14 08:52 . 2009-11-14 00:11 -------- d-----w- c:\program files\Windows Desktop Search

2009-11-14 00:39 . 2009-11-14 00:39 -------- d-----w- c:\documents and settings\David M. Shamberger\Application Data\Malwarebytes

2009-11-14 00:39 . 2009-11-14 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-14 00:38 . 2009-11-13 10:00 -------- d--h--w- c:\documents and settings\All Users\Application Data\esClient

2009-11-14 00:29 . 2009-11-14 00:29 0 ----a-w- c:\documents and settings\David M. Shamberger\Local Settings\Application Data\esPD5.tmp

2009-11-14 00:11 . 2009-11-14 00:11 -------- d-----w- c:\documents and settings\David M. Shamberger\Application Data\Windows Desktop Search

2009-11-13 23:58 . 2009-11-13 23:58 0 ----a-w- c:\documents and settings\David M. Shamberger\Local Settings\Application Data\esP30.tmp

2009-11-13 22:54 . 2009-11-13 22:54 -------- d-----w- c:\program files\Citrix

2009-11-13 21:45 . 2008-04-28 04:12 -------- d-----w- c:\program files\Microsoft Works

2009-11-13 21:20 . 2009-11-13 21:20 -------- d-----w- c:\program files\MSBuild

2009-11-13 21:20 . 2009-11-13 21:20 -------- d-----w- c:\program files\Reference Assemblies

2009-11-13 21:10 . 2009-11-13 21:10 -------- d-----w- c:\program files\Microsoft.NET

2009-11-13 21:05 . 2009-11-13 20:28 117151 ----a-w- c:\windows\hpoins11.dat

2009-11-13 21:05 . 2009-11-13 21:05 -------- d-----w- c:\documents and settings\David M. Shamberger\Application Data\HP

2009-11-13 21:04 . 2009-11-13 21:04 142 ----a-w- c:\documents and settings\David M. Shamberger\Local Settings\Application Data\fusioncache.dat

2009-11-13 21:02 . 2009-11-13 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\HP

2009-11-13 21:01 . 2008-04-28 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic

2009-11-13 21:01 . 2009-11-13 21:01 -------- d-----w- c:\program files\Common Files\HP

2009-11-13 21:00 . 2009-11-13 21:00 -------- d-----w- c:\program files\Hewlett-Packard

2009-11-13 21:00 . 2009-11-13 21:00 -------- d-----w- c:\program files\Common Files\Hewlett-Packard

2009-11-13 14:47 . 2009-11-13 14:47 -------- d-----w- c:\documents and settings\David M. Shamberger\Application Data\CyberLink

2009-11-13 10:01 . 2009-11-13 10:01 0 ----a-w- c:\documents and settings\David M. Shamberger\Local Settings\Application Data\esP15E.tmp

2009-11-13 10:00 . 2009-11-13 10:00 15172 ----a-w- c:\windows\system32\drivers\PzWDM.sys

2009-11-13 09:57 . 2009-11-13 09:57 -------- d-----w- c:\program files\Music Rescue

2009-11-13 09:42 . 2009-11-13 09:32 -------- d-----w- c:\documents and settings\David M. Shamberger\Application Data\Apple Computer

2009-11-13 09:32 . 2009-11-13 09:32 -------- d-----w- c:\program files\iTunes

2009-11-13 09:32 . 2009-11-13 09:32 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-11-13 09:32 . 2009-11-13 09:32 -------- d-----w- c:\program files\iPod

2009-11-13 09:32 . 2009-11-13 09:31 -------- d-----w- c:\program files\Common Files\Apple

2009-11-13 09:32 . 2009-11-13 09:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-11-13 09:32 . 2009-11-13 09:32 -------- d-----w- c:\program files\Bonjour

2009-11-13 09:31 . 2009-11-13 09:31 -------- d-----w- c:\program files\QuickTime

2009-11-13 09:31 . 2009-11-13 09:31 -------- d-----w- c:\program files\Apple Software Update

2009-11-13 09:31 . 2009-11-13 09:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-11-13 09:24 . 2009-11-13 09:24 -------- d-----w- c:\documents and settings\David M. Shamberger\Application Data\ICAClient

2009-11-13 09:24 . 2009-11-13 09:23 -------- d-----w- c:\documents and settings\David M. Shamberger\Application Data\Download Manager

2009-11-13 09:22 . 2009-11-13 09:22 0 ----a-w- c:\windows\nsreg.dat

2009-11-13 09:12 . 2009-11-13 09:12 -------- d-----w- c:\program files\MSXML 4.0

2009-11-13 09:07 . 2009-11-13 09:07 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2009-11-13 09:07 . 2009-11-13 09:07 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-11-13 09:00 . 2008-04-28 04:12 -------- d-----w- c:\program files\Google

2009-11-13 08:58 . 2004-08-11 22:14 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-10-29 07:45 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-29 01:58 . 2009-10-29 01:58 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

2009-10-21 05:38 . 2004-08-11 22:00 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2004-08-11 22:00 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:30 . 2004-08-11 22:00 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2004-08-11 22:00 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2004-08-11 22:00 79872 ----a-w- c:\windows\system32\raschap.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-01-15 106496]

"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-15 8523776]

"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2007-10-26 184352]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-15 16855552]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]

c:\documents and settings\David M. Shamberger\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

Nike+ Utility.lnk - c:\program files\Nike+ Utility\Nike+ Utility.exe [2008-4-30 1228800]

NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2009-11-23 118784]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"65533:TCP"= 65533:TCP:Services

"52344:TCP"= 52344:TCP:Services

"3246:TCP"= 3246:TCP:Services

"2479:TCP"= 2479:TCP:Services

"3389:TCP"= 3389:TCP:Remote Desktop

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [11/13/2009 5:00 AM 15172]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 11:32 PM 189736]

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [11/8/2007 7:19 PM 345696]

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [11/8/2007 7:19 PM 923216]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [11/8/2007 7:20 PM 36368]

R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [11/8/2007 7:19 PM 566872]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/8/2007 7:20 PM 280392]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\8.tmp --> c:\windows\system32\8.tmp [?]

.

------- Supplementary Scan -------

.

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080428

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\David M. Shamberger\Application Data\Mozilla\Firefox\Profiles\3wfwt1cn.default\

FF - plugin: c:\program files\echospin\npesProxy.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true.

- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-28 09:03

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\8.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2349904030-236101273-493904997-1005\Software\SecuROM\License information*]

"datasecu"=hex:3e,c0,a3,ef,13,4e,4e,ec,58,22,68,fd,61,b3,a5,99,74,40,ee,5a,4d,

ad,72,55,3e,3d,ca,41,c1,25,a3,b9,ad,d0,26,dd,f7,7d,cd,db,91,3f,8f,e1,e4,6a,\

"rkeysecu"=hex:21,88,c3,b1,34,34,4f,9d,01,5a,70,bc,63,3b,f8,e5

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2336)

c:\windows\system32\WININET.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\RTHDCPL.EXE

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\NVIDIA Corporation\nTune\nTuneService.exe

c:\program files\HP\Digital Imaging\bin\hpqimzone.exe

c:\windows\system32\nvsvc32.exe

c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe

c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\windows\system32\wscntfy.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe

.

**************************************************************************

.

Completion time: 2009-12-28 09:06:26 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-28 14:06

Pre-Run: 448,799,899,648 bytes free

Post-Run: 449,318,260,736 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3C4CC2C4EAAF5C22EF031D8002EA2D16

DDS Log File 1:

DDS (Ver_09-12-01.01) - NTFSx86

Run by David M. Shamberger at 1:45:45.20 on Mon 12/28/2009

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2121 [GMT -5:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe

C:\WINDOWS\system32\nvraidservice.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Nike+ Utility\Nike+ Utility.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe

C:\Documents and Settings\David M. Shamberger\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080428

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080428

uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll

uRun: [NVIDIA nTune] c:\program files\nvidia corporation\ntune\nTuneCmd.exe resetprofile

uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [<NO NAME>]

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"

mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"

mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

StartupFolder: c:\docume~1\davidm~1.sha\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nike_u~1.lnk - c:\program files\nike+ utility\Nike+ Utility.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258146697828

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\davidm~1.sha\applic~1\mozilla\firefox\profiles\3wfwt1cn.default\

FF - plugin: c:\program files\echospin\npesProxy.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2009-11-13 15172]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2007-11-8 345696]

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2007-11-8 923216]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-11-8 36368]

R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2007-11-8 566872]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-13 38224]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-11-8 280392]

=============== Created Last 30 ================

2009-12-06 16:26:57 0 d-sh--w- c:\documents and settings\david m. shamberger\IECompatCache

2009-11-28 17:29:54 0 d-----w- C:\MDT

==================== Find3M ====================

2009-12-20 23:25:30 51068 ---ha-w- c:\windows\system32\mlfcache.dat

2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-13 21:05:11 117151 ----a-w- c:\windows\hpoins11.dat

2009-11-13 10:00:31 15172 ----a-w- c:\windows\system32\drivers\PzWDM.sys

2009-11-13 09:07:45 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2009-11-13 09:07:44 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll

2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys

2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll

2009-10-02 04:44:07 92160 ------w- c:\windows\system32\dllcache\iecompat.dll

============= FINISH: 1:46:20.03 ===============

DDS Log File 2:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 11/13/2009 3:27:54 AM

System Uptime: 12/28/2009 1:38:52 AM (0 hours ago)

Motherboard: Dell Inc | | 0PP150

Processor: Intel Pentium III Xeon processor | Socket 775 | 3166/1333mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 462 GiB total, 415.689 GiB free.

D: is FIXED (NTFS) - 466 GiB total, 391.606 GiB free.

E: is CDROM ()

F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 11/13/2009 3:27:56 AM - System Checkpoint

RP2: 11/13/2009 3:29:20 AM - Removed Google Toolbar for Internet Explorer

RP3: 11/13/2009 3:41:21 AM - Software Distribution Service 3.0

RP4: 11/13/2009 3:42:12 AM - Software Distribution Service 3.0

RP5: 11/13/2009 3:50:45 AM - Software Distribution Service 3.0

RP6: 11/13/2009 4:05:12 AM - Software Distribution Service 3.0

RP7: 11/13/2009 4:15:31 AM - Installed Windows XP WgaNotify.

RP8: 11/13/2009 4:17:24 AM - Software Distribution Service 3.0

RP9: 11/13/2009 4:21:02 AM - Post SP 3 Installation

RP10: 11/13/2009 4:32:06 AM - Installed iTunes

RP11: 11/13/2009 4:35:22 AM - Installed Music Rescue.

RP12: 11/13/2009 4:56:55 AM - Removed Music Rescue.

RP13: 11/13/2009 4:57:17 AM - Installed Music Rescue.

RP14: 11/13/2009 3:27:00 PM - Post iTunes Recovery

RP15: 11/13/2009 4:00:45 PM - Installed HPSU306Stub

RP16: 11/13/2009 4:08:10 PM - Installed Microsoft Office Home and Student 2007

RP17: 11/13/2009 4:10:41 PM - Printer Driver Send To Microsoft OneNote Driver Installed

RP18: 11/13/2009 4:18:13 PM - Software Distribution Service 3.0

RP19: 11/13/2009 4:24:09 PM - Printer Driver Microsoft XPS Document Writer Installed

RP20: 11/13/2009 4:41:22 PM - Software Distribution Service 3.0

RP21: 11/13/2009 6:10:18 PM - Software Distribution Service 3.0

RP22: 11/13/2009 7:11:17 PM - Installed Windows XP KB915800-v4.

RP23: 11/13/2009 7:11:28 PM - Installed Windows XP Windows Search 4.0.

RP24: 11/14/2009 3:00:13 AM - Software Distribution Service 3.0

RP25: 11/14/2009 4:34:25 PM - Removed HPSU306Stub

RP26: 11/14/2009 4:46:20 PM - Installed WinZip 14.0

RP27: 11/14/2009 5:01:46 PM - Installed Seagate Manager Installer

RP28: 11/14/2009 5:03:59 PM - Installed Seagate Manager Installer

RP29: 11/15/2009 3:00:12 AM - Software Distribution Service 3.0

RP30: 11/16/2009 5:35:16 AM - System Checkpoint

RP31: 11/17/2009 5:43:22 AM - System Checkpoint

RP32: 11/18/2009 11:03:22 PM - System Checkpoint

RP33: 11/19/2009 9:23:05 PM - Installed Nike+ Utility.

RP34: 11/20/2009 11:12:54 PM - System Checkpoint

RP35: 11/21/2009 9:41:30 AM - Installed Command & Conquer


Hello Shammy5150 and welcome to MalwareBytes' forums.

STOP self-medicating and running utilities on your own, most especially tools like Combofix, which require expert guidance.

Set Windows to show all files and all folders.

On your Desktop, double-click My Computer; from the menu options, select Tools, then Folder Options, then select the VIEW tab and look at all of the settings listed.

CHECK (turn on) Display the contents of system folders.

Under Hidden files and folders, select Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next, un-check Hide protected operating system files.

=

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

=

Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

=

See this topic in the AumHa Security forum and get the latest Java run-time

http://aumha.net/viewtopic.php?f=26&t=42611

=

Using Internet Explorer browser only, go to ESET Online Scanner website:

Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Look at the contents of this file using Notepad or Wordpad.

The Frequently Asked Questions for ESET Online Scanner can be viewed here

http://www.eset.com/onlinescan/cac4.php?page=faq

  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
    Otherwise the scan will take twice as long to do:
    every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
    (And promptly re-enable it when finished.)
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

=

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Reply with a copy of the Gmer log,

the ESET online scan log,

Checkup.txt,

and tell me, how is your system now?

There will be more to do later.

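The Folder Options steps the helper gives above are GUI toggles over a handful of registry values that Explorer reads from the current user's hive. The script below is an added example (not part of the helper's post or any tool named in the thread) that sets the same four settings and reads them back; the value names are the ones Explorer uses, and the mapping of "Display the contents of system folders" to `WebViewBarricade` is assumed for Windows XP.

```powershell
# Added example: apply the helper's Folder Options via the registry values
# Explorer reads, then verify them. Values live under HKCU, so run this as the
# user whose Explorer view should change. Needs PowerShell 2.0 or later.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Value name -> setting that matches each instruction in the post
$wanted = @{
    Hidden           = 1   # 1 = "Show hidden files and folders" (2 = do not show)
    HideFileExt      = 0   # 0 = "Hide extensions for known file types" unchecked
    ShowSuperHidden  = 1   # 1 = "Hide protected operating system files" unchecked
    WebViewBarricade = 1   # 1 = "Display the contents of system folders" (assumed XP name)
}

function Get-HiddenFileView {
    # Return the current value of each setting, or $null if it has never been set
    $current = @{}
    foreach ($name in $wanted.Keys) {
        $item = Get-ItemProperty -Path $advanced -Name $name -ErrorAction SilentlyContinue
        $current[$name] = if ($null -ne $item) { $item.$name } else { $null }
    }
    return $current
}

function Set-HiddenFileView {
    # Write every value as a REG_DWORD; Set-ItemProperty creates missing values
    foreach ($name in $wanted.Keys) {
        Set-ItemProperty -Path $advanced -Name $name -Value $wanted[$name] -Type DWord
    }
}

function Test-HiddenFileView {
    # Compare what is stored against what the instructions ask for
    $current = Get-HiddenFileView
    $bad = @($wanted.Keys | Where-Object { $current[$_] -ne $wanted[$_] })
    if ($bad.Count -gt 0) {
        Write-Warning ("Not set as requested: " + ($bad -join ', '))
        return $false
    }
    return $true
}

Set-HiddenFileView
# Explorer picks the new values up when a window is (re)opened; open a fresh
# window or restart explorer.exe to see the change.
Test-HiddenFileView
```

These settings only change what Explorer chooses to display; a rootkit that filters directory listings hides its files regardless of them, which is why the helper follows this step with GMER rather than relying on Explorer.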