Ramnit.B virus and google redirect


Hi - I am trying to get rid of this darn Ramnit.B virus but it also looks like I have a few other things. I tried following your posted directions but my GMER Rootkit scanner kept crashing. I was able to save some of it so it is attached. Many thanks for all your help!

DDS (Ver_10-03-17.01) - NTFSx86

Run by Roberta Keating at 13:26:11.71 on Sat 08/07/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2102 [GMT -4:00]

AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}

FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\nvraidservice.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe

C:\Program Files\Citrix\ICA Client\concentr.exe

C:\Program Files\Citrix\ICA Client\wfcrun32.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

c:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe -k bthsvcs

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\system32\Pen_Tablet.exe

C:\WINDOWS\system32\WTablet\TabUserW.exe

C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe

C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\system32\Pen_Tablet.exe

C:\Program Files\Microsoft Windows OneCare Live\winss.exe

c:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\Roberta Keating\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Roberta Keating\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Roberta Keating\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Roberta Keating\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Roberta Keating\My Documents\Downloads\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www2.niddk.nih.gov/

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: PDFCreator Toolbar Helper: {c451c08a-ec37-45df-aaad-18b51ab5e837} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\documents and settings\roberta keating\start menu\programs\startup\wwwxbv32.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://mt202.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab

DPF: {03A89EFD-E023-A000-A22D-45F77558EB4C} - hxxps://content10.ilinc.com/download/AXCltInstall.dll

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robert~1\applic~1\mozilla\firefox\profiles\52jaeou1.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.niddk.nih.gov

FF - plugin: c:\documents and settings\roberta keating\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPCltInstall.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-11-2 304464]

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2010-2-5 26120]

R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-9-1 3032360]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-11-2 20952]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-2 38224]

R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2008-11-29 53168]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664]

S3 STVqx5;Digital Blue QX5 Microscope;c:\windows\system32\drivers\stvqx5.sys [2009-11-5 64512]

S3 STVqx5m;Digital Blue QX5 Microscopem;c:\windows\system32\drivers\stvqx5m.sys [2009-11-5 6144]

S3 ZD1211BU(Hawking);Hawking Hi-Gain Wireless-G USB Dish Adapter(Hawking);c:\windows\system32\drivers\zd1211bu.sys [2009-8-2 402432]

=============== Created Last 30 ================

2010-08-07 16:31:25 0 ----a-w- c:\documents and settings\roberta keating\defogger_reenable

2010-08-07 12:24:26 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-08-07 07:18:28 0 d-----w- C:\System32

2010-08-06 19:51:01 0 d-----w- c:\program files\Microsoft

2010-08-01 02:35:17 0 d-----w- c:\program files\Trend Micro

2010-08-01 02:34:16 6153352 ----a-w- C:\mbam-setup(2).exe

2010-08-01 02:34:16 1402880 ----a-w- C:\HiJackThis.msi

2010-07-24 16:16:37 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys

2010-07-24 16:16:37 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys

2010-07-24 16:16:36 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys

2010-07-24 16:16:36 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys

2010-07-24 16:16:36 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys

2010-07-24 16:16:36 8192 ----a-w- c:\windows\system32\drivers\changer.sys

2010-07-24 16:16:31 100 --s-a-w- c:\windows\system32\3724999554.dat

2010-07-14 02:47:51 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-06-15 01:28:33 72080 ----a-w- c:\documents and settings\roberta keating\g2mdlhlpx.exe

2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe

2008-09-04 00:59:46 14290 ----a-w- c:\program files\settings.dat

2009-11-02 08:16:01 0 --sha-w- c:\windows\sminst\HPCD.sys

2008-03-27 06:06:52 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

2008-09-14 12:20:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080908\index.dat

2008-09-14 12:20:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat

============= FINISH: 13:28:39.39 ===============


Thank you so much for your help. When you say disable my security programs, do you mean things like Windows Live OneCare and Malwarebytes? I downloaded the Rootkit Unhooker program but it seems to be stalled... I was afraid to turn off either of the two aforementioned programs.

Thanks again!!!


That took a little longer than I expected :)

Here is the content of the report:

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #2

==============================================

>Drivers

==============================================

0xB9098000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 6868992 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 163.91 )

0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 5787648 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 163.91 )

0xB6507000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4792320 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)

0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2150400 bytes

0x804D7000 RAW 2150400 bytes

0x804D7000 WMIxWDM 2150400 bytes

0xBF800000 Win32k 1851392 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xB9DDC000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xB62BA000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xB8FCE000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xB63EC000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xB5230000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)

0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xB40F9000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xB638C000 C:\WINDOWS\system32\DRIVERS\tcpip6.sys 229376 bytes (Microsoft Corporation, IPv6 driver)

0xB902C000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)

0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xB543F000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xB9DAF000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xB3BF0000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)

0xB632A000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xB973F000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)

0xB63C4000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)

0xB6294000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0xB64E3000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xB978A000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xB9767000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xB9F00000 nvrd32.sys 143360 bytes (NVIDIA Corporation, NVIDIA


Great, thanks. Now we can get started:

Download ComboFix from one of the following locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please include the following in your next post:

  • ComboFix log


Here is the combofix log:

ComboFix 10-08-07.01 - Roberta Keating 08/07/2010 23:15:32.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.1820 [GMT -4:00]

Running from: c:\documents and settings\Roberta Keating\My Documents\Downloads\ComboFix.exe

AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}

FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Roberta Keating\g2mdlhlpx.exe

c:\documents and settings\Roberta Keating\Start Menu\Programs\Startup\wwwxbv32.exe

C:\Thumbs.db

c:\windows\system32\3724999554.dat

c:\windows\system32\images

c:\windows\system32\images\toolbar\calendar.gif

c:\windows\system32\images\toolbar\crlogo.gif

c:\windows\system32\images\toolbar\export.gif

c:\windows\system32\images\toolbar\export_over.gif

c:\windows\system32\images\toolbar\exportd.gif

c:\windows\system32\images\toolbar\First.gif

c:\windows\system32\images\toolbar\first_over.gif

c:\windows\system32\images\toolbar\Firstd.gif

c:\windows\system32\images\toolbar\gotopage.gif

c:\windows\system32\images\toolbar\gotopage_over.gif

c:\windows\system32\images\toolbar\gotopaged.gif

c:\windows\system32\images\toolbar\grouptree.gif

c:\windows\system32\images\toolbar\grouptree_over.gif

c:\windows\system32\images\toolbar\grouptreed.gif

c:\windows\system32\images\toolbar\grouptreepressed.gif

c:\windows\system32\images\toolbar\Last.gif

c:\windows\system32\images\toolbar\last_over.gif

c:\windows\system32\images\toolbar\Lastd.gif

c:\windows\system32\images\toolbar\Next.gif

c:\windows\system32\images\toolbar\next_over.gif

c:\windows\system32\images\toolbar\Nextd.gif

c:\windows\system32\images\toolbar\Prev.gif

c:\windows\system32\images\toolbar\prev_over.gif

c:\windows\system32\images\toolbar\Prevd.gif

c:\windows\system32\images\toolbar\print.gif

c:\windows\system32\images\toolbar\print_over.gif

c:\windows\system32\images\toolbar\printd.gif

c:\windows\system32\images\toolbar\Refresh.gif

c:\windows\system32\images\toolbar\refresh_over.gif

c:\windows\system32\images\toolbar\refreshd.gif

c:\windows\system32\images\toolbar\Search.gif

c:\windows\system32\images\toolbar\search_over.gif

c:\windows\system32\images\toolbar\searchd.gif

c:\windows\system32\images\toolbar\up.gif

c:\windows\system32\images\toolbar\up_over.gif

c:\windows\system32\images\toolbar\upd.gif

c:\windows\system32\images\tree\begindots.gif

c:\windows\system32\images\tree\beginminus.gif

c:\windows\system32\images\tree\beginplus.gif

c:\windows\system32\images\tree\blank.gif

c:\windows\system32\images\tree\blankdots.gif

c:\windows\system32\images\tree\dots.gif

c:\windows\system32\images\tree\lastdots.gif

c:\windows\system32\images\tree\lastminus.gif

c:\windows\system32\images\tree\lastplus.gif

c:\windows\system32\images\tree\Magnify.gif

c:\windows\system32\images\tree\minus.gif

c:\windows\system32\images\tree\minusbox.gif

c:\windows\system32\images\tree\plus.gif

c:\windows\system32\images\tree\plusbox.gif

c:\windows\system32\images\tree\singleminus.gif

c:\windows\system32\images\tree\singleplus.gif

D:\Autorun.inf

K:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2010-07-08 to 2010-08-08 )))))))))))))))))))))))))))))))

.

2010-08-07 12:24 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-08-07 07:18 . 2010-08-07 07:18 -------- d-----w- C:\System32

2010-08-06 19:51 . 2010-08-08 01:50 -------- d-----w- c:\program files\Microsoft

2010-08-01 02:35 . 2010-08-01 02:35 -------- d-----w- c:\program files\Trend Micro

2010-08-01 02:34 . 2010-08-01 02:31 6153352 ----a-w- C:\mbam-setup(2).exe

2010-08-01 02:34 . 2010-07-21 03:22 1402880 ----a-w- C:\HiJackThis.msi

2010-07-24 16:16 . 2008-04-13 18:40 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys

2010-07-24 16:16 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys

2010-07-24 16:16 . 2008-04-13 18:41 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys

2010-07-24 16:16 . 2008-04-13 18:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys

2010-07-24 16:16 . 2008-04-13 18:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys

2010-07-24 16:16 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys

2010-07-17 18:33 . 2010-08-07 13:51 -------- d-----w- c:\program files\Notepad++

2010-07-17 18:33 . 2010-07-17 18:35 -------- d-----w- c:\documents and settings\Roberta Keating\Application Data\Notepad++

2010-07-14 02:47 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-08 03:23 . 2008-09-01 22:57 -------- d-----w- c:\documents and settings\Roberta Keating\Application Data\WTablet

2010-08-08 03:21 . 2008-09-02 07:08 12 ----a-w- c:\windows\bthservsdp.dat

2010-08-08 01:19 . 2008-11-30 00:03 -------- d-----w- c:\program files\Microsoft Windows OneCare Live

2010-08-07 22:52 . 2008-03-27 07:52 -------- d-----w- c:\program files\Common Files\Adobe

2010-08-07 20:10 . 2010-05-01 11:45 -------- d-----w- c:\program files\QuickTime

2010-08-07 15:12 . 2008-03-27 07:59 -------- d-----w- c:\program files\Common Files\LightScribe

2010-08-07 15:12 . 2009-07-02 01:33 -------- d-----w- c:\program files\gs

2010-08-07 15:12 . 2008-03-27 05:45 -------- d-----w- c:\program files\Windows Journal Viewer

2010-08-07 11:44 . 2009-11-02 07:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-07 02:42 . 2008-09-01 22:19 -------- d-----w- c:\program files\Common Files\Macromedia

2010-08-07 02:42 . 2008-09-22 13:21 -------- d-----w- c:\program files\Trillian

2010-08-07 00:28 . 2009-06-13 06:25 -------- d-----w- c:\program files\Crayon Physics Deluxe

2010-08-06 21:52 . 2008-11-30 21:05 -------- d-----w- c:\program files\Macromedia2

2010-08-06 21:38 . 2008-09-01 22:19 -------- d-----w- c:\program files\Macromedia

2010-08-06 21:38 . 2008-12-16 15:34 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0

2010-08-06 21:37 . 2008-09-01 22:51 -------- d-----w- c:\program files\OpenOffice.org 2.4

2010-08-06 21:37 . 2008-12-16 15:43 -------- d-----w- c:\program files\Windows Mobile 5.0 SDK R2

2010-08-01 00:59 . 2008-09-01 23:05 -------- d-----w- c:\documents and settings\Roberta Keating\Application Data\OpenOffice.org2

2010-07-25 15:04 . 2008-07-09 02:00 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Ycset

2010-07-24 16:17 . 2009-10-03 05:07 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Kauq

2010-07-24 16:16 . 2010-07-24 16:16 20 ----a-w- c:\documents and settings\NetworkService\Application Data\vdnxlf.dat

2010-07-14 07:01 . 2008-03-27 06:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-06-27 10:23 . 2010-06-27 10:21 -------- d-----w- c:\program files\iTunes

2010-06-27 10:21 . 2010-06-27 10:21 -------- d-----w- c:\program files\iPod

2010-06-27 10:21 . 2008-09-01 23:16 -------- d-----w- c:\program files\Common Files\Apple

2010-06-27 10:17 . 2010-06-27 10:17 -------- d-----w- c:\program files\Bonjour

2010-06-27 10:15 . 2008-09-14 14:39 -------- d-----w- c:\program files\Safari

2010-06-15 01:29 . 2008-09-08 11:41 -------- d-----w- c:\program files\Citrix

2010-06-14 14:31 . 2008-04-29 17:29 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-11 07:27 . 2008-12-18 08:07 -------- d-----w- c:\documents and settings\NetworkService\Application Data\WTablet

2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe

2008-09-04 00:59 . 2008-09-04 00:59 14290 ----a-w- c:\program files\settings.dat

2009-09-13 04:05 . 2009-09-13 04:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll

2009-09-13 04:06 . 2009-09-13 04:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2009-09-13 04:06 . 2009-09-13 04:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2009-09-13 04:06 . 2009-09-13 04:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2009-09-13 04:06 . 2009-09-13 04:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2009-09-13 04:07 . 2009-09-13 04:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2009-09-13 04:06 . 2009-09-13 04:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2009-09-13 04:06 . 2009-09-13 04:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2009-08-14 18:33 . 2009-08-14 18:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2009-09-13 04:06 . 2009-09-13 04:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

2009-11-02 08:16 . 2009-11-02 08:16 0 --sha-w- c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-05 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2007-12-01 188448]

"nwiz"="nwiz.exe" [2007-11-28 1626112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-28 81920]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-06-15 47408]

"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-05 65256]

"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-28 8491008]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-07 421888]

"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2010-08-07 856064]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Tablet\\DevInst.exe"=

"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 7:13 PM 65584]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/2/2009 3:51 AM 304464]

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2/5/2010 5:19 PM 26120]

R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [9/1/2008 6:56 PM 3032360]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/2/2009 3:51 AM 20952]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 9:31 AM 135664]

S3 STVqx5;Digital Blue QX5 Microscope;c:\windows\system32\drivers\stvqx5.sys [11/5/2009 3:45 PM 64512]

S3 STVqx5m;Digital Blue QX5 Microscopem;c:\windows\system32\drivers\stvqx5m.sys [11/5/2009 3:45 PM 6144]

S3 ZD1211BU(Hawking);Hawking Hi-Gain Wireless-G USB Dish Adapter(Hawking);c:\windows\system32\drivers\zd1211bu.sys [8/2/2009 2:39 PM 402432]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2007-05-16 07:08 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2010-08-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 13:31]

2010-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 13:31]

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3848956415-1319698344-2513304466-1004Core.job

- c:\documents and settings\Roberta Keating\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-10 22:05]

2010-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3848956415-1319698344-2513304466-1004UA.job

- c:\documents and settings\Roberta Keating\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-10 22:05]

2010-08-08 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-08-07 c:\windows\Tasks\User_Feed_Synchronization-{A6C465BB-1231-4018-A8B3-409EDCCED387}.job

- c:\windows\system32\msfeedssync.exe [2006-10-18 02:58]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www2.niddk.nih.gov/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: google.com\mail

Trusted Zone: mbamupdates.com\data-cdn

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://mt202.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab

DPF: {03A89EFD-E023-A000-A22D-45F77558EB4C} - hxxps://content10.ilinc.com/download/AXCltInstall.dll

FF - ProfilePath - c:\documents and settings\Roberta Keating\Application Data\Mozilla\Firefox\Profiles\52jaeou1.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.niddk.nih.gov

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

FF - plugin: c:\documents and settings\Roberta Keating\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCltInstall.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-07 23:25

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(236)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe

c:\program files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\windows\system32\Tablet.exe

c:\windows\system32\WTablet\TabUserW.exe

c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe

c:\windows\system32\Tablet.exe

c:\program files\Microsoft Windows OneCare Live\winss.exe

c:\windows\system32\WTablet\Pen_TabletUser.exe

c:\windows\system32\RUNDLL32.EXE

c:\windows\system32\rundll32.exe

c:\program files\Citrix\ICA Client\wfcrun32.exe

c:\program files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-08-07 23:33:39 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-08 03:33

Pre-Run: 161,122,123,776 bytes free

Post-Run: 161,605,464,064 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F23A623C09835C8D5716151E850F79F5


robbliss,

That's fine. Please run these for me next (there is no need to disable your security apps this time):

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    c:\windows\system32\config\systemprofile\Application Data\Ycset
    c:\windows\system32\config\systemprofile\Application Data\Kauq


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:

  • SystemLook log
  • MBAM log


Hi,

See the SystemLook log file below. Unfortunately one of my problems is that I cannot update the current db for Malwarebytes. I get an MBAM_ERROR_UPDATEING (12007,0,winhttpsendrequest) error. I followed some instructions on the forum for placing exceptions in my firewall for this db file but it is still not working. Any suggestions?

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 10:07 on 08/08/2010 by Roberta Keating (Administrator - Elevation successful)

========== dir ==========

c:\windows\system32\config\systemprofile\Application Data\Ycset - Parameters: "(none)"

---Files---

None found.


robbliss,

I'll come back to MBAM; please move on to these instructions for now:

Double-click SystemLook.exe to run it.

  • Copy the content of the following codebox into the main textfield:
    :dir
    c:\windows\system32\config\systemprofile\Application Data\Kauq


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 21. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - leave BOTH checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on the Delete Temporary Files window.
      Note: This deletes ALL the downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files window.
    • Click OK to leave the Java Control Panel.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

Please include the following in your next post:

  • SystemLook log
  • Kaspersky log


Wow, that took a long time. Are you still hanging in there with me :)

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 14:00 on 08/08/2010 by Roberta Keating (Administrator - Elevation successful)

========== dir ==========

c:\windows\system32\config\systemprofile\Application Data\Kauq - Parameters: "(none)"

---Files---

elag.aka --a--- 230536 bytes [05:07 03/10/2009] [06:33 25/07/2010]

elag.tmp --a--- 0 bytes [05:07 03/10/2009] [05:07 03/10/2009]

---Folders---

None found.

-=End Of File=-

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Sunday, August 8, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Sunday, August 08, 2010 14:07:13

Records in database: 4131422

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

G:\

H:\

I:\

J:\

K:\

Scan statistics:

Objects scanned: 420734

Threats found: 2

Infected objects found: 1

Suspicious objects found: 61

Scan duration: 02:23:14

File name / Threat / Threats count

C:\138d4ea21742696ecdb98a9c\i386\filterpipelineprintproc.dll Suspicious: Type_Win32 1

C:\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\adobeisf.dll Suspicious: Type_Win32 1

C:\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\Adobelmsvc Installer.dll Suspicious: Type_Win32 1

C:\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\AdobeUpdater.dll Suspicious: Type_Win32 1

C:\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\asn.er.dll Suspicious: Type_Win32 1

C:\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\asneu.dll Suspicious: Type_Win32 1

C:\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\epic_eula.dll Suspicious: Type_Win32 1

C:\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\epic_pers.dll Suspicious: Type_Win32 1

C:\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\epic_regs.dll Suspicious: Type_Win32 1

C:\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\eularesen_US.dll Suspicious: Type_Win32 1

C:\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\msvcr71.dll Suspicious: Type_Win32 1

C:\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\persresen_US.dll Suspicious: Type_Win32 1

C:\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\regsresen_US.dll Suspicious: Type_Win32 1

C:\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\upgradecomponent.dll Suspicious: Type_Win32 1

C:\Documents and Settings\Administrator\Local Settings\Application Data\Seven Zip\Codecs\7zAes.dll Suspicious: Type_Win32 1

C:\Documents and Settings\Administrator\Local Settings\Application Data\Seven Zip\Formats\7z.dll Suspicious: Type_Win32 1

C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{3BD5B505-0B5F-4E4F-AEE2-DA38957AA539}-11.exe Infected: Trojan-Spy.Win32.Zbot.aluf 1

C:\Documents and Settings\All Users\Documents\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\adobeisf.dll Suspicious: Type_Win32 1

C:\Documents and Settings\All Users\Documents\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\Adobelmsvc Installer.dll Suspicious: Type_Win32 1

C:\Documents and Settings\All Users\Documents\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\AdobeUpdater.dll Suspicious: Type_Win32 1

C:\Documents and Settings\All Users\Documents\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\asn.er.dll Suspicious: Type_Win32 1

C:\Documents and Settings\All Users\Documents\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\asneu.dll Suspicious: Type_Win32 1

C:\Documents and Settings\All Users\Documents\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\epic_eula.dll Suspicious: Type_Win32 1

C:\Documents and Settings\All Users\Documents\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\epic_pers.dll Suspicious: Type_Win32 1

C:\Documents and Settings\All Users\Documents\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\epic_regs.dll Suspicious: Type_Win32 1

C:\Documents and Settings\All Users\Documents\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\eularesen_US.dll Suspicious: Type_Win32 1

C:\Documents and Settings\All Users\Documents\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\msvcr71.dll Suspicious: Type_Win32 1

C:\Documents and Settings\All Users\Documents\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\persresen_US.dll Suspicious: Type_Win32 1

C:\Documents and Settings\All Users\Documents\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\regsresen_US.dll Suspicious: Type_Win32 1

C:\Documents and Settings\All Users\Documents\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\upgradecomponent.dll Suspicious: Type_Win32 1

C:\Documents and Settings\Default User\Local Settings\Application Data\Seven Zip\Codecs\7zAes.dll Suspicious: Type_Win32 1

C:\Documents and Settings\Default User\Local Settings\Application Data\Seven Zip\Formats\7z.dll Suspicious: Type_Win32 1

C:\Documents and Settings\Roberta Keating\Application Data\Macromedia\Flash MX\Configuration\Importers\AIImport.dll Suspicious: Type_Win32 1

C:\Documents and Settings\Roberta Keating\My Documents\My Pictures\Desktop\RA_software\putty.exe Suspicious: Type_Win32 1

C:\Documents and Settings\Roberta Keating\My Documents\My Pictures\My Documents\umbc\IS668\putty.exe Suspicious: Type_Win32 1

C:\EPSON\epson12204_twain_driver_and_epson_scan_utility_304a\escanex.dll Suspicious: Type_Win32 1

C:\EPSON\epson12204_twain_driver_and_epson_scan_utility_304a\LIB\0407\sures.dll Suspicious: Type_Win32 1

C:\EPSON\epson12204_twain_driver_and_epson_scan_utility_304a\LIB\0409\sures.dll Suspicious: Type_Win32 1

C:\EPSON\epson12204_twain_driver_and_epson_scan_utility_304a\LIB\040c\sures.dll Suspicious: Type_Win32 1

C:\EPSON\epson12204_twain_driver_and_epson_scan_utility_304a\LIB\0410\sures.dll Suspicious: Type_Win32 1

C:\EPSON\epson12204_twain_driver_and_epson_scan_utility_304a\LIB\0413\sures.dll Suspicious: Type_Win32 1

C:\EPSON\epson12204_twain_driver_and_epson_scan_utility_304a\LIB\0419\sures.dll Suspicious: Type_Win32 1

C:\EPSON\epson12204_twain_driver_and_epson_scan_utility_304a\LIB\0809\sures.dll Suspicious: Type_Win32 1

C:\EPSON\epson12204_twain_driver_and_epson_scan_utility_304a\LIB\0816\sures.dll Suspicious: Type_Win32 1

C:\EPSON\epson12204_twain_driver_and_epson_scan_utility_304a\LIB\0c0a\sures.dll Suspicious: Type_Win32 1

C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\msvcr80.dll Suspicious: Type_Win32 1

C:\NETTraining\6x0_files.exe Suspicious: Type_Win32 1

C:\Powerspec\Drivers\Audio\ChCfg.exe Suspicious: Type_Win32 1

C:\Powerspec\Drivers\Audio\RtlExUpd.dll Suspicious: Type_Win32 1

C:\Powerspec\Drivers\Audio\SetCDfmt.exe Suspicious: Type_Win32 1

C:\Powerspec\Drivers\Audio\WDM\Alcmtr.exe Suspicious: Type_Win32 1

C:\Powerspec\Drivers\Audio\WDM\RTCOMDLL.dll Suspicious: Type_Win32 1

C:\Powerspec\Drivers\Audio\WDM\RtlCPAPI.dll Suspicious: Type_Win32 1

C:\Powerspec\Drivers\Audio\WDM\SoundMan.exe Suspicious: Type_Win32 1

C:\Powerspec\Drivers\Chipset\Ethernet\fdco1.dll Suspicious: Type_Win32 1

C:\Powerspec\Drivers\Chipset\Ethernet\nvconrm.dll Suspicious: Type_Win32 1

C:\Powerspec\Drivers\Chipset\IDE\WinXP\sataraid\idecoi.dll Suspicious: Type_Win32 1

C:\Powerspec\Drivers\Chipset\IDE\WinXP\sataraid\nvraidco.dll Suspicious: Type_Win32 1

C:\Powerspec\Drivers\Chipset\IDE\WinXP\sata_ide\idecoi.dll Suspicious: Type_Win32 1

C:\Powerspec\Drivers\Chipset\SMU\nvcosmu.dll Suspicious: Type_Win32 1

C:\Powerspec\Drivers\Wireless\CoInstaller.dll Suspicious: Type_Win32 1

C:\Powerspec\Drivers\Wireless\RaInst.exe Suspicious: Type_Win32 1

Selected area has been scanned.

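The report above, triaged with a short parser. This is an added example and is not part of the thread or of Kaspersky's tooling: it separates the single signature-confirmed "Infected" line from the heuristic "Suspicious: Type_Win32" hits, counts the heuristic hits per directory so the OEM driver and installer clusters stand out, and lists the hits that sit under a user or service profile, where Zbot-family droppers actually live. The embedded sample lines are an excerpt of the posted report (constructed input for the example, not read from disk); the grouping depth and the profile prefixes are this example's own choices.

```python
"""Triage a Kaspersky Online Scanner 7 report: confirmed infections versus
heuristic hits, with the heuristic hits grouped by directory.

Added example; not part of the original thread or of Kaspersky's tooling.
"""
import re
from collections import Counter

# Excerpt of the posted report, embedded as constructed sample input.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\138d4ea21742696ecdb98a9c\i386\filterpipelineprintproc.dll Suspicious: Type_Win32 1
C:\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\adobeisf.dll Suspicious: Type_Win32 1
C:\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\msvcr71.dll Suspicious: Type_Win32 1
C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{3BD5B505-0B5F-4E4F-AEE2-DA38957AA539}-11.exe Infected: Trojan-Spy.Win32.Zbot.aluf 1
C:\Documents and Settings\Roberta Keating\My Documents\My Pictures\Desktop\RA_software\putty.exe Suspicious: Type_Win32 1
C:\Powerspec\Drivers\Audio\WDM\RtlCPAPI.dll Suspicious: Type_Win32 1
C:\Powerspec\Drivers\Wireless\RaInst.exe Suspicious: Type_Win32 1
Selected area has been scanned.
"""

# One result line is "<path> <Verdict>: <name> <count>".  Paths contain
# spaces, so anchor on the verdict keyword rather than splitting on whitespace.
_LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<name>\S+)\s+(?P<count>\d+)\s*$"
)

# Profile locations where a heuristic hit deserves hashing rather than dismissal
# (prefixes chosen for this example; lower-case for case-insensitive matching).
PROFILE_PREFIXES = (
    "c:\\documents and settings\\",
    "c:\\windows\\system32\\config\\systemprofile\\",
)


def parse_report(text):
    """Return one dict {path, verdict, name, count} per hit line; header,
    footer and blank lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            hits.append({
                "path": m.group("path"),
                "verdict": m.group("verdict"),
                "name": m.group("name"),
                "count": int(m.group("count")),
            })
    return hits


def infected(hits):
    """Signature-confirmed detections: the ones that need action."""
    return [h for h in hits if h["verdict"] == "Infected"]


def suspicious_by_dir(hits, depth=2):
    """Count heuristic hits per directory prefix: the drive plus the first
    `depth` path components, e.g. 'C:\\Powerspec\\Drivers'."""
    counts = Counter()
    for h in hits:
        if h["verdict"] != "Suspicious":
            continue
        parts = h["path"].split("\\")
        counts["\\".join(parts[:depth + 1])] += 1
    return counts


def profile_hits(hits):
    """Hits (of either verdict) located under a user or service profile."""
    return [h for h in hits if h["path"].lower().startswith(PROFILE_PREFIXES)]


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    for h in infected(hits):
        print("INFECTED", h["name"], h["path"])
    for prefix, n in suspicious_by_dir(hits).most_common():
        print("suspicious x%d under %s" % (n, prefix))
    for h in profile_hits(hits):
        print("profile path, hash before dismissing:", h["path"])
```

On the full report the same grouping puts almost every heuristic hit under C:\Powerspec\Drivers, C:\EPSON and the two Adobe CS2 installer copies, which is what the helper's false-positive suspicion predicts, while the only "Infected" line is OneCare's own quarantine copy and the only profile-resident heuristic hits are the two putty.exe copies.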

robbliss,

I suspect that those "suspicious" detections are false positives based on behavior, but let's check a few just to be sure:

Go to My Computer-> Tools-> Folder Options-> View tab:

  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck- Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)

Please go to one of the below sites to scan the following files:

virscan.org

Virus Total

Click on Browse, and upload the following files, one at a time for analysis:

C:\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\adobeisf.dll

C:\138d4ea21742696ecdb98a9c\i386\filterpipelineprintproc.dll

C:\Documents and Settings\Administrator\Local Settings\Application Data\Seven Zip\Codecs\7zAes.dll

C:\Powerspec\Drivers\Audio\WDM\RtlCPAPI.dll

C:\Documents and Settings\Roberta Keating\My Documents\My Pictures\My Documents\umbc\IS668\putty.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If it says already scanned -- click "reanalyze now"

Please post the results in your next reply.

Please include the following in your next post:

  • File analysis results

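A scripted stand-in for the SystemLook :dir and :filefind runs in this thread and for the upload step above. This is an added example, not SystemLook's or VirusTotal's code: it lists each requested directory, describes single files, reports missing paths the way SystemLook's "No files found." does, and records a SHA-256 for every file found so the analyst can look the file up on VirusTotal by hash before deciding whether to upload it at all. It builds a throw-away directory as constructed sample data (a stand-in for the Kauq folder from the log); the hidden/system attribute bits are only populated on Windows, and the VirusTotal permalink layout is assumed from the current site, not taken from the thread.

```python
"""List, describe and hash a set of paths (SystemLook :dir / :filefind style)
so files can be checked on VirusTotal by hash instead of uploaded blindly.

Added example; not part of the original thread, SystemLook or VirusTotal.
"""
import hashlib
import os
import stat
import tempfile
import time


def sha256_of(path, chunk=1 << 16):
    """Stream the file so large executables do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def describe(path):
    """Name, size, UTC mtime, Windows hidden/system bits (0 off Windows) and hash."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)   # Windows only; 0 elsewhere
    return {
        "path": path,
        "name": os.path.basename(path),
        "size": st.st_size,
        "modified": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime)),
        "hidden": bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
        "system": bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM),
        "sha256": sha256_of(path),
    }


def triage(paths):
    """Mirror SystemLook: a directory gets every file inside it listed, a file
    gets described, and a path that does not exist is reported as missing."""
    report = {}
    for p in paths:
        if os.path.isdir(p):
            files = [describe(os.path.join(p, e)) for e in sorted(os.listdir(p))
                     if os.path.isfile(os.path.join(p, e))]
            report[p] = {"kind": "dir", "files": files}
        elif os.path.isfile(p):
            report[p] = {"kind": "file", "files": [describe(p)]}
        else:
            report[p] = {"kind": "missing", "files": []}
    return report


def vt_lookup_url(sha256):
    """Permalink for a hash on the VirusTotal web UI; nothing is uploaded.
    URL layout assumed from the current site (not from the thread)."""
    return "https://www.virustotal.com/gui/file/" + sha256


def build_sample_tree():
    """Constructed stand-in for the Kauq folder in the SystemLook log: one
    1024-byte file with an 'MZ' prefix and one empty .tmp."""
    root = tempfile.mkdtemp(prefix="kauq_")
    with open(os.path.join(root, "elag.aka"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 1022)
    open(os.path.join(root, "elag.tmp"), "wb").close()
    return root


def demo():
    """Run the triage over the constructed tree plus one path that does not
    exist; returns (root, missing_path, report)."""
    root = build_sample_tree()
    missing = root + "_missing.dll"
    return root, missing, triage([root, missing])


if __name__ == "__main__":
    root, missing, report = demo()
    for p, entry in report.items():
        if entry["kind"] == "missing":
            print(p, "- No files found.")
            continue
        for d in entry["files"]:
            print("%s %d bytes [%s] sha256=%s" % (d["name"], d["size"], d["modified"], d["sha256"]))
            print("  ", vt_lookup_url(d["sha256"]))
```

Point triage() at the five paths from the post above; any that come back "missing" reproduce the "No files found." result rather than silently skipping, and the hashes of the ones that exist can be pasted into VirusTotal's search box without sending the file anywhere.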

Do this for me:

Double-click SystemLook.exe to run it.

  • Copy the content of the following codebox into the main textfield:
    :filefind
    C:\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\adobeisf.dll
    C:\138d4ea21742696ecdb98a9c\i386\filterpipelineprintproc.dll
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Seven Zip\Codecs\7zAes.dll
    C:\Powerspec\Drivers\Audio\WDM\RtlCPAPI.dll
    C:\Documents and Settings\Roberta Keating\My Documents\My Pictures\My Documents\umbc\IS668\putty.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


weird...

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 15:19 on 08/08/2010 by Roberta Keating (Administrator - Elevation successful)

========== filefind ==========

Searching for "C:\ADOBE_CREATIVE_SUITE_CS2\Adobe Creative Suite 2.0\adobeisf.dll"

No files found.

Searching for "C:\138d4ea21742696ecdb98a9c\i386\filterpipelineprintproc.dll"

No files found.

Searching for "C:\Documents and Settings\Administrator\Local Settings\Application Data\Seven Zip\Codecs\7zAes.dll"

No files found.

Searching for "C:\Powerspec\Drivers\Audio\WDM\RtlCPAPI.dll"

No files found.

Searching for "C:\Documents and Settings\Roberta Keating\My Documents\My Pictures\My Documents\umbc\IS668\putty.exe"

No files found.

-=End Of File=-


Strange indeed. How is your computer running? Let's revisit your MBAM trouble right now (I'm operating under the assumption that it worked properly at one time):

Uninstall Malwarebytes via Control Panel > Add/Remove Programs

  • Reboot
  • Download the Malwarebytes Removal Tool
  • Double click on the utility to run it
  • It will ask to restart your computer (please allow it to).
  • After the computer restarts, install the latest version from here

Then try to update and run a Quick Scan for me.


2 weeks later...

Root Admin:

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
