
Redirect issue



Hello and thank you.

I cannot post a Gmer log as it has frozen my computer and will not scan...

Attached are the DDS logs and I also have a defogger log in case you are interested...

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4450

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/20/2010 8:34:52 AM

mbam-log-2010-08-20 (08-34-52).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 251265

Time elapsed: 1 hour(s), 7 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000078.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

Thanks again.

KB


krisblack:

Download ComboFix from one of the following locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: Recovery Console installed message]

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please include the following in your next post:

  • ComboFix log


ComboFix 10-08-24.0C - Brad Blackburn 08/26/2010 7:35.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.430 [GMT -4:00]

Running from: c:\documents and settings\Brad Blackburn\Desktop\ComboFix.exe

AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\4ed6bfa

c:\documents and settings\All Users\Application Data\4ed6bfa\64.mof

c:\documents and settings\All Users\Application Data\4ed6bfa\BackUp\Digital Line Detect.lnk

c:\documents and settings\All Users\Application Data\4ed6bfa\BackUp\HP Digital Imaging Monitor.lnk

c:\documents and settings\All Users\Application Data\4ed6bfa\BackUp\Kodak EasyShare software.lnk

c:\documents and settings\All Users\Application Data\4ed6bfa\MSE.ico

c:\documents and settings\All Users\Application Data\4ed6bfa\MSESys\vd952342.bd

c:\documents and settings\Brad Blackburn\Local Settings\Application Data\Windows Server

c:\documents and settings\Brad Blackburn\Local Settings\Application Data\Windows Server\flags.ini

c:\documents and settings\Brad Blackburn\Local Settings\Application Data\Windows Server\server.dat

c:\documents and settings\Brad Blackburn\Local Settings\Application Data\Windows Server\uses32.dat

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

c:\windows\explorer.exe . . . is infected!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MYWEBSEARCHSERVICE

((((((((((((((((((((((((( Files Created from 2010-07-26 to 2010-08-26 )))))))))))))))))))))))))))))))

.

2010-08-20 19:55 . 2004-08-04 10:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll

2010-08-20 19:55 . 2004-08-04 10:00 185344 ----a-w- c:\windows\system32\dllcache\thawbrkr.dll

2010-08-20 19:55 . 2004-08-04 10:00 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll

2010-08-20 19:55 . 2004-08-04 10:00 10752 ----a-w- c:\windows\system32\c_iscii.dll

2010-08-20 19:55 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\kbdusa.dll

2010-08-20 19:55 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\dllcache\kbdusa.dll

2010-08-20 19:54 . 2004-08-04 10:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll

2010-08-20 19:54 . 2004-08-04 10:00 6144 ----a-w- c:\windows\system32\dllcache\ftlx041e.dll

2010-08-19 22:15 . 2010-08-19 22:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData

2010-08-19 21:53 . 2010-08-19 21:53 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-08-18 21:13 . 2010-08-18 21:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-08-18 21:10 . 2010-08-18 21:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-08-15 19:22 . 2010-08-19 23:53 -------- d-----w- c:\documents and settings\Brad Blackburn\Local Settings\Application Data\nqbkexyya

2010-07-29 11:48 . 2010-07-29 11:48 -------- d-sh--w- c:\documents and settings\Brad Blackburn\IECompatCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-26 10:28 . 2010-03-14 13:02 -------- d-----w- c:\documents and settings\Brad Blackburn\Application Data\HPAppData

2010-08-20 20:32 . 2006-05-12 22:29 91576 ----a-w- c:\documents and settings\Brad Blackburn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-19 22:42 . 2009-08-27 00:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-15 15:27 . 2010-03-18 00:47 -------- d-----w- c:\documents and settings\Trey\Application Data\HPAppData

2010-07-27 12:37 . 2006-07-30 01:35 -------- d-----w- c:\documents and settings\Brad Blackburn\Application Data\Apple Computer

2010-07-22 19:45 . 2010-06-20 11:27 27630760 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUPDATER\msgup1000_1270_us_u1.exe

2010-07-07 12:27 . 2010-07-07 12:26 -------- d-----w- c:\program files\iTunes

2010-07-07 12:27 . 2010-07-07 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-07-07 12:27 . 2006-07-30 01:33 -------- d-----w- c:\program files\iPod

2010-07-07 12:26 . 2007-10-17 22:49 -------- d-----w- c:\program files\Common Files\Apple

2010-07-07 12:20 . 2009-12-27 21:13 -------- d-----w- c:\program files\QuickTime

2010-07-07 12:12 . 2010-07-07 12:12 -------- d-----w- c:\program files\Bonjour

2010-07-07 12:05 . 2010-07-07 12:05 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

2010-06-30 12:31 . 2004-08-11 22:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2004-08-11 22:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2006-05-09 04:58 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2004-08-11 22:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-15 00:23 . 2010-06-19 06:18 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUPDATER\yupdater.exe

2010-06-14 14:31 . 2004-08-11 22:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-11 22:00 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-05-28 19:00 . 2010-05-28 19:00 503808 ----a-w- c:\documents and settings\Brad Blackburn\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-479a121e-n\msvcp71.dll

2010-05-28 19:00 . 2010-05-28 19:00 348160 ----a-w- c:\documents and settings\Brad Blackburn\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-479a121e-n\msvcr71.dll

2010-05-28 19:00 . 2010-05-28 19:00 499712 ----a-w- c:\documents and settings\Brad Blackburn\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-479a121e-n\jmc.dll

2009-08-27 19:02 . 2009-08-27 19:02 18291 ----a-w- c:\program files\Common Files\ipev.sys

2009-08-27 19:02 . 2009-08-27 19:02 10796 ----a-w- c:\program files\Common Files\umamunih.scr

2006-08-20 22:35 . 2006-05-12 22:28 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

------- Sigcheck -------

[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe

[-] 2008-04-14 . 1928C472AD4009C81BAD3198C3536AD6 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe

[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\winlogon.exe

[-] 2008-04-14 . 99143E239B6460360A668619805D9FEB . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe

[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\ERDNT\cache\explorer.exe

[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe

c:\windows\System32\drivers\beep.sys ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 176201]

"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 8192]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-09 26112]

"Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]

"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]

"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2009-08-06 647520]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-20 149280]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-9 24576]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe [2007-9-19 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare Software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58156:TCP"= 58156:TCP:Pando Media Booster

"58156:UDP"= 58156:UDP:Pando Media Booster

R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 5:36 PM 205328]

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 5:36 PM 290889]

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 5:36 PM 585792]

R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 5:36 PM 36368]

R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 5:36 PM 262215]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/16/2008 1:35 PM 24652]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe [8/11/2004 6:00 PM 5120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPService REG_MULTI_SZ HPSLPSVC

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-08-26 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:6522

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: facebook.com\login

Trusted Zone: musicmatch.com\online

DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab

.

- - - - ORPHANS REMOVED - - - -

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-26 07:50

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3660)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe

c:\program files\Windows Live\Family Safety\fsssvc.exe

c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\msiexec.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\TRENDM~1\INTERN~1\PccGuide.exe

c:\windows\system32\MsiExec.exe

.

**************************************************************************

.

Completion time: 2010-08-26 07:55:09 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-26 11:55

Pre-Run: 60,316,389,376 bytes free

Post-Run: 60,929,929,216 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 925F0EF0EB9C3B47020165338B763794

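As an added example (not part of this thread, of ComboFix or of DDS), a small Python triage script that recomputes two things a helper reads off a log like the one above: Sigcheck records whose MD5 differs from the ServicePackFiles copy of the same file name and version, and an Internet Settings ProxyServer entry pointing at the loopback address. Treating only the ServicePackFiles\i386 copy as the trusted reference is an assumption; the sample lines are quoted from the posted log.

```python
"""Triage helper for ComboFix-style log text (added example, not ComboFix code).

  * Sigcheck: flag a copy of a system binary whose MD5 differs from the copy
    with the same file name and version string under ServicePackFiles\\i386.
    ComboFix prints "[-]" for unknown and "[7]" for known-good hashes; here
    the verdict is recomputed from the hashes instead of trusted.
  * Supplementary Scan: flag a ProxyServer value that points at the local
    machine, which routes every browser request through a local process and
    is a common cause of search-result redirects.
"""
import re

# One Sigcheck record, e.g.
# [7] 2008-04-14 . <md5> . 507904 . . [5.1.2600.5512] . . c:\windows\...\winlogon.exe
SIGCHECK_RE = re.compile(
    r"^\[(?P<mark>[^\]]*)\]\s+\d{4}-\d{2}-\d{2}\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+)$"
)
# DDS/ComboFix line such as "uInternet Settings,ProxyServer = http=127.0.0.1:6522"
PROXY_RE = re.compile(r"^[A-Za-z]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")

# Assumption: only the ServicePackFiles copy counts as the trusted reference.
REFERENCE_MARKER = "\\servicepackfiles\\i386\\"


def parse_sigcheck(lines):
    """Yield (path, version, md5, is_reference) for every Sigcheck record."""
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if m:
            path = m.group("path").strip()
            yield path, m.group("ver"), m.group("md5").upper(), REFERENCE_MARKER in path.lower()


def find_sigcheck_mismatches(lines):
    """Return [(path, md5, reference_md5)] for copies whose hash differs from the
    ServicePackFiles copy with the same file name and version string.
    Copies with no same-version reference get no verdict and are not listed."""
    references = {}   # (basename, version) -> md5 of the pristine copy
    candidates = []
    for path, ver, md5, is_ref in parse_sigcheck(lines):
        key = (path.rsplit("\\", 1)[-1].lower(), ver)
        if is_ref:
            references[key] = md5
        else:
            candidates.append((key, path, md5))
    return [(path, md5, references[key])
            for key, path, md5 in candidates
            if key in references and references[key] != md5]


def find_loopback_proxies(lines):
    """Return [(scheme, host, port)] for ProxyServer entries pointing at the local
    machine.  Accepts 'host:port', 'scheme=host:port' and ';'-separated lists;
    port is None when the entry carries none."""
    findings = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        for entry in m.group("value").split(";"):
            entry = entry.strip()
            if not entry:
                continue
            scheme, _, hostport = entry.rpartition("=")
            host, _, port = hostport.rpartition(":") if ":" in hostport else (hostport, "", "")
            if host.lower() == "localhost" or host.startswith("127."):
                findings.append((scheme or "all", host, int(port) if port.isdigit() else None))
    return findings


# Lines quoted from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
------- Sigcheck -------
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . 1928C472AD4009C81BAD3198C3536AD6 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2008-04-14 . 99143E239B6460360A668619805D9FEB . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
------- Supplementary Scan -------
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
""".splitlines()


if __name__ == "__main__":
    for path, md5, ref in find_sigcheck_mismatches(SAMPLE_LOG):
        print(f"MODIFIED  {path}\n    on disk   {md5}\n    reference {ref}")
    for scheme, host, port in find_loopback_proxies(SAMPLE_LOG):
        print(f"LOOPBACK PROXY  {scheme} -> {host}:{port}")
```

On the sample it reports the two binaries ComboFix also flagged (system32\winlogon.exe and c:\windows\explorer.exe) and the 127.0.0.1:6522 proxy; the hotfix-version explorer.exe copies have no same-version reference and so get no verdict.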

krisblack:

Go to My Computer-> Tools-> Folder Options-> View tab:

  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck- Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)

Please go to one of the below sites to scan the following files:

virscan.org

Virus Total

Click on Browse, and upload the following file for analysis:

c:\program files\Common Files\ipev.sys

c:\program files\Common Files\umamunih.scr

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If it says already scanned -- click "reanalyze now"

Please post the results in your next reply.

Please include the following in your next post:

  • File analysis results


Hi RP,

I have more problems; it looks like you were correct about Security Suite not being entirely gone. I cannot log in to my computer without logging in under safe mode. I ran Malwarebytes and it detected 32 corrupted files...

Here is the ipev.

VirSCAN.org Scanned Report :

Scanned time : 2010/08/28 05:05:15 (CST)

Scanner results: Scanners did not find malware!

File Name : ipev.sys

File Size : 18291 byte

File Type : data

MD5 : 373c9de8491dea9f2b8f7fc2bd519b71

SHA1 : b4d99d43b6215cedebfcffd06e0318193e9e8994

Online report : http://virscan.org/report/bb947a6bac2a9194...4c02c721d1.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result

a-squared 5.0.0.19 20100827080832 2010-08-27 5.03 -

AhnLab V3 2010.08.28.00 2010.08.28 2010-08-28 1.52 -

AntiVir 8.2.4.46 7.10.11.42 2010-08-27 0.26 -

Antiy 2.0.18 20100828.5002820 2010-08-28 0.12 -

Arcavir 2009 201006281601 2010-06-28 0.01 -

Authentium 5.1.1 201008270228 2010-08-27 1.25 -

AVAST! 4.7.4 100827-1 2010-08-27 0.01 -

AVG 8.5.793 271.1.1/3097 2010-08-27 0.27 -

BitDefender 7.90123.6277549 7.33593 2010-08-28 4.43 -

ClamAV 0.96.1 11722 2010-08-27 0.01 -

Comodo 4.0 5880 2010-08-27 1.15 -

CP Secure 1.3.0.5 2010.08.28 2010-08-28 0.01 -

Dr.Web 5.0.2.3300 2010.08.28 2010-08-28 8.93 -

F-Prot 4.4.4.56 20100826 2010-08-26 1.25 -

F-Secure 7.02.73807 2010.08.27.08 2010-08-27 5.31 -

Fortinet 4.1.143 12.285 2010-08-27 0.23 -

GData 21.735/21.287 20100827 2010-08-27 8.16 -

ViRobot 20100827 2010.08.27 2010-08-27 0.37 -

Ikarus T3. 2010.08.27.76617 2010-08-27 4.61 -

JiangMin 13.0.900 2010.08.27 2010-08-27 1.39 -

Kaspersky 5.5.10 2010.08.27 2010-08-27 0.03 -

KingSoft 2009.2.5.15 2010.8.27.18 2010-08-27 0.71 -

McAfee 5400.1158 6087 2010-08-27 17.99 -

Microsoft 1.6103 2010.08.27 2010-08-27 5.54 -

Norman 6.05.11 6.05.00 2010-08-27 8.01 -

Panda 9.05.01 2010.08.27 2010-08-27 2.55 -

Trend Micro 9.120-1004 7.416.08 2010-08-27 0.03 -

Quick Heal 11.00 2010.08.27 2010-08-27 2.18 -

Rising 20.0 22.62.04.04 2010-08-27 0.22 -

Sophos 3.10.0 4.56 2010-08-28 4.26 -

Sunbelt 3.9.2432.2 6802 2010-08-27 13.94 -

Symantec 1.3.0.24 20100827.003 2010-08-27 0.22 -

nProtect 20100825.02 8957401 2010-08-25 9.10 -

The Hacker 6.5.2.1 v00356 2010-08-25 0.36 -

VBA32 3.12.14.0 20100827.0614 2010-08-27 3.01 -

VirusBuster 4.5.11.10 10.127.68/2038242 2010-08-27 2.35 -

Here's the umamunih:

VirSCAN.org Scanned Report :

Scanned time : 2010/08/28 05:10:05 (CST)

Scanner results: Scanners did not find malware!

File Name : umamunih.scr

File Size : 10796 byte

File Type : MPEG sequence

MD5 : 6aa3183d335682835b23a0ac9d37f690

SHA1 : 83e94eedf76ad7c515c20a8c0e97606a0cbe7eed

Online report : http://virscan.org/report/7181b685142734bf...a4ca7bb032.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result

a-squared 5.0.0.19 20100827080832 2010-08-27 4.96 -

AhnLab V3 2010.08.28.00 2010.08.28 2010-08-28 1.52 -

AntiVir 8.2.4.46 7.10.11.42 2010-08-27 0.26 -

Antiy 2.0.18 20100828.5002820 2010-08-28 0.12 -

Arcavir 2009 201006281601 2010-06-28 0.00 -

Authentium 5.1.1 201008270228 2010-08-27 1.26 -

AVAST! 4.7.4 100827-1 2010-08-27 0.00 -

AVG 8.5.793 271.1.1/3097 2010-08-27 0.22 -

BitDefender 7.90123.6277549 7.33593 2010-08-28 4.50 -

ClamAV 0.96.1 11722 2010-08-27 0.01 -

Comodo 4.0 5880 2010-08-27 1.15 -

CP Secure 1.3.0.5 2010.08.28 2010-08-28 0.01 -

Dr.Web 5.0.2.3300 2010.08.28 2010-08-28 8.93 -

F-Prot 4.4.4.56 20100826 2010-08-26 1.27 -

F-Secure 7.02.73807 2010.08.27.08 2010-08-27 0.06 -

Fortinet 4.1.143 12.285 2010-08-27 0.14 -

GData 21.736/21.287 20100827 2010-08-27 7.28 -

ViRobot 20100827 2010.08.27 2010-08-27 0.38 -

Ikarus T3. 2010.08.27.76617 2010-08-27 4.62 -

JiangMin 13.0.900 2010.08.27 2010-08-27 1.49 -

Kaspersky 5.5.10 2010.08.27 2010-08-27 0.03 -

KingSoft 2009.2.5.15 2010.8.27.18 2010-08-27 0.77 -

McAfee 5400.1158 6087 2010-08-27 17.91 -

Microsoft 1.6103 2010.08.27 2010-08-27 5.48 -

Norman 6.05.11 6.05.00 2010-08-27 8.01 -

Panda 9.05.01 2010.08.27 2010-08-27 2.27 -

Trend Micro 9.120-1004 7.416.08 2010-08-27 0.02 -

Quick Heal 11.00 2010.08.27 2010-08-27 2.29 -

Rising 20.0 22.62.04.04 2010-08-27 0.23 -

Sophos 3.10.0 4.56 2010-08-28 4.20 -

Sunbelt 3.9.2432.2 6802 2010-08-27 10.52 -

Symantec 1.3.0.24 20100827.003 2010-08-27 0.04 -

nProtect 20100825.02 8957401 2010-08-25 9.00 -

The Hacker 6.5.2.1 v00356 2010-08-25 0.34 -

VBA32 3.12.14.0 20100827.0614 2010-08-27 2.97 -

VirusBuster 4.5.11.10 10.127.68/2038242 2010-08-27 2.34 -

I will complete a malwarebytes scan and post log as well....

Thanks for all of your help.

Kris


Hi kris,

Please don't run any more scans that I don't ask for - I know you are trying to be helpful, but it makes my work more difficult. Look these instructions over carefully and ask any questions you have before you get started:

We need to rename a file, then use the Recovery Console to replace an infected file:

1. Open Notepad

2. Copy and paste the content of the following codebox into Notepad:

@echo off
copy /y c:\windows\ServicePackFiles\i386\explorer.exe c:\
del %0

3. Save the file to your DESKTOP as "fix.bat". Make sure to save it with the quotes.

4. Double click fix.bat to run it. A small black box should open and close - this is normal.

Print out these instructions to use while in the Recovery Console:

1. Restart your computer.

2. Before Windows loads, you will be prompted to choose which Operating System to start.

3. Use the up and down arrow keys to select Microsoft Windows Recovery Console.

4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.

5. At the C:\Windows prompt, type the following bolded entries, one at a time and press 'Enter' after each line. (refer to the quote box under the commands for the location of the spaces which are very important):

ren explorer.exe explorer.old

copy c:\explorer.exe

exit

ren<space>explorer.exe<space>explorer.old

copy<space>c:\explorer.exe

You should see a message '1 file copied'. If you did not see that message, try again and ensure there is a space after the word copy and another space between the file paths.

If you do not see 1 file copied on the screen, even after ensuring the commands are correct, rename the file back to its original name by typing the following command then hitting Enter.

ren explorer.old explorer.exe

ren<space>explorer.old<space>explorer.exe

You should NOT be prompted to overwrite an existing file, but if you are, select No then type exit to restart and notify me of your results.

6. Type exit and press 'Enter'. Your computer should reboot.

Open Notepad: go to Start> All Programs> Accessories> Notepad (this will only work with Notepad). Copy all the text inside the codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before or above Folder::

Folder::
c:\documents and settings\Brad Blackburn\Local Settings\Application Data\nqbkexyya
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
FCopy::
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:

  • ComboFix log


Dear RP,

I ran the CFScript, combofix ran and rebooted. Just before it was going to give me my log I got the blue screen. The one that shuts down everything. Then I tried to log back on. I have no internet; my connection with Verizon FiOS has completely disappeared on that computer. I am using my work laptop to communicate, and it is wireless so the router is working, but not on my desktop computer. I tried to use Verizon in home manager and all it did was reboot my computer 5 times in a row. I tried to start in safe mode with networking and still could not connect to the internet.

Thanks,

Kris


Kris,

If your network icon appears on the Windows taskbar, then you can repair it by right-clicking on the icon and selecting Repair.

If you have no task bar icon do this:

  • Click on the Start button.
  • Click on the Settings menu option.
  • Click on the Control Panel option.
  • When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.
  • You will now see a list of available network connections. Locate the connection for your Wireless or Lan adapter and right-click on it.
  • Click on the Repair menu option.

Let the repair process perform its tasks and when it has finished, your Internet connection should be working again.

If that doesn't work - try the following:

  • Go to Start > Control Panel, and choose Network Connections.
  • Right click on your default connection, usually Local Area Connection for cable and DSL or Dial-up Connection if you are using Dial-up, and choose Properties.
  • Click the Networking tab
  • Double-click on the Internet Protocol (TCP/IP) item.
  • Write down the settings in case you should need to change them back.
  • Select the radio button that says "Obtain DNS servers automatically".
  • Click OK twice to get out of the properties screen and restart your computer.
  • If not prompted to reboot go ahead and reboot manually.

In I.E.

  • Check internet options settings.
  • Tools > Internet Options > Connections
  • LAN settings
  • Choose "automatically detect settings"
  • uncheck both proxy settings boxes

In FireFox

  • Click on Advanced -> Network -> Settings

Try this, Kristen:

Follow these steps to use the reset command to reset your winsock:

  • To open a command prompt, click Start and then click Run. Copy and paste (or type) the following command in the Open box and then press ENTER:
    cmd
  • At the command prompt, copy and paste (or type) the following command and then press ENTER:
    netsh winsock reset
  • Reboot the computer.


Actually, I left for work this morning and when I got back, I got on the computer and tried the internet and google (my homepage) popped right up? Verizon has this In-home Agent, I think it automatically runs if it detects something wrong. Anyhow, my internet is working and from what I can see, I don't have security suite on my computer. However, I am still being redirected from the google links... Awaiting further instructions maestro :)


Finally! :) Here's the combo log...

ComboFix 10-09-01.02 - Brad Blackburn 09/01/2010 17:13:31.5.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.493 [GMT -4:00]

Running from: c:\documents and settings\Brad Blackburn\Desktop\ComboFix.exe

AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\documents and settings\Brad Blackburn\Application Data\82D4E59D3A386D290951C552DB7710B2\enemies-names.txt

c:\documents and settings\Brad Blackburn\Application Data\82D4E59D3A386D290951C552DB7710B2\local.ini

c:\documents and settings\Brad Blackburn\Application Data\82D4E59D3A386D290951C552DB7710B2\lsrslt.ini

c:\documents and settings\Brad Blackburn\Application Data\vbdueoyvf\htjpuhkshdw.exe

c:\documents and settings\Brad Blackburn\Local Settings\Application Data\{D111DF8B-9B51-4F4C-9194-7716C4FE72D8}\chrome.manifest

c:\documents and settings\Brad Blackburn\Local Settings\Application Data\{D111DF8B-9B51-4F4C-9194-7716C4FE72D8}\chrome\content\_cfg.js

c:\documents and settings\Brad Blackburn\Local Settings\Application Data\{D111DF8B-9B51-4F4C-9194-7716C4FE72D8}\chrome\content\overlay.xul

c:\documents and settings\Brad Blackburn\Local Settings\Application Data\{D111DF8B-9B51-4F4C-9194-7716C4FE72D8}\install.rdf

c:\documents and settings\Brad Blackburn\Local Settings\Application Data\vbdueoyvf\htjpuhkshdw.exe

c:\documents and settings\Brad Blackburn\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk

c:\documents and settings\Brad Blackburn\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk

c:\documents and settings\NetworkService\Local Settings\Application Data\lqvpukaku\jymwuhyshdw.exe

C:\explorer.exe

c:\program files\Mozilla Firefox\searchplugins\google_search.xml

c:\windows\htjpuhkshdw.exe

-- Previous Run --

Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected

Restored copy from - Kitty had a snack ;)

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected

Restored copy from - Kitty had a snack :)

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

--------

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Legacy_IAS

-------\Service_ndisrd

-------\Service_Ndisrd

((((((((((((((((((((((((( Files Created from 2010-08-01 to 2010-09-01 )))))))))))))))))))))))))))))))

.

2010-08-31 12:01 . 2010-08-31 12:01 -------- d-----w- c:\windows\7BDD664276D649F791576100E5C75B97.TMP

2010-08-27 22:20 . 2010-08-27 22:20 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-27 19:22 . 2010-08-27 19:22 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys

2010-08-26 23:38 . 2010-08-26 23:38 120 ----a-w- c:\windows\Inutecilu.dat

2010-08-26 23:38 . 2010-08-26 23:38 0 ----a-w- c:\windows\Qnepodoruvo.bin

2010-08-26 23:37 . 2010-08-26 23:36 194048 ----a-w- c:\windows\Xnuwib.exe

2010-08-26 23:36 . 2010-09-01 22:23 785408 ----a-w- c:\windows\system32\drivers\newxl.sys

2010-08-26 23:36 . 2010-08-26 23:36 194048 ----a-w- c:\windows\Xnuwia.exe

2010-08-26 23:36 . 2010-08-28 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

2010-08-26 23:36 . 2010-08-26 23:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-08-20 19:55 . 2004-08-04 10:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll

2010-08-20 19:55 . 2004-08-04 10:00 185344 ----a-w- c:\windows\system32\dllcache\thawbrkr.dll

2010-08-20 19:55 . 2004-08-04 10:00 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll

2010-08-20 19:55 . 2004-08-04 10:00 10752 ----a-w- c:\windows\system32\c_iscii.dll

2010-08-20 19:55 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\kbdusa.dll

2010-08-20 19:55 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\dllcache\kbdusa.dll

2010-08-20 19:54 . 2004-08-04 10:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll

2010-08-20 19:54 . 2004-08-04 10:00 6144 ----a-w- c:\windows\system32\dllcache\ftlx041e.dll

2010-08-19 22:15 . 2010-08-19 22:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData

2010-08-19 21:53 . 2010-08-19 21:53 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-08-18 21:13 . 2010-08-18 21:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-08-18 21:10 . 2010-08-18 21:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-01 21:09 . 2010-03-14 13:02 -------- d-----w- c:\documents and settings\Brad Blackburn\Application Data\HPAppData

2010-08-20 20:32 . 2006-05-12 22:29 91576 ----a-w- c:\documents and settings\Brad Blackburn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-19 22:42 . 2009-08-27 00:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-15 15:27 . 2010-03-18 00:47 -------- d-----w- c:\documents and settings\Trey\Application Data\HPAppData

2010-07-27 12:37 . 2006-07-30 01:35 -------- d-----w- c:\documents and settings\Brad Blackburn\Application Data\Apple Computer

2010-07-22 19:45 . 2010-06-20 11:27 27630760 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUPDATER\msgup1000_1270_us_u1.exe

2010-07-07 12:27 . 2010-07-07 12:26 -------- d-----w- c:\program files\iTunes

2010-07-07 12:27 . 2010-07-07 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-07-07 12:27 . 2006-07-30 01:33 -------- d-----w- c:\program files\iPod

2010-07-07 12:26 . 2007-10-17 22:49 -------- d-----w- c:\program files\Common Files\Apple

2010-07-07 12:20 . 2009-12-27 21:13 -------- d-----w- c:\program files\QuickTime

2010-07-07 12:12 . 2010-07-07 12:12 -------- d-----w- c:\program files\Bonjour

2010-07-07 12:05 . 2010-07-07 12:05 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

2010-06-30 12:31 . 2004-08-11 22:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2004-08-11 22:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2006-05-09 04:58 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2004-08-11 22:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-15 00:23 . 2010-06-19 06:18 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUPDATER\yupdater.exe

2010-06-14 14:31 . 2004-08-11 22:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-11 22:00 1172480 ----a-w- c:\windows\system32\msxml3.dll

2009-08-27 19:02 . 2009-08-27 19:02 18291 ----a-w- c:\program files\Common Files\ipev.sys

2009-08-27 19:02 . 2009-08-27 19:02 10796 ----a-w- c:\program files\Common Files\umamunih.scr

2006-08-20 22:35 . 2006-05-12 22:28 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 176201]

"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 8192]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-09 26112]

"Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]

"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]

"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2009-08-06 647520]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-20 149280]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-9 24576]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe [2007-9-19 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare Software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58156:TCP"= 58156:TCP:Pando Media Booster

"58156:UDP"= 58156:UDP:Pando Media Booster

R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 5:36 PM 205328]

R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 5:36 PM 36368]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/16/2008 1:35 PM 24652]

S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 5:36 PM 290889]

S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 5:36 PM 585792]

S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 5:36 PM 262215]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe [8/11/2004 6:00 PM 5120]

--- Other Services/Drivers In Memory ---

*Deregistered* - newxl

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPService REG_MULTI_SZ HPSLPSVC

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-09-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-09-01 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = iexplore

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: facebook.com\login

Trusted Zone: musicmatch.com\online

DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-igqxkhgh - c:\windows\htjpuhkshdw.exe

HKLM-Run-igqxkhgh - c:\windows\htjpuhkshdw.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-01 18:23

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\newxl]

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(924)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe

c:\program files\Windows Live\Family Safety\fsssvc.exe

c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\wdfmgr.exe

c:\windows\stsystra.exe

c:\program files\Lexmark 4200 Series\lxbmbmon.exe

c:\progra~1\MUSICM~1\Common\COMPON~1\MMCOMP~1.EXE

c:\windows\system32\msiexec.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\MsiExec.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

.

**************************************************************************

.

Completion time: 2010-09-01 18:30:03 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-01 22:30

ComboFix2.txt 2010-08-26 11:55

Pre-Run: 60,555,952,128 bytes free

Post-Run: 60,580,208,640 bytes free

- - End Of File - - 25E88F28DA13650FC7F9C8526B823639


Kris,

That was good progress! Please do this now:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

File::
c:\windows\system32\drivers\ndisrd.sys
c:\windows\Inutecilu.dat
c:\windows\Qnepodoruvo.bin
c:\windows\Xnuwib.exe
c:\windows\system32\drivers\newxl.sys
c:\windows\Xnuwia.exe
Driver::
newxl

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:

  • ComboFix log
  • MBAM log


Combofix log:

ComboFix 10-09-01.04 - Brad Blackburn 09/02/2010 18:27:22.6.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.439 [GMT -4:00]

Running from: c:\documents and settings\Brad Blackburn\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Brad Blackburn\Desktop\CFScript.txt

AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::

"c:\windows\Inutecilu.dat"

"c:\windows\Qnepodoruvo.bin"

"c:\windows\system32\drivers\ndisrd.sys"

"c:\windows\system32\drivers\newxl.sys"

"c:\windows\Xnuwia.exe"

"c:\windows\Xnuwib.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Inutecilu.dat

c:\windows\Qnepodoruvo.bin

c:\windows\system32\drivers\ndisrd.sys

c:\windows\system32\drivers\newxl.sys

c:\windows\Xnuwia.exe

c:\windows\Xnuwib.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NEWXL

-------\Service_newxl

((((((((((((((((((((((((( Files Created from 2010-08-03 to 2010-09-03 )))))))))))))))))))))))))))))))

.

2010-08-31 12:01 . 2010-08-31 12:01 -------- d-----w- c:\windows\7BDD664276D649F791576100E5C75B97.TMP

2010-08-27 22:20 . 2010-08-27 22:20 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-26 23:36 . 2010-08-28 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

2010-08-26 23:36 . 2010-08-26 23:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-08-20 19:55 . 2004-08-04 10:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll

2010-08-20 19:55 . 2004-08-04 10:00 185344 ----a-w- c:\windows\system32\dllcache\thawbrkr.dll

2010-08-20 19:55 . 2004-08-04 10:00 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll

2010-08-20 19:55 . 2004-08-04 10:00 10752 ----a-w- c:\windows\system32\c_iscii.dll

2010-08-20 19:55 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\kbdusa.dll

2010-08-20 19:55 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\dllcache\kbdusa.dll

2010-08-20 19:54 . 2004-08-04 10:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll

2010-08-20 19:54 . 2004-08-04 10:00 6144 ----a-w- c:\windows\system32\dllcache\ftlx041e.dll

2010-08-19 22:15 . 2010-08-19 22:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData

2010-08-19 21:53 . 2010-08-19 21:53 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-08-18 21:13 . 2010-08-18 21:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-08-18 21:10 . 2010-08-18 21:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-02 12:47 . 2010-03-14 13:02 -------- d-----w- c:\documents and settings\Brad Blackburn\Application Data\HPAppData

2010-08-20 20:32 . 2006-05-12 22:29 91576 ----a-w- c:\documents and settings\Brad Blackburn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-19 22:42 . 2009-08-27 00:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-15 15:27 . 2010-03-18 00:47 -------- d-----w- c:\documents and settings\Trey\Application Data\HPAppData

2010-07-27 12:37 . 2006-07-30 01:35 -------- d-----w- c:\documents and settings\Brad Blackburn\Application Data\Apple Computer

2010-07-22 19:45 . 2010-06-20 11:27 27630760 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUPDATER\msgup1000_1270_us_u1.exe

2010-07-07 12:27 . 2010-07-07 12:26 -------- d-----w- c:\program files\iTunes

2010-07-07 12:27 . 2010-07-07 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-07-07 12:27 . 2006-07-30 01:33 -------- d-----w- c:\program files\iPod

2010-07-07 12:26 . 2007-10-17 22:49 -------- d-----w- c:\program files\Common Files\Apple

2010-07-07 12:20 . 2009-12-27 21:13 -------- d-----w- c:\program files\QuickTime

2010-07-07 12:12 . 2010-07-07 12:12 -------- d-----w- c:\program files\Bonjour

2010-07-07 12:05 . 2010-07-07 12:05 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

2010-06-30 12:31 . 2004-08-11 22:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2004-08-11 22:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2006-05-09 04:58 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2004-08-11 22:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-15 00:23 . 2010-06-19 06:18 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUPDATER\yupdater.exe

2010-06-14 14:31 . 2004-08-11 22:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-11 22:00 1172480 ----a-w- c:\windows\system32\msxml3.dll

2009-08-27 19:02 . 2009-08-27 19:02 18291 ----a-w- c:\program files\Common Files\ipev.sys

2009-08-27 19:02 . 2009-08-27 19:02 10796 ----a-w- c:\program files\Common Files\umamunih.scr

2006-08-20 22:35 . 2006-05-12 22:28 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-08-26_11.48.50 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-09-03 00:43 . 2010-09-03 00:43 16384 c:\windows\temp\Perflib_Perfdata_684.dat

+ 2009-11-21 19:38 . 2010-08-26 23:36 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-11-21 19:38 . 2009-11-21 19:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2006-05-12 22:07 . 2010-08-26 23:36 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2006-05-12 22:07 . 2009-11-21 19:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2005-08-23 00:00 . 2005-08-23 00:00 127488 c:\windows\system32\spool\prtprocs\w32x86\o7931a.dll

+ 2006-05-09 05:22 . 2008-04-13 16:39 142592 c:\windows\system32\dllcache\aec.sys

+ 2010-08-26 23:36 . 2010-08-28 13:34 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 176201]

"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 8192]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-09 26112]

"Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]

"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]

"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2009-08-06 647520]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-20 149280]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-9 24576]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe [2007-9-19 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare Software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58156:TCP"= 58156:TCP:Pando Media Booster

"58156:UDP"= 58156:UDP:Pando Media Booster

R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 5:36 PM 205328]

R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 5:36 PM 36368]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/16/2008 1:35 PM 24652]

S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 5:36 PM 290889]

S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 5:36 PM 585792]

S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 5:36 PM 262215]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe [8/11/2004 6:00 PM 5120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPService REG_MULTI_SZ HPSLPSVC

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-09-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-09-02 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = iexplore

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: facebook.com\login

Trusted Zone: musicmatch.com\online

DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-02 20:51

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2000)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe

c:\program files\Windows Live\Family Safety\fsssvc.exe

c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\wdfmgr.exe

c:\windows\system32\msiexec.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\MsiExec.exe

c:\windows\stsystra.exe

c:\program files\Lexmark 4200 Series\lxbmbmon.exe

c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe

c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

.

**************************************************************************

.

Completion time: 2010-09-02 20:51:23 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-03 00:51

ComboFix2.txt 2010-09-01 22:30

ComboFix3.txt 2010-08-26 11:55

Pre-Run: 60,444,114,944 bytes free

Post-Run: 60,500,766,720 bytes free

- - End Of File - - E62155F0AA3CC781AC8C0809759F77DB

mbam coming right up!


mbam:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4450

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/3/2010 5:45:24 PM

mbam-log-2010-09-03 (17-45-24).txt

Scan type: Full scan (C:\|)

Objects scanned: 244383

Time elapsed: 40 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0006544.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0006545.exe (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0006546.sys (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0006770.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Kris,

Looking better! Please do this now:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java 6 Update 17 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - Leave BOTH Checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files Window.

Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Temporary Files Window.
  • Click OK to leave the Java Control Panel.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

Please include the following in your next post:

  • Kaspersky log
