
IE redirecting



I am also having a redirect problem. I read another post on this topic and am following those instructions.

Here is the DDS.txt file:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Owner at 15:17:32.67 on Mon 08/23/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.261 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\WINDOWS\System32\cisvc.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\WINDOWS\system32\svchost.exe -k HPService

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\LTMSG.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Acroprint\Attendance Rx\AttendanceRx.exe

C:\ADP\wftpd\WFTPD.EXE

C:\Program Files\Acroprint\Attendance Rx\arxterm.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\WordPerfect Office 11\Programs\QPW.exe

C:\Program Files\Reflection\r2win.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uStart Page = hxxp://yahoo.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5577

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uCustomizeSearch =

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

uWindows: load=U???

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

{6945633a-5bdd-4e44-87a2-5ef434282d52}

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: {6A048BB7-E017-4326-B207-AA996C77BBCB} - No File

TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [D-Link AirPlus Xtreme G] c:\program files\d-link\airplus xtreme g\AirPlusCFG.exe

mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup

mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe

StartupFolder: c:\docume~1\owner\startm~1\programs\startup\shortc~1.lnk - c:\adp\wftpd\WFTPD.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\attend~1.lnk - c:\program files\acroprint\attendance rx\AttendanceRx.exe

uPolicies-explorer: NoResolveTrack = 1 (0x1)

uPolicies-explorer: NoThumbnailCache = 1 (0x1)

uPolicies-explorer: link = 00000000

mPolicies-explorer: NoResolveTrack = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: motive.com\pattta.att

Trusted Zone: motive.com\patttbc.att

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204

DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} - hxxp://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB

DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab

DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} - hxxps://www.gircheckmgt.nationalcity.com/crystalreportviewers115/ActiveXControls/ActiveXViewer.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxps://www.ach.nationalcity.com/viewer/activeXViewer/activexviewer.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {FE92D9C3-4A69-4EC7-8651-1DC8531D0075} - hxxp://24.236.235.173:8080/user/TSBnwCam.CAB

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\qb2003\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxsrvc.dll

Notify: PCANotify - PCANotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: {2e39be38-5e63-4b86-a550-8396f58c2df9}: ScriptGuard

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Authentication Packages = msv1_0 relog_ap

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-8-5 304464]

R2 TSKNF501.SYS;TSKNF501.SYS;c:\windows\system32\drivers\Tsknf501.sys [2002-12-2 6464]

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2003-10-22 344800]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-8-5 20952]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\superantispyware\sabkutil.sys --> c:\program files\superantispyware\SABKUTIL.sys [?]

S2 DigicamA;DigicamA;c:\windows\system32\drivers\DigicamA.sys [2006-4-5 38400]

S2 DigicamV;DigicamV;c:\windows\system32\drivers\DigicamV.sys [2006-4-5 67072]

S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2002-2-15 114749]

S3 PCDRDRV;Pcdr CPU Helper Driver; [x]

S3 trid3d;trid3d;c:\windows\system32\drivers\trid3dm.sys [2002-3-21 144860]

S3 w89c940;Winbond W89C940 PCI Ethernet Adapter Driver;c:\windows\system32\drivers\w940nd.sys [2002-10-8 16925]

S4 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2002-2-11 33496]

=============== Created Last 30 ================

2010-07-30 16:03:56 0 d-----w- C:\stamper manuals]

==================== Find3M ====================

2005-09-10 00:55:53 7155864 ----a-w- c:\program files\NGhost10.msi

2005-09-10 00:55:53 35 ----a-w- c:\program files\SCSSDist.ini

2005-09-10 00:55:52 37766164 ----a-w- c:\program files\Data1.cab

2009-08-17 15:13:20 109 --sha-w- c:\windows\system32\1075624259.dat

2009-12-01 14:03:32 16384 --sha-w- c:\windows\system32\config\systemprofile\history\history.ie5\index.dat

2009-08-18 14:13:41 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

2009-08-04 17:56:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009080420090805\index.dat

============= FINISH: 15:20:34.18 ===============

I have attached the attach.txt file.

Here is the GMER file:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-08-23 15:48:40

Windows 5.1.2600 Service Pack 3

Running: uksnkun5.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fxldapog.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF3C04620]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\intelide.sys entry point in ".rsrc" section [0xF7CF5094]

.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF7402340, 0xFFF3F, 0xF8000020]

.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012300, 0x234A20, 0xF8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\spoolsv.exe[352] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\WINDOWS\system32\spoolsv.exe[352] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe[460] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe[460] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\WINDOWS\system32\svchost.exe[704] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\WINDOWS\system32\svchost.exe[704] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[792] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[792] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\WINDOWS\system32\winlogon.exe[1020] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\WINDOWS\system32\winlogon.exe[1020] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\WINDOWS\system32\services.exe[1068] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\WINDOWS\system32\services.exe[1068] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\WINDOWS\system32\lsass.exe[1080] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\WINDOWS\system32\lsass.exe[1080] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\WINDOWS\system32\svchost.exe[1272] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\WINDOWS\system32\svchost.exe[1272] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\WINDOWS\system32\svchost.exe[1372] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\WINDOWS\system32\svchost.exe[1372] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\WINDOWS\System32\svchost.exe[1512] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\WINDOWS\System32\svchost.exe[1512] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE[1556] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE[1556] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\WINDOWS\System32\svchost.exe[1592] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\WINDOWS\System32\svchost.exe[1592] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe[1616] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe[1616] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\WINDOWS\System32\tcpsvcs.exe[1636] C:\WINDOWS\System32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\WINDOWS\System32\tcpsvcs.exe[1636] C:\WINDOWS\System32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\WINDOWS\System32\svchost.exe[1756] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A

.text C:\WINDOWS\System32\svchost.exe[1756] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A

.text C:\WINDOWS\System32\svchost.exe[1756] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C

.text C:\WINDOWS\System32\svchost.exe[1756] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00E4000A

.text C:\WINDOWS\System32\svchost.exe[1756] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D8000A

.text C:\WINDOWS\System32\svchost.exe[1756] C:\WINDOWS\System32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\WINDOWS\System32\svchost.exe[1756] C:\WINDOWS\System32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\WINDOWS\System32\snmp.exe[1864] C:\WINDOWS\System32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\WINDOWS\System32\snmp.exe[1864] C:\WINDOWS\System32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\WINDOWS\System32\svchost.exe[2024] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\WINDOWS\System32\svchost.exe[2024] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\Program Files\Internet Explorer\iexplore.exe[2252] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A

.text C:\Program Files\Internet Explorer\iexplore.exe[2252] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A

.text C:\Program Files\Internet Explorer\iexplore.exe[2252] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C

.text C:\Program Files\Internet Explorer\iexplore.exe[2252] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2252] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2252] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2252] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2252] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2252] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2252] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2252] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2252] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2252] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2252] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2252] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2252] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2252] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2252] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\Program Files\Internet Explorer\iexplore.exe[2252] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\Program Files\Internet Explorer\iexplore.exe[2364] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A

.text C:\Program Files\Internet Explorer\iexplore.exe[2364] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A

.text C:\Program Files\Internet Explorer\iexplore.exe[2364] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C

.text C:\Program Files\Internet Explorer\iexplore.exe[2364] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2364] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2364] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2364] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2364] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2364] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2364] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2364] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2364] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2364] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\Program Files\Internet Explorer\iexplore.exe[2364] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\WINDOWS\system32\taskmgr.exe[2456] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\WINDOWS\system32\taskmgr.exe[2456] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\WINDOWS\System32\alg.exe[2536] C:\WINDOWS\System32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\WINDOWS\System32\alg.exe[2536] C:\WINDOWS\System32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\Program Files\Acroprint\Attendance Rx\AttendanceRx.exe[2676] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\Program Files\Acroprint\Attendance Rx\AttendanceRx.exe[2676] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\ADP\wftpd\WFTPD.EXE[2800] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\ADP\wftpd\WFTPD.EXE[2800] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\Program Files\Acroprint\Attendance Rx\arxterm.exe[3028] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\Program Files\Acroprint\Attendance Rx\arxterm.exe[3028] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\Program Files\Internet Explorer\iexplore.exe[3192] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A

.text C:\Program Files\Internet Explorer\iexplore.exe[3192] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A

.text C:\Program Files\Internet Explorer\iexplore.exe[3192] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C

.text C:\Program Files\Internet Explorer\iexplore.exe[3192] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3192] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3192] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3192] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3192] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3192] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3192] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3192] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3192] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3192] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3192] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3192] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3192] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3192] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3192] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\Program Files\Internet Explorer\iexplore.exe[3192] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe[3464] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe[3464] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\Program Files\Reflection\r2win.exe[3932] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\Program Files\Reflection\r2win.exe[3932] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\Program Files\Internet Explorer\iexplore.exe[4008] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A

.text C:\Program Files\Internet Explorer\iexplore.exe[4008] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A

.text C:\Program Files\Internet Explorer\iexplore.exe[4008] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C

.text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4008] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4008] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[4008] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\Program Files\Internet Explorer\iexplore.exe[4008] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

.text C:\WINDOWS\explorer.exe[4020] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A

.text C:\WINDOWS\explorer.exe[4020] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A

.text C:\WINDOWS\explorer.exe[4020] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

.text C:\WINDOWS\explorer.exe[4020] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]

.data C:\WINDOWS\explorer.exe[4020] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR

Disk \Device\Harddisk0\DR0 sector 02: copy of MBR

Disk \Device\Harddisk0\DR0 sector 03: copy of MBR

Disk \Device\Harddisk0\DR0 sector 04: copy of MBR

Disk \Device\Harddisk0\DR0 sector 05: copy of MBR

Disk \Device\Harddisk0\DR0 sector 06: copy of MBR

Disk \Device\Harddisk0\DR0 sector 07: copy of MBR

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

Disk \Device\Harddisk0\DR0 sector 09: copy of MBR

Disk \Device\Harddisk0\DR0 sector 10: copy of MBR

Disk \Device\Harddisk0\DR0 sector 11: copy of MBR

Disk \Device\Harddisk0\DR0 sector 12: copy of MBR

Disk \Device\Harddisk0\DR0 sector 13: copy of MBR

Disk \Device\Harddisk0\DR0 sector 14: copy of MBR

Disk \Device\Harddisk0\DR0 sector 15: copy of MBR

Disk \Device\Harddisk0\DR0 sector 16: copy of MBR

Disk \Device\Harddisk0\DR0 sector 17: copy of MBR

Disk \Device\Harddisk0\DR0 sector 18: copy of MBR

Disk \Device\Harddisk0\DR0 sector 19: copy of MBR

Disk \Device\Harddisk0\DR0 sector 20: copy of MBR

Disk \Device\Harddisk0\DR0 sector 21: copy of MBR

Disk \Device\Harddisk0\DR0 sector 22: copy of MBR

Disk \Device\Harddisk0\DR0 sector 23: copy of MBR

Disk \Device\Harddisk0\DR0 sector 24: copy of MBR

Disk \Device\Harddisk0\DR0 sector 25: copy of MBR

Disk \Device\Harddisk0\DR0 sector 26: copy of MBR

Disk \Device\Harddisk0\DR0 sector 27: copy of MBR

Disk \Device\Harddisk0\DR0 sector 28: copy of MBR

Disk \Device\Harddisk0\DR0 sector 29: copy of MBR

Disk \Device\Harddisk0\DR0 sector 30: copy of MBR

Disk \Device\Harddisk0\DR0 sector 31: copy of MBR

Disk \Device\Harddisk0\DR0 sector 32: copy of MBR

Disk \Device\Harddisk0\DR0 sector 33: copy of MBR

Disk \Device\Harddisk0\DR0 sector 34: copy of MBR

Disk \Device\Harddisk0\DR0 sector 35: copy of MBR

Disk \Device\Harddisk0\DR0 sector 36: copy of MBR

Disk \Device\Harddisk0\DR0 sector 37: copy of MBR

Disk \Device\Harddisk0\DR0 sector 38: copy of MBR

Disk \Device\Harddisk0\DR0 sector 39: copy of MBR

Disk \Device\Harddisk0\DR0 sector 40: copy of MBR

Disk \Device\Harddisk0\DR0 sector 41: copy of MBR

Disk \Device\Harddisk0\DR0 sector 42: copy of MBR

Disk \Device\Harddisk0\DR0 sector 43: copy of MBR

Disk \Device\Harddisk0\DR0 sector 44: copy of MBR

Disk \Device\Harddisk0\DR0 sector 45: copy of MBR

Disk \Device\Harddisk0\DR0 sector 46: copy of MBR

Disk \Device\Harddisk0\DR0 sector 47: copy of MBR

Disk \Device\Harddisk0\DR0 sector 48: copy of MBR

Disk \Device\Harddisk0\DR0 sector 49: copy of MBR

Disk \Device\Harddisk0\DR0 sector 50: copy of MBR

Disk \Device\Harddisk0\DR0 sector 51: copy of MBR

Disk \Device\Harddisk0\DR0 sector 52: copy of MBR

Disk \Device\Harddisk0\DR0 sector 53: copy of MBR

Disk \Device\Harddisk0\DR0 sector 54: copy of MBR

Disk \Device\Harddisk0\DR0 sector 55: copy of MBR

Disk \Device\Harddisk0\DR0 sector 56: copy of MBR

Disk \Device\Harddisk0\DR0 sector 57: copy of MBR

Disk \Device\Harddisk0\DR0 sector 58: copy of MBR

Disk \Device\Harddisk0\DR0 sector 59: copy of MBR

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

Disk \Device\Harddisk0\DR0 sector 61: copy of MBR

Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\intelide.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Let me know what to do.

Larry

Attach.txt

Link to post
Share on other sites

Here is the ComboFix log:

ComboFix 10-08-23.02 - Owner 08/24/2010 7:42.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.701 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix1.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\AutoPlay.exe

c:\documents and settings\Default User\Start Menu\Programs\Startup\AutoPlay.exe

c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server

c:\program files\CyberDefender

c:\program files\CyberDefender\Registry Cleaner\CDregclean.exe

C:\Thumbs.db

c:\windows\command

c:\windows\command\EXTRACT.PIF

c:\windows\patch.exe

c:\windows\system32\1075624259.dat

c:\windows\system32\bszip.dll

c:\windows\system32\CBUTTON.OCX

c:\windows\system32\images

c:\windows\system32\images\i1.gif

c:\windows\system32\images\i2.gif

c:\windows\system32\images\i3.gif

c:\windows\system32\images\j1.gif

c:\windows\system32\images\j2.gif

c:\windows\system32\images\j3.gif

c:\windows\system32\images\jj1.gif

c:\windows\system32\images\jj2.gif

c:\windows\system32\images\jj3.gif

c:\windows\system32\images\l1.gif

c:\windows\system32\images\l2.gif

c:\windows\system32\images\l3.gif

c:\windows\system32\images\pix.gif

c:\windows\system32\images\t1.gif

c:\windows\system32\images\t2.gif

c:\windows\system32\images\up1.gif

c:\windows\system32\images\up2.gif

c:\windows\system32\images\w1.gif

c:\windows\system32\images\w11.gif

c:\windows\system32\images\w2.gif

c:\windows\system32\images\w3.gif

c:\windows\system32\images\w3.jpg

c:\windows\system32\images\wt1.gif

c:\windows\system32\images\wt2.gif

c:\windows\system32\images\wt3.gif

c:\windows\winhelp.ini

Infected copy of c:\windows\system32\drivers\intelide.sys was found and disinfected

Restored copy from - Kitty had a snack ;)

c:\windows\system32\ws2_32.dll . . . is infected!!

.

((((((((((((((((((((((((( Files Created from 2010-07-24 to 2010-08-24 )))))))))))))))))))))))))))))))

.

2010-08-23 17:35 . 2010-08-23 17:36 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp

2010-08-23 17:34 . 2010-08-23 17:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Deployment

2010-08-23 15:28 . 2010-08-23 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2010-08-23 15:28 . 2010-08-23 15:28 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!

2010-07-30 16:03 . 2010-07-30 16:04 -------- d-----w- C:\stamper manuals]

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-23 17:34 . 2002-08-19 12:34 152400 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-23 15:34 . 2004-04-28 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-08-23 15:28 . 2005-10-11 12:48 -------- d-----w- c:\program files\Yahoo!

2010-08-23 15:28 . 2007-11-28 13:42 -------- d-----w- c:\program files\CCleaner

2010-08-23 15:22 . 2009-03-30 16:28 3963 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys

2010-08-23 05:10 . 2010-07-22 19:08 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-08-23 05:10 . 2010-07-22 19:08 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-08-17 10:54 . 2010-07-22 19:07 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-08-10 18:46 . 2004-12-06 19:55 -------- d-----w- c:\program files\Auction Sentry

2010-07-22 19:08 . 2010-07-22 19:08 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-07-22 19:07 . 2010-07-22 19:07 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com

2010-07-22 19:07 . 2010-07-22 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-07-21 20:03 . 2003-08-26 21:34 -------- d-----w- c:\documents and settings\Owner\Application Data\Alyfof

2010-07-15 13:17 . 2004-04-28 17:11 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-07-12 14:36 . 2009-08-05 12:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-09 19:31 . 2010-07-09 19:31 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM

2010-07-02 04:11 . 2010-07-02 04:12 496944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll

2010-07-02 04:11 . 2010-07-02 04:12 296240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlsock10.dll

2010-07-02 04:11 . 2010-07-02 04:12 267568 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll

2010-07-02 04:11 . 2010-07-02 04:12 423216 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe

2010-07-02 04:11 . 2010-07-02 04:12 791856 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblgen10.dll

2010-07-02 04:11 . 2010-07-02 04:12 570672 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll

2010-07-02 04:11 . 2010-07-02 04:12 1152304 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbtool10.dll

2010-07-02 04:11 . 2010-07-02 04:12 763184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblib10.dll

2010-07-02 04:11 . 2010-07-02 04:12 398640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbcon10.dll

2010-07-02 04:11 . 2010-07-02 04:12 2184496 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll

2010-07-02 04:11 . 2010-07-02 04:12 856880 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\dblgen11.dll

2010-07-02 04:11 . 2010-07-02 04:12 1372424 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe

2005-09-10 00:55 . 2005-12-28 15:49 7155864 ----a-w- c:\program files\NGhost10.msi

2005-09-10 00:55 . 2005-12-28 15:49 35 ----a-w- c:\program files\SCSSDist.ini

2005-09-10 00:55 . 2005-12-28 15:49 37766164 ----a-w- c:\program files\Data1.cab

.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys

[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys

[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys

[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

[-] 2008-04-14 . E30E185EBA3646BAA4819870BED42174 . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2_32.dll

[-] 2008-04-14 . E30E185EBA3646BAA4819870BED42174 . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll

[-] 2004-08-04 . F1BB7934459CC40B57ABA6C8DD82F308 . 82944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2_32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]

@="{95A27763-F62A-4114-9072-E81D87DE3B68}"

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]

2010-06-28 21:33 668816 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2010-06-28 21:33 668816 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2010-06-28 21:33 668816 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"D-Link AirPlus Xtreme G"="c:\program files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" [2003-11-04 2502656]

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]

"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2010-06-28 900240]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

Shortcut to WFTPD.lnk - c:\adp\wftpd\WFTPD.EXE [2003-2-3 326144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Attendance Rx.lnk - c:\program files\Acroprint\Attendance Rx\AttendanceRx.exe [2008-2-25 5750784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoThumbnailCache"= 1 (0x1)

"link"= 00000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2002-02-15 14:51 24638 ----a-w- c:\windows\system32\PCANotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]

LTMSG.exe 7 [X]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 21:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\ADP\\wftpd\\WFTPD.EXE"=

"c:\\Program Files\\Ositis Software\\WinProxy 5.0\\WinProxy.exe"=

"c:\\DacEasy\\pvsw\\W3DBSMGR.EXE"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=

"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=

"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=

"c:\\DacEasy13\\pvsw\\W3DBSMGR.EXE"=

"c:\\qb2003\\QBDBMgrN.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\WINDOWS\\system32\\mmlssearch.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/5/2009 8:08 AM 304464]

R2 TSKNF501.SYS;TSKNF501.SYS;c:\windows\system32\drivers\Tsknf501.sys [12/2/2002 11:57 PM 6464]

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [10/22/2003 4:27 PM 344800]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/5/2009 8:08 AM 20952]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]

S2 DigicamA;DigicamA;c:\windows\system32\drivers\DigicamA.sys [4/5/2006 12:29 PM 38400]

S2 DigicamV;DigicamV;c:\windows\system32\drivers\DigicamV.sys [4/5/2006 12:29 PM 67072]

S3 PCDRDRV;Pcdr CPU Helper Driver; [x]

S3 trid3d;trid3d;c:\windows\system32\drivers\trid3dm.sys [3/21/2002 1:35 AM 144860]

S3 w89c940;Winbond W89C940 PCI Ethernet Adapter Driver;c:\windows\system32\drivers\w940nd.sys [10/8/2002 12:22 PM 16925]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://yahoo.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5577

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uCustomizeSearch =

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: motive.com\pattta.att

Trusted Zone: motive.com\patttbc.att

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\qb2003\HelpAsyncPluggableProtocol.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} - hxxps://www.gircheckmgt.nationalcity.com/crystalreportviewers115/ActiveXControls/ActiveXViewer.cab

DPF: {FE92D9C3-4A69-4EC7-8651-1DC8531D0075} - hxxp://24.236.235.173:8080/user/TSBnwCam.CAB

.

- - - - ORPHANS REMOVED - - - -

BHO-{6945633A-5BDD-4E44-87A2-5EF434282D52} - (no file)

WebBrowser-{6A048BB7-E017-4326-B207-AA996C77BBCB} - (no file)

ShellExecuteHooks-{2E39BE38-5E63-4B86-A550-8396F58C2DF9} - (no file)

AddRemove-Convert Image_is1 - c:\program files\Softinterface

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-24 07:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1990122784-375612493-359561344-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1020)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1076)

c:\windows\system32\relog_ap.dll

.

Completion time: 2010-08-24 08:14:21

ComboFix-quarantined-files.txt 2010-08-24 12:14

Pre-Run: 38,499,794,944 bytes free

Post-Run: 38,317,289,472 bytes free

- - End Of File - - C398B875B883A8C460DAF3821E052CF7

Hello and welcome. Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I

Hi,

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    ws2_32.*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Please include the following in your next post:

  • SystemLook log


SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 14:01 on 24/08/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "ws2_32.*"

C:\I386\WS2_32.DL_ --a--- 37025 bytes [14:47 30/04/2002] [12:00 18/08/2001] 1B50E101567C3A8289DC2F16C80D717B

C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll -----c 82944 bytes [16:26 04/08/2009] [07:56 04/08/2004] F1BB7934459CC40B57ABA6C8DD82F308

C:\WINDOWS\I386\WS2_32.DL_ --a--- 37025 bytes [04:02 20/04/2002] [19:00 18/08/2001] 1B50E101567C3A8289DC2F16C80D717B

C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll --a--- 82432 bytes [07:56 04/08/2004] [00:12 14/04/2008] E30E185EBA3646BAA4819870BED42174

C:\WINDOWS\system32\ws2_32.dll --a--- 82432 bytes [16:19 10/07/2003] [00:12 14/04/2008] E30E185EBA3646BAA4819870BED42174

-=End Of File=-
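The SystemLook output above lists every ws2_32.* copy on the disk with its size, two timestamps and an MD5 digest, and the helper's next step is to restore system32\ws2_32.dll from the compressed I386 copy. As an added example (not from the thread and not part of SystemLook or ComboFix), here is a Python parser for that filefind line format and a check that compares the live system32 copy's digest against the copies Windows keeps as references (ServicePackFiles\i386 and the dllcache folder). The sample input is the page's own five result lines; which of the two bracketed timestamps is "created" and which is "modified" is an assumption in the field names. One caveat the thread itself illustrates: the live copy's MD5 here equals the ServicePackFiles copy, yet ComboFix still reported the DLL infected and GMER saw its entry point inside a writable .data section in explorer.exe, so a clean on-disk digest read through a user-mode tool is not conclusive while a modified driver such as intelide.sys may be filtering what is read. The .DL_ copies never match because they are MakeCab-compressed; they are only useful as an `expand` source.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the filefind section of the SystemLook log posted in this
# thread, copied verbatim from the page.
SYSTEMLOOK_OUTPUT = r"""
========== filefind ==========

Searching for "ws2_32.*"

C:\I386\WS2_32.DL_ --a--- 37025 bytes [14:47 30/04/2002] [12:00 18/08/2001] 1B50E101567C3A8289DC2F16C80D717B
C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll -----c 82944 bytes [16:26 04/08/2009] [07:56 04/08/2004] F1BB7934459CC40B57ABA6C8DD82F308
C:\WINDOWS\I386\WS2_32.DL_ --a--- 37025 bytes [04:02 20/04/2002] [19:00 18/08/2001] 1B50E101567C3A8289DC2F16C80D717B
C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll --a--- 82432 bytes [07:56 04/08/2004] [00:12 14/04/2008] E30E185EBA3646BAA4819870BED42174
C:\WINDOWS\system32\ws2_32.dll --a--- 82432 bytes [16:19 10/07/2003] [00:12 14/04/2008] E30E185EBA3646BAA4819870BED42174

-=End Of File=-
"""

# One result line: <path> <6 attribute flags> <size> bytes [stamp] [stamp] <MD5>
# The path may contain spaces, so it is matched non-greedily up to the flags.
LINE_RE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileHit:
    path: str
    attrs: str
    size: int
    created: str    # assumption: first bracketed stamp
    modified: str   # assumption: second bracketed stamp
    md5: str

    @property
    def compressed(self) -> bool:
        # Installation-source files ending in "_" (WS2_32.DL_) are MakeCab
        # compressed; their digest never equals the expanded DLL's digest.
        return self.path.upper().endswith("_")


def parse_filefind(text: str) -> List[FileHit]:
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], m["attrs"], int(m["size"]),
                                m["created"], m["modified"], m["md5"].upper()))
    return hits


def _parent_name(path: str) -> str:
    return ntpath.basename(ntpath.dirname(path)).lower()


def live_copy(hits: List[FileHit]) -> Optional[FileHit]:
    # The copy Windows actually loads lives directly in ...\system32
    # (not in a subfolder such as system32\dllcache).
    for h in hits:
        if _parent_name(h.path) == "system32" and not h.compressed:
            return h
    return None


def reference_copies(hits: List[FileHit]) -> List[FileHit]:
    # Known-good copies: the Windows File Protection cache (dllcache) and the
    # service pack source tree (ServicePackFiles\i386).
    return [h for h in hits if not h.compressed and
            (_parent_name(h.path) == "dllcache" or
             "\\servicepackfiles\\" in h.path.lower())]


def check_live_copy(hits: List[FileHit]) -> Dict[str, object]:
    live = live_copy(hits)
    ref_md5s = sorted({r.md5 for r in reference_copies(hits)})
    result: Dict[str, object] = {
        "live": live.path if live else None,
        "live_md5": live.md5 if live else None,
        "reference_md5s": ref_md5s,
        "expand_sources": [h.path for h in hits if h.compressed],
    }
    if live is None:
        result["status"] = "no-live-copy"
    elif not ref_md5s:
        result["status"] = "no-reference"
    elif live.md5 in ref_md5s:
        result["status"] = "match"
    else:
        result["status"] = "mismatch"
    return result


if __name__ == "__main__":
    for key, value in check_live_copy(parse_filefind(SYSTEMLOOK_OUTPUT)).items():
        print(f"{key}: {value}")
```

A "mismatch" result is the case the helper's `expand` command repairs; a "match" result, as on this machine, is only as trustworthy as the disk reads the scanning tool was allowed to see, which is why the helper also relied on GMER's in-memory observations and ComboFix's own verdict.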


Michigan Larry:

1. Click Start > Run or press the Windows Key + R, then type cmd in the run box and press "OK" to open the command prompt window.

2. Enter the following command at the prompt and press "Enter" after each one. Refer to the quote box under the commands for the location of the spaces, which are very important. After pressing "Enter" you should see a message that says, "one file(s) expanded successfully".

expand C:\I386\WS2_32.DL_ -r c:\windows\system32

expand<space>C:\I386\WS2_32.DL_<space>-r<space>c:\windows\system32

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above DDS::

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:

  • ComboFix log
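The CFScript above clears two values under the current user's Internet Settings key. In the ComboFix log earlier in the thread, ProxyServer is `http=127.0.0.1:5577`, which routes every HTTP request Internet Explorer makes through a process listening on the machine itself; a local proxy nobody installed is a common way a browser redirect is implemented, and is worth checking for whenever a DDS or ComboFix log is triaged. As an added example (not from the thread and not part of the helper's tooling), here is a Python parser for the two forms the ProxyServer value takes (a single `host:port` for all protocols, or `proto=host:port;...` per protocol) and a check that flags loopback proxies in `uInternet Settings` / `mInternet Settings` lines. The sample lines are copied from the page's ComboFix log; the corporate proxy line in the test is constructed. Treating the leading `u`/`m` as the user and machine hive follows DDS's log convention.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Sample input: the "Supplementary Scan" lines from the ComboFix log posted
# earlier in this thread, copied from the page.
SAMPLE_LINES = [
    "uStart Page = hxxp://yahoo.com/",
    "uInternet Settings,ProxyServer = http=127.0.0.1:5577",
    "uInternet Settings,ProxyOverride = <local>",
    "uSearchAssistant = hxxp://www.google.com/ie",
]

# DDS/ComboFix prefix: u = current user hive (HKCU), m = machine hive (HKLM).
SETTING_RE = re.compile(
    r"^(?P<scope>[um])Internet Settings,(?P<name>\w+)\s*=\s*(?P<value>.*)$"
)


def parse_internet_settings(lines: List[str]) -> Dict[Tuple[str, str], str]:
    """Collect Internet Settings values keyed by (scope, value name)."""
    settings = {}
    for line in lines:
        m = SETTING_RE.match(line.strip())
        if m:
            settings[(m["scope"], m["name"])] = m["value"].strip()
    return settings


def _split_hostport(hostport: str) -> Tuple[str, int]:
    # "127.0.0.1:5577" -> ("127.0.0.1", 5577); "[::1]:8080" -> ("::1", 8080);
    # a bare host with no port yields port 0.
    host, sep, port = hostport.rpartition(":")
    if not sep or not port.isdigit():
        return hostport.strip("[]"), 0
    return host.strip("[]"), int(port)


def parse_proxy_server(value: str) -> Dict[str, Tuple[str, int]]:
    """Parse a ProxyServer value into {protocol: (host, port)}.

    Form A: "host:port"                 -> {"*": (host, port)}   (all protocols)
    Form B: "http=h:p;https=h:p;..."    -> one entry per protocol
    """
    proxies: Dict[str, Tuple[str, int]] = {}
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue
        if "=" in part:
            proto, _, hostport = part.partition("=")
        else:
            proto, hostport = "*", part
        proxies[proto.strip().lower()] = _split_hostport(hostport.strip())
    return proxies


def is_loopback(host: str) -> bool:
    """True for localhost, 127.0.0.0/8 and ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def assess(lines: List[str]) -> List[str]:
    """Return one finding per protocol whose proxy points back at this machine."""
    findings = []
    for (scope, name), value in parse_internet_settings(lines).items():
        if name != "ProxyServer":
            continue
        hive = "HKCU" if scope == "u" else "HKLM"
        for proto, (host, port) in parse_proxy_server(value).items():
            if is_loopback(host):
                findings.append(
                    f"{hive} ProxyServer: {proto} traffic routed via loopback {host}:{port}"
                )
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_LINES):
        print(finding)
```

A loopback proxy is not malicious by itself (local filtering proxies exist), so the finding is a prompt to identify the process bound to that port; in this thread the helper chose to remove the setting outright, which is the right call on a machine with no legitimate local proxy installed.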


Got this after typing in cmd window:

Expanding c:\i386\ws2_32.dl_ to c:\windows\system32\ws2_32.dll.

Can't open output file: c:\windows\system32\ws2_32.dll.

Michigan Larry:

Let's try again from the Recovery console:

1. Restart your computer.

2. Before Windows loads, you will be prompted to choose which Operating System to start.

3. Use the up and down arrow key to select Microsoft Windows Recovery Console

4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.

5. At the C:\Windows prompt, type the following bolded commands, one at a time, and press 'Enter' (refer to the quote box under the commands for the location of the spaces which are very important):

expand C:\I386\WS2_32.DL_ -r c:\windows\system32

exit

expand<space>C:\I386\WS2_32.DL_<space>-r<space>c:\windows\system32

exit

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above DDS::

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:

  • ComboFix log


Rebooted and chose recovery console and nothing happened. Had a blinking cursor. Let the system sit for 15 minutes in case of a slow load. Nothing. Rebooted and made this post.

Also, links embedded in your email notices won't load now.

I get "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."

What would you like me to do now?

Larry

Root Admin:

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


I do not have an XP install disk.

Here is the combofix log. Thanks for all your help.

Will wait for instructions.

ComboFix 10-09-01.02 - Owner 09/01/2010 13:32:05.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.395 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix1.exe

Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\ws2_32.dll . . . is infected!!

.

((((((((((((((((((((((((( Files Created from 2010-08-01 to 2010-09-01 )))))))))))))))))))))))))))))))

.

2010-08-24 12:54 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2010-08-23 17:35 . 2010-08-23 17:36 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp

2010-08-23 17:34 . 2010-08-23 17:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Deployment

2010-08-23 15:28 . 2010-08-23 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2010-08-23 15:28 . 2010-08-23 15:28 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-01 17:26 . 2009-03-30 16:28 3963 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys

2010-08-27 13:26 . 2010-07-22 19:07 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-08-24 19:42 . 2004-12-06 19:55 -------- d-----w- c:\program files\Auction Sentry

2010-08-23 17:34 . 2002-08-19 12:34 152400 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-23 15:34 . 2004-04-28 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-08-23 15:28 . 2005-10-11 12:48 -------- d-----w- c:\program files\Yahoo!

2010-08-23 15:28 . 2007-11-28 13:42 -------- d-----w- c:\program files\CCleaner

2010-08-23 05:10 . 2010-07-22 19:08 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-08-23 05:10 . 2010-07-22 19:08 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-07-22 19:08 . 2010-07-22 19:08 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-07-22 19:07 . 2010-07-22 19:07 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com

2010-07-22 19:07 . 2010-07-22 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-07-21 20:03 . 2003-08-26 21:34 -------- d-----w- c:\documents and settings\Owner\Application Data\Alyfof

2010-07-15 13:17 . 2004-04-28 17:11 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-07-12 14:36 . 2009-08-05 12:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-09 19:31 . 2010-07-09 19:31 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM

2010-07-02 04:11 . 2010-07-02 04:12 496944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll

2010-07-02 04:11 . 2010-07-02 04:12 296240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlsock10.dll

2010-07-02 04:11 . 2010-07-02 04:12 267568 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll

2010-07-02 04:11 . 2010-07-02 04:12 423216 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe

2010-07-02 04:11 . 2010-07-02 04:12 791856 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblgen10.dll

2010-07-02 04:11 . 2010-07-02 04:12 570672 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll

2010-07-02 04:11 . 2010-07-02 04:12 1152304 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbtool10.dll

2010-07-02 04:11 . 2010-07-02 04:12 763184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblib10.dll

2010-07-02 04:11 . 2010-07-02 04:12 398640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbcon10.dll

2010-07-02 04:11 . 2010-07-02 04:12 2184496 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll

2010-07-02 04:11 . 2010-07-02 04:12 856880 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\dblgen11.dll

2010-07-02 04:11 . 2010-07-02 04:12 1372424 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe

2010-06-30 12:31 . 2002-04-30 13:38 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2002-04-30 13:40 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2002-04-30 13:38 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2002-04-30 13:36 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2003-08-27 13:59 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

2010-06-14 07:41 . 2003-08-27 15:08 1172480 ----a-w- c:\windows\system32\msxml3.dll

2005-09-10 00:55 . 2005-12-28 15:49 7155864 ----a-w- c:\program files\NGhost10.msi

2005-09-10 00:55 . 2005-12-28 15:49 35 ----a-w- c:\program files\SCSSDist.ini

2005-09-10 00:55 . 2005-12-28 15:49 37766164 ----a-w- c:\program files\Data1.cab

.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys

[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys

[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys

[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

[-] 2008-04-14 . E30E185EBA3646BAA4819870BED42174 . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2_32.dll

[-] 2008-04-14 . E30E185EBA3646BAA4819870BED42174 . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll

[-] 2004-08-04 . F1BB7934459CC40B57ABA6C8DD82F308 . 82944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2_32.dll

.

((((((((((((((((((((((((((((( SnapShot_2010-08-26_12.31.24 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-08-27 11:43 . 2010-08-27 11:43 16384 c:\windows\Temp\Perflib_Perfdata_1b8.dat

+ 2010-08-27 11:42 . 2010-08-27 11:42 16384 c:\windows\Temp\Perflib_Perfdata_18c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]

@="{95A27763-F62A-4114-9072-E81D87DE3B68}"

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]

2010-06-28 21:33 668816 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2010-06-28 21:33 668816 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2010-06-28 21:33 668816 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"D-Link AirPlus Xtreme G"="c:\program files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" [2003-11-04 2502656]

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]

"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2010-06-28 900240]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

Shortcut to WFTPD.lnk - c:\adp\wftpd\WFTPD.EXE [2003-2-3 326144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Attendance Rx.lnk - c:\program files\Acroprint\Attendance Rx\AttendanceRx.exe [2008-2-25 5750784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoThumbnailCache"= 1 (0x1)

"link"= 00000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2002-02-15 14:51 24638 ----a-w- c:\windows\system32\PCANotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]

LTMSG.exe 7 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 21:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\ADP\\wftpd\\WFTPD.EXE"=

"c:\\Program Files\\Ositis Software\\WinProxy 5.0\\WinProxy.exe"=

"c:\\DacEasy\\pvsw\\W3DBSMGR.EXE"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=

"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=

"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=

"c:\\DacEasy13\\pvsw\\W3DBSMGR.EXE"=

"c:\\qb2003\\QBDBMgrN.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\WINDOWS\\system32\\mmlssearch.exe"=

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/5/2009 8:08 AM 304464]

R2 TSKNF501.SYS;TSKNF501.SYS;c:\windows\system32\drivers\Tsknf501.sys [12/2/2002 11:57 PM 6464]

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [10/22/2003 4:27 PM 344800]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/5/2009 8:08 AM 20952]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

S2 DigicamA;DigicamA;c:\windows\system32\drivers\DigicamA.sys [4/5/2006 12:29 PM 38400]

S2 DigicamV;DigicamV;c:\windows\system32\drivers\DigicamV.sys [4/5/2006 12:29 PM 67072]

S3 PCDRDRV;Pcdr CPU Helper Driver; [x]

S3 trid3d;trid3d;c:\windows\system32\drivers\trid3dm.sys [3/21/2002 1:35 AM 144860]

S3 w89c940;Winbond W89C940 PCI Ethernet Adapter Driver;c:\windows\system32\drivers\w940nd.sys [10/8/2002 12:22 PM 16925]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://yahoo.com/

uSearchAssistant = hxxp://www.google.com/ie

uCustomizeSearch =

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: motive.com\pattta.att

Trusted Zone: motive.com\patttbc.att

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\qb2003\HelpAsyncPluggableProtocol.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} - hxxps://www.gircheckmgt.nationalcity.com/crystalreportviewers115/ActiveXControls/ActiveXViewer.cab

DPF: {FE92D9C3-4A69-4EC7-8651-1DC8531D0075} - hxxp://24.236.235.173:8080/user/TSBnwCam.CAB

.

- - - - ORPHANS REMOVED - - - -

BHO-{6945633A-5BDD-4E44-87A2-5EF434282D52} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-01 13:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1990122784-375612493-359561344-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1020)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1076)

c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(2028)

c:\windows\system32\WININET.dll

c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-09-01 13:56:52

ComboFix-quarantined-files.txt 2010-09-01 17:56

ComboFix2.txt 2010-08-26 12:38

ComboFix3.txt 2010-08-24 12:14

Pre-Run: 37,055,221,760 bytes free

Post-Run: 37,038,608,384 bytes free

Current=2 Default=2 Failed=4 LastKnownGood=3 Sets=1,2,3,4

- - End Of File - - B2016F43A5B881DD2967B5AD5D435EC1

Post reopened at user request.

You have an infected system file with no suitable replacement on your PC. Since you don't have access to a Windows XP SP3 CD, let's try to uninstall and reinstall SP3:

Here are the instructions:

Use the hidden $NtServicePackUninstall$ folder

1. Click Start, click Run (or press Windows Key + R), copy the following command into the run box that opens, and then click OK:

c:\windows\$NtServicePackUninstall$\spuninst\spuninst.exe

2. When the Windows XP Service Pack 3 Removal Wizard starts, click Next.

3. Follow the instructions on the screen to remove Windows XP SP3.

Then go to MS to download and reinstall the service pack:

Download the latest Windows XP service pack from the Microsoft Download Center

You can download the stand-alone update package from the Download Center.

This page will say that this installation package is intended for IT professionals and developers. However, you can safely download this file.

http://www.microsoft.com/downloads/details...;displaylang=en

Let me know once you have this completed and we can finish cleaning your PC up.


Ran the program. It said it couldn't find service pack 3. Then service pack 3 was not uninstalled.

Larry


That will work as long as it is a Windows XP Home Edition, Service Pack 3 disk. Here are the instructions:

Insert the Windows XP installation disk.

1. Click Start > Run or press the Windows Key + R. Then type cmd in the run box and press "OK" to open the command prompt window.

2. Enter the following command at the prompt and press Enter. Refer to the quote box under the command for the location of the spaces, which are very important. After pressing "Enter" you should see a message that says, "one file(s) expanded successfully".

Note: x = the drive letter designation for your CD/DVD drive - replace x with the appropriate letter for your PC.

expand x:\i386\ws2_32.dl_ -r c:\windows\system32

expand<space>x:\i386\ws2_32.dl_<space>-r<space>c:\windows\system32

Please include the following in your next post:

  • Let me know how this went


No good. Here is what I got.

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Owner>expand e:\i386\ws2_32.dl_ -r c:\windows\system32

Microsoft (R) File Expansion Utility Version 5.1.2600.0

Copyright (C) Microsoft Corp 1990-1999. All rights reserved.

Expanding e:\i386\ws2_32.dl_ to c:\windows\system32\ws2_32.dll.

Can't open output file: c:\windows\system32\ws2_32.dll.

C:\Documents and Settings\Owner>

C:\Documents and Settings\Owner>

Not sure if it is SP3 though.

1. Click Start > Run or press the Windows Key + R. Then type cmd in the run box and press "OK" to open the command prompt window.

2. Enter the following command at the prompt and press Enter. Refer to the quote box under the command for the location of the spaces, which are very important.

attrib -R c:\windows\system32\ws2_32.dll

attrib<space>-r<space>c:\windows\system32\ws2_32.dll

Once you've done that, repeat the instructions from Post 17


Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Owner>attrib -R c:\windows\system32\ws2_32.dll

C:\Documents and Settings\Owner>expand E:\i386\ws2_32.dl_ -r c:\windows\system32

Microsoft (R) File Expansion Utility Version 5.1.2600.0

Copyright (C) Microsoft Corp 1990-1999. All rights reserved.

Expanding e:\i386\ws2_32.dl_ to c:\windows\system32\ws2_32.dll.

Can't open output file: c:\windows\system32\ws2_32.dll.

C:\Documents and Settings\Owner>


Please do this (be sure to look carefully - the instructions are slightly different):

Insert the Windows XP installation disk.

1. Click Start > Run or press the Windows Key + R. Then type cmd in the run box and press "OK" to open the command prompt window.

2. Enter the following command at the prompt and press Enter. Refer to the quote box under the command for the location of the spaces, which are very important. After pressing "Enter" you should see a message that says, "one file(s) expanded successfully".

Note: x = the drive letter designation for your CD/DVD drive - replace x with the appropriate letter for your PC.

expand x:\i386\ws2_32.dl_ -r c:\

expand<space>x:\i386\ws2_32.dl_<space>-r<space>c:\

Please include the following in your next post:

  • Let me know how this went


Seems to have expanded the file.

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Owner>expand e:\i386\ws2_32.dl_ -r c:\

Microsoft (R) File Expansion Utility Version 5.1.2600.0

Copyright (C) Microsoft Corp 1990-1999. All rights reserved.

Expanding e:\i386\ws2_32.dl_ to c:\ws2_32.dll.

e:\i386\ws2_32.dl_: 39099 bytes expanded to 82944 bytes, 112% increase

C:\Documents and Settings\Owner>

Waiting for instructions.


MichiganLarry:

Delete your current copy of ComboFix from your desktop and download a new copy from either of the links below, saving it to your desktop.

Link 1

Link 2

Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above FCopy::

FCopy::
c:\ws2_32.dll | c:\windows\system32\ws2_32.dll

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:

  • ComboFix log


Done - here is the log.

ComboFix 10-09-13.02 - Owner 09/14/2010 9:30.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.501 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

--------------- FCopy ---------------

c:\ws2_32.dll --> c:\windows\system32\ws2_32.dll

.

((((((((((((((((((((((((( Files Created from 2010-08-14 to 2010-09-14 )))))))))))))))))))))))))))))))

.

2010-08-23 15:28 . 2010-08-23 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2010-08-23 15:28 . 2010-08-23 15:28 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-14 13:49 . 2010-02-26 20:42 -------- d-----w- c:\program files\Microsoft Silverlight

2010-09-13 19:45 . 2009-03-30 16:28 3963 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys

2010-09-10 18:45 . 2010-07-22 19:07 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-09-02 05:01 . 2010-07-02 04:12 1394440 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe

2010-09-02 05:01 . 2009-03-30 17:34 24328 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Interop.QBInstanceFinder.dll

2010-09-02 05:01 . 2009-03-30 17:34 211720 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe

2010-08-24 19:42 . 2004-12-06 19:55 -------- d-----w- c:\program files\Auction Sentry

2010-08-23 17:34 . 2002-08-19 12:34 152400 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-23 15:34 . 2004-04-28 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-08-23 15:28 . 2005-10-11 12:48 -------- d-----w- c:\program files\Yahoo!

2010-08-23 15:28 . 2007-11-28 13:42 -------- d-----w- c:\program files\CCleaner

2010-08-23 05:10 . 2010-07-22 19:08 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-08-23 05:10 . 2010-07-22 19:08 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-07-22 19:08 . 2010-07-22 19:08 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-07-22 19:07 . 2010-07-22 19:07 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com

2010-07-22 19:07 . 2010-07-22 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-07-21 20:03 . 2003-08-26 21:34 -------- d-----w- c:\documents and settings\Owner\Application Data\Alyfof

2010-07-02 04:11 . 2010-07-02 04:12 496944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll

2010-07-02 04:11 . 2010-07-02 04:12 296240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlsock10.dll

2010-07-02 04:11 . 2010-07-02 04:12 267568 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll

2010-07-02 04:11 . 2010-07-02 04:12 423216 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe

2010-07-02 04:11 . 2010-07-02 04:12 791856 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblgen10.dll

2010-07-02 04:11 . 2010-07-02 04:12 570672 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll

2010-07-02 04:11 . 2010-07-02 04:12 1152304 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbtool10.dll

2010-07-02 04:11 . 2010-07-02 04:12 763184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblib10.dll

2010-07-02 04:11 . 2010-07-02 04:12 398640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbcon10.dll

2010-07-02 04:11 . 2010-07-02 04:12 2184496 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll

2010-07-02 04:11 . 2010-07-02 04:12 856880 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\dblgen11.dll

2010-06-30 12:31 . 2002-04-30 13:38 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2002-04-30 13:40 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2002-04-30 13:38 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2002-04-30 13:36 80384 ----a-w- c:\windows\system32\iccvid.dll

2005-09-10 00:55 . 2005-12-28 15:49 7155864 ----a-w- c:\program files\NGhost10.msi

2005-09-10 00:55 . 2005-12-28 15:49 35 ----a-w- c:\program files\SCSSDist.ini

2005-09-10 00:55 . 2005-12-28 15:49 37766164 ----a-w- c:\program files\Data1.cab

.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys

[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys

[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[7] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys

[7] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]

@="{95A27763-F62A-4114-9072-E81D87DE3B68}"

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]

2010-06-28 21:33 668816 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2010-06-28 21:33 668816 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2010-06-28 21:33 668816 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-10 2424560]

"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-09-08 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"D-Link AirPlus Xtreme G"="c:\program files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" [2003-11-04 2502656]

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]

"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2010-06-28 900240]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

Shortcut to WFTPD.lnk - c:\adp\wftpd\WFTPD.EXE [2003-2-3 326144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Attendance Rx.lnk - c:\program files\Acroprint\Attendance Rx\AttendanceRx.exe [2008-2-25 5750784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoThumbnailCache"= 1 (0x1)

"link"= 00000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2002-02-15 14:51 24638 ----a-w- c:\windows\system32\PCANotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]

LTMSG.exe 7 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 21:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\ADP\\wftpd\\WFTPD.EXE"=

"c:\\Program Files\\Ositis Software\\WinProxy 5.0\\WinProxy.exe"=

"c:\\DacEasy\\pvsw\\W3DBSMGR.EXE"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=

"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=

"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=

"c:\\DacEasy13\\pvsw\\W3DBSMGR.EXE"=

"c:\\qb2003\\QBDBMgrN.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\WINDOWS\\system32\\mmlssearch.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/5/2009 8:08 AM 304464]

R2 TSKNF501.SYS;TSKNF501.SYS;c:\windows\system32\drivers\Tsknf501.sys [12/2/2002 11:57 PM 6464]

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [10/22/2003 4:27 PM 344800]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/5/2009 8:08 AM 20952]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]

S2 DigicamA;DigicamA;c:\windows\system32\drivers\DigicamA.sys [4/5/2006 12:29 PM 38400]

S2 DigicamV;DigicamV;c:\windows\system32\drivers\DigicamV.sys [4/5/2006 12:29 PM 67072]

S3 PCDRDRV;Pcdr CPU Helper Driver; [x]

S3 trid3d;trid3d;c:\windows\system32\drivers\trid3dm.sys [3/21/2002 1:35 AM 144860]

S3 w89c940;Winbond W89C940 PCI Ethernet Adapter Driver;c:\windows\system32\drivers\w940nd.sys [10/8/2002 12:22 PM 16925]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1990122784-375612493-359561344-1003Core.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-08 16:00]

2010-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1990122784-375612493-359561344-1003UA.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-08 16:00]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://yahoo.com/

uSearchAssistant = hxxp://www.google.com/ie

uCustomizeSearch =

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: motive.com\pattta.att

Trusted Zone: motive.com\patttbc.att

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\qb2003\HelpAsyncPluggableProtocol.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} - hxxps://www.gircheckmgt.nationalcity.com/crystalreportviewers115/ActiveXControls/ActiveXViewer.cab

DPF: {FE92D9C3-4A69-4EC7-8651-1DC8531D0075} - hxxp://24.236.235.173:8080/user/TSBnwCam.CAB

.

- - - - ORPHANS REMOVED - - - -

BHO-{6945633A-5BDD-4E44-87A2-5EF434282D52} - (no file)

Toolbar-Locked - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-14 09:52

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1990122784-375612493-359561344-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]

@Denied: (2) (Administrators)

@Allowed: (2) (Administrators)

"Policy"=hex:00,00,00,00

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1084)

c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(568)

c:\windows\system32\WININET.dll

c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Acronis\Schedule2\schedul2.exe

c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\System32\nvsvc32.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\windows\System32\tcpsvcs.exe

c:\windows\System32\snmp.exe

c:\windows\system32\fxssvc.exe

c:\program files\Acroprint\Attendance Rx\arxterm.exe

.

**************************************************************************

.

Completion time: 2010-09-14 10:03:18 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-14 14:03

ComboFix2.txt 2010-09-01 17:56

ComboFix3.txt 2010-08-26 12:38

ComboFix4.txt 2010-08-24 12:14

Pre-Run: 36,284,878,848 bytes free

Post-Run: 36,177,850,368 bytes free

Current=2 Default=2 Failed=4 LastKnownGood=3 Sets=1,2,3,4

- - End Of File - - 65DD00CEE41834E25763580FF9A2C61C

MichiganLarry:

Delete your current copy of ComboFix from your desktop and download a new copy from either of the links below, saving it to your desktop.

Link 1

Link 2

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad). Copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above FCopy::

FCopy::
c:\ws2_32.dll | c:\windows\system32\ws2_32.dll

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:

  • ComboFix log
