
MBAM.EXE WOULD NOT RUN



I tried to change the name of the exe file but it still will not work.

Here are my posting logs. Please HELP!!

Here are the logs that I was asked to run and have someone look at.... Please help me with getting this off my infected computer.... THANK YOU so much!!

DDS (Ver_10-03-17.01) - NTFSx86

Run by HP_Administrator at 22:04:12.04 on Thu 07/22/2010

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.501 [GMT -5:00]

AV: AV Security Suite *On-access scanning enabled* (Updated) {AE716D16-40FE-4cb9-8FD2-2975088F55B2}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\WINDOWS\arservice.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\ARPWRMSG.EXE

C:\Program Files\DISC\DISCover.exe

C:\Program Files\DISC\DiscUpdateMgr.exe

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe

C:\Documents and Settings\HP_Administrator\Application Data\FDCE7A7D0972FE534A5EB0596586084D\070700Setup.exe

C:\Program Files\DISC\DiscGui.exe

C:\WINDOWS\system32\rundll32.exe

C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\y7gkls6u.exe

C:\WINDOWS\system32\rundll32.exe

C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\drweb.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Ocucom\PreCast\tmon.exe

C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\Dropbox.exe

C:\Program Files\TrueAssistant\TrueAssistant.exe

C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe

C:\Program Files\DISC\DiscStreamHub.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

c:\windows\system\hpsysdrv.exe

C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

G:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5577

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: c:\windows\system32\wr7a2ig92.dll: {c3ba40a2-75f1-52bd-f413-04b15a2c8953} - c:\windows\system32\wr7a2ig92.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe

uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0

uRun: [070700Setup.exe] c:\documents and settings\hp_administrator\application data\fdce7a7d0972fe534a5eb0596586084d\070700Setup.exe

uRun: [Oqanukuwupomuki] rundll32.exe "c:\windows\tholgt.dll",Startup

uRun: [JDK5SWFMZY] c:\docume~1\hp_adm~1\locals~1\temp\Vcl.exe

uRun: [lxpbrpee] c:\documents and settings\hp_administrator\local settings\application data\gagcpfptv\gofkwcmtssd.exe

uRun: [hsef87ehf3jishfs87fhuishfsgggfdgs4g] c:\docume~1\hp_adm~1\locals~1\temp\y7gkls6u.exe

uRun: [mcexecwin] rundll32.exe c:\docume~1\hp_adm~1\locals~1\temp\r7vptlut.dll, RestoreWindows

uRun: [hsehf98u34i9tjioaugy987iuegdsg] c:\docume~1\hp_adm~1\locals~1\temp\drweb.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE

mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe

mRun: [DISCover] c:\program files\disc\DISCover.exe

mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe

mRun: [<NO NAME>]

mRun: [PCDrProfiler]

mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run

mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [OM_Monitor] c:\program files\olympus\olympus master\FirstStart.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [EPSON Stylus CX5400] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [net] "c:\windows\system32\net.net"

mRun: [lxpbrpee] c:\documents and settings\hp_administrator\local settings\application data\gagcpfptv\gofkwcmtssd.exe

mRun: [Pyunikazubija] rundll32.exe "c:\windows\equzuzeqijiw.dll",Startup

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\hp_administrator\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\trueas~1.lnk - c:\program files\trueassistant\TrueAssistant.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\at&tse~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\precas~1.lnk - c:\program files\ocucom\precast\tmon.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe

uPolicies-explorer: NoFolderOptions = 1 (0x1)

uPolicies-system: DisableRegistryTools = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

Trusted Zone: ncponline.com\www

Trusted Zone: trymedia.com

DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} - hxxp://webiq005.webiqonline.com/WebIQ/DataServer/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: NameServer = 93.188.162.224,93.188.166.204

TCP: {16233298-2793-4155-A3D0-5F3280E2075A} = 93.188.162.224,93.188.166.204

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: MDmXzsQF - {7425B19C-DE8F-1B36-1FB6-E9F883A8DBA0} - c:\windows\system32\nrsq.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

STS: c:\windows\system32\wr7a2ig92.dll: {c3ba40a2-75f1-52bd-f413-04b15a2c8953} - c:\windows\system32\wr7a2ig92.dll

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S0 mvlkof;mvlkof;c:\windows\system32\drivers\mvlkof.sys [2010-7-9 0]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]

============== File Associations ===============

regfile=regedit.exe "%1" %*

scrfile="%1" %*

=============== Created Last 30 ================

2010-07-23 03:03:07 0 ----a-w- c:\documents and settings\hp_administrator\defogger_reenable

2010-07-23 02:57:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-23 02:57:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-23 01:27:39 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-14 01:37:26 1587 ----a-w- c:\windows\lsrslt.ini

2010-07-14 01:35:12 0 d--h--w- c:\windows\system32\GroupPolicy

2010-07-13 00:50:52 3255 ----a-w- c:\windows\system32\wbem\Outlook_01cb222571b0831e.mof

2010-07-10 00:50:19 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-07-10 00:50:12 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-09 17:09:10 0 d-----w- c:\program files\AV Security Suite Basic

2010-07-09 16:35:09 2716 ----a-w- c:\windows\ucoceweweciqusol.dll

2010-07-09 16:27:26 2716 ----a-w- c:\windows\oyositefesuf.dll

2010-07-09 16:16:55 2716 ----a-w- c:\windows\icujuqumof.dll

2010-07-09 16:01:23 30000 ----a-w- c:\windows\system32\wr7a2ig92.dll

2010-07-09 16:01:02 0 ----a-w- c:\windows\Yjehu.dat

2010-07-09 15:59:16 206336 ----a-w- c:\windows\Vtixea.exe

2010-07-09 15:59:05 0 ----a-w- c:\windows\system32\drivers\mvlkof.sys

2010-07-09 15:57:13 0 d-----w- c:\docume~1\hp_adm~1\applic~1\FDCE7A7D0972FE534A5EB0596586084D

2010-07-09 15:57:04 36819 ----a-w- c:\windows\system32\net.net

==================== Find3M ====================

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys

============= FINISH: 22:05:09.46 ===============

ark.zip

Attach.zip


Hello ,

And :( My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


OKAY HERE IS THE LOG....

ComboFix 10-08-12.02 - HP_Administrator 08/12/2010 20:43:45.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.656 [GMT -5:00]

Running from: G:\ComboFix1.exe

AV: AV Security Suite *On-access scanning enabled* (Updated) {AE716D16-40FE-4cb9-8FD2-2975088F55B2}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\csrss.exe

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\lsass.exe

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\services.exe

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\svchost.exe

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\taskmgr.exe

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\winlogon.exe

c:\documents and settings\HP_Administrator\Application Data\4fbab23a.exe

c:\documents and settings\HP_Administrator\Application Data\FDCE7A7D0972FE534A5EB0596586084D

c:\documents and settings\HP_Administrator\Application Data\FDCE7A7D0972FE534A5EB0596586084D\070700Setup.exe

c:\documents and settings\HP_Administrator\Application Data\FDCE7A7D0972FE534A5EB0596586084D\enemies-names.txt

c:\documents and settings\HP_Administrator\Application Data\FDCE7A7D0972FE534A5EB0596586084D\local.ini

c:\documents and settings\HP_Administrator\Application Data\FDCE7A7D0972FE534A5EB0596586084D\lsrslt.ini

c:\documents and settings\HP_Administrator\Local Settings\Application Data\{DC013930-612F-47B4-BDC8-57F0505379DC}

c:\documents and settings\HP_Administrator\Local Settings\Application Data\{DC013930-612F-47B4-BDC8-57F0505379DC}\chrome.manifest

c:\documents and settings\HP_Administrator\Local Settings\Application Data\{DC013930-612F-47B4-BDC8-57F0505379DC}\chrome\content\_cfg.js

c:\documents and settings\HP_Administrator\Local Settings\Application Data\{DC013930-612F-47B4-BDC8-57F0505379DC}\chrome\content\overlay.xul

c:\documents and settings\HP_Administrator\Local Settings\Application Data\{DC013930-612F-47B4-BDC8-57F0505379DC}\install.rdf

c:\documents and settings\HP_Administrator\Local Settings\Application Data\gagcpfptv\gofkwcmtssd.exe

c:\documents and settings\LocalService\Application Data\1007491577.exe

c:\documents and settings\LocalService\Application Data\1057695219.exe

c:\documents and settings\LocalService\Application Data\1059006019.exe

c:\documents and settings\LocalService\Application Data\1059989118.exe

c:\documents and settings\LocalService\Application Data\1061889779.exe

c:\documents and settings\LocalService\Application Data\1072703876.exe

c:\documents and settings\LocalService\Application Data\1137457396.exe

c:\documents and settings\LocalService\Application Data\937953636.exe

c:\program files\AV Security Suite Basic

c:\program files\AV Security Suite Basic\avsuite.exe

c:\program files\Shared

c:\program files\Shared\lib.sig

c:\windows\equzuzeqijiw.dll

c:\windows\icujuqumof.dll

c:\windows\MailSwitch.ocx

c:\windows\oyositefesuf.dll

c:\windows\Readme.txt

c:\windows\system32\driVERs\mvlkof.sys

c:\windows\system32\ernel32.dll

c:\windows\system32\net.net

c:\windows\system32\wr7a2ig92.dll

c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

c:\windows\tholgt.dll

c:\windows\ucoceweweciqusol.dll

D:\Autorun.inf

c:\windows\system32\drivers\mvlkof.sys . . . is infected!! . . . Failed to find a valid replacement.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_CBEVTSVC

-------\Legacy_mvlkof

-------\Service_mvlkof

((((((((((((((((((((((((( Files Created from 2010-07-13 to 2010-08-13 )))))))))))))))))))))))))))))))

.

2010-08-11 01:31 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-11 01:31 . 2010-08-11 01:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware1

2010-08-11 01:31 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-23 01:27 . 2010-08-11 01:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-13 02:05 . 2009-06-07 22:37 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Dropbox

2010-07-14 01:08 . 2010-07-10 00:50 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-10 00:50 . 2010-07-10 00:50 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-07-09 22:49 . 2010-07-09 16:01 0 ----a-w- c:\windows\Yjehu.dat

2010-07-09 15:57 . 2010-07-09 15:59 206336 ----a-w- c:\windows\Vtixea.exe

2010-07-09 04:00 . 2005-11-12 15:57 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-24 02:06 . 2010-06-24 02:06 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb57.tmp.exe

2010-06-23 01:16 . 2010-06-23 01:16 -------- d-----w- c:\program files\National Consumer Panel

2010-06-20 16:35 . 2005-11-12 16:21 -------- d-----w- c:\program files\Common Files\Adobe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-31 68856]

"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-30 57344]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]

"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]

"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]

"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-11-30 40960]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-12 180269]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

"EPSON Stylus CX5400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-27 99840]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-12 27136]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

TrueAssistant.lnk - c:\program files\TrueAssistant\TrueAssistant.exe [2005-4-2 372224]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2006-1-19 217088]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

PreCast Monitor.lnk - c:\program files\Ocucom\PreCast\tmon.exe [2008-2-12 1811120]

Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-12 36903]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Documents and Settings\\HP_Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundMaskRequest"= 1 (0x1)

"AllowInboundRouterRequest"= 1 (0x1)

"AllowOutboundDestinationUnreachable"= 1 (0x1)

"AllowOutboundSourceQuench"= 1 (0x1)

"AllowOutboundParameterProblem"= 1 (0x1)

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 12:08 PM 135664]

.

Contents of the 'Scheduled Tasks' folder

2010-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 17:08]

2010-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 17:08]

2010-07-13 c:\windows\Tasks\Norton Security Online - Run Full System Scan - HP_Administrator.job

- c:\progra~1\Symantec\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://www.google.com

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uSearch Bar = hxxp://www.google.com/ie

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5577

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

Trusted Zone: ncponline.com\www

Trusted Zone: trymedia.com

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

HKCU-Run-070700Setup.exe - c:\documents and settings\HP_Administrator\Application Data\FDCE7A7D0972FE534A5EB0596586084D\070700Setup.exe

HKCU-Run-Oqanukuwupomuki - c:\windows\tholgt.dll

HKCU-Run-lxpbrpee - c:\documents and settings\HP_Administrator\Local Settings\Application Data\gagcpfptv\gofkwcmtssd.exe

HKLM-Run-PCDrProfiler - (no file)

HKLM-Run-lxpbrpee - c:\documents and settings\HP_Administrator\Local Settings\Application Data\gagcpfptv\gofkwcmtssd.exe

HKLM-Run-Pyunikazubija - c:\windows\equzuzeqijiw.dll

SSODL-MDmXzsQF-{7425B19C-DE8F-1B36-1FB6-E9F883A8DBA0} - c:\windows\system32\nrsq.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-12 21:05

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x860D9EC5]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf74eff28

\Driver\ACPI -> ACPI.sys @ 0xf7362cb8

\Driver\atapi -> atapi.sys @ 0xf721f852

\Driver\iaStor -> iaStor.sys @ 0xf7243b10

IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a

\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a

NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf70e3bd4

PacketIndicateHandler -> NDIS.sys @ 0xf70d1a0d

SendHandler -> NDIS.sys @ 0xf70e5b40

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1928)

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll

c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\windows\arservice.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\Ati2evxx.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\ARPWRMSG.EXE

c:\windows\eHome\ehmsas.exe

c:\program files\SBC Self Support Tool\bin\mpbtn.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\windows\system32\HPZipm12.exe

.

**************************************************************************

.

Completion time: 2010-08-12 21:12:35 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-13 02:12

Pre-Run: 191,901,634,560 bytes free

Post-Run: 192,347,078,656 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - CE8DFC1877A9426B6A6B28FA2D45FE5F


That already took out a lot of stuff, but there are still some things left. Since it looks like you also have a flash drive infection, make sure to plug in all flash drives you have.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

Rootkit::
c:\windows\system32\drivers\mvlkof.sys

File::
c:\windows\Yjehu.dat
c:\windows\Vtixea.exe

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Ok so here is the next log on the CFScript. I have another question for you too. When we first started this (with someone else on here), they had me download Defogger and turn it off. They said not to turn it back on until the system was cleaned. Do I need to turn this Defogger back on, and if so, please let me know when?? Thank you again for ALL your help!

ComboFix 10-08-12.02 - HP_Administrator 08/15/2010 10:56:02.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.553 [GMT -5:00]

Running from: G:\ComboFix1.exe

Command switches used :: G:\CFScript.txt

AV: AV Security Suite *On-access scanning enabled* (Updated) {AE716D16-40FE-4cb9-8FD2-2975088F55B2}

FILE ::

"c:\windows\Vtixea.eve"

"c:\windows\Yjehu.dat"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll

c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll

c:\windows\Yjehu.dat

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((( Files Created from 2010-07-15 to 2010-08-15 )))))))))))))))))))))))))))))))

.

2010-08-14 13:20 . 2010-08-14 13:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp

2010-08-11 01:31 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-11 01:31 . 2010-08-11 01:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware1

2010-08-11 01:31 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-23 01:27 . 2010-08-11 01:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-15 16:06 . 2009-06-07 22:37 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Dropbox

2010-07-14 01:08 . 2010-07-10 00:50 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-10 00:50 . 2010-07-10 00:50 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-07-09 15:57 . 2010-07-09 15:59 206336 ----a-w- c:\windows\Vtixea.exe

2010-07-09 04:00 . 2005-11-12 15:57 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-24 02:06 . 2010-06-24 02:06 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb57.tmp.exe

2010-06-23 01:16 . 2010-06-23 01:16 -------- d-----w- c:\program files\National Consumer Panel

2010-06-20 16:35 . 2005-11-12 16:21 -------- d-----w- c:\program files\Common Files\Adobe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-31 68856]

"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-30 57344]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]

"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]

"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]

"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-11-30 40960]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-12 180269]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

"EPSON Stylus CX5400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-27 99840]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-12 27136]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

TrueAssistant.lnk - c:\program files\TrueAssistant\TrueAssistant.exe [2005-4-2 372224]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2006-1-19 217088]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

PreCast Monitor.lnk - c:\program files\Ocucom\PreCast\tmon.exe [2008-2-12 1811120]

Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-12 36903]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Documents and Settings\\HP_Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundMaskRequest"= 1 (0x1)

"AllowInboundRouterRequest"= 1 (0x1)

"AllowOutboundDestinationUnreachable"= 1 (0x1)

"AllowOutboundSourceQuench"= 1 (0x1)

"AllowOutboundParameterProblem"= 1 (0x1)

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 12:08 PM 135664]

.

Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 17:08]

2010-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 17:08]

2010-07-13 c:\windows\Tasks\Norton Security Online - Run Full System Scan - HP_Administrator.job

- c:\progra~1\Symantec\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://www.google.com

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5577

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

Trusted Zone: ncponline.com\www

Trusted Zone: trymedia.com

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-15 11:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2372)

c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\windows\arservice.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\ehome\mcrdsvc.exe

c:\windows\ARPWRMSG.EXE

c:\program files\SBC Self Support Tool\bin\mpbtn.exe

c:\windows\system32\dllhost.exe

c:\windows\eHome\ehmsas.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\windows\system32\HPZipm12.exe

c:\program files\DISC\DiscStreamHub.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-08-15 11:13:13 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-15 16:13

ComboFix2.txt 2010-08-13 02:12

Pre-Run: 192,297,684,992 bytes free

Post-Run: 192,313,307,136 bytes free

- - End Of File - - 4A66962D52FB52B41F1809D3ED41C129


Hello, unfortunately you had a nasty rootkit on board. It's gone now, but please consider the following information.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Do I need to turn this Defogger back on, and if so, please let me know when??
Yes, you can turn your CD emulators back on.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

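Both CF-scripts in this thread (the earlier one that also removed the rootkit driver and the Vtixea/Yjehu files, and this one) undo the same setting that keeps showing up in the Supplementary Scan: the user's Internet Explorer proxy redirected to http=127.0.0.1:5577, which a rogue "security suite" uses to sit between the browser and the network. The same logs also show the Windows Firewall standard profile switched off ("EnableFirewall"= 0) and Trusted Zone additions. The script below is an added example for helpers who triage these logs; it is not code from this thread and not ComboFix's own. It parses lines in ComboFix's log format and flags a loopback proxy, a disabled firewall profile and Trusted Zone entries. The sample text is constructed from values shown in this thread, with one hypothetical proxy.corp.example line added as a benign case for contrast.

```python
"""Triage helper for ComboFix / DDS "Supplementary Scan" and firewall-policy lines.

Added example; it is not part of the original thread and not ComboFix's own code.
It looks for the settings the CFScripts in this thread were written to undo:
an Internet Explorer proxy pointed at the local machine (used by rogue
"security suite" malware to intercept browsing) and a Windows Firewall
profile that has been switched off.
"""
import re
from ipaddress import ip_address

# Constructed sample log: the proxy, firewall and Trusted Zone values are the
# ones shown in this thread; the proxy.corp.example line is a hypothetical
# benign entry added for contrast.
SAMPLE_LOG = """\
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
mInternet Settings,ProxyServer = proxy.corp.example:8080
Trusted Zone: trymedia.com
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# DDS/ComboFix prefix: 'u' = per-user (HKCU) setting, 'm' = machine-wide (HKLM).
SCOPE = {"u": "HKCU", "m": "HKLM"}

PROXY_RE = re.compile(r'^(?P<scope>[um])Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*(?P<value>\d+)')
TRUSTED_RE = re.compile(r'^Trusted Zone:\s*(?P<zone>\S+)')


def parse_proxy_value(value):
    """Split an IE ProxyServer value into (scheme, host, port) tuples.

    Accepts both 'http=127.0.0.1:5577;https=...' and a bare 'host:port'
    (which applies to all protocols, reported here as scheme '*').
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:                      # no port given
            host, port = hostport, ""
        entries.append((scheme or "*", host, port))
    return entries


def is_loopback(host):
    """True for 'localhost', 127.0.0.0/8 and ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:                   # a hostname, not an address
        return False


def triage(log_text):
    """Return (severity, line_number, message) findings for ComboFix log text."""
    findings = []
    current_key = ""                     # last registry key header seen, e.g. [HKLM\...]
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        m = PROXY_RE.match(line)
        if m:
            hive = SCOPE[m.group("scope")]
            for scheme, host, port in parse_proxy_value(m.group("value")):
                where = f"{scheme} proxy {host}:{port} ({hive})"
                if is_loopback(host):
                    findings.append(("high", no, f"{where} points at the local machine: "
                                                 "browser traffic is being intercepted locally"))
                else:
                    findings.append(("info", no, f"{where} configured: confirm it is expected"))
            continue
        m = FIREWALL_RE.match(line)
        if m and "firewallpolicy" in current_key and m.group("value") == "0":
            profile = current_key.rsplit("\\", 1)[-1]
            findings.append(("high", no, f"Windows Firewall is disabled for profile '{profile}'"))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            findings.append(("low", no, f"Trusted Zone entry {m.group('zone')}: "
                                        "IE security restrictions are relaxed for this site"))
    return findings


if __name__ == "__main__":
    for severity, no, message in triage(SAMPLE_LOG):
        print(f"[{severity:4}] line {no}: {message}")
```

To use it on a real case, replace SAMPLE_LOG with the contents of a saved ComboFix.txt. The u/m prefix in the proxy line tells you whether the setting lives under HKCU or HKLM, which is where the CFScript's DDS:: fix has to be applied; a loopback proxy finding combined with a ProxyOverride of <local> is exactly the pattern the two scripts in this thread were written to remove.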

Before I finish cleaning the rest of this up, I just wanted to ask a question. So you are telling me even though we have this quarantined that there could still be a possibility that this "backdoor trojan" could still be accessed by a "hacker"? Could they access it through the internet or would they "physically" need to be at my computer to hack in???? I only use my computer for home use, sometimes getting online to check and pay bills. I'm just not sure what I want to do at this point. I don't really have all the disks I need to reinstall so I'm trying to make a choice on what to do. I think I'm okay since this has been on here for like 2 months and nothing has shown up on my bank account or my cc statements, so I would think by now that those would have been "taken" over..... I know you can't really tell me what to do, I'm just looking for advice. I would like your advice first before I proceed with any more cleaning.....Thank you so much again for ALL your help!!


So you are telling me even though we have this quarantined that there could still be a possibility that this "backdoor trojan" could still be accessed by a "hacker"?
No, this particular infection is gone and absolutely inactive.

However, since this infection used a backdoor (which is a security vulnerability), that backdoor may or may not be exploited by future infections.

You can see it like this: this rootkit made a hole in your Windows security. Since we don't know where the hole was made, we can't plug it.

Since you mention you don't have all the disks, I think it would be best to go through with the cleanup so you will at least have a working computer. You can always decide later to reformat.


That makes a lot more sense the way you put it....thank you!

Here is the next log that you requested....I have not turned Defogger back on yet, until we are done with all this...

ComboFix 10-08-12.02 - HP_Administrator 08/17/2010 19:58:57.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.560 [GMT -5:00]

Running from: G:\ComboFix1.exe

Command switches used :: G:\CFScript2.txt

AV: AV Security Suite *On-access scanning enabled* (Updated) {AE716D16-40FE-4cb9-8FD2-2975088F55B2}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll

c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll

.

((((((((((((((((((((((((( Files Created from 2010-07-18 to 2010-08-18 )))))))))))))))))))))))))))))))

.

2010-08-15 20:26 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-08-14 13:20 . 2010-08-14 13:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp

2010-08-11 01:31 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-11 01:31 . 2010-08-11 01:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware1

2010-08-11 01:31 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-23 01:27 . 2010-08-11 01:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-18 01:08 . 2009-06-07 22:37 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Dropbox

2010-07-14 01:08 . 2010-07-10 00:50 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-10 00:50 . 2010-07-10 00:50 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-07-09 15:57 . 2010-07-09 15:59 206336 ----a-w- c:\windows\Vtixea.exe

2010-07-09 04:00 . 2005-11-12 15:57 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-30 12:31 . 2004-08-10 12:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:10 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2010-06-24 12:10 . 2004-08-10 12:00 667136 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 02:06 . 2010-06-24 02:06 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb57.tmp.exe

2010-06-23 13:44 . 2004-08-10 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-23 01:16 . 2010-06-23 01:16 -------- d-----w- c:\program files\National Consumer Panel

2010-06-21 15:27 . 2004-08-10 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-20 16:35 . 2005-11-12 16:21 -------- d-----w- c:\program files\Common Files\Adobe

2010-06-17 14:03 . 2004-08-10 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2004-08-10 12:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-10 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-31 68856]

"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-30 57344]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]

"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]

"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]

"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-11-30 40960]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-12 180269]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

"EPSON Stylus CX5400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-27 99840]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-12 27136]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

TrueAssistant.lnk - c:\program files\TrueAssistant\TrueAssistant.exe [2005-4-2 372224]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2006-1-19 217088]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

PreCast Monitor.lnk - c:\program files\Ocucom\PreCast\tmon.exe [2008-2-12 1811120]

Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-12 36903]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Documents and Settings\\HP_Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundMaskRequest"= 1 (0x1)

"AllowInboundRouterRequest"= 1 (0x1)

"AllowOutboundDestinationUnreachable"= 1 (0x1)

"AllowOutboundSourceQuench"= 1 (0x1)

"AllowOutboundParameterProblem"= 1 (0x1)

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 12:08 PM 135664]

.

Contents of the 'Scheduled Tasks' folder

2010-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 17:08]

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 17:08]

2010-08-17 c:\windows\Tasks\Norton Security Online - Run Full System Scan - HP_Administrator.job

- c:\progra~1\Symantec\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://www.google.com

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uSearch Bar = hxxp://www.google.com/ie

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5577

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

Trusted Zone: ncponline.com\www

Trusted Zone: trymedia.com

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-17 20:08

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3408)

c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\windows\arservice.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\ARPWRMSG.EXE

c:\windows\eHome\ehmsas.exe

c:\program files\SBC Self Support Tool\bin\mpbtn.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\DISC\DiscStreamHub.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-08-17 20:17:08 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-18 01:17

ComboFix2.txt 2010-08-15 16:13

ComboFix3.txt 2010-08-13 02:12

Pre-Run: 191,511,265,280 bytes free

Post-Run: 191,511,158,784 bytes free

- - End Of File - - B5BD1C0FC87F64506B67090C051E003E


oops sorry didn't know that mattered....well this might or might not matter either. This time I moved the notepad text over to ComboFix and then it popped up that ComboFix expired and to continue to run under reduced functionality click yes or no to exit. I clicked yes and it came up like normal but it started on completed stage 49 and then finished like it has always done. I'm not sure if we need to download another ComboFix or if this was correct. Let me know. I'm attaching the log anyway that still ran.....

ComboFix 10-08-12.02 - HP_Administrator 08/18/2010 18:08:50.4.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.536 [GMT -5:00]

Running from: G:\ComboFix1.exe

Command switches used :: G:\CFScript.txt

AV: AV Security Suite *On-access scanning enabled* (Updated) {AE716D16-40FE-4cb9-8FD2-2975088F55B2}

.

- REDUCED FUNCTIONALITY MODE -

.

((((((((((((((((((((((((( Files Created from 2010-07-18 to 2010-08-18 )))))))))))))))))))))))))))))))

.

2010-08-15 20:26 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-08-14 13:20 . 2010-08-14 13:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp

2010-08-11 01:31 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-11 01:31 . 2010-08-11 01:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware1

2010-08-11 01:31 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-23 01:27 . 2010-08-11 01:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-18 01:08 . 2009-06-07 22:37 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Dropbox

2010-07-14 01:08 . 2010-07-10 00:50 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-10 00:50 . 2010-07-10 00:50 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-07-09 15:57 . 2010-07-09 15:59 206336 ----a-w- c:\windows\Vtixea.exe

2010-07-09 04:00 . 2005-11-12 15:57 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-30 12:31 . 2004-08-10 12:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:10 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2010-06-24 12:10 . 2004-08-10 12:00 667136 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 02:06 . 2010-06-24 02:06 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb57.tmp.exe

2010-06-23 13:44 . 2004-08-10 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-23 01:16 . 2010-06-23 01:16 -------- d-----w- c:\program files\National Consumer Panel

2010-06-21 15:27 . 2004-08-10 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-20 16:35 . 2005-11-12 16:21 -------- d-----w- c:\program files\Common Files\Adobe

2010-06-17 14:03 . 2004-08-10 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2004-08-10 12:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-10 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-31 68856]

"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-30 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]

"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]

"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]

"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-11-30 40960]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-12 180269]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

"EPSON Stylus CX5400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-27 99840]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-12 27136]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

TrueAssistant.lnk - c:\program files\TrueAssistant\TrueAssistant.exe [2005-4-2 372224]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2006-1-19 217088]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

PreCast Monitor.lnk - c:\program files\Ocucom\PreCast\tmon.exe [2008-2-12 1811120]

Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-12 36903]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Documents and Settings\\HP_Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundMaskRequest"= 1 (0x1)

"AllowInboundRouterRequest"= 1 (0x1)

"AllowOutboundDestinationUnreachable"= 1 (0x1)

"AllowOutboundSourceQuench"= 1 (0x1)

"AllowOutboundParameterProblem"= 1 (0x1)

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 12:08 PM 135664]

.

Contents of the 'Scheduled Tasks' folder

2010-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 17:08]

2010-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 17:08]

2010-08-17 c:\windows\Tasks\Norton Security Online - Run Full System Scan - HP_Administrator.job

- c:\progra~1\Symantec\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://www.google.com

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uSearch Bar = hxxp://www.google.com/ie

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5577

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

Trusted Zone: ncponline.com\www

Trusted Zone: trymedia.com

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-18 18:11

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3352)

c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-08-18 18:14:37

ComboFix-quarantined-files.txt 2010-08-18 23:14

ComboFix2.txt 2010-08-18 01:17

ComboFix3.txt 2010-08-15 16:13

ComboFix4.txt 2010-08-13 02:12

Pre-Run: 191,653,642,240 bytes free

Post-Run: 191,639,404,544 bytes free

- - End Of File - - 87643A5731C9E315DFEC4BBD166273B5

Hello, first let's use another rootkit tool here, since it seems something was detected and then mysteriously disappeared. :)

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

I also want to have a closer look at some of the files Combofix quarantined.

Open notepad and copy/paste the text in the codebox below into it:

@echo off
for %%g in (
C:\Qoobox\Quarantine\C
) do zip Files_for_submission %%g
del %0

Save this as grab.bat

Choose to "Save type as - All Files"

Save it on your desktop.

Double click on grab.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop. Please upload that file.

Please see here for instructions on how to upload the zip file. Let me know if you run into any problems.

Ok well I ran the TDSSKiller.exe program and it showed nothing, so I closed it. I've also attached the second request, the files for submission .zip.

I will be gone for the weekend starting tomorrow and won't be back until Monday afternoon, so please do not close this thread, I want to continue this with you. When I get back on Monday I will continue with whatever request you ask for next.

Thank you again!

Files_for_submission.zip

I'm sorry, I made a mistake in the script for the upload and it doesn't seem to work.

Could you please try to zip the folder manually?

To do so, navigate to c:\qoobox\quarantine and right-click on the C folder. See if you have an option to create zip archive, add to archive or something like that.

If you are able to create a .zip file, please start a new topic as instructed in my last post and attach that file. Do not upload it to this topic, since it will contain malware. We do not want it to be free for download here, so that others do not inadvertently infect their computers.

Hi, how are things running now? Please run the following scan.

Please download Rootkit Unhooker and save it to your Desktop

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth, and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note: you may get the following warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

Things seem to be running just fine...not really been on too much...

Here is the report that you asked for:

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #1

==============================================

>Drivers

==============================================

0xF6577000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 3645440 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))

0xBF0BF000 C:\WINDOWS\System32\ati3duag.dll 2412544 bytes (ATI Technologies Inc. , ati3duag.dll)

0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2150400 bytes

0x804D7000 RAW 2150400 bytes

0x804D7000 WMIxWDM 2150400 bytes

0xBF800000 Win32k 1855488 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xF6B3F000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 1368064 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)

0xF699D000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1040384 bytes (Conexant Systems, Inc., HSF_DP driver)

0xF7416000 iaStor.sys 872448 bytes (Intel Corporation, Intel Matrix Storage Manager driver)

0xF68F1000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 704512 bytes (Conexant Systems, Inc., HSF_CNXT driver)

0xBF30C000 C:\WINDOWS\System32\ativvaxx.dll 602112 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)

0xF72CD000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xF21D6000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xF2112000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)

0xF6461000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xF235B000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xEF90E000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)

0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xF73BB000 ftsata2.sys 274432 bytes (Promise Technology, Inc., Promise Driver for Windows Server 2003)

0xEF98D000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 258048 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)

0xBF051000 C:\WINDOWS\System32\ati2cqag.dll 233472 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)

0xF6A9B000 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys 221184 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)

0xBF08A000 C:\WINDOWS\System32\atikvmag.dll 217088 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)

0xF64E7000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)

0xF7541000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xEFBE9000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xF72A0000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xEEA1B000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)

0xF2246000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xF2333000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xF74EB000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)

0xF21B0000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0xF209E000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)

0xF6553000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xF6B07000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xF6AE4000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xF2311000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0x806E4000 ACPI_HAL 134400 bytes

0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xF7383000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xF7511000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xF7286000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xF73FE000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xF2086000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes

0xF73A3000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)

0xF735A000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xF6528000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0xEFBAC000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)

0xF653F000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)

0xF6B2B000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xF23B4000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xF6AD1000 C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys 77824 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )

0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xF7371000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)

0xF7530000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xF6517000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)

0xEEECC000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)

0xF7850000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xF7870000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)

0xF7680000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)

0xF7730000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)

0xF7700000 Combo-Fix.sys 61440 bytes

0xF7880000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0xF7860000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)

0xEFD3E000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)

0xF6CED000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xF7690000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)

0xF7830000 C:\WINDOWS\system32\DRIVERS\AmdK8.sys 57344 bytes (Advanced Micro Devices, AMD Processor Driver)

0xF76D0000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xF7740000 C:\WINDOWS\system32\DRIVERS\HPZid412.sys 53248 bytes (HP, IEEE-1284.4-1999 Driver (Windows 2000))

0xF7890000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)

0xF78A0000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xF76B0000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xF78C0000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xF6C9D000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xF7840000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)

0xF76A0000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xF78B0000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xF7670000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xF6D1D000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xF78E0000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xF76E0000 bb-run.sys 36864 bytes (Promise Technology, Inc., Promise Disk Accelerator)

0xF76C0000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xF78D0000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xF6CBD000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0xEED54000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)

0xF76F0000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)

0xF6C8D000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0xF7990000 C:\WINDOWS\system32\drivers\Afc.sys 32768 bytes (Arcsoft, Inc., Arcsoft® ASPI Shell)

0xF20CA000 C:\ComboFix1\catchme.sys 32768 bytes

0xF7998000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)

0xF79F8000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xF7A00000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)

0xF7988000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0xF79A0000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)

0xF78F0000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xF79B0000 C:\WINDOWS\system32\DRIVERS\PS2.sys 28672 bytes (Hewlett-Packard Company, PS2 SYS)

0xF7A20000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)

0xF7978000 C:\WINDOWS\system32\DRIVERS\aracpi.sys 24576 bytes (Microsoft Corporation, Microsoft AR ACPI Driver (Beta 2 Release 2))

0xF7A28000 C:\WINDOWS\system32\DRIVERS\HPZius12.sys 24576 bytes (HP, 1284.4<->Usb Datalink Driver (Windows 2000))

0xF79B8000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xF20E2000 C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mbr.sys 24576 bytes

0xF79A8000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xF79E8000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xF79D8000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)

0xF79F0000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xF78F8000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xF79C8000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xF79D0000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xF79C0000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xF7980000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)

0xF7A48000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xF7B54000 C:\WINDOWS\System32\Drivers\cdrbsdrv.SYS 16384 bytes (B.H.A Corporation, CD-ROM Filter Driver for Windows2000/xp)

0xF7B40000 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys 16384 bytes (HP, IEEE-1284.4-1999 Print Class Driver)

0xF7252000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0xEFE66000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xF7B60000 C:\WINDOWS\system32\DRIVERS\arpolicy.sys 12288 bytes (Microsoft Corporation, Microsoft AR Policy Driver (Beta 2 Release 2))

0xF7A80000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0xF64D3000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xEF9F2000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)

0xF7B64000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xF7B1C000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xF7BCA000 C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys 8192 bytes (Microsoft Corporation, Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2))

0xF7BC8000 C:\WINDOWS\system32\DRIVERS\armoucfltr.sys 8192 bytes (Microsoft Corporation, Microsoft AR PS/2 Mouse Filter Driver (Beta 2 Release 2))

0xF7BD2000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xF7B78000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)

0xF7BDE000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes

0xF7BD0000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xF7B76000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)

0xF7B70000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xF7BD4000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xF7BB8000 C:\WINDOWS\system32\Drivers\PROCEXP113.SYS 8192 bytes

0xF7BD6000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xF7BCC000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xF7BCE000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xF7B74000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

0xF7B72000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0xF7D59000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xF7D06000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xF7CB3000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

0xF7C38000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

==============================================

>Stealth

==============================================

Nothing detected :)

I haven't seen any problems so far....seems to be back to "normal". I ran MBAM and when I tried to update it, it mentioned that there was an error updating, but I do believe I have the most up-to-date version because I installed it right before we started all this, trying to get it to work, and of course it didn't at the time. It does now, and here is what it had as the log. I did remove the selected objects after I saved the log.

Here is the log.....

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

8/28/2010 5:24:26 PM

mbam-log-2010-08-28 (17-24-26).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 237204

Time elapsed: 56 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcgqpj0ea3r (Rogue.AntiVirusXP) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir (Trojan.Downloader) -> No action taken.

I swore this went through yesterday but I guess it did not. I did run MBAM and it had two things on there. Sorry, not on my computer to repost the log; it had the quarantined file and one other thing on there. I did remove the selected and reran MBAM and nothing is showing infected. If you really need that log, I can send it once I'm back on my home computer, just let me know.

Thanks!!!

Link to post
Share on other sites

No problem, if the last log was clean, it is okay. :blush:

Open notepad and copy/paste the text in the codebox below into it:

@echo off
rem Paths that contain spaces must be quoted, otherwise the for loop splits them into several tokens
for %%g in (
c:\qoobox\quarantine\c\docume~1\HP_ADM~1\LOCALS~1\Temp\csrss.exe.vir
c:\qoobox\quarantine\c\docume~1\HP_ADM~1\LOCALS~1\Temp\lsass.exe.vir
c:\qoobox\quarantine\c\docume~1\HP_ADM~1\LOCALS~1\Temp\services.exe.vir
c:\qoobox\quarantine\c\docume~1\HP_ADM~1\LOCALS~1\Temp\svchost.exe.vir
c:\qoobox\quarantine\c\docume~1\HP_ADM~1\LOCALS~1\Temp\taskmgr.exe.vir
c:\qoobox\quarantine\c\docume~1\HP_ADM~1\LOCALS~1\Temp\winlogon.exe.vir
"c:\qoobox\quarantine\c\documents and settings\HP_Administrator\Local Settings\Application Data\gagcpfptv\gofkwcmtssd.exe.vir"
"c:\qoobox\quarantine\c\documents and settings\LocalService\Application Data\1007491577.exe.vir"
"c:\qoobox\quarantine\c\documents and settings\LocalService\Application Data\1057695219.exe.vir"
"c:\qoobox\quarantine\c\documents and settings\LocalService\Application Data\1059006019.exe.vir"
"c:\qoobox\quarantine\c\documents and settings\LocalService\Application Data\1059989118.exe.vir"
"c:\qoobox\quarantine\c\documents and settings\LocalService\Application Data\1061889779.exe.vir"
"c:\qoobox\quarantine\c\documents and settings\LocalService\Application Data\1072703876.exe.vir"
"c:\qoobox\quarantine\c\documents and settings\LocalService\Application Data\1137457396.exe.vir"
"c:\qoobox\quarantine\c\documents and settings\LocalService\Application Data\937953636.exe.vir"
"c:\qoobox\quarantine\c\program files\AV Security Suite Basic\avsuite.exe.vir"
"c:\qoobox\quarantine\c\program files\Shared\lib.sig.vir"
c:\qoobox\quarantine\c\windows\equzuzeqijiw.dll.vir
c:\qoobox\quarantine\c\windows\icujuqumof.dll.vir
c:\qoobox\quarantine\c\windows\MailSwitch.ocx.vir
c:\qoobox\quarantine\c\windows\oyositefesuf.dll.vir
c:\qoobox\quarantine\c\windows\Readme.txt.vir
c:\qoobox\quarantine\c\windows\system32\driVERs\mvlkof.sys.vir
c:\qoobox\quarantine\c\windows\system32\ernel32.dll.vir
c:\qoobox\quarantine\c\windows\system32\wr7a2ig92.dll.vir
c:\qoobox\quarantine\c\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job.vir
c:\qoobox\quarantine\c\windows\tholgt.dll.vir
c:\qoobox\quarantine\c\windows\ucoceweweciqusol.dll.vir
) do zip Files_for_submission %%g
rem the batch file deletes itself once the archive has been built
del %0

Save this as grab.bat

Choose to "Save type as - All Files"

Save it on your desktop.

Double click on grab.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop. Please upload that file.

Please see here for instructions on how to upload the zip file. Let me know if you run into any problems.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png

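The grab.bat step above packages a fixed list of quarantined files into Files_for_submission.zip. The script below is an added example (not part of this thread and not the helper's batch file) that does the same collection in Python, with the two checks an analyst wants before a sample is uploaded: files that have already been removed are reported rather than aborting the run, and a SHA-256 manifest is written into the archive so the receiver can confirm what arrived. The paths and contents in demo() are constructed stand-ins written to a temporary directory; they are not the quarantine entries listed above.

```python
import hashlib
import os
import tempfile
import zipfile


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large samples stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_for_submission(paths, zip_path):
    """Zip every file in `paths` that still exists (the job grab.bat's loop does)
    and return {"added": {archive_name: sha256}, "missing": [path, ...]}."""
    manifest = {"added": {}, "missing": []}
    with zipfile.ZipFile(zip_path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            if not os.path.isfile(p):
                manifest["missing"].append(p)
                continue
            # Flatten the path into a unique member name so two quarantined files
            # with the same basename (e.g. svchost.exe.vir) do not overwrite each other.
            arcname = p.replace(":", "").replace("\\", "_").replace("/", "_").lstrip("_")
            zf.write(p, arcname)
            manifest["added"][arcname] = sha256_of(p)
        # manifest.txt inside the archive: "<sha256>  <member name>" per line.
        lines = [f"{digest}  {name}" for name, digest in sorted(manifest["added"].items())]
        zf.writestr("manifest.txt", "\n".join(lines) + "\n")
    return manifest


def archive_names(zip_path):
    """Member names of the archive, for a quick look at what was packed."""
    with zipfile.ZipFile(zip_path) as zf:
        return zf.namelist()


def verify_archive(zip_path):
    """Re-hash every member against manifest.txt; True only if all digests match."""
    with zipfile.ZipFile(zip_path) as zf:
        for line in zf.read("manifest.txt").decode().splitlines():
            digest, name = line.split("  ", 1)
            if hashlib.sha256(zf.read(name)).hexdigest() != digest:
                return False
    return True


def demo():
    """Constructed run: two harmless placeholder 'samples' plus one path that
    was never created, to exercise the missing-file branch. Assumed layout, not
    the quarantine folder from the thread."""
    root = tempfile.mkdtemp(prefix="quarantine_demo_")
    samples = {
        "avsuite.exe.vir": b"placeholder sample 1 (constructed, not malware)",
        "tholgt.dll.vir": b"placeholder sample 2 (constructed, not malware)",
    }
    paths = []
    for name, data in samples.items():
        p = os.path.join(root, name)
        with open(p, "wb") as fh:
            fh.write(data)
        paths.append(p)
    paths.append(os.path.join(root, "already_deleted.vir"))  # deliberately absent
    out = os.path.join(root, "Files_for_submission.zip")
    return collect_for_submission(paths, out), out


if __name__ == "__main__":
    manifest, out = demo()
    print("archive:", out)
    print("added:", len(manifest["added"]), "missing:", manifest["missing"])
    print("manifest verifies:", verify_archive(out))
```

The flattened member names keep the original location recoverable (drive letter and folders survive as underscore-separated segments), which matters when several quarantined copies share a basename, as the svchost.exe and winlogon.exe entries in the list above do.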

Okay, Files_for_submission is attached, and here is the log that came from ESETScan... it found 28 infected items.

C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bof.jar-3d84a2f0-76c5a9cc.zip multiple threats

C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\des.jar-1624ecec-7aa70333.zip multiple threats

C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\des.jar-da145d9-678fd3d9.zip multiple threats

C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\des.jar-da14674-65ce9663.zip multiple threats

C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmaudio.jar-1ac8c67f-2bdcc986.zip probably a variant of Win32/Agent.HRYTTOE trojan

C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmaudio.jar-66017969-3a0b92bb.zip probably a variant of Win32/Agent.HRYTTOE trojan

C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmseria.jar-38906e0b-7b35f457.zip multiple threats

C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmseria.jar-6d57bb21-7b70b8f1.zip multiple threats

C:\Documents and Settings\HP_Administrator\Desktop\Files_for_submission.zip multiple threats

C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator\Application Data\4fbab23a.exe.vir a variant of Win32/Kryptik.FGR trojan

C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator\Application Data\FDCE7A7D0972FE534A5EB0596586084D\070700Setup.exe.vir a variant of Win32/Kryptik.FJW trojan

C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator\Local Settings\Application Data\gagcpfptv\gofkwcmtssd.exe.vir Win32/Adware.SpywareProtect2009 application

C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator\Local Settings\Application Data\{DC013930-612F-47B4-BDC8-57F0505379DC}\chrome\content\overlay.xul.vir probably a variant of Win32/Agent.NVQFFQI trojan

C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\1007491577.exe.vir Win32/SpamTool.Agent.NAQ trojan

C:\Qoobox\Quarantine\C\Program Files\AV Security Suite Basic\avsuite.exe.vir a variant of Win32/Adware.SpyProtector.T application

C:\Qoobox\Quarantine\C\WINDOWS\equzuzeqijiw.dll.vir a variant of Win32/Cimag.CK trojan

C:\Qoobox\Quarantine\C\WINDOWS\tholgt.dll.vir a variant of Win32/Cimag.CW trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\ernel32.dll.vir a variant of Win32/Kryptik.FGR trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\wr7a2ig92.dll.vir probably a variant of Win32/Agent.BNTBNQA trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\atapi.sys.vir Win32/Olmarik.ZC trojan

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0001126.sys Win32/Olmarik.ZC trojan

C:\WINDOWS\Vtixea.exe Win32/TrojanDownloader.FakeAlert.AQI trojan

C:\WINDOWS\$NtServicePackUninstall$\explorer.exe Win32/TrojanProxy.Agent.NCI virus

C:\WINDOWS\$NtServicePackUninstall$\lsass.exe Win32/TrojanProxy.Agent.NCI virus

C:\WINDOWS\$NtServicePackUninstall$\services.exe Win32/TrojanProxy.Agent.NCI virus

C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe Win32/TrojanProxy.Agent.NCI virus

C:\WINDOWS\$NtServicePackUninstall$\svchost.exe Win32/TrojanProxy.Agent.NCI virus

C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe Win32/TrojanProxy.Agent.NCI virus

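A scanner log like the one posted above mixes detections that matter now (a live file in C:\WINDOWS) with ones that are already contained (entries under Qoobox\Quarantine, the restore point, the Java cache, or the submission zip itself). The script below is an added example, not part of this thread or of any ESET tooling: it parses lines of the form "<path> <detection>", groups them by detection family, classifies each hit by where it sits on disk, and returns the still-active paths separately. The sample input is an excerpt of the log lines posted above; the location categories and the regular expression are assumptions made for this example.

```python
import re
from collections import Counter

# Excerpt of the ESET log posted in this thread (verbatim lines), used as
# offline sample input.
ESET_LOG_EXCERPT = r"""
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bof.jar-3d84a2f0-76c5a9cc.zip multiple threats
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmaudio.jar-1ac8c67f-2bdcc986.zip probably a variant of Win32/Agent.HRYTTOE trojan
C:\Documents and Settings\HP_Administrator\Desktop\Files_for_submission.zip multiple threats
C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator\Application Data\4fbab23a.exe.vir a variant of Win32/Kryptik.FGR trojan
C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator\Local Settings\Application Data\gagcpfptv\gofkwcmtssd.exe.vir Win32/Adware.SpywareProtect2009 application
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\atapi.sys.vir Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0001126.sys Win32/Olmarik.ZC trojan
C:\WINDOWS\Vtixea.exe Win32/TrojanDownloader.FakeAlert.AQI trojan
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe Win32/TrojanProxy.Agent.NCI virus
C:\WINDOWS\$NtServicePackUninstall$\lsass.exe Win32/TrojanProxy.Agent.NCI virus
"""

# Paths contain spaces, so the split point is found from the right: the detection
# text is either "multiple threats" or an optionally qualified Win32/... name
# followed by its class (trojan, virus, application), anchored at end of line.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\S)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?"
    r"(?:Win32/\S+ (?:trojan|virus|application)|multiple threats))$"
)


def family(detection):
    """'a variant of Win32/Kryptik.FGR trojan' -> 'Win32/Kryptik'."""
    m = re.search(r"(Win32/[^.\s]+)", detection)
    return m.group(1) if m else detection


def classify(path):
    """Where the hit lives; only 'active' needs action on the running system.
    Categories are an assumption of this example, not ESET's."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p or p.endswith(".vir"):
        return "quarantine"          # already isolated by ComboFix
    if "\\system volume information\\" in p:
        return "restore_point"       # old restore point copy
    if "\\$ntservicepackuninstall$\\" in p:
        return "sp_backup"           # backup copies of system binaries: follow up on the live ones
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"          # cached applet jars, safe to clear
    if p.endswith("files_for_submission.zip"):
        return "submission_archive"  # the zip built for upload, expected to trip the scanner
    return "active"


def parse_line(line):
    """Return a dict for one log line, or None if it is not a detection line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, detection = m.group("path"), m.group("detection")
    return {"path": path, "detection": detection,
            "family": family(detection), "location": classify(path)}


def triage(log_text):
    """Summarise a scanner log: counts by location and family, active paths,
    and any lines the parser could not understand."""
    hits, unparsed = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hit = parse_line(line)
        (hits.append(hit) if hit else unparsed.append(line))
    return {
        "total": len(hits),
        "by_location": dict(Counter(h["location"] for h in hits)),
        "by_family": dict(Counter(h["family"] for h in hits)),
        "active": [h["path"] for h in hits if h["location"] == "active"],
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    summary = triage(ESET_LOG_EXCERPT)
    for key in ("total", "by_location", "by_family", "active", "unparsed"):
        print(f"{key}: {summary[key]}")
```

Unparsed lines are returned rather than dropped so a format the regular expression does not know (a different product's log, a localised string) shows up in the output instead of silently shrinking the count.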

This topic is now closed to further replies.