
Need Help - Root Hijack



All, I have an issue that I need help with. I am infected and Malwarebytes and ESET cannot fix it. Below is the DDS log, and attached are the files from DDS and GMER.

protection_log_2010_09_01.zip

DDS (Ver_10-03-17.01) - NTFSx86

Run by Ed at 20:01:53.37 on Wed 09/01/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2810 [GMT -5:00]

AV: ESET NOD32 Antivirus 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

svchost.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

"C:\WINDOWS\System32\svchost.exe"

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\svchost.exe -k HPService

C:\Program Files\Mozilla Firefox\f


Hello reallybigshow! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step. If there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. The absence of symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

Step 1

Please, uninstall the following applications:

  1. Adobe Reader 9.1

You can read how to do this here:

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to the "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to the "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In your next reply, please include these log(s):

  1. Malwarebytes' Anti-Malware log
  2. a new fresh entire log file of DDS


Thanks for the help. Just curious, but why did I need to remove Adobe Reader?

Below are the logs.

==============

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4531

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/2/2010 12:51:04 PM

mbam-log-2010-09-02 (12-51-04).txt

Scan type: Quick scan

Objects scanned: 148223

Time elapsed: 9 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

=====================================

DDS (Ver_10-03-17.01) - NTFSx86

Run by Ed at 12:53:21.84 on Thu 09/02/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2818 [GMT -5:00]

AV: ESET NOD32 Antivirus 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\igfxsrvc.exe

svchost.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\svchost.exe -k HPService

"C:\WINDOWS\System32\svchost.exe"

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Documents and Settings\Ed\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.chase.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:6522

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 4.0\apdproxy.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

StartupFolder: c:\docume~1\ed\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm


<Moderator comment>

@reallybigshow

Besides this topic, you had posted 10 other separate topics in this forum on the same issue.

I have deleted the others.

Stay with this topic.

Maniac is your helper. So stay with this topic here. Make sure you are subscribed to this topic.

Your Adobe Reader version is old and subject to security issues. You need to de-install it and afterwards get the latest version.

Also, the copy of your DDS log is chopped and incomplete. See about copying all of the contents and post in a new reply.

<end of comments>

I will not be watching this topic.

Good luck.


Thanks for deleting those others. I had a browser issue, probably related, and it was timing out and I was unaware it was actually posting. Here is the DDS again.

===================================================

DDS (Ver_10-03-17.01) - NTFSx86

Run by Ed at 12:53:21.84 on Thu 09/02/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2818 [GMT -5:00]

AV: ESET NOD32 Antivirus 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\igfxsrvc.exe

svchost.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\svchost.exe -k HPService

"C:\WINDOWS\System32\svchost.exe"

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Documents and Settings\Ed\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.chase.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:6522

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 4.0\apdproxy.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

StartupFolder: c:\docume~1\ed\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xml


Trying this again. The text keeps getting truncated.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Ed at 20:01:53.37 on Wed 09/01/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2810 [GMT -5:00]

AV: ESET NOD32 Antivirus 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

svchost.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

"C:\WINDOWS\System32\svchost.exe"

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\svchost.exe -k HPService

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Ed\My Documents\Downloads\Defogger.exe

C:\Documents and Settings\Ed\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.chase.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:6522

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 4.0\apdproxy.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

StartupFolder: c:\docume~1\ed\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247330226421

DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ed\applic~1\mozilla\firefox\profiles\o3v3ym8l.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.chase.com/

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 6522

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-8-3 95896]

R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-8-12 810144]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-22 304464]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-22 20952]

R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2009-7-11 3768]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-7-11 845184]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]

S2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf squeezemysql --> c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf SqueezeMySQL [?]

S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2009-7-11 184320]

=============== Created Last 30 ================

2010-09-02 01:00:57 0 ----a-w- c:\documents and settings\ed\defogger_reenable

2010-09-01 23:58:16 0 d-----w- c:\program files\ESET

2010-08-22 18:28:06 0 d-----w- c:\docume~1\ed\applic~1\WeatherBug

2010-08-22 18:28:01 0 d-----w- c:\program files\AWS

2010-08-22 18:07:41 0 d-----w- c:\windows\system32\InetCntrl

2010-08-22 17:36:06 0 d-----w- c:\docume~1\ed\applic~1\Malwarebytes

2010-08-22 16:49:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-22 16:49:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-22 16:49:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-22 16:49:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-08-22 16:45:29 0 d-----w- c:\program files\CCleaner

2010-08-21 15:46:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Update

2010-08-21 15:46:50 785408 ----a-w- c:\windows\system32\drivers\qxainog.sys

2010-08-21 15:46:43 5 ----a-w- C:\zrpt.xml

2010-08-17 15:39:37 0 d-----w- c:\windows\system32\scripting

2010-08-17 15:39:37 0 d-----w- c:\windows\l2schemas

2010-08-17 15:39:36 0 d-----w- c:\windows\system32\en

2010-08-17 15:34:18 0 d-----w- c:\windows\network diagnostic

2010-08-17 15:31:07 0 d-----w- c:\program files\CodeStuff

2010-08-17 03:19:03 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-08-17 03:19:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-08-15 13:08:31 0 ----a-w- c:\documents and settings\ed\

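A triage helper for the DDS log format posted above, added here as an example; it is not part of DDS, Malwarebytes, ComboFix or anything posted in this thread. It reads the Pseudo HJT Report and FIREFOX sections from constructed sample lines in the log's format and flags what matters in this log: the IE and Firefox proxy settings pointed at 127.0.0.1:6522 (a loopback proxy lets a local component see and alter browser traffic; Firefox's network.proxy.type says whether the stored entry is actually in use) and the "No File" orphan entries.

```python
"""Triage the "Pseudo HJT Report" and "FIREFOX" sections of a DDS log.

Added example, not part of DDS or Malwarebytes: flags a browser proxy that
points at the loopback interface (IE and Firefox) and BHO/TB/EB registry
entries whose target file no longer exists ("No File").
"""
import re
from dataclasses import dataclass

# Constructed sample in the DDS line format; the values mirror the thread's log.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.chase.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
================= FIREFOX ===================
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 6522
FF - prefs.js: network.proxy.type - 0
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
IE_PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js:\s*(\S+)\s*-\s*(.*)$")
ORPHAN_RE = re.compile(r"^(BHO|TB|EB):\s*(.+?)\s*-\s*No File$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    kind: str
    detail: str


def parse_ie_proxy(value):
    """Parse an IE ProxyServer value into {scheme: (host, port)}.

    IE stores either a single 'host:port' (applied to every scheme, keyed
    here as 'all') or a ';'-separated list like 'http=host:port;https=...'.
    """
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        if ":" in hostport:
            host, port_text = hostport.rsplit(":", 1)
            port = int(port_text) if port_text.isdigit() else None
        else:
            host, port = hostport, None
        proxies[scheme or "all"] = (host, port)
    return proxies


def triage(log_text):
    """Return a list of Findings for DDS-formatted text."""
    findings, ie_loopback_ports, ff_prefs = [], set(), {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = IE_PROXY_RE.match(line)
        if m:
            for scheme, (host, port) in parse_ie_proxy(m.group(1)).items():
                if host.lower() in LOOPBACK_HOSTS:
                    ie_loopback_ports.add(port)
                    findings.append(Finding(
                        "high", "ie-loopback-proxy",
                        f"IE routes {scheme} traffic through {host}:{port}; "
                        "identify which local process listens on that port"))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff_prefs[m.group(1)] = m.group(2).strip()
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append(Finding(
                "low", "orphaned-entry",
                f"{m.group(1)} {m.group(2)} points at a file that no longer exists"))

    # Firefox keeps the manual proxy host/port even when network.proxy.type is
    # 0 (direct connection), so a loopback entry may be stored but dormant.
    ff_host = ff_prefs.get("network.proxy.http", "")
    if ff_host.lower() in LOOPBACK_HOSTS:
        port_text = ff_prefs.get("network.proxy.http_port", "")
        ff_port = int(port_text) if port_text.isdigit() else None
        in_use = ff_prefs.get("network.proxy.type", "0") != "0"
        state = "active" if in_use else "stored but not active (proxy type 0)"
        findings.append(Finding(
            "high" if in_use else "medium", "firefox-loopback-proxy",
            f"Firefox manual proxy is {ff_host}:{ff_port}, {state}"))
        if ff_port in ie_loopback_ports:
            findings.append(Finding(
                "high", "shared-local-port",
                f"IE and Firefox both point at local port {ff_port}: one "
                "component is positioned to intercept traffic from both browsers"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
```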

Thanks Maurice!

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
    (screenshots: CF_download_FF.gif, CF_download_rename.gif)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Here is the log.

============

ComboFix 10-09-06.03 - Ed 09/06/2010 18:09:50.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.3047 [GMT -5:00]

Running from: c:\documents and settings\Ed\Desktop\Combo-Fix.exe

AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

* Created a new restore point

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))

.

2010-09-06 23:09 . 2010-09-06 23:09 -------- d-----w- c:\documents and settings\Ed\Local Settings\Application Data\ESET

2010-09-02 00:04 . 2010-09-02 00:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-09-01 23:58 . 2010-09-01 23:58 -------- d-----w- c:\program files\ESET

2010-09-01 23:58 . 2010-09-01 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2010-09-01 23:25 . 2010-09-01 23:25 -------- d-----w- c:\program files\Windows Defender

2010-08-31 20:30 . 2010-08-31 20:30 0 ----a-w- c:\windows\nsreg.dat

2010-08-31 20:30 . 2010-08-31 20:30 -------- d-----w- c:\documents and settings\Ed\Local Settings\Application Data\Mozilla

2010-08-22 18:28 . 2010-08-22 18:28 -------- d-----w- c:\documents and settings\Ed\Application Data\WeatherBug

2010-08-22 18:28 . 2010-08-22 18:28 -------- d-----w- c:\program files\AWS

2010-08-22 18:07 . 2010-08-22 18:07 -------- d-----w- c:\windows\system32\InetCntrl

2010-08-22 17:36 . 2010-08-22 17:36 -------- d-----w- c:\documents and settings\Ed\Application Data\Malwarebytes

2010-08-22 16:49 . 2010-08-22 16:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-08-22 16:40 . 2009-12-03 14:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help

2010-08-22 16:39 . 2010-08-31 18:13 -------- d-----w- c:\documents and settings\Administrator

2010-08-21 16:18 . 2010-08-21 16:18 -------- d-----w- c:\documents and settings\Ed\Local Settings\Application Data\Threat Expert

2010-08-21 16:17 . 2010-08-31 20:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-21 15:47 . 2010-08-21 15:47 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2010-08-21 15:46 . 2010-08-22 17:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\grcaobtao

2010-08-21 15:46 . 2010-08-22 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

2010-08-21 15:46 . 2010-09-06 23:23 785408 ----a-w- c:\windows\system32\drivers\qxainog.sys

2010-08-17 15:39 . 2010-08-17 15:39 -------- d-----w- c:\windows\system32\scripting

2010-08-17 15:39 . 2010-08-17 15:39 -------- d-----w- c:\windows\l2schemas

2010-08-17 15:39 . 2010-08-17 15:39 -------- d-----w- c:\windows\system32\en

2010-08-17 15:31 . 2010-08-31 20:25 -------- d-----w- c:\program files\CodeStuff

2010-08-17 03:19 . 2010-08-31 20:26 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-08-17 03:19 . 2010-08-31 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-08-16 02:31 . 2010-08-16 02:31 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-08-12 16:57 . 2010-08-12 17:01 -------- d-----w- c:\temp\DMTemp

2010-08-12 16:57 . 2010-08-12 16:57 -------- d-----w- C:\Temp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-02 17:32 . 2009-07-11 18:08 -------- d-----w- c:\program files\Common Files\Adobe

2010-08-31 20:29 . 2009-12-17 01:45 -------- d-----w- c:\program files\Yahoo!

2010-08-31 20:27 . 2010-02-07 18:20 -------- d-----w- c:\program files\TVersity

2010-08-31 20:25 . 2010-04-21 15:56 -------- d-----w- c:\documents and settings\Ed\Application Data\uTorrent

2010-08-31 20:06 . 2010-08-22 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-22 16:49 . 2010-08-22 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-08-22 16:45 . 2010-08-22 16:45 -------- d-----w- c:\program files\CCleaner

2010-08-21 16:18 . 2009-07-11 17:58 -------- d-----w- c:\program files\Google

2010-08-19 03:21 . 2009-07-11 18:40 -------- d-----w- c:\documents and settings\Ed\Application Data\Apple Computer

2010-08-17 15:42 . 2009-07-03 03:28 86327 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat

2010-08-12 16:20 . 2009-07-11 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-08-04 16:50 . 2010-08-04 16:50 140752 ----a-w- c:\windows\system32\drivers\eamon.sys

2010-08-03 18:28 . 2010-08-03 18:28 95896 ----a-w- c:\windows\system32\drivers\epfwtdir.sys

2010-08-01 15:30 . 2010-07-09 01:46 -------- d-----w- c:\program files\iTunes

2010-08-01 15:29 . 2010-08-01 15:29 -------- d-----w- c:\program files\iPod

2010-08-01 15:29 . 2009-07-11 18:39 -------- d-----w- c:\program files\Common Files\Apple

2010-08-01 15:26 . 2010-08-01 15:26 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe

2010-07-29 18:31 . 2010-07-29 18:31 115008 ----a-w- c:\windows\system32\drivers\ehdrv.sys

2010-07-12 20:06 . 2009-07-11 18:32 -------- d-----w- c:\program files\Common Files\InstallShield

2010-07-09 01:47 . 2010-07-09 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-07-09 01:44 . 2010-07-09 01:44 -------- d-----w- c:\program files\QuickTime

2010-06-27 17:51 . 2010-06-27 17:51 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb7D.tmp.exe

2010-06-25 18:11 . 2010-06-25 18:11 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb6F.tmp.exe

2010-06-23 14:12 . 2010-06-23 14:12 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb58.tmp.exe

2010-06-14 14:31 . 2009-07-03 03:26 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2010-06-30 1652736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-21 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-21 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-21 137752]

"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-08-15 30003200]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-08-12 2215064]

c:\documents and settings\Ed\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-9-9 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 1:31 PM 115008]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/3/2010 1:28 PM 95896]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [8/12/2010 2:16 PM 810144]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/22/2010 11:49 AM 304464]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/22/2010 11:49 AM 20952]

R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [7/11/2009 1:43 PM 3768]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [7/11/2009 1:33 PM 845184]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 4:07 PM 135664]

S2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]

S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [7/11/2009 1:43 PM 184320]

--- Other Services/Drivers In Memory ---

*Deregistered* - qxainog

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

2010-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 21:07]

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 21:07]

2010-09-06 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-09-06 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-12-03 04:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.chase.com/

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:6522

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\o3v3ym8l.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.chase.com/

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 6522

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-06 18:25

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

c:\windows\system32\wbem\Performance\WmiApRpl_new.ini 924 bytes

c:\windows\TEMP\TMP0000004114DCDBAB64D76A1C 524288 bytes executable

scan completed successfully

hidden files: 2

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AD4BACE]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9e4a852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9d56bb0

PacketIndicateHandler -> NDIS.sys @ 0xb9d63a21

SendHandler -> NDIS.sys @ 0xb9d4187b

user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qxainog]

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(492)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(552)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3724)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

.

**************************************************************************

.

Completion time: 2010-09-06 18:31:52 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-06 23:31

Pre-Run: 386,925,256,704 bytes free

Post-Run: 387,463,933,952 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 67B85A57D6F5CA982CA24EF77920149D


Open Notepad and copy and paste the text in the code box below into it:

```
http://forums.malwarebytes.org/index.php?showtopic=61777

Collect::[8]
c:\windows\system32\drivers\qxainog.sys

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qxainog]

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 6522
FF - prefs.js: network.proxy.type - 0
```

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

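The DDS:: block above resets browser proxy entries that point at 127.0.0.1:6522, a proxy on the infected machine itself, which is how a resident component can sit between the browser and every site it visits (the start page in this log is a bank). As an added example, not code from the forum, ComboFix or DDS, here is a Python check that scans log lines in the same "Supplementary Scan" format for such loopback proxies; the sample lines are constructed to mirror the log, and the line regexes, the `u`/`m` hive prefixes and the Firefox `network.proxy.type` rule are this example's own assumptions about the format.

```python
"""Flag browser proxy settings that point back at the local host, in the
DDS/ComboFix 'Supplementary Scan' line format used in this thread.

Added example for this thread; not code from the forum, ComboFix or DDS.
SAMPLE_LOG is constructed in the log's format; the regexes and the
network.proxy.type rule are this example's own assumptions.
"""
import re
from ipaddress import ip_address

# Constructed sample, mirroring the lines the helper told ComboFix to reset.
SAMPLE_LOG = """\
uStart Page = hxxp://www.chase.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uSearchAssistant = hxxp://www.google.com/ie
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 6522
FF - prefs.js: network.proxy.type - 0
"""

# Assumed DDS prefixes: 'u' = current-user hive, 'm' = machine hive.
IE_PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js:\s*(?P<key>network\.proxy\.\S+)\s*-\s*(?P<value>.+)$")


def is_loopback_host(host):
    """True for 127.0.0.0/8, ::1 or 'localhost': a proxy there is a process on this PC."""
    try:
        return ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def parse_ie_proxy(value):
    """Parse a ProxyServer value ('http=127.0.0.1:6522;https=...' or a bare
    'host:port' that applies to every scheme) into {scheme: (host, port)}."""
    proxies = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, hostport = entry.split("=", 1) if "=" in entry else ("*", entry)
        host, sep, port = hostport.rpartition(":")
        if not sep:                      # no port given
            host, port = hostport, ""
        proxies[scheme] = (host, int(port) if port.isdigit() else None)
    return proxies


def find_loopback_proxies(log_text):
    """Return one finding per browser whose HTTP proxy points at the local host.

    'active' says whether the browser would use the proxy as far as these lines
    show: the DDS lines carry no ProxyEnable flag, so an IE entry is assumed
    active; Firefox honours network.proxy.http only when network.proxy.type is
    1 (manual), so type 0 means the value is planted but currently inert, which
    is still worth removing.
    """
    findings = []
    ff_prefs = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = IE_PROXY_RE.match(line)
        if m:
            for scheme, (host, port) in parse_ie_proxy(m.group("value")).items():
                if is_loopback_host(host):
                    findings.append({"browser": "IE", "scheme": scheme,
                                     "host": host, "port": port, "active": True})
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff_prefs[m.group("key")] = m.group("value").strip()

    host = ff_prefs.get("network.proxy.http")
    if host and is_loopback_host(host):
        port = ff_prefs.get("network.proxy.http_port", "")
        findings.append({"browser": "Firefox", "scheme": "http", "host": host,
                         "port": int(port) if port.isdigit() else None,
                         "active": ff_prefs.get("network.proxy.type") == "1"})
    return findings


if __name__ == "__main__":
    for f in find_loopback_proxies(SAMPLE_LOG):
        state = "in use" if f["active"] else "set but not enabled"
        print(f"{f['browser']}: {f['scheme']} proxy -> {f['host']}:{f['port']} ({state})")
```

A legitimate local proxy (some web-filtering security products install one) would trip the same check, so treat a hit as a lead to verify against the process owning that port rather than as proof of infection.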

Here is the log. Can you explain what we are doing so I can understand (just curious)? Does the ComboFix remove the malicious files or just help us identify them so we can figure out a way to delete, etc....??

=============

ComboFix 10-09-07.01 - Ed 09/07/2010 21:17:42.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.3042 [GMT -5:00]

Running from: c:\documents and settings\Ed\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Ed\Desktop\cfscript.txt

AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

* Resident AV is active

file zipped: c:\windows\system32\drivers\qxainog.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\qxainog.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_qxainog

-------\Service_qxainog

((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))

.

2010-09-06 23:09 . 2010-09-06 23:09 -------- d-----w- c:\documents and settings\Ed\Local Settings\Application Data\ESET

2010-09-06 22:48 . 2010-09-06 23:32 -------- d-----w- C:\Combo-Fix

2010-09-02 00:04 . 2010-09-02 00:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-09-01 23:58 . 2010-09-01 23:58 -------- d-----w- c:\program files\ESET

2010-09-01 23:58 . 2010-09-01 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2010-09-01 23:25 . 2010-09-01 23:25 -------- d-----w- c:\program files\Windows Defender

2010-08-31 20:30 . 2010-08-31 20:30 0 ----a-w- c:\windows\nsreg.dat

2010-08-31 20:30 . 2010-08-31 20:30 -------- d-----w- c:\documents and settings\Ed\Local Settings\Application Data\Mozilla

2010-08-22 18:28 . 2010-08-22 18:28 -------- d-----w- c:\documents and settings\Ed\Application Data\WeatherBug

2010-08-22 18:28 . 2010-08-22 18:28 -------- d-----w- c:\program files\AWS

2010-08-22 18:07 . 2010-08-22 18:07 -------- d-----w- c:\windows\system32\InetCntrl

2010-08-22 17:36 . 2010-08-22 17:36 -------- d-----w- c:\documents and settings\Ed\Application Data\Malwarebytes

2010-08-22 16:49 . 2010-08-22 16:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-08-22 16:49 . 2010-08-31 20:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-22 16:40 . 2009-12-03 14:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help

2010-08-22 16:39 . 2010-08-31 18:13 -------- d-----w- c:\documents and settings\Administrator

2010-08-21 16:18 . 2010-08-21 16:18 -------- d-----w- c:\documents and settings\Ed\Local Settings\Application Data\Threat Expert

2010-08-21 16:17 . 2010-08-31 20:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-21 15:47 . 2010-08-21 15:47 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2010-08-21 15:46 . 2010-08-22 17:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\grcaobtao

2010-08-21 15:46 . 2010-08-22 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

2010-08-17 15:39 . 2010-08-17 15:39 -------- d-----w- c:\windows\system32\scripting

2010-08-17 15:39 . 2010-08-17 15:39 -------- d-----w- c:\windows\l2schemas

2010-08-17 15:39 . 2010-08-17 15:39 -------- d-----w- c:\windows\system32\en

2010-08-17 15:31 . 2010-08-31 20:25 -------- d-----w- c:\program files\CodeStuff

2010-08-17 03:19 . 2010-08-31 20:26 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-08-17 03:19 . 2010-08-31 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-08-16 02:31 . 2010-08-16 02:31 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-08-12 16:57 . 2010-08-12 17:01 -------- d-----w- c:\temp\DMTemp

2010-08-12 16:57 . 2010-08-12 16:57 -------- d-----w- C:\Temp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-02 17:32 . 2009-07-11 18:08 -------- d-----w- c:\program files\Common Files\Adobe

2010-08-31 20:29 . 2009-12-17 01:45 -------- d-----w- c:\program files\Yahoo!

2010-08-31 20:27 . 2010-02-07 18:20 -------- d-----w- c:\program files\TVersity

2010-08-31 20:25 . 2010-04-21 15:56 -------- d-----w- c:\documents and settings\Ed\Application Data\uTorrent

2010-08-22 16:49 . 2010-08-22 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-08-22 16:45 . 2010-08-22 16:45 -------- d-----w- c:\program files\CCleaner

2010-08-21 16:18 . 2009-07-11 17:58 -------- d-----w- c:\program files\Google

2010-08-19 03:21 . 2009-07-11 18:40 -------- d-----w- c:\documents and settings\Ed\Application Data\Apple Computer

2010-08-17 15:42 . 2009-07-03 03:28 86327 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat

2010-08-12 16:20 . 2009-07-11 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-08-04 16:50 . 2010-08-04 16:50 140752 ----a-w- c:\windows\system32\drivers\eamon.sys

2010-08-03 18:28 . 2010-08-03 18:28 95896 ----a-w- c:\windows\system32\drivers\epfwtdir.sys

2010-08-01 15:30 . 2010-07-09 01:46 -------- d-----w- c:\program files\iTunes

2010-08-01 15:29 . 2010-08-01 15:29 -------- d-----w- c:\program files\iPod

2010-08-01 15:29 . 2009-07-11 18:39 -------- d-----w- c:\program files\Common Files\Apple

2010-08-01 15:26 . 2010-08-01 15:26 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe

2010-07-29 18:31 . 2010-07-29 18:31 115008 ----a-w- c:\windows\system32\drivers\ehdrv.sys

2010-07-12 20:06 . 2009-07-11 18:32 -------- d-----w- c:\program files\Common Files\InstallShield

2010-06-27 17:51 . 2010-06-27 17:51 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb7D.tmp.exe

2010-06-25 18:11 . 2010-06-25 18:11 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb6F.tmp.exe

2010-06-23 14:12 . 2010-06-23 14:12 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb58.tmp.exe

2010-06-14 14:31 . 2009-07-03 03:26 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe

.

((((((((((((((((((((((((((((( SnapShot@2010-09-06_23.22.27 )))))))))))))))))))))))))))))))))))))))))

.

- 2002-08-29 12:00 . 2010-09-06 23:12 41040 c:\windows\system32\perfc009.dat

+ 2002-08-29 12:00 . 2010-09-08 02:19 41040 c:\windows\system32\perfc009.dat

+ 2002-08-29 12:00 . 2010-09-08 02:19 314838 c:\windows\system32\perfh009.dat

- 2002-08-29 12:00 . 2010-09-06 23:12 314838 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2010-06-30 1652736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-21 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-21 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-21 137752]

"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-08-15 30003200]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-08-12 2215064]

c:\documents and settings\Ed\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-9-9 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 1:31 PM 115008]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/3/2010 1:28 PM 95896]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [8/12/2010 2:16 PM 810144]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/22/2010 11:49 AM 304464]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/22/2010 11:49 AM 20952]

R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [7/11/2009 1:43 PM 3768]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [7/11/2009 1:33 PM 845184]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 4:07 PM 135664]

S2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]

S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [7/11/2009 1:43 PM 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

2010-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 21:07]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 21:07]

2010-09-08 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-09-08 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-12-03 04:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.chase.com/

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\o3v3ym8l.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.chase.com/

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 6522

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-07 21:31

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AF6FACE]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9e4a852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9d56bb0

PacketIndicateHandler -> NDIS.sys @ 0xb9d63a21

SendHandler -> NDIS.sys @ 0xb9d4187b

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(476)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(544)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3116)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

.

**************************************************************************

.

Completion time: 2010-09-07 21:38:20 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-08 02:38

ComboFix2.txt 2010-09-06 23:31

Pre-Run: 387,551,731,712 bytes free

Post-Run: 387,538,980,864 bytes free

- - End Of File - - 7A0E3AEB536E0E835653667E3E62E1E3


I found it and killed it. :)

Step 1

  1. Please visit this website: Submit Malware Sample
  2. Against the inscription: "Link to topic where this file was requested:", insert links pointing to this topic in our forum.
  3. Against the inscription: "Browse to the file you want to submit:", click on the Choose... button.
  4. Navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
  5. Against the inscription: "Leave any comments, further information about this file, or contact information:" should be written as follows:
    Sent at the request of Borislav.
  6. Once you're ready, click the Send File button.

Step 2

  1. Download mbr.exe to your Desktop.
  2. Doubleclick mbr.exe and follow prompts.
  3. When mbr.exe is ready, it will create a log.
  4. Copy and paste contents of that file to your next reply.

Here is the log. It created it right away, so I am not sure if this is correct. Also, per your comment that "you killed it", am I supposed to be seeing improvements yet? I am still getting significant blocks by Malwarebytes and also the ENOD. Please advise.

============

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Now click on Advanced Settings and select the following:

    • Remove found threats
    • Scan archives
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=3a91d3079012eb498f65e52c526bd3bd

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-09-10 08:39:06

# local_time=2010-09-10 03:39:06 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=5889 16768381 100 100 678662 123969318 0 0

# compatibility_mode=8199 39157077 100 100 0 2421730 0 0

# scanned=85225

# found=5

# cleaned=5

# scan_time=2573

# nod_component=V3 Build:0x30000000

C:\Qoobox\Quarantine\[8]-Submit_2010-09-07_21.16.57.zip a variant of Win32/Bubnix.AZ trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\qxainog.sys.vir a variant of Win32/Bubnix.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\_qxainog_.sys.zip a variant of Win32/Bubnix.AZ trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{49AE18BF-4234-4592-9960-EF1743AE465A}\RP385\A0037090.dll a variant of Win32/Routmo.N trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{49AE18BF-4234-4592-9960-EF1743AE465A}\RP401\A0044338.sys a variant of Win32/Bubnix.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Hello there and sorry for the delay, Maniac is currently unavailable, so I will take over this thread.

There is still some work to do here. :)

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Here is the log.

==================

2010/09/20 08:50:28.0500 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44

2010/09/20 08:50:28.0500 ================================================================================

2010/09/20 08:50:28.0500 SystemInfo:

2010/09/20 08:50:28.0500

2010/09/20 08:50:28.0500 OS Version: 5.1.2600 ServicePack: 3.0

2010/09/20 08:50:28.0500 Product type: Workstation

2010/09/20 08:50:28.0500 ComputerName: KITCHEN

2010/09/20 08:50:28.0500 UserName: Ed

2010/09/20 08:50:28.0500 Windows directory: C:\WINDOWS

2010/09/20 08:50:28.0500 System windows directory: C:\WINDOWS

2010/09/20 08:50:28.0500 Processor architecture: Intel x86

2010/09/20 08:50:28.0500 Number of processors: 2

2010/09/20 08:50:28.0500 Page size: 0x1000

2010/09/20 08:50:28.0500 Boot type: Normal boot

2010/09/20 08:50:28.0500 ================================================================================

2010/09/20 08:50:28.0625 Initialize success

2010/09/20 08:50:33.0203 ================================================================================

2010/09/20 08:50:33.0203 Scan started

2010/09/20 08:50:33.0203 Mode: Manual;

2010/09/20 08:50:33.0203 ================================================================================

2010/09/20 08:50:34.0171 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/09/20 08:50:34.0203 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/09/20 08:50:34.0265 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/09/20 08:50:34.0281 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/09/20 08:50:34.0390 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/09/20 08:50:34.0390 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/09/20 08:50:34.0421 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/09/20 08:50:34.0468 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/09/20 08:50:34.0500 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/09/20 08:50:34.0546 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/09/20 08:50:34.0578 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2010/09/20 08:50:34.0609 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/09/20 08:50:34.0625 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/09/20 08:50:34.0687 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/09/20 08:50:34.0781 DgiVecp (a5034f77b278f07e224fe07cf98a8b76) C:\WINDOWS\system32\Drivers\DgiVecp.sys

2010/09/20 08:50:34.0781 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/09/20 08:50:34.0843 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/09/20 08:50:34.0875 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/09/20 08:50:34.0875 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/09/20 08:50:34.0890 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/09/20 08:50:34.0953 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/09/20 08:50:34.0984 eamon (1ceb779239965000b8f6adee17d4515b) C:\WINDOWS\system32\DRIVERS\eamon.sys

2010/09/20 08:50:35.0046 ehdrv (7d300a43a7bd8769e0f901bf9e1ae367) C:\WINDOWS\system32\DRIVERS\ehdrv.sys

2010/09/20 08:50:35.0078 epfwtdir (ecd5f68e32ff5c6a728eb03dc892ae7f) C:\WINDOWS\system32\DRIVERS\epfwtdir.sys

2010/09/20 08:50:35.0125 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/09/20 08:50:35.0171 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/09/20 08:50:35.0171 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/09/20 08:50:35.0187 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/09/20 08:50:35.0187 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/09/20 08:50:35.0218 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/09/20 08:50:35.0234 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/09/20 08:50:35.0265 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2010/09/20 08:50:35.0281 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/09/20 08:50:35.0328 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/09/20 08:50:35.0406 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/09/20 08:50:35.0421 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/09/20 08:50:35.0578 ialm (cd32607f1cc8ac67224334ae123f7b98) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

2010/09/20 08:50:35.0593 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/09/20 08:50:35.0640 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/09/20 08:50:35.0656 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/09/20 08:50:35.0687 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/09/20 08:50:35.0703 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/09/20 08:50:35.0718 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/09/20 08:50:35.0734 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/09/20 08:50:35.0765 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/09/20 08:50:35.0765 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/09/20 08:50:35.0781 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/09/20 08:50:35.0796 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/09/20 08:50:35.0812 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/09/20 08:50:35.0828 L1e (93e64bab9dee162ca0ca5258d132a047) C:\WINDOWS\system32\DRIVERS\l1e51x86.sys

2010/09/20 08:50:35.0875 MBAMProtector (67b48a903430c6d4fb58cbaca1866601) C:\WINDOWS\system32\drivers\mbam.sys

2010/09/20 08:50:35.0890 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/09/20 08:50:35.0906 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/09/20 08:50:35.0953 monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\monfilt.sys

2010/09/20 08:50:35.0968 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/09/20 08:50:35.0984 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/09/20 08:50:36.0015 MovRVDrv32 (cb48c23769c56977ec3de6df0c6dbb8c) C:\WINDOWS\system32\DRIVERS\MovRVDrv32.sys

2010/09/20 08:50:36.0031 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/09/20 08:50:36.0062 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/09/20 08:50:36.0078 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/09/20 08:50:36.0125 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/09/20 08:50:36.0140 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/09/20 08:50:36.0140 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/09/20 08:50:36.0171 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/09/20 08:50:36.0203 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2010/09/20 08:50:36.0234 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys

2010/09/20 08:50:36.0234 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/09/20 08:50:36.0250 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2010/09/20 08:50:36.0281 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/09/20 08:50:36.0296 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2010/09/20 08:50:36.0312 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/09/20 08:50:36.0328 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/09/20 08:50:36.0343 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/09/20 08:50:36.0343 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/09/20 08:50:36.0359 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/09/20 08:50:36.0375 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/09/20 08:50:36.0390 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/09/20 08:50:36.0406 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/09/20 08:50:36.0437 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/09/20 08:50:36.0468 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/09/20 08:50:36.0468 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/09/20 08:50:36.0484 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/09/20 08:50:36.0484 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/09/20 08:50:36.0515 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/09/20 08:50:36.0531 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/09/20 08:50:36.0531 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/09/20 08:50:36.0562 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/09/20 08:50:36.0625 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/09/20 08:50:36.0640 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

2010/09/20 08:50:36.0640 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/09/20 08:50:36.0656 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/09/20 08:50:36.0656 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/09/20 08:50:36.0718 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/09/20 08:50:36.0734 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/09/20 08:50:36.0734 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/09/20 08:50:36.0750 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/09/20 08:50:36.0750 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/09/20 08:50:36.0765 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/09/20 08:50:36.0781 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/09/20 08:50:36.0781 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/09/20 08:50:36.0796 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/09/20 08:50:36.0828 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/09/20 08:50:36.0843 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/09/20 08:50:36.0843 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/09/20 08:50:36.0859 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/09/20 08:50:36.0890 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2010/09/20 08:50:36.0937 SndTDriverV32 (2f45c17b2af029e76c863c48dd885a3f) C:\WINDOWS\system32\drivers\SndTDriverV32.sys

2010/09/20 08:50:36.0968 sonypvs1 (dfadfc2c86662f40759bf02add27d569) C:\WINDOWS\system32\DRIVERS\sonypvs1.sys

2010/09/20 08:50:37.0015 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/09/20 08:50:37.0031 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/09/20 08:50:37.0062 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/09/20 08:50:37.0109 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys

2010/09/20 08:50:37.0125 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2010/09/20 08:50:37.0125 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/09/20 08:50:37.0156 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/09/20 08:50:37.0234 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/09/20 08:50:37.0250 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/09/20 08:50:37.0296 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/09/20 08:50:37.0296 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/09/20 08:50:37.0312 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/09/20 08:50:37.0375 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/09/20 08:50:37.0437 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/09/20 08:50:37.0484 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys

2010/09/20 08:50:37.0500 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2010/09/20 08:50:37.0500 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/09/20 08:50:37.0531 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/09/20 08:50:37.0531 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/09/20 08:50:37.0546 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/09/20 08:50:37.0562 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/09/20 08:50:37.0562 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/09/20 08:50:37.0593 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/09/20 08:50:37.0593 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/09/20 08:50:37.0656 VIAHdAudAddService (51b24990850076f659d1d1daefbed6f1) C:\WINDOWS\system32\drivers\viahduaa.sys

2010/09/20 08:50:37.0671 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/09/20 08:50:37.0703 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/09/20 08:50:37.0718 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/09/20 08:50:37.0765 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2010/09/20 08:50:37.0781 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2010/09/20 08:50:37.0812 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/09/20 08:50:37.0812 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/09/20 08:50:37.0859 ================================================================================

2010/09/20 08:50:37.0859 Scan finished

2010/09/20 08:50:37.0859 ================================================================================

Your latest combofix log still shows some problems; however, because it's been a while, please redownload it (delete your old copy) and rerun it. Post me the new log.

Before running combofix, run defogger:

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Here is the ComboFix. Also, note that DeFogger did not ask me to reboot.

================================================

ComboFix 10-09-19.04 - Ed 09/20/2010 9:23.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2800 [GMT -5:00]

Running from: c:\documents and settings\Ed\Desktop\Combo-Fix.exe

AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

((((((((((((((((((((((((( Files Created from 2010-08-20 to 2010-09-20 )))))))))))))))))))))))))))))))

.

2010-09-13 12:21 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-09-08 02:06 . 2010-09-08 02:38 -------- d-----w- C:\Combo-Fix32351C

2010-09-06 23:09 . 2010-09-06 23:09 -------- d-----w- c:\documents and settings\Ed\Local Settings\Application Data\ESET

2010-09-06 22:48 . 2010-09-06 23:32 -------- d-----w- C:\Combo-Fix

2010-09-02 00:04 . 2010-09-02 00:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-09-01 23:58 . 2010-09-10 20:52 -------- d-----w- c:\program files\ESET

2010-09-01 23:58 . 2010-09-01 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2010-09-01 23:25 . 2010-09-01 23:25 -------- d-----w- c:\program files\Windows Defender

2010-08-31 20:30 . 2010-08-31 20:30 0 ----a-w- c:\windows\nsreg.dat

2010-08-31 20:30 . 2010-08-31 20:30 -------- d-----w- c:\documents and settings\Ed\Local Settings\Application Data\Mozilla

2010-08-22 18:28 . 2010-08-22 18:28 -------- d-----w- c:\documents and settings\Ed\Application Data\WeatherBug

2010-08-22 18:28 . 2010-08-22 18:28 -------- d-----w- c:\program files\AWS

2010-08-22 18:07 . 2010-08-22 18:07 -------- d-----w- c:\windows\system32\InetCntrl

2010-08-22 17:36 . 2010-08-22 17:36 -------- d-----w- c:\documents and settings\Ed\Application Data\Malwarebytes

2010-08-22 16:49 . 2010-08-22 16:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-08-22 16:49 . 2010-08-31 20:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-22 16:40 . 2009-12-03 14:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help

2010-08-22 16:39 . 2010-08-31 18:13 -------- d-----w- c:\documents and settings\Administrator

2010-08-21 16:18 . 2010-08-21 16:18 -------- d-----w- c:\documents and settings\Ed\Local Settings\Application Data\Threat Expert

2010-08-21 16:17 . 2010-08-31 20:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-21 15:47 . 2010-08-21 15:47 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2010-08-21 15:46 . 2010-08-22 17:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\grcaobtao

2010-08-21 15:46 . 2010-08-22 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-16 12:06 . 2009-07-11 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-09-02 17:32 . 2009-07-11 18:08 -------- d-----w- c:\program files\Common Files\Adobe

2010-08-31 20:29 . 2009-12-17 01:45 -------- d-----w- c:\program files\Yahoo!

2010-08-31 20:27 . 2010-02-07 18:20 -------- d-----w- c:\program files\TVersity

2010-08-31 20:26 . 2010-08-17 03:19 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-08-31 20:26 . 2010-08-17 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-08-31 20:25 . 2010-08-17 15:31 -------- d-----w- c:\program files\CodeStuff

2010-08-31 20:25 . 2010-04-21 15:56 -------- d-----w- c:\documents and settings\Ed\Application Data\uTorrent

2010-08-22 16:49 . 2010-08-22 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-08-22 16:45 . 2010-08-22 16:45 -------- d-----w- c:\program files\CCleaner

2010-08-21 16:18 . 2009-07-11 17:58 -------- d-----w- c:\program files\Google

2010-08-19 03:21 . 2009-07-11 18:40 -------- d-----w- c:\documents and settings\Ed\Application Data\Apple Computer

2010-08-17 15:42 . 2009-07-03 03:28 86327 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat

2010-08-17 13:17 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-04 16:50 . 2010-08-04 16:50 140752 ----a-w- c:\windows\system32\drivers\eamon.sys

2010-08-03 18:28 . 2010-08-03 18:28 95896 ----a-w- c:\windows\system32\drivers\epfwtdir.sys

2010-08-01 15:30 . 2010-07-09 01:46 -------- d-----w- c:\program files\iTunes

2010-08-01 15:29 . 2010-08-01 15:29 -------- d-----w- c:\program files\iPod

2010-08-01 15:29 . 2009-07-11 18:39 -------- d-----w- c:\program files\Common Files\Apple

2010-08-01 15:26 . 2010-08-01 15:26 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe

2010-07-29 18:31 . 2010-07-29 18:31 115008 ----a-w- c:\windows\system32\drivers\ehdrv.sys

2010-07-22 15:49 . 2002-08-29 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57 . 2009-12-03 00:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-06-30 12:31 . 2002-08-29 12:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-27 17:51 . 2010-06-27 17:51 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb7D.tmp.exe

2010-06-25 18:11 . 2010-06-25 18:11 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb6F.tmp.exe

2010-06-24 12:22 . 2002-08-29 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 14:12 . 2010-06-23 14:12 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb58.tmp.exe

2010-06-23 13:44 . 2002-08-29 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-09-06_23.22.27 )))))))))))))))))))))))))))))))))))))))))

.

- 2002-08-29 12:00 . 2008-04-14 00:12 90112 c:\windows\system32\wshext.dll

+ 2002-08-29 12:00 . 2008-05-09 10:53 90112 c:\windows\system32\wshext.dll

+ 2002-08-29 12:00 . 2010-09-16 12:27 41040 c:\windows\system32\perfc009.dat

- 2002-08-29 12:00 . 2010-09-06 23:12 41040 c:\windows\system32\perfc009.dat

+ 2009-03-08 09:31 . 2010-06-24 12:21 55296 c:\windows\system32\msfeedsbs.dll

- 2009-03-08 09:31 . 2010-05-06 10:41 55296 c:\windows\system32\msfeedsbs.dll

- 2002-08-29 12:00 . 2010-05-06 10:41 25600 c:\windows\system32\jsproxy.dll

+ 2002-08-29 12:00 . 2010-06-24 12:21 25600 c:\windows\system32\jsproxy.dll

- 2002-08-29 12:00 . 2008-04-14 00:11 80384 c:\windows\system32\iccvid.dll

+ 2002-08-29 12:00 . 2010-06-17 14:03 80384 c:\windows\system32\iccvid.dll

- 2010-05-28 22:59 . 2010-05-06 10:41 12800 c:\windows\system32\dllcache\xpshims.dll

+ 2010-05-28 22:59 . 2010-06-24 12:22 12800 c:\windows\system32\dllcache\xpshims.dll

+ 2008-05-09 10:53 . 2008-05-09 10:53 90112 c:\windows\system32\dllcache\wshext.dll

+ 2010-08-17 13:17 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe

+ 2010-05-28 22:59 . 2010-06-24 12:21 55296 c:\windows\system32\dllcache\msfeedsbs.dll

- 2010-05-28 22:59 . 2010-05-06 10:41 55296 c:\windows\system32\dllcache\msfeedsbs.dll

- 2009-09-25 05:56 . 2010-05-06 10:41 25600 c:\windows\system32\dllcache\jsproxy.dll

+ 2009-09-25 05:56 . 2010-06-24 12:21 25600 c:\windows\system32\dllcache\jsproxy.dll

- 2009-07-11 17:16 . 2010-08-12 16:20 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe

+ 2009-07-11 17:16 . 2010-09-16 12:06 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe

+ 2009-07-11 17:16 . 2010-09-16 12:06 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe

- 2009-07-11 17:16 . 2010-08-12 16:20 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe

+ 2009-07-11 17:16 . 2010-09-16 12:06 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe

- 2009-07-11 17:16 . 2010-08-12 16:20 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe

+ 2010-09-14 13:20 . 2010-05-06 10:41 12800 c:\windows\ie8updates\KB2183461-IE8\xpshims.dll

+ 2010-09-14 13:20 . 2010-05-06 10:41 55296 c:\windows\ie8updates\KB2183461-IE8\msfeedsbs.dll

+ 2010-09-14 13:20 . 2010-05-06 10:41 25600 c:\windows\ie8updates\KB2183461-IE8\jsproxy.dll

+ 2002-08-29 12:00 . 2008-05-08 11:24 155648 c:\windows\system32\wscript.exe

- 2002-08-29 12:00 . 2008-04-14 00:12 155648 c:\windows\system32\wscript.exe

- 2004-08-04 07:56 . 2008-04-14 00:12 233472 c:\windows\system32\wmpdxm.dll

+ 2004-08-04 07:56 . 2009-07-12 17:21 233472 c:\windows\system32\wmpdxm.dll

+ 2002-08-29 12:00 . 2010-06-18 17:45 293376 c:\windows\system32\winsrv.dll

- 2002-08-29 12:00 . 2008-04-14 00:12 293376 c:\windows\system32\winsrv.dll

- 2002-08-29 12:00 . 2008-04-14 00:12 406016 c:\windows\system32\usp10.dll

+ 2002-08-29 12:00 . 2010-04-16 15:36 406016 c:\windows\system32\usp10.dll

- 2002-08-29 12:00 . 2008-04-14 00:12 474112 c:\windows\system32\shlwapi.dll

+ 2002-08-29 12:00 . 2009-12-08 09:23 474112 c:\windows\system32\shlwapi.dll

- 2002-08-29 12:00 . 2008-04-14 00:12 172032 c:\windows\system32\scrrun.dll

+ 2002-08-29 12:00 . 2008-05-09 10:53 172032 c:\windows\system32\scrrun.dll

- 2002-08-29 12:00 . 2008-04-14 00:12 180224 c:\windows\system32\scrobj.dll

+ 2002-08-29 12:00 . 2008-05-09 10:53 180224 c:\windows\system32\scrobj.dll

+ 2002-08-29 12:00 . 2010-09-16 12:27 314838 c:\windows\system32\perfh009.dat

- 2002-08-29 12:00 . 2010-09-06 23:12 314838 c:\windows\system32\perfh009.dat

- 2002-08-29 12:00 . 2010-05-06 10:41 206848 c:\windows\system32\occache.dll

+ 2002-08-29 12:00 . 2010-06-24 12:22 206848 c:\windows\system32\occache.dll

+ 2002-08-29 12:00 . 2010-06-24 12:22 611840 c:\windows\system32\mstime.dll

- 2002-08-29 12:00 . 2010-05-06 10:41 611840 c:\windows\system32\mstime.dll

- 2009-03-08 09:32 . 2010-05-06 10:41 599040 c:\windows\system32\msfeeds.dll

+ 2009-03-08 09:32 . 2010-06-24 12:21 599040 c:\windows\system32\msfeeds.dll

+ 2006-10-19 02:47 . 2010-03-30 17:24 317440 c:\windows\system32\mp4sdecd.dll

- 2006-10-19 02:47 . 2006-10-19 02:47 317440 c:\windows\system32\MP4SDECD.dll

+ 2009-07-03 03:26 . 2010-06-09 07:43 692736 c:\windows\system32\inetcomm.dll

- 2002-08-29 12:00 . 2010-05-06 10:41 184320 c:\windows\system32\iepeers.dll

+ 2002-08-29 12:00 . 2010-06-24 12:21 184320 c:\windows\system32\iepeers.dll

- 2002-08-29 12:00 . 2010-05-06 10:41 387584 c:\windows\system32\iedkcs32.dll

+ 2002-08-29 12:00 . 2010-06-24 12:21 387584 c:\windows\system32\iedkcs32.dll

+ 2002-08-29 12:00 . 2010-06-23 12:08 173056 c:\windows\system32\ie4uinit.exe

- 2002-08-29 12:00 . 2010-05-05 13:30 173056 c:\windows\system32\ie4uinit.exe

+ 2009-07-02 20:22 . 2010-09-15 02:08 322728 c:\windows\system32\FNTCACHE.DAT

- 2009-07-02 20:22 . 2010-08-17 16:03 322728 c:\windows\system32\FNTCACHE.DAT

+ 2002-08-29 12:00 . 2010-06-21 15:27 354304 c:\windows\system32\drivers\srv.sys

+ 2008-05-08 11:24 . 2008-05-08 11:24 155648 c:\windows\system32\dllcache\wscript.exe

+ 2009-07-13 08:18 . 2009-07-12 17:21 233472 c:\windows\system32\dllcache\wmpdxm.dll

- 2009-07-13 08:18 . 2008-04-14 00:12 233472 c:\windows\system32\dllcache\wmpdxm.dll

+ 2010-06-18 17:45 . 2010-06-18 17:45 293376 c:\windows\system32\dllcache\winsrv.dll

+ 2009-09-25 05:56 . 2010-06-24 12:22 916480 c:\windows\system32\dllcache\wininet.dll

- 2009-09-25 05:56 . 2010-05-06 10:41 916480 c:\windows\system32\dllcache\wininet.dll

+ 2010-04-16 15:36 . 2010-04-16 15:36 406016 c:\windows\system32\dllcache\usp10.dll

+ 2009-12-03 00:13 . 2010-06-21 15:27 354304 c:\windows\system32\dllcache\srv.sys

+ 2009-12-08 09:23 . 2009-12-08 09:23 474112 c:\windows\system32\dllcache\shlwapi.dll

+ 2008-05-09 10:53 . 2008-05-09 10:53 172032 c:\windows\system32\dllcache\scrrun.dll

+ 2008-05-09 10:53 . 2008-05-09 10:53 180224 c:\windows\system32\dllcache\scrobj.dll

+ 2008-12-05 06:54 . 2010-06-30 12:31 149504 c:\windows\system32\dllcache\schannel.dll

+ 2009-04-15 14:51 . 2010-07-22 15:49 590848 c:\windows\system32\dllcache\rpcrt4.dll

+ 2009-03-08 09:34 . 2010-06-24 12:22 206848 c:\windows\system32\dllcache\occache.dll

- 2009-03-08 09:34 . 2010-05-06 10:41 206848 c:\windows\system32\dllcache\occache.dll

- 2009-09-25 05:56 . 2010-05-06 10:41 611840 c:\windows\system32\dllcache\mstime.dll

+ 2009-09-25 05:56 . 2010-06-24 12:22 611840 c:\windows\system32\dllcache\mstime.dll

+ 2010-05-28 22:59 . 2010-06-24 12:21 599040 c:\windows\system32\dllcache\msfeeds.dll

- 2010-05-28 22:59 . 2010-05-06 10:41 599040 c:\windows\system32\dllcache\msfeeds.dll

+ 2010-03-30 17:24 . 2010-03-30 17:24 317440 c:\windows\system32\dllcache\mp4sdecd.dll

+ 2009-12-03 00:13 . 2010-06-09 07:43 692736 c:\windows\system32\dllcache\inetcomm.dll

- 2010-05-28 22:59 . 2010-05-06 10:41 247808 c:\windows\system32\dllcache\ieproxy.dll

+ 2010-05-28 22:59 . 2010-06-24 12:21 247808 c:\windows\system32\dllcache\ieproxy.dll

+ 2009-09-25 05:56 . 2010-06-24 12:21 184320 c:\windows\system32\dllcache\iepeers.dll

- 2009-09-25 05:56 . 2010-05-06 10:41 184320 c:\windows\system32\dllcache\iepeers.dll

+ 2010-06-09 18:08 . 2010-06-24 12:21 743424 c:\windows\system32\dllcache\iedvtool.dll

- 2010-06-09 18:08 . 2010-05-06 10:41 743424 c:\windows\system32\dllcache\iedvtool.dll

- 2009-03-08 19:09 . 2010-05-06 10:41 387584 c:\windows\system32\dllcache\iedkcs32.dll

+ 2009-03-08 19:09 . 2010-06-24 12:21 387584 c:\windows\system32\dllcache\iedkcs32.dll

- 2009-03-08 09:32 . 2010-05-05 13:30 173056 c:\windows\system32\dllcache\ie4uinit.exe

+ 2009-03-08 09:32 . 2010-06-23 12:08 173056 c:\windows\system32\dllcache\ie4uinit.exe

+ 2008-05-07 09:07 . 2008-05-07 09:07 135168 c:\windows\system32\dllcache\cscript.exe

+ 2002-08-29 12:00 . 2008-05-07 09:07 135168 c:\windows\system32\cscript.exe

+ 2010-08-04 20:13 . 2010-08-04 20:13 686080 c:\windows\Installer\74808ad.msp

- 2009-07-11 17:16 . 2010-08-12 16:20 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe

+ 2009-07-11 17:16 . 2010-09-16 12:06 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe

+ 2009-07-11 17:16 . 2010-09-16 12:06 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe

- 2009-07-11 17:16 . 2010-08-12 16:20 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe

- 2009-07-11 17:16 . 2010-08-12 16:20 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe

+ 2009-07-11 17:16 . 2010-09-16 12:06 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe

- 2009-07-11 17:16 . 2010-08-12 16:20 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe

+ 2009-07-11 17:16 . 2010-09-16 12:06 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe

- 2009-07-11 17:16 . 2010-08-12 16:20 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe

+ 2009-07-11 17:16 . 2010-09-16 12:06 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe

+ 2010-09-14 13:20 . 2010-05-06 10:41 916480 c:\windows\ie8updates\KB2183461-IE8\wininet.dll

+ 2010-09-14 13:20 . 2010-02-22 14:23 382840 c:\windows\ie8updates\KB2183461-IE8\spuninst\updspapi.dll

+ 2010-09-14 13:20 . 2009-05-26 09:01 231288 c:\windows\ie8updates\KB2183461-IE8\spuninst\spuninst.exe

+ 2010-09-14 13:20 . 2010-05-06 10:41 206848 c:\windows\ie8updates\KB2183461-IE8\occache.dll

+ 2010-09-14 13:20 . 2010-05-06 10:41 611840 c:\windows\ie8updates\KB2183461-IE8\mstime.dll

+ 2010-09-14 13:20 . 2010-05-06 10:41 599040 c:\windows\ie8updates\KB2183461-IE8\msfeeds.dll

+ 2010-09-14 13:20 . 2010-05-06 10:41 247808 c:\windows\ie8updates\KB2183461-IE8\ieproxy.dll

+ 2010-09-14 13:20 . 2010-05-06 10:41 184320 c:\windows\ie8updates\KB2183461-IE8\iepeers.dll

+ 2010-09-14 13:20 . 2010-05-06 10:41 743424 c:\windows\ie8updates\KB2183461-IE8\iedvtool.dll

+ 2010-09-14 13:20 . 2010-05-06 10:41 387584 c:\windows\ie8updates\KB2183461-IE8\iedkcs32.dll

+ 2010-09-14 13:20 . 2010-05-05 13:30 173056 c:\windows\ie8updates\KB2183461-IE8\ie4uinit.exe

+ 2004-08-04 07:56 . 2010-03-19 23:05 4874240 c:\windows\system32\wmp.dll

- 2004-08-04 07:56 . 2008-04-14 00:12 4874240 c:\windows\system32\wmp.dll

+ 2002-08-29 12:00 . 2010-06-24 12:22 1210368 c:\windows\system32\urlmon.dll

+ 2002-08-29 12:00 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll

- 2002-08-29 12:00 . 2010-02-16 14:08 2146304 c:\windows\system32\ntoskrnl.exe

+ 2002-08-29 12:00 . 2010-04-27 13:59 2146304 c:\windows\system32\ntoskrnl.exe

- 2002-08-29 01:04 . 2010-02-16 13:25 2024448 c:\windows\system32\ntkrnlpa.exe

+ 2002-08-29 01:04 . 2010-04-27 13:05 2024448 c:\windows\system32\ntkrnlpa.exe

+ 2002-08-29 12:00 . 2010-06-14 07:41 1172480 c:\windows\system32\msxml3.dll

- 2002-08-29 12:00 . 2009-07-31 04:35 1172480 c:\windows\system32\msxml3.dll

+ 2009-07-03 03:25 . 2009-06-10 14:19 2066432 c:\windows\system32\mstscax.dll

+ 2002-08-29 12:00 . 2010-06-24 12:22 5951488 c:\windows\system32\mshtml.dll

+ 2009-03-08 09:32 . 2010-06-24 12:21 1986560 c:\windows\system32\iertutil.dll

+ 2009-07-13 08:18 . 2010-03-19 23:05 4874240 c:\windows\system32\dllcache\wmp.dll

- 2009-07-13 08:18 . 2008-04-14 00:12 4874240 c:\windows\system32\dllcache\wmp.dll

+ 2009-08-14 13:21 . 2010-06-23 13:44 1851904 c:\windows\system32\dllcache\win32k.sys

+ 2009-09-25 05:56 . 2010-06-24 12:22 1210368 c:\windows\system32\dllcache\urlmon.dll

+ 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll

+ 2009-12-03 00:13 . 2010-04-28 02:25 2189952 c:\windows\system32\dllcache\ntoskrnl.exe

- 2009-12-03 00:13 . 2010-02-17 14:10 2189952 c:\windows\system32\dllcache\ntoskrnl.exe

+ 2009-12-03 00:13 . 2010-04-27 13:05 2024448 c:\windows\system32\dllcache\ntkrpamp.exe

- 2009-12-03 00:13 . 2010-02-16 13:25 2024448 c:\windows\system32\dllcache\ntkrpamp.exe

+ 2009-02-08 01:02 . 2010-04-27 13:05 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe

- 2009-02-08 01:02 . 2010-02-16 13:25 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe

- 2009-12-03 00:13 . 2010-02-16 14:08 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe

+ 2009-12-03 00:13 . 2010-04-27 13:59 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe

- 2006-09-13 05:01 . 2009-07-31 04:35 1172480 c:\windows\system32\dllcache\msxml3.dll

+ 2006-09-13 05:01 . 2010-06-14 07:41 1172480 c:\windows\system32\dllcache\msxml3.dll

+ 2009-12-03 00:12 . 2009-06-10 14:19 2066432 c:\windows\system32\dllcache\mstscax.dll

+ 2009-09-25 05:56 . 2010-06-24 12:22 5951488 c:\windows\system32\dllcache\mshtml.dll

+ 2010-03-11 02:00 . 2010-06-18 13:36 3558912 c:\windows\system32\dllcache\moviemk.exe

- 2010-03-11 02:00 . 2009-10-23 15:28 3558912 c:\windows\system32\dllcache\moviemk.exe

+ 2010-05-28 22:59 . 2010-06-24 12:21 1986560 c:\windows\system32\dllcache\iertutil.dll

+ 2010-08-19 22:57 . 2010-08-19 22:57 3395584 c:\windows\Installer\748089a.msp

- 2009-07-11 17:16 . 2010-08-12 16:20 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe

+ 2009-07-11 17:16 . 2010-09-16 12:06 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe

- 2009-07-11 17:16 . 2010-08-12 16:20 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe

+ 2009-07-11 17:16 . 2010-09-16 12:06 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe

+ 2010-09-14 13:20 . 2010-05-06 10:41 1209344 c:\windows\ie8updates\KB2183461-IE8\urlmon.dll

+ 2010-09-14 13:20 . 2010-05-06 10:41 5950976 c:\windows\ie8updates\KB2183461-IE8\mshtml.dll

+ 2010-09-14 13:20 . 2010-05-06 10:41 1985536 c:\windows\ie8updates\KB2183461-IE8\iertutil.dll

- 2009-12-03 00:13 . 2010-02-17 14:10 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe

+ 2009-12-03 00:13 . 2010-04-28 02:25 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe

+ 2009-12-03 00:13 . 2010-04-27 13:05 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe

- 2009-12-03 00:13 . 2010-02-16 13:25 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe

+ 2009-02-08 01:02 . 2010-04-27 13:05 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe

- 2009-02-08 01:02 . 2010-02-16 13:25 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe

+ 2009-12-03 00:13 . 2010-04-27 13:59 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe

- 2009-12-03 00:13 . 2010-02-16 14:08 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe

+ 2009-07-11 16:57 . 2010-09-16 12:05 35552200 c:\windows\system32\MRT.exe

+ 2009-03-08 09:39 . 2010-06-24 22:51 11077120 c:\windows\system32\ieframe.dll

+ 2010-02-25 16:54 . 2010-06-24 22:51 11077120 c:\windows\system32\dllcache\ieframe.dll

+ 2010-07-23 06:04 . 2010-07-23 06:04 11395072 c:\windows\Installer\7480887.msp

+ 2010-09-14 13:20 . 2010-05-06 10:41 11076096 c:\windows\ie8updates\KB2183461-IE8\ieframe.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2010-06-30 1652736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-21 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-21 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-21 137752]

"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-08-15 30003200]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-08-12 2215064]

c:\documents and settings\Ed\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-9-9 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 1:31 PM 115008]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/3/2010 1:28 PM 95896]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [8/12/2010 2:16 PM 810144]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/22/2010 11:49 AM 304464]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/22/2010 11:49 AM 20952]

R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [7/11/2009 1:43 PM 3768]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [7/11/2009 1:33 PM 845184]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 4:07 PM 135664]

S2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]

S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [7/11/2009 1:43 PM 184320]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMD25

*Deregistered* - klmd25

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

2010-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 21:07]

2010-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 21:07]

2010-09-16 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-09-16 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-12-03 04:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.chase.com/

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\o3v3ym8l.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.chase.com/

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 6522

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-20 09:29

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)

c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(1688)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-09-20 09:31:27

ComboFix-quarantined-files.txt 2010-09-20 14:31

ComboFix2.txt 2010-09-08 02:38

ComboFix3.txt 2010-09-06 23:31

Pre-Run: 386,947,977,216 bytes free

Post-Run: 386,957,860,864 bytes free

- - End Of File - - 97E37128995A66F53D54415894865CB0

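The Supplementary Scan above records a Firefox proxy of 127.0.0.1 port 6522 with network.proxy.type 0 (saved but not in use), and the OTL log later in the thread shows the same loopback proxy with ProxyEnable = 1 in the .DEFAULT and S-1-5-18 (SYSTEM) Internet Settings hives. The log alone does not say whether that local proxy is benign (some antivirus web filters and local tools register one) or an interceptor; the check that settles it is finding which process owns the listening port (on XP, `netstat -ano` and then match the PID with `tasklist`). As an added example, not part of the original thread or of ComboFix or OTL, here is a small Python parser that pulls the proxy settings out of both log formats and flags any that point at the local machine, distinguishing active from dormant configurations. The sample lines, hive SIDs and the corporate proxy entry are constructed to mirror the log formats, not copied from the posted logs.

```python
import ipaddress
import re

# Constructed sample lines in the two log formats seen in this thread:
# ComboFix "Supplementary Scan" style (FF - prefs.js: key - value) and OTL
# style (IE - HKU\<hive>\...: "Name" = value). Hive SIDs and the corporate
# proxy entry are stand-ins, not copied from the posted logs.
SAMPLE_LOG = r"""
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 6522
FF - prefs.js: network.proxy.type - 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.corp.example:8080
"""

# OTL:      IE - HKU\<hive>\...\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
IE_RE = re.compile(r'^IE - (HKU\\[^\\]+)\\.*Internet Settings: "(\w+)" = (.*)$')
# ComboFix: FF - prefs.js: network.proxy.http - 127.0.0.1
# OTL:      FF - prefs.js..network.proxy.http: "127.0.0.1"
FF_RE = re.compile(r'^FF - prefs\.js(?:: |\.\.)(network\.proxy\.\w+)(?: - |: )(.*)$')


def parse_proxy_settings(text):
    """Collect proxy-related settings per browser/hive from ComboFix or OTL lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        m = IE_RE.match(line)
        if m:
            hive, name, value = m.groups()
            settings.setdefault("IE " + hive, {})[name] = value.strip().strip('"')
            continue
        m = FF_RE.match(line)
        if m:
            key, value = m.groups()
            settings.setdefault("Firefox prefs.js", {})[key] = value.strip().strip('"')
    return settings


def _is_loopback(host):
    host = host.strip().lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname, not an address


def _split_ie_proxyserver(value):
    """'http=127.0.0.1:6522;https=...' or a bare 'host:port' -> [(scheme, host, port)]."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")  # bare 'host:port' has no scheme
        host, _, port = hostport.rpartition(":")
        if not host:  # no port given at all
            host, port = hostport, ""
        entries.append((scheme or "all", host.strip("[]"), port))
    return entries


def loopback_proxy_findings(settings):
    """Return (source, host, port, active) for every proxy that points at this machine."""
    findings = []
    for source, vals in sorted(settings.items()):
        if source.startswith("IE "):
            active = vals.get("ProxyEnable") == "1"
            for _scheme, host, port in _split_ie_proxyserver(vals.get("ProxyServer", "")):
                if _is_loopback(host):
                    findings.append((source, host, port, active))
        else:
            host = vals.get("network.proxy.http", "")
            port = vals.get("network.proxy.http_port", "")
            # network.proxy.type 1 = manual proxy in use; 0 = direct (saved host is dormant)
            active = vals.get("network.proxy.type") == "1"
            if _is_loopback(host):
                findings.append((source, host, port, active))
    return findings


if __name__ == "__main__":
    for source, host, port, active in loopback_proxy_findings(parse_proxy_settings(SAMPLE_LOG)):
        state = "ACTIVE" if active else "configured but disabled"
        print(f"{source}: proxy {host}:{port} ({state})")
```

Run against the constructed sample it reports the Firefox entry as dormant and the two IE entries in the .DEFAULT and S-1-5-18 hives as active; the corporate proxy is ignored because it is not a loopback address. An active loopback proxy in the SYSTEM hive is worth following up regardless of what the user-facing browser shows, since services and scheduled tasks running as SYSTEM use that hive.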

That is looking quite good. Let's see if there is anything else that needs fixing.

OTL

-----

Please download OTL from one of the following mirrors:

  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open; copy and paste them in a reply here:
      • OTListIt.txt <-- Will be opened
      • Extra.txt <-- Will be minimized


OTL logfile created on: 9/20/2010 10:41:11 AM - Run 1

OTL by OldTimer - Version 3.2.14.0 Folder = C:\Documents and Settings\Ed\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 81.00% Memory free

5.00 Gb Paging File | 5.00 Gb Available in Paging File | 90.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 465.75 Gb Total Space | 360.52 Gb Free Space | 77.41% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: KITCHEN

Current User Name: Ed

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 90 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/20 10:40:27 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ed\Desktop\OTL.exe

PRC - [2010/08/12 14:16:26 | 000,810,144 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

PRC - [2010/08/12 14:16:12 | 002,215,064 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

PRC - [2010/07/22 21:06:53 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe

PRC - [2010/06/30 16:46:16 | 001,652,736 | R--- | M] (AWS Convergence Technologies, Inc.) -- C:\Program Files\AWS\WeatherBug\Weather.exe

PRC - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2010/04/29 15:39:32 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2006/11/03 19:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe

PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe

PRC - [2005/09/09 03:24:30 | 000,102,400 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

PRC - [2005/09/09 01:18:10 | 000,057,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe

========== Modules (SafeList) ==========

MOD - [2010/09/20 10:40:27 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ed\Desktop\OTL.exe

MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe -- (SqueezeMySQL)

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)

SRV - [2010/08/12 14:18:40 | 000,033,584 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)

SRV - [2010/08/12 14:16:26 | 000,810,144 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)

SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2008/04/17 13:30:14 | 000,184,320 | ---- | M] (SoundMovieServer) [On_Demand | Stopped] -- C:\WINDOWS\System32\snmvtsvc.exe -- (SoundMovieServer)

SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)

SRV - [2005/09/09 03:24:30 | 000,102,400 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor4.0)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Ed\LOCALS~1\Temp\catchme.sys -- (catchme)

DRV - [2010/08/04 11:50:36 | 000,140,752 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)

DRV - [2010/08/03 13:28:36 | 000,095,896 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)

DRV - [2010/07/29 13:31:26 | 000,115,008 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)

DRV - [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2008/07/25 07:09:24 | 000,845,184 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\viahduaa.sys -- (VIAHdAudAddService)

DRV - [2008/06/25 11:47:00 | 000,036,864 | R--- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1e51x86.sys -- (L1e)

DRV - [2008/04/17 11:57:48 | 000,003,768 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MovRVDrv32.sys -- (MovRVDrv32)

DRV - [2008/04/17 11:57:46 | 000,508,544 | ---- | M] (Windows ® 2000/XP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SndTDriverV32.sys -- (SndTDriverV32)

DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

DRV - [2008/03/16 19:45:50 | 005,955,872 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)

DRV - [2008/02/14 01:12:00 | 001,389,056 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\monfilt.sys -- (monfilt)

DRV - [2004/08/13 05:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)

DRV - [2004/05/17 22:04:16 | 000,041,984 | ---- | M] (DeviceGuys, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Dgivecp.Sys -- (DgiVecp)

DRV - [2002/10/15 23:41:06 | 000,102,220 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sonypvs1.sys -- (sonypvs1)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-776561741-1454471165-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.chase.com/

IE - HKU\S-1-5-21-776561741-1454471165-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKU\S-1-5-21-776561741-1454471165-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.chase.com/"

FF - prefs.js..network.proxy.http: "127.0.0.1"

FF - prefs.js..network.proxy.http_port: 6522

FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"

FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/31 15:30:47 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/31 15:30:40 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010/09/01 18:58:18 | 000,000,000 | ---D | M]

[2010/08/31 15:30:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ed\Application Data\Mozilla\Extensions

[2010/08/31 15:30:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\o3v3ym8l.default\extensions

[2010/08/31 15:30:40 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/09/07 21:29:10 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)

O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)

O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKU\S-1-5-21-776561741-1454471165-839522115-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKU\S-1-5-21-776561741-1454471165-839522115-1003..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe (AWS Convergence Technologies, Inc.)

O4 - Startup: C:\Documents and Settings\Ed\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-776561741-1454471165-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-776561741-1454471165-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-776561741-1454471165-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-776561741-1454471165-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra Button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll ()

O9 - Extra 'Tools' menuitem : Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll ()

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)

O15 - HKU\S-1-5-21-776561741-1454471165-839522115-1003\..Trusted Domains: ([]msn in My Computer)

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} http://www.musicnotes.com/download/mnviewer.cab (Musicnotes Viewer)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1247330226421 (WUWebControl Class)

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/...tiveXPlugin.cab (ScorchPlugin Class)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/07/02 22:28:28 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/09/20 10:40:12 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ed\Desktop\OTL.exe

[2010/09/20 09:20:08 | 000,000,000 | ---D | C] -- C:\Combo-Fix261C

[2010/09/20 08:49:08 | 001,293,400 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Ed\Desktop\tdsskiller.exe

[2010/09/07 21:06:02 | 000,000,000 | ---D | C] -- C:\Combo-Fix32351C

[2010/09/06 18:09:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Local Settings\Application Data\ESET

[2010/09/06 17:53:12 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/09/06 17:48:57 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/09/06 17:48:57 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/09/06 17:48:57 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/09/06 17:48:57 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/09/06 17:48:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/09/06 17:48:37 | 000,000,000 | ---D | C] -- C:\Combo-Fix

[2010/09/06 17:48:11 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/09/01 18:58:16 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2010/09/01 18:58:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET

[2010/09/01 18:25:08 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender

[2010/08/31 15:30:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Local Settings\Application Data\Mozilla

[2010/08/31 15:30:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Application Data\Mozilla

[2010/08/25 20:03:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\My Documents\refi 0820120

[2010/08/22 13:28:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Application Data\WeatherBug

[2010/08/22 13:28:01 | 000,000,000 | ---D | C] -- C:\Program Files\AWS

[2010/08/22 13:07:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\InetCntrl

[2010/08/22 12:36:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Application Data\Malwarebytes

[2010/08/22 11:49:08 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/08/22 11:49:08 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/08/22 11:49:08 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/08/22 11:49:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/08/22 11:45:29 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner

[2010/08/22 11:39:40 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC

[2010/08/21 11:18:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Local Settings\Application Data\Threat Expert

[2010/08/21 11:17:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2010/08/21 10:46:52 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

[2010/08/21 10:46:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\grcaobtao

[2010/08/21 10:46:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Update

[2010/08/17 11:04:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch

[2010/08/17 10:39:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting

[2010/08/17 10:39:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas

[2010/08/17 10:39:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en

[2010/08/17 10:34:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic

[2010/08/17 10:31:07 | 000,000,000 | ---D | C] -- C:\Program Files\CodeStuff

[2010/08/16 22:19:03 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy

[2010/08/16 22:19:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

[2010/08/15 21:30:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia

[2010/08/15 21:30:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe

[2010/08/12 21:19:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2010/08/12 21:19:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2010/08/12 11:57:57 | 000,000,000 | ---D | C] -- C:\Temp

[2010/08/04 11:50:36 | 000,140,752 | ---- | C] (ESET) -- C:\WINDOWS\System32\drivers\eamon.sys

[2010/08/03 13:28:36 | 000,095,896 | ---- | C] (ESET) -- C:\WINDOWS\System32\drivers\epfwtdir.sys

[2010/08/01 10:29:30 | 000,000,000 | ---D | C] -- C:\Program Files\iPod

[2010/07/29 13:31:26 | 000,115,008 | ---- | C] (ESET) -- C:\WINDOWS\System32\drivers\ehdrv.sys

[2010/07/08 20:46:57 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes

[2010/07/08 20:46:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

[2010/07/08 20:44:23 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime

[2010/07/03 18:58:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Application Data\Unity

[2010/07/03 18:32:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Local Settings\Application Data\Unity

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/09/20 10:42:44 | 000,360,124 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/09/20 10:42:44 | 000,314,838 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/09/20 10:42:44 | 000,041,040 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/09/20 10:41:17 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2010/09/20 10:40:27 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ed\Desktop\OTL.exe

[2010/09/20 10:38:49 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job

[2010/09/20 10:38:12 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2010/09/20 10:38:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/09/20 10:38:11 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/09/20 10:38:09 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/09/20 10:37:08 | 006,029,312 | -H-- | M] () -- C:\Documents and Settings\Ed\NTUSER.DAT

[2010/09/20 10:37:08 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Ed\ntuser.ini

[2010/09/20 10:36:41 | 003,761,598 | -H-- | M] () -- C:\Documents and Settings\Ed\Local Settings\Application Data\IconCache.db

[2010/09/20 09:29:15 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/09/20 09:19:38 | 003,847,274 | R--- | M] () -- C:\Documents and Settings\Ed\Desktop\Combo-Fix.exe

[2010/09/20 09:13:01 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Ed\Desktop\Defogger.exe

[2010/09/20 08:49:42 | 001,293,400 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Ed\Desktop\tdsskiller.exe

[2010/09/19 16:22:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2010/09/16 08:32:24 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\Ed\Desktop\Microsoft Office Outlook 2007.lnk

[2010/09/16 07:07:06 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/09/14 21:08:17 | 000,322,728 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/09/12 19:44:12 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Ed\


Hi again, a few leftovers to take care of. :) Let me know if there are any more problems.

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"
    :otl
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 6522

    :commands
    [emptytemp]


  3. Push the Run Fix button.
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK.
  6. A report will open. Copy and Paste that report in your next reply.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the ESET Online button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on the ESET Smart Installer link to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the ESET Smart Install icon on your desktop.
  4. Check Accept Terms.
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Check Scan archives.
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push List of found threats.
  11. Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  12. Push the Back button.
  13. Push Finish.

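The proxy entries that the OTL fix above removes can be checked mechanically. The following Python script is an added example, not part of this thread or of OTL: it parses OTL-style IE and Firefox proxy lines and flags a proxy that points at loopback (as 127.0.0.1:6522 does here) or that is enabled in the .DEFAULT or S-1-5-18 hives, which no interactive user owns. The sample lines are constructed, and the third hive's SID and corporate proxy are placeholders.

```python
import ipaddress
import re
# Constructed OTL-style lines modelled on the fix above; the third hive (placeholder SID, corporate proxy) is made up to show a proxy that should NOT be flagged.
SAMPLE_LINES = [
    r'IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1',
    r'IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522',
    r'IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1',
    r'IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522',
    r'IE - HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1',
    r'IE - HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.corp.example:8080',
    r'FF - prefs.js..network.proxy.http: "127.0.0.1"',
    r'FF - prefs.js..network.proxy.http_port: 6522',
]
IE_RE = re.compile(r'^IE - (HKU\\[^\\]+)\\.*Internet Settings: "(ProxyEnable|ProxyServer)" = (.*)$')
FF_RE = re.compile(r'^FF - prefs\.js\.\.network\.proxy\.(http_port|http): (.*)$')
SYSTEM_HIVES = {r"HKU\.DEFAULT", r"HKU\S-1-5-18"}  # no interactive user owns these hives

def is_loopback(host):
    # True for 'localhost' or any 127.0.0.0/8 address; False for host names and other IPs
    try:
        return host.lower() == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def parse_proxy_server(value):
    # IE ProxyServer is 'host:port' or a ';'-separated 'proto=host:port' list; take the first entry
    first = value.split(";")[0].split("=")[-1]
    host, sep, port = first.rpartition(":")
    return (host, port) if sep else (first, "")

def find_proxy_hijacks(lines):
    # Flag proxies that point at loopback, or that are enabled in a hive no interactive user owns
    ie, ff, findings = {}, {}, []
    for line in lines:
        m = IE_RE.match(line.strip())
        if m:
            ie.setdefault(m.group(1), {})[m.group(2)] = m.group(3).strip()
        m = FF_RE.match(line.strip())
        if m:
            ff[m.group(1)] = m.group(2).strip().strip('"')
    for hive, vals in ie.items():
        if vals.get("ProxyEnable") == "1" and "ProxyServer" in vals:
            host, port = parse_proxy_server(vals["ProxyServer"])
            reasons = ["loopback proxy"] * is_loopback(host) + ["non-user hive"] * (hive in SYSTEM_HIVES)
            if reasons:
                findings.append({"source": hive, "host": host, "port": port, "reasons": reasons})
    if is_loopback(ff.get("http", "")):
        findings.append({"source": "Firefox prefs.js", "host": ff["http"], "port": ff.get("http_port", ""), "reasons": ["loopback proxy"]})
    return findings
```

Run against a full OTL log, the same function lists every hive whose proxy is suspicious, while a normal user-hive proxy to a real proxy host is left alone.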
