Can't access internet, DDS/GMER doesn't finish


ArtV

Working on a friend's laptop that is really messed up. The first step was to update the Malwarebytes free version; his definitions were from April. The update went OK, it found 80 malware instances, removed them and rebooted, and now it doesn't connect to the internet. I ran the first two tools and the logs are attached. DDS/GMER will not finish. The first attempt to run it resulted in a blue screen; the second attempt ran for 15 hours and I decided to power down the laptop as it was locked. How long does the DDS scan usually take? I appreciate any help you can provide.

Tom

DDS (Ver_10-03-17.01) - NTFSx86

Run by Jurgen at 16:37:56.00 on Tue 09/21/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.66 [GMT -5:00]

AV: Charter Security Suite 9.01 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

FW: Charter Security Suite 9.01 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\ACS.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\ActivIdentity\ActivClient\accoca.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\System32\DVDRAMSV.exe

C:\Program Files\Charter Security Suite\Common\FSMA32.EXE

C:\Program Files\Charter Security Suite\Common\FSHDLL32.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Charter Security Suite\FWES\Program\fsdfwd.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

C:\Program Files\TOSHIBA\Power Management\CePMTray.exe

C:\TOSHIBA\IVP\ISM\pinger.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe

C:\Program Files\Charter Security Suite\Common\FSM32.EXE

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\Pure Networks\Network Magic\nmapp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

C:\Program Files\ActivIdentity\ActivClient\acevents.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

C:\WINDOWS\system32\RAMASST.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Documents and Settings\Jurgen\Desktop\Tools\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:6092

uInternet Settings,ProxyOverride = <local>

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {254e8279-8683-4fa2-aa24-da749e54d8e9} - c:\windows\system32\gebya.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: {51d3f69d-c5e7-42ad-83e0-84787689fef3} - c:\windows\system32\awvtu.dll

BHO: {835c4929-48ce-4248-876a-43791f5c38a4} - c:\windows\system32\pmkhg.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll

BHO: Browsing Protection Class: {c6867eb7-8350-4856-877f-93cf8ae3dc9c} - c:\program files\charter security suite\nrs\iescript\baselitmus.dll

BHO: {c7175b35-0041-4264-b835-212238e3c73f} - c:\windows\system32\pmnlk.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: Browsing Protection Toolbar: {265eee8e-3228-44d3-aea5-f7fdf5860049} - c:\program files\charter security suite\nrs\iescript\baselitmus.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [TOSCDSPD] "c:\program files\toshiba\toscdspd\toscdspd.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [Apoint] "c:\program files\apoint2k\Apoint.exe"

mRun: [EzButton] "c:\program files\ezbutton\EzButton.EXE"

mRun: [CeEKEY] "c:\program files\toshiba\e-key\CeEKey.exe"

mRun: [TPNF] "c:\program files\toshiba\touchpad\TPTray.exe"

mRun: [PadTouch] "c:\program files\toshiba\touch and launch\PadExe.exe"

mRun: [CeEPOWER] "c:\program files\toshiba\power management\CePMTray.exe"

mRun: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [<NO NAME>]

mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"

mRun: [F-Secure Manager] "c:\program files\charter security suite\common\FSM32.EXE" /splash

mRun: [F-Secure TNB] "c:\program files\charter security suite\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"

mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [nceorxwsam.tmp] "c:\docume~1\jurgen\locals~1\temp\nceorxwsam.tmp"

mRunOnce: [systemFolder] "c:\windows\system32\regsvr32.exe" /s "c:\windows\system32\fm20.dll" "c:\windows\system32\vsflex7.ocx" "c:\windows\system32\vsflex3.ocx" "c:\windows\system32\vsflex8n.ocx" "c:\windows\system32\dsofile.dll" "c:\windows\system32\hsppp.dll" "c:\windows\system32\eztoolslib.dll" "c:\windows\system32\msflxgrd.ocx" l" "c:\windows\system32\SaxFile.dll"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\activc~1.lnk - c:\program files\actividentity\activclient\acsagent.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hposol08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe

IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html

IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: c:\program files\charter security suite\fsps\program\FSLSP.DLL

DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - hxxp://www.solidworks.com/plugins/edrawings/download.cfm?Release=REL&Type=WEB&Language=English

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} - hxxp://www.charter.net/files/charter/securitysuite/fscax.cab

DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL

Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll

WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL

WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL

WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL

WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL

WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL

WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL

Notify: ackpbsc - c:\windows\system32\ackpbsc.dll

Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jurgen\applic~1\mozilla\firefox\profiles\t8c05an7.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\program files\charter security suite\nrs\litmus-ff@f-secure.com\components\litmus-ff.dll

FF - plugin: c:\documents and settings\jurgen\application data\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\jurgen\application data\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npfreedwg.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmpview.dll

FF - HiddenExtension: XULRunner: {56BA70D0-2479-4B3A-B079-3B100AE5148F} - c:\documents and settings\jurgen\local settings\application data\{56BA70D0-2479-4B3A-B079-3B100AE5148F}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 13);

c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB0F1971D-468F-4647-BBF4-81E71E1CEF94", "AllAccess");

c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCCBDF033-DD85-45fd-AE68-FBC4A7C7C154", "AllAccess");

c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF8C41CBF-721F-4B99-9FC8-2F8077C4AD39", "AllAccess");

c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID1BE73243-A85F-4385-939D-14D4845A286A", "AllAccess");

c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBB3259D6-52FC-4820-898E-15411424DCCD", "AllAccess");

c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE920CB9E-37B4-11D7-8A84-00A0C9EFDDF7", "AllAccess");

c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC7582045-2191-11D6-B705-0040051594CE", "AllAccess");

c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID19240637-B2BB-4589-B9C4-7EF5CE16352A", "AllAccess");

c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB789B7AB-CDE9-450c-B2FF-708BDE6355A1", "AllAccess");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-11-4 41256]

R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-11-4 80000]

R1 ECioctl;ECioctl;c:\windows\system32\drivers\ECioctl.sys [2004-5-6 4816]

R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\charter security suite\hips\drivers\fshs.sys [2009-11-4 68064]

R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2008-5-29 198184]

R3 FSORSPClient;F-Secure ORSP Client;c:\program files\charter security suite\orsp client\fsorsp.exe [2009-11-4 58024]

S0 mclhfwnq;mclhfwnq;c:\windows\system32\drivers\lxkt.sys --> c:\windows\system32\drivers\lxkt.sys [?]

S0 sfdubj;sfdubj;c:\windows\system32\drivers\cqoy.sys --> c:\windows\system32\drivers\cqoy.sys [?]

S0 vhrxz;vhrxz; [x]

S2 gupdate1cac3d8f4bf48e;Google Update Service (gupdate1cac3d8f4bf48e);c:\program files\google\update\GoogleUpdate.exe [2010-3-14 133104]

S2 mrtRate;mrtRate; [x]

S3 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\charter security suite\anti-virus\fsgk32st.exe [2009-11-4 215648]

S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\charter security suite\anti-virus\minifilter\fsgk.sys [2009-11-4 123056]

S3 RioDrv;Rio600 driver;c:\windows\system32\drivers\riodrv.sys [2001-8-17 12032]

S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2009-1-16 56960]

S4 F-Secure Filter;F-Secure File System Filter;c:\program files\charter security suite\anti-virus\win2k\fsfilter.sys [2009-11-4 39776]

S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\charter security suite\anti-virus\win2k\fsrec.sys [2009-11-4 25184]

=============== Created Last 30 ================

2010-09-21 21:31:43 0 ----a-w- c:\documents and settings\jurgen\defogger_reenable

2010-09-14 09:17:43 2838 ----a-w- c:\windows\osalecolayi.dll

2010-09-14 07:48:00 0 ----a-w- c:\windows\Bzacujekafiyaci.bin

2010-09-14 07:47:57 120 ----a-w- c:\windows\Lzugogevu.dat

2010-09-14 06:59:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Update

2010-09-14 06:58:55 0 d-sh--w- c:\documents and settings\jurgen\.COMMgr

2010-09-14 06:57:55 0 d-----w- c:\docume~1\jurgen\applic~1\82ADA811F78A2205FAAF268835CE457B

2010-09-01 06:05:08 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-08-07 18:51:49 39936 ----a-w- c:\windows\system32\drivers\CDAC11BA.EXE

2010-08-07 18:51:43 30720 ---h--r- c:\windows\CdaC13BA.EXE

2010-08-07 18:51:43 112128 -c-h--r- c:\windows\CdaC14BA.DLL

2007-11-25 08:16:31 472512 --sh--w- c:\windows\system32\aybeg.bak1

2007-11-27 01:19:33 440752 --sh--w- c:\windows\system32\aybeg.bak2

2007-07-15 04:21:25 6369 --sh--w- c:\windows\system32\bcbeg.bak1

2005-08-31 19:17:29 178566 --sha-w- c:\windows\system32\edeeg.bak1

2005-10-12 06:34:34 352092 --sha-w- c:\windows\system32\edeeg.bak2

2007-11-19 09:23:00 440495 --sh--w- c:\windows\system32\ghkmp.bak1

2007-11-18 09:22:11 441678 --sh--w- c:\windows\system32\ghkmp.bak2

2005-07-02 01:05:05 12208 --sha-w- c:\windows\system32\KGyGaAvL.sys

2007-07-13 09:22:41 6369 --sh--w- c:\windows\system32\klnmp.bak1

2007-07-14 22:30:53 1952482 --sh--w- c:\windows\system32\klnmp.bak2

2007-11-21 05:01:56 6473 --sh--w- c:\windows\system32\mpqss.bak1

2007-11-21 04:46:13 438367 --sh--w- c:\windows\system32\ttvwa.bak1

2009-11-09 01:17:31 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009110820091109\index.dat

============= FINISH: 16:40:09.71 ===============

Attach.zip

mbam_log_2010_09_20__19_19_23_.txt

Welcome to the forum.

If you can't connect to the internet, here's how to fix that:

Open up Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options.

Another way to get to your Internet Properties:

Go to your Start Button > Run > copy and paste this in: inetcpl.cpl > Click OK

Now click on the Connections tab.

Now click on the LAN Settings button.

Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen. Then press the OK button to close the Internet Options screen.

Now that you have disabled the proxy server you will be able to browse the web again with Internet Explorer.

---------------------

Another way to fix it is:

Copy all the text in the code box into notepad.

Save it as fix.reg

Save as file type > All files

Save it to your desktop

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-
"ProxyEnable"=-
"ProxyOverride"=-

If you did it right it will look like this except with a different name:

ScreenShot-crop.jpg

Now double click on it and allow it to merge into the registry.

-----------------------------------------

Now see if you can post a HJT log of the system to start with:

You can download the HJT installer HERE:

Double-click HJTInstall.exe to install it. By default it will install to C:\Program Files\Trend Micro\HijackThis. Click on Install. It will create a HijackThis icon on the desktop. Once installed, it will launch HijackThis. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Save the log to a convenient location.

Copy and paste it into your post.

Let me know, MrC

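As an added triage helper (not code from this thread, nor from the DDS or HijackThis tools), the script below scans HijackThis-style and DDS pseudo-HJT lines for the three things the reply above acts on: a proxy pointing at the loopback address, BHO entries with no name or a missing DLL, and Run entries launched from a Temp folder. The sample lines are constructed in the shape of the logs posted in this thread; the regexes and thresholds are my own assumptions, not the tools' formats.

```python
"""Triage of HijackThis / DDS pseudo-HJT log lines (added example, constructed sample).

Flags the items a helper looks for first in logs like the ones posted above:
  * a ProxyServer value pointing at 127.0.0.1 / localhost (traffic was being routed
    through a local process; once that process is removed, browsing breaks),
  * BHO entries with no name or whose DLL is reported as missing,
  * Run entries that launch something from a Temp directory.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample lines, shaped like the two logs in the thread (not copied verbatim).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {254E8279-8683-4FA2-AA24-DA749E54D8E9} - C:\WINDOWS\system32\gebya.dll (file missing)
BHO: {51d3f69d-c5e7-42ad-83e0-84787689fef3} - c:\windows\system32\awvtu.dll
O4 - HKLM\..\Run: [nceorxwsam.tmp] "C:\DOCUME~1\Jurgen\LOCALS~1\Temp\nceorxwsam.tmp"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"""


@dataclass
class Finding:
    kind: str     # "loopback-proxy", "bho" or "temp-autorun"
    detail: str   # human-readable explanation
    line: str     # the log line that triggered it


# "ProxyServer = http=127.0.0.1:6092" (HJT R1 line or DDS "uInternet Settings" line)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.IGNORECASE)

# HJT:  "O2 - BHO: <name or (no name)> - {CLSID} - <path> [(file missing)]"
# DDS:  "BHO: <name>: {clsid} - <path>"  or  "BHO: {clsid} - <path>" when unnamed
BHO_RE = re.compile(
    r"BHO:\s*(?:(?P<name>.*?)\s*[-:]\s*)?\{(?P<clsid>[0-9A-Fa-f-]{36})\}\s*-\s*"
    r"(?P<path>.*?)\s*(?P<missing>\(file missing\))?\s*$",
    re.IGNORECASE,
)

# HJT "O4 - HKLM\..\Run: [name] "command""  or DDS "mRun: [name] "command""
RUN_RE = re.compile(r'Run:?\s*\[(?P<name>[^\]]+)\]\s*"?(?P<cmd>[^"]*)', re.IGNORECASE)


def proxy_hosts(value: str) -> Set[str]:
    """Split a ProxyServer value ('http=host:port;https=host:port' or 'host:port') into hosts."""
    hosts: Set[str] = set()
    for entry in value.split(";"):
        target = entry.split("=", 1)[-1]   # drop an optional 'scheme=' prefix
        host = target.rsplit(":", 1)[0]    # drop the port
        if host:
            hosts.add(host.lower())
    return hosts


def is_loopback(host: str) -> bool:
    """True for the hosts that can only be a process on the machine itself."""
    return host == "localhost" or host.startswith("127.")


def triage(log_text: str) -> List[Finding]:
    """Return the suspicious entries found in HJT / DDS pseudo-HJT text, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m:
            for host in sorted(proxy_hosts(m.group("value"))):
                if is_loopback(host):
                    findings.append(Finding(
                        "loopback-proxy",
                        f"proxy points at {host}; clear ProxyServer/ProxyEnable unless a "
                        f"local proxy is expected", line))
            continue
        m = BHO_RE.search(line)
        if m:
            name = (m.group("name") or "").strip()
            problems = []
            if not name or name.lower() == "(no name)":
                problems.append("no name")
            if m.group("missing"):
                problems.append("file missing")
            if problems:
                findings.append(Finding("bho", f"{m.group('path')}: {', '.join(problems)}", line))
            continue
        m = RUN_RE.search(line)
        if m and re.search(r"\\temp\\", m.group("cmd"), re.IGNORECASE):
            findings.append(Finding("temp-autorun", f"[{m.group('name')}] runs {m.group('cmd')}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:15} {f.detail}")
```

Run it against a saved HijackThis or DDS log by passing the file's text to triage(); entries it does not flag still need a manual look, it only surfaces the obvious ones.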

Thanks for helping. I had to go into safe mode and use the registry option to get it to take the proxy setting. Below is the log file from HijackThis:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 6:13:45 PM, on 9/22/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\ACS.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ActivIdentity\ActivClient\accoca.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\System32\DVDRAMSV.exe

C:\Program Files\Charter Security Suite\Common\FSMA32.EXE

C:\Program Files\Charter Security Suite\Common\FSHDLL32.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

C:\Program Files\TOSHIBA\Power Management\CePMTray.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe

C:\Program Files\Charter Security Suite\Common\FSM32.EXE

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\ActivIdentity\ActivClient\acevents.exe

C:\Program Files\Pure Networks\Network Magic\nmapp.exe

C:\Program Files\Charter Security Suite\FWES\Program\fsdfwd.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

C:\WINDOWS\system32\RAMASST.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {254E8279-8683-4FA2-AA24-DA749E54D8E9} - C:\WINDOWS\system32\gebya.dll (file missing)

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: (no name) - {51D3F69D-C5E7-42AD-83E0-84787689FEF3} - C:\WINDOWS\system32\awvtu.dll (file missing)

O2 - BHO: (no name) - {835C4929-48CE-4248-876A-43791F5C38A4} - C:\WINDOWS\system32\pmkhg.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\Charter Security Suite\NRS\iescript\baselitmus.dll

O2 - BHO: (no name) - {C7175B35-0041-4264-B835-212238E3C73F} - C:\WINDOWS\system32\pmnlk.dll (file missing)

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\Charter Security Suite\NRS\iescript\baselitmus.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"

O4 - HKLM\..\Run: [EzButton] "C:\Program Files\EzButton\EzButton.EXE"

O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"

O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"

O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"

O4 - HKLM\..\Run: [CeEPOWER] "C:\Program Files\TOSHIBA\Power Management\CePMTray.exe"

O4 - HKLM\..\Run: [Pinger] "C:\TOSHIBA\IVP\ISM\pinger.exe" /run

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter Security Suite\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"

O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [nceorxwsam.tmp] "C:\DOCUME~1\Jurgen\LOCALS~1\Temp\nceorxwsam.tmp"

O4 - HKLM\..\RunOnce: [systemFolder] "C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\system32\fm20.dll" "C:\WINDOWS\system32\vsflex7.ocx" "C:\WINDOWS\system32\vsflex3.ocx" "C:\WINDOWS\system32\vsflex8n.ocx" "C:\WINDOWS\system32\dsofile.dll" "C:\WINDOWS\system32\hsppp.dll" "C:\WINDOWS\system32\eztoolslib.dll" "C:\WINDOWS\system32\MSFlxgrd.ocx" l" "C:\WINDOWS\system32\SaxFile.dll"

O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: officejet 6100.lnk = ?

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://www.solidworks.com/plugins/edrawing...anguage=English

O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://www.charter.net/files/charter/securitysuite/fscax.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -

O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\system32\ackpbsc.dll

O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\Charter Security Suite\Anti-Virus\fsgk32st.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter Security Suite\FWES\Program\fsdfwd.exe

O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter Security Suite\Common\FSMA32.EXE

O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Charter Security Suite\ORSP Client\fsorsp.exe

O23 - Service: Google Update Service (gupdate1cac3d8f4bf48e) (gupdate1cac3d8f4bf48e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 12759 bytes


Interestingly, I couldn't get on the internet again. I tried going into the internet options in IE and it told me I didn't have rights. Using Chrome, going to the settings and trying to change the proxy setting brought up the typical IE settings you see, and it let me uncheck the proxy, and now I'm able to get back on the internet.


OK, please do this:

• Close all programs, leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092

O2 - BHO: (no name) - {254E8279-8683-4FA2-AA24-DA749E54D8E9} - C:\WINDOWS\system32\gebya.dll (file missing)

O2 - BHO: (no name) - {51D3F69D-C5E7-42AD-83E0-84787689FEF3} - C:\WINDOWS\system32\awvtu.dll (file missing)

O2 - BHO: (no name) - {835C4929-48CE-4248-876A-43791F5C38A4} - C:\WINDOWS\system32\pmkhg.dll (file missing)

O2 - BHO: (no name) - {C7175B35-0041-4264-B835-212238E3C73F} - C:\WINDOWS\system32\pmnlk.dll (file missing)

O4 - HKLM\..\Run: [nceorxwsam.tmp] "C:\DOCUME~1\Jurgen\LOCALS~1\Temp\nceorxwsam.tmp"

Click on Fix Checked when finished and exit HijackThis.

------------------------

Please download ComboFix from Here or Here to your Desktop.<----important!

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

• During the download, rename Combofix to Combo-Fix as follows:

(screenshots: CF_download_FF.gif, CF_download_rename.gif)

• It is important you rename Combofix during the download, but not after.

• Please do not rename Combofix to other names, but only to the one indicated.

• Close any open browsers.

• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

• Double click on Combo-Fix.exe & follow the prompts.

• When finished, it will produce a report for you.

• Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**

MrC

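The poster's finding (a proxy left pointing at the local machine) and MrC's list of entries to fix follow a recognisable pattern. As an added example, not HijackThis code or anything posted in this thread, the Python script below triages HijackThis log lines for three of those patterns: an R1 ProxyServer value on a loopback address, O2 BHO entries whose DLL is missing, and O4 autoruns launched from a Temp folder; the sample log is constructed from entries quoted above plus two benign entries the filter should leave alone.

```python
"""Triage HijackThis log lines for the entry types fixed in this thread.

Added example, not part of HijackThis or of the thread. The sample log
below is constructed from entries quoted in the thread, plus two benign
entries (Google Toolbar BHO, ctfmon autorun) that should be left alone.
"""
import re
from typing import List, Optional, Tuple

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092
O2 - BHO: (no name) - {254E8279-8683-4FA2-AA24-DA749E54D8E9} - C:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nceorxwsam.tmp] "C:\DOCUME~1\Jurgen\LOCALS~1\Temp\nceorxwsam.tmp"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# R1 line carrying the IE ProxyServer value; everything after "= " is the value.
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<value>.+)$")
# An autorun target inside a Temp folder, or a .tmp file being executed.
TEMP_RE = re.compile(r"\\Temp\\|\.tmp\b", re.IGNORECASE)
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_proxy_server(value: str) -> List[Tuple[str, str, int]]:
    """Split an IE ProxyServer value into (protocol, host, port) triples.

    Windows stores either "host:port" (one proxy for all protocols) or a
    ';'-separated list such as "http=host:port;https=host:port".
    """
    proxies = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        proto, _, hostport = item.rpartition("=")   # proto is "" when absent
        host, _, port = hostport.rpartition(":")    # host is "" when no port
        proxies.append((proto or "*", host or hostport, int(port) if port.isdigit() else 0))
    return proxies


def check_line(line: str) -> Optional[str]:
    """Return a reason string if the line matches a pattern fixed in the thread."""
    line = line.rstrip()
    match = PROXY_RE.match(line)
    if match:
        for proto, host, port in parse_proxy_server(match.group("value")):
            if host.lower() in LOOPBACK_HOSTS:
                # A proxy on the loopback address hands browser traffic to a
                # local process. Once that process is removed, the setting is
                # left behind and every page load fails, as happened here.
                return f"loopback proxy {host}:{port} for {proto}"
    if line.startswith("O2 - BHO:") and "(file missing)" in line:
        # Browser Helper Object registration whose DLL no longer exists:
        # an orphan left after removal, worth cleaning up.
        return "BHO registered but DLL missing"
    if line.startswith("O4 - ") and TEMP_RE.search(line):
        # Legitimate software does not autorun from a user's Temp folder.
        return "autorun from Temp folder or .tmp file"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for every flagged line in a HijackThis log."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reason = check_line(line)
        if reason:
            flagged.append((reason, line.rstrip()))
    return flagged


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```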

Try right clicking on the System Tray icon and choose disable/exit.

or run HJT and fix these:

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter Security Suite\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

When we're done, just open up HJT, choose back-ups, and you can restore them.

Let me know, MrC


ComboFix.txt

ComboFix 10-09-22.05 - Jurgen 09/22/2010 20:44:08.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.177 [GMT -5:00]

Running from: c:\documents and settings\Jurgen\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\check_LSA7.txt

c:\documents and settings\All Users\Application Data\n04d56NX.exe

c:\documents and settings\All Users\Documents\Server\admin.txt

c:\documents and settings\All Users\Documents\Server\server.dat

c:\documents and settings\Jurgen\.COMMgr

c:\documents and settings\Jurgen\Application Data\Busoto

c:\documents and settings\Jurgen\Application Data\Busoto\humo.exe

c:\documents and settings\Jurgen\g2mdlhlpx.exe

c:\documents and settings\Jurgen\Local Settings\Application Data\{56BA70D0-2479-4B3A-B079-3B100AE5148F}

c:\documents and settings\Jurgen\Local Settings\Application Data\{56BA70D0-2479-4B3A-B079-3B100AE5148F}\chrome.manifest

c:\documents and settings\Jurgen\Local Settings\Application Data\{56BA70D0-2479-4B3A-B079-3B100AE5148F}\chrome\content\_cfg.js

c:\documents and settings\Jurgen\Local Settings\Application Data\{56BA70D0-2479-4B3A-B079-3B100AE5148F}\chrome\content\overlay.xul

c:\documents and settings\Jurgen\Local Settings\Application Data\{56BA70D0-2479-4B3A-B079-3B100AE5148F}\install.rdf

c:\program files\ActivIdentity\ActivClient\accrdsub.exe

c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe

c:\program files\Apoint2K\Apoint.exe

c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

c:\program files\Common Files\Real\Update_OB\realsched.exe

c:\program files\driver

c:\program files\EzButton\EzButton.EXE

c:\program files\Microsoft IntelliPoint\point32.exe

c:\program files\Mozilla Firefox\searchplugins\google_search.xml

c:\program files\Pure Networks\Network Magic\nmapp.exe

c:\program files\QuickTime\QTTask .exe

c:\program files\QuickTime\QTTask.exe

c:\program files\TOSHIBA\E-KEY\CeEKey.exe

c:\program files\Toshiba\Power Management\CePMTray.exe

c:\program files\TOSHIBA\Touch and Launch\PadExe.exe

c:\program files\Toshiba\TouchPad\TPTray.exe

c:\temp\iee

c:\temp\xOe

c:\temp\xOe\tOasF.log

c:\toshiba\IVP\ISM\pinger.exe

c:\windows\Fonts\C623U51q.com

c:\windows\osalecolayi.dll

c:\windows\system32\aybeg.bak1

c:\windows\system32\aybeg.bak2

c:\windows\system32\aybeg.ini

c:\windows\system32\bcbeg.bak1

c:\windows\system32\bcbeg.ini

c:\windows\system32\edeeg.bak1

c:\windows\system32\edeeg.bak2

c:\windows\system32\edeeg.ini

c:\windows\system32\ghkmp.bak1

c:\windows\system32\ghkmp.bak2

c:\windows\system32\ghkmp.ini

c:\windows\system32\ghkmp.tmp

c:\windows\system32\k1

c:\windows\system32\k1\IKtzudll2.exe

c:\windows\system32\klnmp.bak1

c:\windows\system32\klnmp.bak2

c:\windows\system32\klnmp.ini

c:\windows\system32\klnmp.tmp

c:\windows\system32\mpqss.bak1

c:\windows\system32\mpqss.ini

c:\windows\system32\nett12.dll

c:\windows\system32\o02PrEz

c:\windows\system32\o09PrEz

c:\windows\system32\tmp.reg

c:\windows\system32\ttvwa.bak1

c:\windows\system32\ttvwa.ini

c:\windows\system32\vMW02a

c:\windows\Tasks\At1.job

c:\windows\Tasks\At12.job

c:\windows\Tasks\At13.job

Infected copy of c:\windows\system32\drivers\kbdclass.sys was found and disinfected

Restored copy from - Kitty had a snack :P

Infected copy of c:\windows\explorer.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.

((((((((((((((((((((((((( Files Created from 2010-08-23 to 2010-09-23 )))))))))))))))))))))))))))))))

.

2010-09-22 21:30 . 2010-09-22 21:30 -------- d-----w- c:\program files\Trend Micro

2010-09-22 21:18 . 2010-09-22 21:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google

2010-09-14 09:23 . 2010-09-14 09:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-09-14 07:48 . 2010-09-14 07:48 0 ----a-w- c:\windows\Bzacujekafiyaci.bin

2010-09-14 07:47 . 2010-09-14 07:47 120 ----a-w- c:\windows\Lzugogevu.dat

2010-09-14 07:00 . 2010-09-21 00:19 -------- d-----w- c:\documents and settings\Jurgen\Local Settings\Application Data\ognwkmaci

2010-09-14 06:59 . 2010-09-21 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

2010-09-14 06:57 . 2010-09-21 00:19 -------- d-----w- c:\documents and settings\Jurgen\Application Data\82ADA811F78A2205FAAF268835CE457B

2010-09-01 06:05 . 2010-09-01 06:05 -------- d-----w- c:\windows\system32\wbem\Repository

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-23 01:56 . 2010-01-22 01:54 -------- d-----w- c:\program files\QuickTime

2010-09-23 01:56 . 2005-06-06 20:14 -------- d-----w- c:\program files\Microsoft IntelliPoint

2010-09-23 01:56 . 2003-12-02 22:47 -------- d-----w- c:\program files\EzButton

2010-09-23 01:56 . 2003-12-02 22:36 -------- d-----w- c:\program files\Apoint2K

2010-09-23 01:13 . 2009-01-05 08:38 -------- d-----w- c:\program files\Charter Security Suite

2010-09-23 01:07 . 2009-01-05 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\f-secure

2010-09-23 00:58 . 2010-09-23 00:58 112 ----a-w- c:\documents and settings\All Users\Application Data\NnAW6tha.dat

2010-08-07 18:51 . 2005-10-07 20:39 39936 ----a-w- c:\windows\system32\drivers\CDAC11BA.EXE

2010-08-07 18:51 . 2005-10-07 20:40 30720 ---h--r- c:\windows\CdaC13BA.EXE

2010-08-07 18:51 . 2005-10-07 20:40 112128 -c-h--r- c:\windows\CdaC14BA.DLL

2010-07-30 05:36 . 2010-07-30 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PhotoStitch

2010-07-26 00:54 . 2010-07-26 00:54 -------- d-----w- c:\documents and settings\Jurgen\Application Data\Canon

2010-07-26 00:00 . 2010-07-25 23:55 -------- d-----w- c:\program files\Canon

2010-07-25 23:58 . 2010-07-25 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser

2010-07-25 23:41 . 2010-07-25 23:41 -------- d-----w- c:\program files\Common Files\Canon

2005-10-28 17:45 . 2005-10-28 17:45 28672 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2005-10-28 17:45 . 2005-10-28 17:45 98304 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2005-07-02 01:05 . 2005-07-02 01:05 12208 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

<pre>
c:\program files\ActivIdentity\ActivClient\accrdsub .exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Apoint2K\Apoint .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Charter Security Suite\Common\FSM32 .exe
c:\program files\Charter Security Suite\FSGUI\TNBUtil .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\EzButton\EzButton .exe
c:\program files\Microsoft IntelliPoint\point32 .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [N/A]

"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 88363]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [N/A]

"EzButton"="c:\program files\EzButton\EzButton.EXE" [N/A]

"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [N/A]

"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [N/A]

"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [N/A]

"CeEPOWER"="c:\program files\TOSHIBA\Power Management\CePMTray.exe" [N/A]

"Pinger"="c:\toshiba\IVP\ISM\pinger.exe" [N/A]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [N/A]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-01-14 122939]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [N/A]

"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2008-05-29 298024]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [N/A]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [N/A]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [N/A]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [N/A]

"<NO NAME>"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"SystemFolder"="c:\windows\system32\fm20.dll" [2003-08-03 1146184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2008-5-29 128552]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-3 110592]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-9-8 805392]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-27 147456]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-12-2 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]

2008-05-29 23:57 109568 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]

2008-05-29 23:57 293888 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel MEDIA FOLDERS INDEXER 8.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel MEDIA FOLDERS INDEXER 8.LNK

backup=c:\windows\pss\Corel MEDIA FOLDERS INDEXER 8.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk

backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]

c:\program files\Charter High-Speed Security Suite\Common\FSM32.EXE [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]

c:\program files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]

2003-04-22 22:43 413775 ----a-w- c:\program files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]

KHALMNPR.EXE [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]

KHALMNPR.EXE [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\News Service]

c:\program files\Charter High-Speed Security Suite\FSGUI\ispnews.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]

c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"AOL ACS"=3 (0x3)

"WebrootSpySweeperService"=2 (0x2)

"F-Secure Gatekeeper Handler Starter"=3 (0x3)

"gupdate1c9a07223ed7410"=2 (0x2)

"napagent"=3 (0x3)

"FSORSPClient"=3 (0x3)

"FSDFWD"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"c:\\Program Files\\Omnivex\\DataPipe Server\\DPServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

R1 ECioctl;ECioctl;c:\windows\system32\drivers\ECioctl.sys [5/6/2004 3:40 PM 4816]

R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/29/2008 6:57 PM 198184]

S0 mclhfwnq;mclhfwnq;c:\windows\system32\drivers\lxkt.sys --> c:\windows\system32\drivers\lxkt.sys [?]

S0 sfdubj;sfdubj;c:\windows\system32\drivers\cqoy.sys --> c:\windows\system32\drivers\cqoy.sys [?]

S0 vhrxz;vhrxz; [x]

S2 gupdate1cac3d8f4bf48e;Google Update Service (gupdate1cac3d8f4bf48e);c:\program files\Google\Update\GoogleUpdate.exe [3/14/2010 7:40 PM 133104]

S2 mrtRate;mrtRate; [x]

S3 RioDrv;Rio600 driver;c:\windows\system32\drivers\riodrv.sys [8/17/2001 8:24 AM 12032]

S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [1/16/2009 11:14 PM 56960]

.

Contents of the 'Scheduled Tasks' folder

2010-09-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2006-01-25 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p officejet 6100 seriesF56855811176EC24C9B302F94878AD886AF77CFF114812415.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 06:46]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 00:39]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 00:39]

2010-09-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2384713622-1720328257-1980244613-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-09-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2384713622-1720328257-1980244613-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html

IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html

FF - ProfilePath - c:\documents and settings\Jurgen\Application Data\Mozilla\Firefox\Profiles\t8c05an7.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\Jurgen\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\Jurgen\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npfreedwg.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmpview.dll

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 13);

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB0F1971D-468F-4647-BBF4-81E71E1CEF94", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCCBDF033-DD85-45fd-AE68-FBC4A7C7C154", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF8C41CBF-721F-4B99-9FC8-2F8077C4AD39", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID1BE73243-A85F-4385-939D-14D4845A286A", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBB3259D6-52FC-4820-898E-15411424DCCD", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE920CB9E-37B4-11D7-8A84-00A0C9EFDDF7", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC7582045-2191-11D6-B705-0040051594CE", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID19240637-B2BB-4589-B9C4-7EF5CE16352A", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB789B7AB-CDE9-450c-B2FF-708BDE6355A1", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\Jurgen\Desktop\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-22 21:12

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2384713622-1720328257-1980244613-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(452)

c:\windows\system32\ackpbsc.dll

c:\windows\system32\aclog.dll

c:\windows\system32\accrypto.dll

c:\windows\system32\ACLIBEAY.dll

c:\windows\system32\acevtsub.dll

c:\windows\system32\asphat32.dll

c:\windows\system32\acerrmes.dll

c:\windows\system32\aspcom.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

c:\program files\ActivIdentity\ActivClient\acunlock.dll

c:\windows\system32\aipingui.dll

c:\windows\system32\aicext.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll

c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll

- - - - - - - > 'explorer.exe'(2500)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\corel\Graphics8\programs\CMFFld80.dll

c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\windows\System32\ACS.exe

c:\windows\System32\SCardSvr.exe

c:\windows\system32\drivers\CDAC11BA.EXE

c:\program files\Toshiba\Power Management\CeEPwrSvc.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\windows\System32\DVDRAMSV.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\toshiba\Ivp\Swupdate\swupdtmr.exe

c:\windows\wanmpsvc.exe

c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\system32\wscntfy.exe

c:\windows\AGRSMMSG.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

c:\program files\ActivIdentity\ActivClient\acevents.exe

.

**************************************************************************

.

Completion time: 2010-09-22 21:28:39 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-23 02:28

Pre-Run: 13,300,432,896 bytes free

Post-Run: 14,241,091,584 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 6DA9D2BD387F99E1442DAD1C1EF0A3A6

`````````````````````````````````````````````````````

Re-scan of HJT:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 9:31:27 PM, on 9/22/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\ACS.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ActivIdentity\ActivClient\accoca.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\System32\DVDRAMSV.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

C:\WINDOWS\system32\RAMASST.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

C:\WINDOWS\system32\ctfmon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"

O4 - HKLM\..\Run: [EzButton] "C:\Program Files\EzButton\EzButton.EXE"

O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"

O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"

O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"

O4 - HKLM\..\Run: [CeEPOWER] "C:\Program Files\TOSHIBA\Power Management\CePMTray.exe"

O4 - HKLM\..\Run: [Pinger] "C:\TOSHIBA\IVP\ISM\pinger.exe" /run

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"

O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunOnce: [systemFolder] "C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\system32\fm20.dll" "C:\WINDOWS\system32\vsflex7.ocx" "C:\WINDOWS\system32\vsflex3.ocx" "C:\WINDOWS\system32\vsflex8n.ocx" "C:\WINDOWS\system32\dsofile.dll" "C:\WINDOWS\system32\hsppp.dll" "C:\WINDOWS\system32\eztoolslib.dll" "C:\WINDOWS\system32\MSFlxgrd.ocx" l" "C:\WINDOWS\system32\SaxFile.dll"

O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: officejet 6100.lnk = ?

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://www.solidworks.com/plugins/edrawing...anguage=English

O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://www.charter.net/files/charter/securitysuite/fscax.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -

O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\system32\ackpbsc.dll

O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe

O23 - Service: Google Update Service (gupdate1cac3d8f4bf48e) (gupdate1cac3d8f4bf48e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 10361 bytes


Can you have a look at this folder, see if you recognize it:

c:\documents and settings\Jurgen\Application Data\82ADA811F78A2205FAAF268835CE457B

If not...please delete it.

I'm pretty sure it's malware related.

------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

Driver::

vhrxz

mrtRate

mclhfwnq

sfdubj

File::

c:\windows\Bzacujekafiyaci.bin

c:\windows\Lzugogevu.dat

c:\windows\system32\drivers\lxkt.sys

c:\windows\system32\drivers\cqoy.sys

Folder::

c:\documents and settings\Jurgen\Local Settings\Application Data\ognwkmaci

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]

RenV::

c:\program files\ActivIdentity\ActivClient\accrdsub .exe

c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe

c:\program files\Apoint2K\Apoint .exe

c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe

c:\program files\Charter Security Suite\Common\FSM32 .exe

c:\program files\Charter Security Suite\FSGUI\TNBUtil .exe

c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe

c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth .exe

c:\program files\Common Files\Real\Update_OB\realsched .exe

c:\program files\EzButton\EzButton .exe

c:\program files\Microsoft IntelliPoint\point32 .exe

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply and a fresh HJT log.

MrC


As requested. Thanks.

ComboFix.txt

ComboFix 10-09-23.01 - Jurgen 09/23/2010 16:37:28.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.143 [GMT -5:00]

Running from: c:\documents and settings\Jurgen\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Jurgen\Desktop\CFScript.txt

FILE ::

"c:\windows\Bzacujekafiyaci.bin"

"c:\windows\Lzugogevu.dat"

"c:\windows\system32\drivers\cqoy.sys"

"c:\windows\system32\drivers\lxkt.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Jurgen\Local Settings\Application Data\ognwkmaci

c:\windows\Bzacujekafiyaci.bin

c:\windows\Lzugogevu.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MRTRATE

-------\Legacy_VHRXZ

-------\Service_mclhfwnq

-------\Service_mrtRate

-------\Service_sfdubj

-------\Service_vhrxz

((((((((((((((((((((((((( Files Created from 2010-08-23 to 2010-09-23 )))))))))))))))))))))))))))))))

.

2010-09-22 21:30 . 2010-09-22 21:30 -------- d-----w- c:\program files\Trend Micro

2010-09-22 21:18 . 2010-09-22 21:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google

2010-09-14 09:23 . 2010-09-14 09:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-09-14 06:59 . 2010-09-21 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

2010-09-01 06:05 . 2010-09-01 06:05 -------- d-----w- c:\windows\system32\wbem\Repository

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-23 21:37 . 2005-06-06 20:14 -------- d-----w- c:\program files\Microsoft IntelliPoint

2010-09-23 21:37 . 2003-12-02 22:47 -------- d-----w- c:\program files\EzButton

2010-09-23 21:37 . 2003-12-02 22:36 -------- d-----w- c:\program files\Apoint2K

2010-09-23 01:56 . 2010-01-22 01:54 -------- d-----w- c:\program files\QuickTime

2010-09-23 01:13 . 2009-01-05 08:38 -------- d-----w- c:\program files\Charter Security Suite

2010-09-23 01:07 . 2009-01-05 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\f-secure

2010-09-23 00:58 . 2010-09-23 00:58 112 ----a-w- c:\documents and settings\All Users\Application Data\NnAW6tha.dat

2010-08-07 18:51 . 2005-10-07 20:39 39936 ----a-w- c:\windows\system32\drivers\CDAC11BA.EXE

2010-08-07 18:51 . 2005-10-07 20:40 30720 ---h--r- c:\windows\CdaC13BA.EXE

2010-08-07 18:51 . 2005-10-07 20:40 112128 -c-h--r- c:\windows\CdaC14BA.DLL

2010-07-30 05:36 . 2010-07-30 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PhotoStitch

2010-07-26 00:54 . 2010-07-26 00:54 -------- d-----w- c:\documents and settings\Jurgen\Application Data\Canon

2010-07-26 00:00 . 2010-07-25 23:55 -------- d-----w- c:\program files\Canon

2010-07-25 23:58 . 2010-07-25 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser

2010-07-25 23:41 . 2010-07-25 23:41 -------- d-----w- c:\program files\Common Files\Canon

2005-10-28 17:45 . 2005-10-28 17:45 28672 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2005-10-28 17:45 . 2005-10-28 17:45 98304 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2005-07-02 01:05 . 2005-07-02 01:05 12208 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

c:\program files\Pure Networks\Network Magic\nmapp .exe

c:\program files\QuickTime\QTTask .exe

c:\program files\Toshiba\E-KEY\CeEKey .exe

c:\program files\Toshiba\Power Management\CePMTray .exe

c:\program files\Toshiba\Touch and Launch\PadExe .exe

c:\program files\Toshiba\TouchPad\TPTray .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-22 335872]

"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 88363]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-31 192512]

"EzButton"="c:\program files\EzButton\EzButton.EXE" [2004-05-14 712704]

"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [N/A]

"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [N/A]

"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [N/A]

"CeEPOWER"="c:\program files\TOSHIBA\Power Management\CePMTray.exe" [N/A]

"Pinger"="c:\toshiba\IVP\ISM\pinger.exe" [N/A]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-01-14 122939]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [N/A]

"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2008-05-29 298024]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [N/A]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-15 202256]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [N/A]

"News Service"="c:\program files\Charter High-Speed Security Suite\FSGUI\ispnews.exe" [N/A]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [N/A]

"F-Secure TNB"="c:\program files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" [N/A]

"F-Secure Manager"="c:\program files\Charter High-Speed Security Suite\Common\FSM32.EXE" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"SystemFolder"="c:\windows\system32\fm20.dll" [2003-08-03 1146184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2008-5-29 128552]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-3 110592]

Corel MEDIA FOLDERS INDEXER 8.LNK - c:\corel\Graphics8\Programs\MFIndexer.exe [2005-11-3 83456]

hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-9-8 805392]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-27 147456]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-12-2 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]

2008-05-29 23:57 109568 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]

2008-05-29 23:57 293888 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WebrootSpySweeperService"=2 (0x2)

"F-Secure Gatekeeper Handler Starter"=3 (0x3)

"gupdate1c9a07223ed7410"=2 (0x2)

"FSORSPClient"=3 (0x3)

"FSDFWD"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"c:\\Program Files\\Omnivex\\DataPipe Server\\DPServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

R1 ECioctl;ECioctl;c:\windows\system32\drivers\ECioctl.sys [5/6/2004 3:40 PM 4816]

S3 RioDrv;Rio600 driver;c:\windows\system32\drivers\riodrv.sys [8/17/2001 8:24 AM 12032]

S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [1/16/2009 11:14 PM 56960]

.

Contents of the 'Scheduled Tasks' folder

2010-09-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2006-01-25 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p officejet 6100 seriesF56855811176EC24C9B302F94878AD886AF77CFF114812415.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 06:46]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 00:39]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 00:39]

2010-09-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2384713622-1720328257-1980244613-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-09-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2384713622-1720328257-1980244613-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html

IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html

FF - ProfilePath - c:\documents and settings\Jurgen\Application Data\Mozilla\Firefox\Profiles\t8c05an7.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 13);

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB0F1971D-468F-4647-BBF4-81E71E1CEF94", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCCBDF033-DD85-45fd-AE68-FBC4A7C7C154", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF8C41CBF-721F-4B99-9FC8-2F8077C4AD39", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID1BE73243-A85F-4385-939D-14D4845A286A", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBB3259D6-52FC-4820-898E-15411424DCCD", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE920CB9E-37B4-11D7-8A84-00A0C9EFDDF7", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC7582045-2191-11D6-B705-0040051594CE", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID19240637-B2BB-4589-B9C4-7EF5CE16352A", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB789B7AB-CDE9-450c-B2FF-708BDE6355A1", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-23 17:00

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2384713622-1720328257-1980244613-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(456)

c:\windows\system32\ackpbsc.dll

c:\windows\system32\aclog.dll

c:\windows\system32\accrypto.dll

c:\windows\system32\ACLIBEAY.dll

c:\windows\system32\acevtsub.dll

c:\windows\system32\asphat32.dll

c:\windows\system32\acerrmes.dll

c:\windows\system32\aspcom.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

c:\program files\ActivIdentity\ActivClient\acunlock.dll

c:\windows\system32\aipingui.dll

c:\windows\system32\aicext.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll

c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll

- - - - - - - > 'explorer.exe'(3932)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\corel\Graphics8\programs\CMFFld80.dll

c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\windows\System32\ACS.exe

c:\windows\System32\SCardSvr.exe

c:\program files\ActivIdentity\ActivClient\acevents.exe

c:\program files\ActivIdentity\ActivClient\accoca.exe

c:\windows\system32\drivers\CDAC11BA.EXE

c:\program files\Toshiba\Power Management\CeEPwrSvc.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\windows\System32\DVDRAMSV.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\toshiba\Ivp\Swupdate\swupdtmr.exe

c:\windows\wanmpsvc.exe

c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

c:\windows\system32\wscntfy.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\AGRSMMSG.exe

c:\program files\Microsoft ActiveSync\WCESCOMM.EXE

c:\program files\ActivIdentity\ActivClient\acevents.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

.

**************************************************************************

.

Completion time: 2010-09-23 17:16:48 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-23 22:16

ComboFix2.txt 2010-09-23 02:28

Pre-Run: 14,173,458,432 bytes free

Post-Run: 14,017,728,512 bytes free

- - End Of File - - 8EE4903B015E3DCE898F673C660220A1

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

HJT Log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 5:24:41 PM, on 9/23/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\ACS.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ActivIdentity\ActivClient\accoca.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\System32\DVDRAMSV.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

C:\Program Files\ActivIdentity\ActivClient\acevents.exe

C:\Corel\Graphics8\Programs\MFIndexer.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

C:\WINDOWS\system32\RAMASST.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Jurgen\Desktop\HJT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"

O4 - HKLM\..\Run: [EzButton] "C:\Program Files\EzButton\EzButton.EXE"

O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"

O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"

O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"

O4 - HKLM\..\Run: [CeEPOWER] "C:\Program Files\TOSHIBA\Power Management\CePMTray.exe"

O4 - HKLM\..\Run: [Pinger] "C:\TOSHIBA\IVP\ISM\pinger.exe" /run

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"

O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash

O4 - HKLM\..\RunOnce: [systemFolder] "C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\system32\fm20.dll" "C:\WINDOWS\system32\vsflex7.ocx" "C:\WINDOWS\system32\vsflex3.ocx" "C:\WINDOWS\system32\vsflex8n.ocx" "C:\WINDOWS\system32\dsofile.dll" "C:\WINDOWS\system32\hsppp.dll" "C:\WINDOWS\system32\eztoolslib.dll" "C:\WINDOWS\system32\MSFlxgrd.ocx" l" "C:\WINDOWS\system32\SaxFile.dll"

O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: officejet 6100.lnk = ?

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://www.solidworks.com/plugins/edrawing...anguage=English

O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://www.charter.net/files/charter/securitysuite/fscax.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -

O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\system32\ackpbsc.dll

O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe

O23 - Service: Google Update Service (gupdate1cac3d8f4bf48e) (gupdate1cac3d8f4bf48e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 11620 bytes


We're getting there.

One more time......

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

RenV::

c:\program files\Pure Networks\Network Magic\nmapp .exe

c:\program files\QuickTime\QTTask .exe

c:\program files\Toshiba\E-KEY\CeEKey .exe

c:\program files\Toshiba\Power Management\CePMTray .exe

c:\program files\Toshiba\Touch and Launch\PadExe .exe

c:\program files\Toshiba\TouchPad\TPTray .exe

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC

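Every path in the RenV:: block above carries a space just before ".exe" (QTTask .exe, CeEKey .exe, and so on), the same spelling HijackThis showed in the O4 line for QuickTime Task and ComboFix flagged inside its `<pre>` block. The following Python script is an added example, not part of this thread, ComboFix or HijackThis: it scans HijackThis O4 lines and ComboFix Run-key lines for that spaced-extension pattern and lists the hits in the RenV:: format used in the script above, so a reviewer can spot such entries in a fresh log without reading every line. The sample lines are constructed, modelled on entries in the thread.

```python
import re

# Constructed sample lines in the shape of HijackThis O4 entries and
# ComboFix "Run" key entries (not copied from the logs above).
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime',
    r'O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"',
    r'"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey .exe" [X]',
    r'"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 88363]',
]

# A drive-letter path whose executable extension is preceded by whitespace,
# e.g. "QTTask .exe". The character class stops at quotes and brackets so the
# match does not run into the rest of the log line.
SPACED_EXT_RE = re.compile(
    r'([A-Za-z]:\\[^"\[\]]*?\S)\s+\.(exe|dll|scr|com)\b',
    re.IGNORECASE,
)


def find_spaced_extensions(lines):
    """Return (line_number, path) for each line with a space before the extension."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = SPACED_EXT_RE.search(line)
        if match:
            hits.append((number, match.group(0)))
    return hits


def to_renv_block(paths):
    """Render flagged paths in the RenV:: block layout shown in the thread."""
    return "RenV::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = find_spaced_extensions(SAMPLE_LINES)
    for number, path in found:
        print(f"line {number}: {path}")
    print(to_renv_block([path for _, path in found]))
```

Run it against a saved HijackThis or ComboFix log by reading the file into a list of lines in place of `SAMPLE_LINES`; the output is meant for review, not for dropping onto ComboFix unread.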

Latest Combofix log

ComboFix 10-09-23.01 - Jurgen 09/23/2010 18:44:57.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.199 [GMT -5:00]

Running from: c:\documents and settings\Jurgen\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Jurgen\Desktop\CFScript.txt.txt

.

((((((((((((((((((((((((( Files Created from 2010-08-23 to 2010-09-23 )))))))))))))))))))))))))))))))

.

2010-09-22 21:30 . 2010-09-22 21:30 -------- d-----w- c:\program files\Trend Micro

2010-09-22 21:18 . 2010-09-22 21:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google

2010-09-14 09:23 . 2010-09-14 09:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-09-14 06:59 . 2010-09-21 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

2010-09-01 06:05 . 2010-09-01 06:05 -------- d-----w- c:\windows\system32\wbem\Repository

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-23 21:37 . 2005-06-06 20:14 -------- d-----w- c:\program files\Microsoft IntelliPoint

2010-09-23 21:37 . 2003-12-02 22:47 -------- d-----w- c:\program files\EzButton

2010-09-23 21:37 . 2003-12-02 22:36 -------- d-----w- c:\program files\Apoint2K

2010-09-23 01:56 . 2010-01-22 01:54 -------- d-----w- c:\program files\QuickTime

2010-09-23 01:13 . 2009-01-05 08:38 -------- d-----w- c:\program files\Charter Security Suite

2010-09-23 01:07 . 2009-01-05 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\f-secure

2010-09-23 00:58 . 2010-09-23 00:58 112 ----a-w- c:\documents and settings\All Users\Application Data\NnAW6tha.dat

2010-09-22 21:30 . 2010-09-22 21:30 388096 ----a-r- c:\documents and settings\Jurgen\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-08-07 18:51 . 2005-10-07 20:39 39936 ----a-w- c:\windows\system32\drivers\CDAC11BA.EXE

2010-08-07 18:51 . 2005-10-07 20:40 30720 ---h--r- c:\windows\CdaC13BA.EXE

2010-08-07 18:51 . 2005-10-07 20:40 112128 -c-h--r- c:\windows\CdaC14BA.DLL

2010-07-30 05:36 . 2010-07-30 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PhotoStitch

2010-07-26 00:54 . 2010-07-26 00:54 -------- d-----w- c:\documents and settings\Jurgen\Application Data\Canon

2005-10-28 17:45 . 2005-10-28 17:45 28672 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2005-10-28 17:45 . 2005-10-28 17:45 98304 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2005-07-02 01:05 . 2005-07-02 01:05 12208 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

<pre>
c:\program files\QuickTime\QTTask .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-22 335872]

"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 88363]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-31 192512]

"EzButton"="c:\program files\EzButton\EzButton.EXE" [2004-05-14 712704]

"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2004-05-06 638976]

"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2004-03-15 53248]

"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 1089589]

"CeEPOWER"="c:\program files\TOSHIBA\Power Management\CePMTray.exe" [2004-05-20 135168]

"Pinger"="c:\toshiba\IVP\ISM\pinger.exe" [N/A]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-01-14 122939]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [N/A]

"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2008-05-29 298024]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-15 202256]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [N/A]

"News Service"="c:\program files\Charter High-Speed Security Suite\FSGUI\ispnews.exe" [N/A]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [N/A]

"F-Secure TNB"="c:\program files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" [N/A]

"F-Secure Manager"="c:\program files\Charter High-Speed Security Suite\Common\FSM32.EXE" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"SystemFolder"="c:\windows\system32\fm20.dll" [2003-08-03 1146184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2008-5-29 128552]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-3 110592]

Corel MEDIA FOLDERS INDEXER 8.LNK - c:\corel\Graphics8\Programs\MFIndexer.exe [2005-11-3 83456]

hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-9-8 805392]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-27 147456]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-12-2 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]

2008-05-29 23:57 109568 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]

2008-05-29 23:57 293888 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WebrootSpySweeperService"=2 (0x2)

"F-Secure Gatekeeper Handler Starter"=3 (0x3)

"gupdate1c9a07223ed7410"=2 (0x2)

"FSORSPClient"=3 (0x3)

"FSDFWD"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"c:\\Program Files\\Omnivex\\DataPipe Server\\DPServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

R1 ECioctl;ECioctl;c:\windows\system32\drivers\ECioctl.sys [5/6/2004 3:40 PM 4816]

R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/29/2008 6:57 PM 198184]

S2 gupdate1cac3d8f4bf48e;Google Update Service (gupdate1cac3d8f4bf48e);c:\program files\Google\Update\GoogleUpdate.exe [3/14/2010 7:40 PM 133104]

S3 RioDrv;Rio600 driver;c:\windows\system32\drivers\riodrv.sys [8/17/2001 8:24 AM 12032]

S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [1/16/2009 11:14 PM 56960]

.

Contents of the 'Scheduled Tasks' folder

2010-09-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2006-01-25 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p officejet 6100 seriesF56855811176EC24C9B302F94878AD886AF77CFF114812415.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 06:46]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 00:39]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 00:39]

2010-09-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2384713622-1720328257-1980244613-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-09-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2384713622-1720328257-1980244613-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html

IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html

FF - ProfilePath - c:\documents and settings\Jurgen\Application Data\Mozilla\Firefox\Profiles\t8c05an7.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 13);

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB0F1971D-468F-4647-BBF4-81E71E1CEF94", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCCBDF033-DD85-45fd-AE68-FBC4A7C7C154", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF8C41CBF-721F-4B99-9FC8-2F8077C4AD39", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID1BE73243-A85F-4385-939D-14D4845A286A", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBB3259D6-52FC-4820-898E-15411424DCCD", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE920CB9E-37B4-11D7-8A84-00A0C9EFDDF7", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC7582045-2191-11D6-B705-0040051594CE", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID19240637-B2BB-4589-B9C4-7EF5CE16352A", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB789B7AB-CDE9-450c-B2FF-708BDE6355A1", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-23 18:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2384713622-1720328257-1980244613-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(456)

c:\windows\system32\ackpbsc.dll

c:\windows\system32\aclog.dll

c:\windows\system32\accrypto.dll

c:\windows\system32\ACLIBEAY.dll

c:\windows\system32\acevtsub.dll

c:\windows\system32\asphat32.dll

c:\windows\system32\acerrmes.dll

c:\windows\system32\aspcom.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

c:\program files\ActivIdentity\ActivClient\acunlock.dll

c:\windows\system32\aipingui.dll

c:\windows\system32\aicext.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll

c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll

- - - - - - - > 'explorer.exe'(3688)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-09-23 19:05:55

ComboFix-quarantined-files.txt 2010-09-24 00:05

ComboFix2.txt 2010-09-23 22:16

ComboFix3.txt 2010-09-23 02:28

Pre-Run: 14,034,288,640 bytes free

Post-Run: 14,013,870,080 bytes free

- - End Of File - - E2FD4E72B55CB205BAB0C46EDF2D7246


ComboFix 10-09-23.01 - Jurgen 09/23/2010 19:52:02.4.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.133 [GMT -5:00]

Running from: c:\documents and settings\Jurgen\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Jurgen\Desktop\CFScript.txt

.

((((((((((((((((((((((((( Files Created from 2010-08-24 to 2010-09-24 )))))))))))))))))))))))))))))))

.

2010-09-22 21:30 . 2010-09-22 21:30 -------- d-----w- c:\program files\Trend Micro

2010-09-22 21:18 . 2010-09-22 21:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google

2010-09-14 09:23 . 2010-09-14 09:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-09-14 06:59 . 2010-09-21 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

2010-09-01 06:05 . 2010-09-01 06:05 -------- d-----w- c:\windows\system32\wbem\Repository

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-23 21:37 . 2005-06-06 20:14 -------- d-----w- c:\program files\Microsoft IntelliPoint

2010-09-23 21:37 . 2003-12-02 22:47 -------- d-----w- c:\program files\EzButton

2010-09-23 21:37 . 2003-12-02 22:36 -------- d-----w- c:\program files\Apoint2K

2010-09-23 01:56 . 2010-01-22 01:54 -------- d-----w- c:\program files\QuickTime

2010-09-23 01:13 . 2009-01-05 08:38 -------- d-----w- c:\program files\Charter Security Suite

2010-09-23 01:07 . 2009-01-05 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\f-secure

2010-09-23 00:58 . 2010-09-23 00:58 112 ----a-w- c:\documents and settings\All Users\Application Data\NnAW6tha.dat

2010-09-22 21:30 . 2010-09-22 21:30 388096 ----a-r- c:\documents and settings\Jurgen\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-08-07 18:51 . 2005-10-07 20:39 39936 ----a-w- c:\windows\system32\drivers\CDAC11BA.EXE

2010-08-07 18:51 . 2005-10-07 20:40 30720 ---h--r- c:\windows\CdaC13BA.EXE

2010-08-07 18:51 . 2005-10-07 20:40 112128 -c-h--r- c:\windows\CdaC14BA.DLL

2010-07-30 05:36 . 2010-07-30 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PhotoStitch

2005-10-28 17:45 . 2005-10-28 17:45 28672 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2005-10-28 17:45 . 2005-10-28 17:45 98304 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2005-07-02 01:05 . 2005-07-02 01:05 12208 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

<pre>
c:\program files\QuickTime\QTTask .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-22 335872]

"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 88363]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-31 192512]

"EzButton"="c:\program files\EzButton\EzButton.EXE" [2004-05-14 712704]

"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2004-05-06 638976]

"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2004-03-15 53248]

"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 1089589]

"CeEPOWER"="c:\program files\TOSHIBA\Power Management\CePMTray.exe" [2004-05-20 135168]

"Pinger"="c:\toshiba\IVP\ISM\pinger.exe" [N/A]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-01-14 122939]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [N/A]

"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2008-05-29 298024]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-15 202256]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [N/A]

"News Service"="c:\program files\Charter High-Speed Security Suite\FSGUI\ispnews.exe" [N/A]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [N/A]

"F-Secure TNB"="c:\program files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" [N/A]

"F-Secure Manager"="c:\program files\Charter High-Speed Security Suite\Common\FSM32.EXE" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"SystemFolder"="c:\windows\system32\fm20.dll" [2003-08-03 1146184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2008-5-29 128552]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-3 110592]

Corel MEDIA FOLDERS INDEXER 8.LNK - c:\corel\Graphics8\Programs\MFIndexer.exe [2005-11-3 83456]

hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-9-8 805392]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-27 147456]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-12-2 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]

2008-05-29 23:57 109568 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]

2008-05-29 23:57 293888 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WebrootSpySweeperService"=2 (0x2)

"F-Secure Gatekeeper Handler Starter"=3 (0x3)

"gupdate1c9a07223ed7410"=2 (0x2)

"FSORSPClient"=3 (0x3)

"FSDFWD"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"c:\\Program Files\\Omnivex\\DataPipe Server\\DPServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

R1 ECioctl;ECioctl;c:\windows\system32\drivers\ECioctl.sys [5/6/2004 3:40 PM 4816]

R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/29/2008 6:57 PM 198184]

S2 gupdate1cac3d8f4bf48e;Google Update Service (gupdate1cac3d8f4bf48e);c:\program files\Google\Update\GoogleUpdate.exe [3/14/2010 7:40 PM 133104]

S3 RioDrv;Rio600 driver;c:\windows\system32\drivers\riodrv.sys [8/17/2001 8:24 AM 12032]

S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [1/16/2009 11:14 PM 56960]

.

Contents of the 'Scheduled Tasks' folder

2010-09-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2006-01-25 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p officejet 6100 seriesF56855811176EC24C9B302F94878AD886AF77CFF114812415.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 06:46]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 00:39]

2010-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 00:39]

2010-09-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2384713622-1720328257-1980244613-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-09-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2384713622-1720328257-1980244613-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html

IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html

FF - ProfilePath - c:\documents and settings\Jurgen\Application Data\Mozilla\Firefox\Profiles\t8c05an7.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 13);

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB0F1971D-468F-4647-BBF4-81E71E1CEF94", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCCBDF033-DD85-45fd-AE68-FBC4A7C7C154", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF8C41CBF-721F-4B99-9FC8-2F8077C4AD39", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID1BE73243-A85F-4385-939D-14D4845A286A", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBB3259D6-52FC-4820-898E-15411424DCCD", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE920CB9E-37B4-11D7-8A84-00A0C9EFDDF7", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC7582045-2191-11D6-B705-0040051594CE", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID19240637-B2BB-4589-B9C4-7EF5CE16352A", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB789B7AB-CDE9-450c-B2FF-708BDE6355A1", "AllAccess");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-23 20:05

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2384713622-1720328257-1980244613-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(456)

c:\windows\system32\ackpbsc.dll

c:\windows\system32\aclog.dll

c:\windows\system32\accrypto.dll

c:\windows\system32\ACLIBEAY.dll

c:\windows\system32\acevtsub.dll

c:\windows\system32\asphat32.dll

c:\windows\system32\acerrmes.dll

c:\windows\system32\aspcom.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

c:\program files\ActivIdentity\ActivClient\acunlock.dll

c:\windows\system32\aipingui.dll

c:\windows\system32\aicext.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll

c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll

- - - - - - - > 'explorer.exe'(3836)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-09-23 20:12:41

ComboFix-quarantined-files.txt 2010-09-24 01:12

ComboFix2.txt 2010-09-24 00:05

ComboFix3.txt 2010-09-23 22:16

ComboFix4.txt 2010-09-23 02:28

Pre-Run: 14,023,057,408 bytes free

Post-Run: 14,004,924,416 bytes free

- - End Of File - - 8313AB89983569ABE60BBBF31625D222


QuickTime can't be cleaned, so uninstall it from your Control Panel's Add/Remove Programs and delete this folder if found:

c:\program files\QuickTime

Check HJT and fix this one if found:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

You'll be prompted to download the program again if needed.

-------------------------------------------------

Update and run a quick scan with MBAM and post the log.

---------------------------

Let's check the computer's security:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4678

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

9/23/2010 9:22:31 PM

mbam-log-2010-09-23 (21-22-31).txt

Scan type: Quick scan

Objects scanned: 157646

Time elapsed: 10 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

------------------------------------------------------------------------------

Results of screen317's Security Check version 0.99.5

Windows XP Service Pack 3

Internet Explorer 7 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

```````````````````````````````

Anti-malware/Other Utilities Check:

Out of date Spybot installed!

Malwarebytes' Anti-Malware

Java 6 Update 17

Java 2 Runtime Environment, SE v1.4.2_03

Out of date Java installed!

Adobe Flash Player 10.1.82.76

Adobe Reader 9.3.3

````````````````````````````````

Process Check:

objlist.exe by Laurent

````````````````````````````````

DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning. (Wireless connection?)

``````````End of Log````````````


Please Uninstall ComboFix:

Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

-------------------------------------------

Just a couple of problems.

1. Spybot is out of date: update it or uninstall it.

2. Your Java is out of date:

Go to your Control Panel's Add/Remove Programs, uninstall all Java versions, and then install the latest version:

JRE 6 Update 21

Info on Java can be found HERE.

3. Install an anti-virus....use Avast or Avira

4. I would install a better firewall than Windows'.

You can find all this info and more in My Preventive Maintenance

Any questions...please post back.

Good Luck and Thanks for using the forum, MrC

This topic is now closed to further replies.