Jump to content

Am I infected?


Recommended Posts

Hi,

Something definetly changed on my XP system. Might be sytem corruption, but I want to rule out malware/rootkit before the big reformat. Thanks for any assistance rendered:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Admin at HH:mm:ss on Mon 09/20/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1251 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\NetMotion Client\messerv.exe

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\NetMotion Client\nomtray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\WINDOWS\system32\svchost.exe -k HPService

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\PSIService.exe

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\WINDOWS\system32\rpcnet.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\D7XZOJTW\dds[1].scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uStart Page = https://owa.nyc.gov/exchange/

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: COmeaHelper Object: {09628aaa-66ad-4fa2-82e2-698185b66463} - c:\program files\jetbrains\omea reader\IexploreOmeaW.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: WinAVI FLVSense: {e8df67a1-b618-4f3f-9e7c-cbe175adef5b} - c:\program files\winavi flv converter\FLVTune.dll

BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\6.0.472.62\npchrome_frame.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Omea: {35402c01-1777-4159-9aba-3480ba70d90a} - c:\program files\jetbrains\omea reader\IexploreOmeaW.dll

TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll

uRun: [ClipMate7] c:\program files\clipmate7\clipmate.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [nomtray] c:\program files\netmotion client\nomtray.exe

mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [HKLM] c:\windows\system32\Isass.exe

mRun: [<NO NAME>]

mRun: [QuickTime Task] "c:\program files\quicktime alternative\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

dRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uExplorerRun: [Policies] c:\windows\system32\Isass.exe

mExplorerRun: [Policies] c:\windows\system32\Isass.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gigane~1.lnk - c:\program files\giganews accelerator\GiganewsAccelerator.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

uPolicies-explorer: NoResolveTrack = 1 (0x1)

uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)

dPolicies-explorer: NoResolveTrack = 1 (0x1)

dPolicies-explorer: NoSMHelp = 1 (0x1)

dPolicies-explorer: StartMenuLogoff = 1 (0x1)

dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

IE: &Download FLV by WinAVI... - c:\program files\winavi flv converter\flv_link.htm

IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000

IE: Add to &Evernote - c:\program files\evernote\evernote3.5\enbar.dll/2000

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Clip and Edit - c:\program files\jetbrains\omea reader\IexploreOmeaW.dll/1000

IE: Clip and Save - c:\program files\jetbrains\omea reader\IexploreOmeaW.dll/1001

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Subscribe to Feed - c:\program files\jetbrains\omea reader\IexploreOmeaW.dll/1002

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

IE: {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - {EC83A912-7EF4-410D-9CC7-3BDAA709CA71} - c:\program files\winavi flv converter\FLVTune.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll

IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\evernote\evernote3.5\enbar.dll

Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\6.0.472.62\npchrome_frame.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: acaptuser32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\dwi8vs8u.default\

FF - prefs.js: browser.startup.homepage - hxxp://johndillworth0.spaces.live.com/

FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll

FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll

FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll

FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll

FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll

FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll

FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-18 11608]

R1 fsclm;FIPS Driver;c:\program files\netmotion client\fsclm.sys [2008-4-21 97760]

R1 NMDRV;NetMotion Client Driver;c:\program files\netmotion client\nmdrv.sys [2008-4-21 689296]

R1 NMRoam;NetMotion Roaming Detection Daemon;c:\windows\system32\drivers\nmroam.sys [2008-4-21 22672]

R1 NMutilnt;NetMotion Utility Driver;c:\windows\system32\drivers\nmutilnt.sys [2008-4-21 19600]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-18 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-18 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-18 56816]

R2 MESSERV;NetMotion Client;c:\program files\netmotion client\messerv.exe [2008-4-21 897680]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2009-1-3 41216]

R3 nmvnic;NMVNIC Network Adapter;c:\windows\system32\drivers\nmvnic.sys [2008-4-21 75920]

R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2009-1-3 47616]

S1 fliojdc;fliojdc;c:\windows\system32\drivers\fliojdc.sys [2004-8-4 295968]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-10 135664]

S3 IpwP;IPWireless 3G Network Adapter;c:\windows\system32\drivers\ipw3gnet.sys [2009-10-22 51648]

S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2009-10-22 34064]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

============== File Associations ===============

.txt=UltraEdit.txt

=============== Created Last 30 ================

2010-09-20 19:49:38 176 ----a-w- c:\documents and settings\admin\defogger_reenable

2010-09-20 19:01:05 0 d-----w- c:\program files\Trend Micro

2010-09-20 18:56:26 0 d-----w- c:\program files\Smart Virus Remover

2010-09-20 15:07:21 0 d-----w- c:\docume~1\alluse~1\applic~1\xml_param

2010-09-20 15:04:07 153600 ----a-w- c:\windows\system32\WSContextMenu.dll

2010-09-20 15:03:57 892928 ----a-w- c:\windows\system32\iconv.dll

2010-09-20 15:03:57 675840 ----a-w- c:\windows\system32\ac3filter.ax

2010-09-20 15:03:57 496640 ----a-w- c:\windows\system32\xvid.ax

2010-09-20 15:03:47 0 d-----w- c:\program files\Daniusoft

2010-09-20 12:27:55 107368 ----a-w- c:\windows\system32\GEARAspi.dll

2010-09-20 12:26:45 0 d-----w- c:\program files\iPod

2010-09-20 12:26:39 0 d-----w- c:\program files\iTunes

2010-09-20 12:21:31 0 d-----w- c:\program files\Bonjour

2010-09-17 15:07:12 0 d-----w- c:\windows\system32\winrm

2010-09-17 15:07:05 0 dc-h--w- c:\windows\$968930Uinstall_KB968930$

2010-09-17 15:01:50 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe

2010-09-17 15:01:47 293376 ------w- c:\windows\system32\dllcache\winsrv.dll

2010-09-17 15:01:31 406016 ------w- c:\windows\system32\dllcache\usp10.dll

2010-08-23 23:29:11 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-09-20 19:54:08 17408 ----a-w- c:\windows\system32\rpcnetp.exe

2010-09-20 19:54:06 57752 ----a-w- c:\windows\system32\rpcnet.dll

2010-09-17 15:20:13 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01009.Wdf

2010-09-17 15:20:11 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-10 18:14:46 44952 ----a-w- c:\windows\system32\pkgmgr.dll

2010-07-27 22:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-07-27 22:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll

2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 15:49:15 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll

2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-07-10 14:10:47 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-09 23:16:34 48024 ----a-w- c:\windows\system32\pkgslv.exe

2010-07-01 13:53:54 75544 ---ha-w- c:\windows\system32\mlfcache.dat

2010-06-30 22:26:52 57752 ------w- c:\windows\system32\rpcnet.exe

2010-06-30 21:02:31 17408 ----a-w- c:\windows\system32\rpcnetp.dll

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll

2010-06-24 21:51:58 11077120 ----a-w- c:\windows\system32\dllcache\ieframe.dll

2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll

2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-06-24 12:22:02 1210368 ----a-w- c:\windows\system32\dllcache\urlmon.dll

2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll

2010-06-24 12:22:01 5951488 ----a-w- c:\windows\system32\dllcache\mshtml.dll

2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll

2010-06-24 12:21:59 599040 ----a-w- c:\windows\system32\dllcache\msfeeds.dll

2010-06-24 12:21:59 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-06-24 12:21:59 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll

2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-06-24 12:21:58 1986560 ----a-w- c:\windows\system32\dllcache\iertutil.dll

2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll

2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-24 12:21:55 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll

2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys

2010-06-23 12:08:09 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe

2009-03-26 19:05:01 88 --sh--r- c:\windows\system32\8FBE10C5C9.sys

2009-03-26 19:05:01 952 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: HH:mm:ss ===============

Attach.zip

Link to post
Share on other sites

Welcome to the forum, Yes you're infected.

Please do this:

Download ComboFix from one of these locations:

Link 1

Link 2

ComboFix Guide

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable/exit. More info HERE
    They may interfere with the running of ComboFix.
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please let me know.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

5.Give it atleast 20-30 minutes to finish if needed.

MrC

Link to post
Share on other sites

Welcome to the forum, Yes you're infected.

Please do this:

Download ComboFix from one of these locations:

Link 1

Link 2

ComboFix Guide

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable/exit. More info HERE
    They may interfere with the running of ComboFix.
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please let me know.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

5.Give it atleast 20-30 minutes to finish if needed.

MrC

Thjanks for your help, for some reason I can't paste into response so I am attacheing the log file

combofix.txt

Link to post
Share on other sites

You don't have to quote my post, just use the add reply button...Thanks!

Please do this:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

File::

c:\docume~1\Admin\LOCALS~1\Temp\YFUJZPIGUBH.exe

c:\windows\system32\drivers\fliojdc.sys

Driver::

fliojdc

YFUJZPIGUBH

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply and a fresh HJT log.

MrC

Link to post
Share on other sites

Something isn't right because nothing was deleted.

Looks like you didn't have CFScript.txt on your desktop, it has to be there:

Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe

Command switches used :: c:\combofix\CFScript.txt

This is what should have been inside the script:

------------------------------------------------------------------------------------------------------

File::

c:\docume~1\Admin\LOCALS~1\Temp\YFUJZPIGUBH.exe

c:\windows\system32\drivers\fliojdc.sys

Driver::

fliojdc

YFUJZPIGUBH

-------------------------------------------------------------------------------------------------------

Try it again and see what happens, MrC

Link to post
Share on other sites

This one I can post in text:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4676

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/23/2010 1:47:23 PM

mbam-log-2010-09-23 (13-47-23).txt

Scan type: Quick scan

Objects scanned: 165303

Time elapsed: 10 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Great :)

Please Uninstall ComboFix:

Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

---------------------

Before you go lets just check your computers security:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC

Link to post
Share on other sites

  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.