
Malwarebytes and other AV updates will not connect and blocked


Squirrel

Malwarebytes will not download new updates.

I have twice scanned with F-secure which on both occasions has detected and then quarantined the virus "Suspicious:W32/Malware!Gemini".

I suspect the virus has crippled anti-virus programs. F-Secure updates normally, but neither Malwarebytes nor other AV programs such as Emsisoft Anti-Malware can download updates. The internet connection is otherwise functional, i.e. Firefox, Skype and downloading work.

I have installed the updater mbam-rules.exe and also reinstalled Malwarebytes. I have also temporarily turned off F-Secure DeepGuard. But to no avail.

My system is XP Pro and everything else is properly updated. The system drive is F:.

Since Malwarebytes cannot update, it has not run, and so there is no Malwarebytes' Anti-Malware log file.

I would appreciate advice and help.

John

DDS (Ver_10-12-12.02) - NTFSx86

Run by Administrator at 3:38:39.87 on 14/12/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1334 [GMT 0:00]

AV: F-Secure Client Security 9.01 *Enabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

FW: F-Secure Client Security 9.01 *Enabled*

============== Running Processes ===============

C:\Program Files\Emsisoft Anti-Malware\a2service.exe

F:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

svchost.exe

F:\WINDOWS\system32\spoolsv.exe

svchost.exe

F:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe

C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE

C:\Program Files\F-Secure\Common\FSMA32.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\F-Secure\Common\FSHDLL32.EXE

F:\WINDOWS\system32\msiexec.exe

F:\WINDOWS\System32\svchost.exe -k HPZ12

F:\WINDOWS\system32\nvsvc32.exe

F:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Macrium\Reflect\ReflectService.exe

F:\WINDOWS\system32\svchost.exe -k imgsvc

F:\WINDOWS\System32\vssvc.exe

C:\Program Files\F-Secure\Common\FSM32.EXE

C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

F:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Everything\Everything.exe

C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE

C:\Program Files\F-Secure\Common\FNRB32.EXE

C:\Program Files\F-Secure\Anti-Virus\fssm32.exe

C:\Program Files\F-Secure\Common\FIH32.EXE

C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe

F:\Documents and Settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\F-Secure\Anti-Virus\fsav32.exe

F:\Documents and Settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

F:\Documents and Settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

F:\Documents and Settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

F:\WINDOWS\System32\svchost.exe -k netsvcs

K:\My Documents\Downloads\mbam-setup-1.50.0.0.exe

F:\DOCUME~1\ADMINI~1.JRS\LOCALS~1\Temp\is-B5QUR.tmp\mbam-setup-1.50.0.0.tmp

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

K:\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uSearch Bar = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - AskBar BHO

BHO: {53707962-6f74-2d53-2644-206d7942484f} -

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mi1933~1\office14\URLREDIR.DLL

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} -

TB: Browsing Protection Toolbar: {265eee8e-3228-44d3-aea5-f7fdf5860049} - c:\program files\f-secure\nrs\iescript\baselitmus.dll

uRun: [Google Update] "f:\documents and settings\administrator.jrs-1gp3gjvwo3b\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [F-Secure Manager] "c:\program files\f-secure\common\FSM32.EXE" /splash

mRun: [F-Secure TNB] "c:\program files\f-secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW

mRun: [logo mouse] c:\program files\logitech\mouseware\system\EM_EXEC.EXE

mRun: [Logitech Utility] Logi_MwX.Exe

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup

mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Everything] "c:\program files\everything\Everything.exe" -startup

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: f:\docume~1\admini~1.jrs\startm~1\programs\system~1\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE

uPolicies-explorer: NoSMHelp = 01000000

uPolicies-explorer: NoRecentDocsNetHood = 01000000

uPolicies-explorer: NoSMMyDocs = 01000000

uPolicies-explorer: NoSMMyPictures = 00000000

uPolicies-explorer: NoNetworkConnections = 01000000

uPolicies-explorer: NoActiveDesktop = 01000000

mPolicies-explorer: NoWinKeys = 1 (0x1)

IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html

IE: Backward &Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cac&hed Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office14\EXCEL.EXE/3000

IE: Read By Natural Voice Reader - c:\program files\naturalreaders\natural voice reader pro\read.html

IE: Se&nd to OneNote - c:\progra~1\mi1933~1\office14\ONBttnIE.dll/105

IE: Si&milar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html

IE: {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - c:\program files\naturalreaders\natural voice reader pro\read.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

LSP: c:\program files\f-secure\fsps\program\fslsp.dll

DPF: DirectAnimation Java Classes

DPF: Microsoft XML Parser for Java

DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - hxxp://toolbar.google.com/data/GoogleActivate.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37900.5179861111

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\google\google~2\GOEC62~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL

LSA: Authentication Packages = msv1_0 nwprovau

mASetup: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection c:\windows\inf\msnetmtg.inf,NetMtg.Install.PerUser.NT

mASetup: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection c:\windows\inf\msmsgs.inf,BLC.QuietInstall.PerUser

mASetup: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection c:\windows\inf\fxsocm.inf,Fax.Install.PerUser

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;f:\windows\system32\drivers\fsbts.sys [2009-8-30 41624]

R0 FSFW;F-Secure Firewall Driver;f:\windows\system32\drivers\fsdfw.sys [2007-10-23 80080]

R0 pssnap;Paramount Software Snapshot Filter;f:\windows\system32\drivers\pssnap.sys [2010-9-28 15328]

R1 Asapi;Asapi;f:\windows\system32\drivers\asapi.sys [2004-2-7 10240]

R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\f-secure\hips\drivers\fshs.sys [2009-9-8 68144]

R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2010-8-6 2953808]

R2 cpuz132;cpuz132;f:\windows\system32\drivers\cpuz132_x32.sys [2009-9-3 12672]

R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\f-secure\anti-virus\fsgk32st.exe [2009-9-8 219824]

R2 NTIOWP;NTIOWP;f:\windows\system32\drivers\NTIOWP.SYS [2004-2-6 10112]

R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-9-28 220128]

R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure\anti-virus\minifilter\fsgk.sys [2009-9-8 130728]

R3 F-Secure Network Request Broker;F-Secure Network Request Broker;c:\program files\f-secure\common\FNRB32.exe [2009-9-8 166576]

R3 FSORSPClient;F-Secure ORSP Client;c:\program files\f-secure\orsp client\fsorsp.exe [2009-9-8 64016]

S0 Lbd;Lbd; [x]

S1 GhPciScan;GhostPciScanner;\??\c:\program files\norton systemworks\norton ghost\ghpciscan.sys --> c:\program files\norton systemworks\norton ghost\ghpciscan.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 SVKP;SVKP;\??\c:\windows\system32\svkp.sys --> c:\windows\system32\SVKP.sys [?]

S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2010-8-6 72808]

S3 DCamUSBNW802;Mustek Wcam 300;f:\windows\system32\drivers\pcam.sys [2003-4-8 265904]

S3 epmntdrv;epmntdrv;f:\windows\system32\epmntdrv.sys [2010-8-3 13192]

S3 EuGdiDrv;EuGdiDrv;f:\windows\system32\EuGdiDrv.sys [2010-8-3 8456]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-1-27 30192]

S3 ham50;Intel 56K HaM Data Fax Voice Modem;f:\windows\system32\drivers\ham50.sys [2008-7-24 366525]

S3 MBAMSwissArmy;MBAMSwissArmy;f:\windows\system32\drivers\mbamswissarmy.sys [2010-12-13 38224]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2009-9-8 90112]

S3 PSI;PSI;f:\windows\system32\drivers\psi_mf.sys [2010-5-28 14896]

S3 PSMounter;Macrium Reflect Image Explorer Service;f:\windows\system32\drivers\psmounter.sys [2010-9-28 44512]

S3 PSVolAcc;PSVolAcc;f:\windows\system32\drivers\PSVolAcc.sys [2010-9-28 12256]

S3 Second Backup Service;Second Backup Service;c:\program files\second backup\SecondBackup.exe [2007-12-27 1744896]

S3 SiS630;SiS630;f:\windows\system32\drivers\sis630p.sys [2002-1-8 162048]

S3 WinRM;Windows Remote Management (WS-Management);f:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;f:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 F-Secure Filter;F-Secure File System Filter;c:\program files\f-secure\anti-virus\win2k\fsfilter.sys [2009-9-8 39856]

S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\f-secure\anti-virus\win2k\fsrec.sys [2009-9-8 25264]

S4 NProtectService;Norton Unerase Protection; [x]

=============== File Associations ===============

chm.file="c:\windows\hh.exe" %1

txtfile="c:\program files\jgsoft\editpadlite\EditPadLite.exe" "%1"

=============== Created Last 30 ================

2010-12-14 03:05:42 709456 ----a-w- f:\windows\is-EDTE4.exe

2010-12-13 14:43:00 -------- d-----r- c:\program files\Skype

2010-12-13 05:54:25 -------- d-----w- f:\docume~1\alluse~1\applic~1\MFAData

2010-12-13 05:43:57 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys

2010-12-13 05:43:52 20952 ----a-w- f:\windows\system32\drivers\mbam.sys

2010-12-13 05:43:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-12 07:42:03 -------- d-----w- f:\docume~1\alluse~1\applic~1\DivX

2010-12-11 20:35:40 -------- d-----w- f:\windows\system32\wbem\repository\FS

2010-12-11 20:35:40 -------- d-----w- f:\windows\system32\wbem\Repository

2010-12-05 13:57:10 -------- d-----w- c:\program files\Network Stumbler

2010-11-30 12:22:34 -------- d-----w- c:\program files\Everything

2010-11-28 13:59:26 -------- d-----w- f:\documents and settings\administrator.jrs-1gp3gjvwo3b\imap-mail101128

2010-11-28 11:45:40 -------- d-----w- f:\documents and settings\administrator.jrs-1gp3gjvwo3b\%LOCALAPPDATA%

2010-11-28 10:39:46 -------- d-----w- c:\program files\Microsoft Office Labs

2010-11-16 16:43:50 -------- d-----w- c:\program files\Microsoft Synchronization Services

2010-11-16 16:43:44 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2010-11-16 13:47:46 -------- d-----w- c:\program files\Classic Menu for Office 2010

2010-11-16 12:31:21 -------- d-----w- f:\documents and settings\all users\Microsoft

2010-11-16 12:30:01 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2010-11-16 12:29:23 -------- d-----w- c:\program files\Microsoft Analysis Services

2010-11-15 07:10:33 56496 ----a-w- f:\windows\system32\wbhelp2.dll

2010-11-15 07:10:33 544768 ----a-w- f:\windows\system32\wbocx.ocx

2010-11-15 07:10:33 258352 ----a-w- f:\windows\system32\unicows.dll

2010-11-15 07:10:33 1706800 ----a-w- f:\windows\system32\gdiplus.dll

2010-11-15 07:10:32 33968 ----a-w- f:\windows\system32\anim.dll

2010-11-15 07:10:32 -------- d-----w- c:\program files\WinUtilities

2010-11-15 07:06:04 -------- d-----w- c:\program files\Wise Registry Cleaner

==================== Find3M ====================

2010-10-13 10:55:02 236160 ------w- f:\windows\EasyGifAnimator_Toolbar_Uninstaller_7125.exe

2010-10-10 05:19:16 121233 ------w- f:\windows\File Renamer - Basic Uninstaller.exe

2010-09-18 11:23:26 974848 ----a-w- f:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- f:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- f:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- f:\windows\system32\mfc40u.dll

2010-09-15 04:50:37 472808 ----a-w- f:\windows\system32\deployJava1.dll

2010-08-13 21:28:40 1237504 ------w- c:\program files\TweakMe!.exe

2010-08-08 08:58:06 33280 ------w- c:\program files\shmnview.exe

2009-08-15 17:09:50 32256 ------w- c:\program files\OfficeIns.exe

2008-03-16 20:32:32 2507710 ----a-w- c:\program files\bomb-countdown.exe

2004-11-28 19:33:44 1208320 ------w- c:\program files\IfoEdit.exe

2002-11-24 20:53:56 507904 ------w- c:\program files\TheRenameProgram.exe

2000-10-16 12:30:56 217088 ------w- c:\program files\SpaceMonger.exe

============= FINISH: 3:40:09.79 ===============

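Using the DDS log above as a starting point, here is an added triage script (it is not part of this thread and not code from the DDS tool) that walks the lines of a "Pseudo HJT Report" and flags the hook points worth checking first when security-tool updates time out while browsers still work: Winsock LSPs and AppInit_DLLs (both get loaded into other processes, which is where a per-application network block can sit), BHO/toolbar CLSIDs that are registered but have no backing file, explorer policy restrictions that are actually set, and Run entries that start from user-writable directories. The sample lines in the block are constructed from the format of this thread's log; the category names and the "user-writable" directory list are my own choices, and the only LSP in this log is F-Secure's own fslsp.dll, so that finding is expected and the script reports it only so the operator confirms it.

```python
"""Triage a DDS 'Pseudo HJT Report' for the hook points a responder checks first
when AV updaters are blocked but ordinary browsing still works.

Added example; not part of the original thread and not code from the DDS tool.
It only knows the line shapes DDS prints for BHO/TB, *Run, *Policies, LSP and
AppInit_DLLs entries. SAMPLE_LOG is constructed from those shapes (the paths
are illustrative and mirror the thread's own log).
"""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} -
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} -
uRun: [Google Update] "f:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
uPolicies-explorer: NoNetworkConnections = 01000000
uPolicies-explorer: NoSMMyPictures = 00000000
mPolicies-explorer: NoWinKeys = 1 (0x1)
LSP: c:\program files\f-secure\fsps\program\fslsp.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\google\google~2\GOEC62~1.DLL
"""

# Line shapes as DDS prints them.  The name before the CLSID is optional.
COM_RE = re.compile(r"^(?P<kind>BHO|TB): (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) -\s*(?P<path>.*)$")
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
POL_RE = re.compile(r"^[umd]Policies-(?P<hive>\w+): (?P<name>\w+) = (?P<value>.*)$")
LSP_RE = re.compile(r"^LSP: (?P<path>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.+)$")

# Directories an ordinary user can write to (assumption: my own list, lower-case).
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\", "\\appdata\\")


def policy_enabled(value: str) -> bool:
    """DDS prints REG_BINARY as hex bytes ('01000000') and REG_DWORD as '1 (0x1)';
    either way the first token is a hex number and non-zero means 'set'."""
    token = value.split()[0]
    try:
        return int(token, 16) != 0
    except ValueError:
        return False


def triage(text: str) -> List[Dict[str, str]]:
    """Return one finding per hook point worth a look, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := COM_RE.match(line):
            # A CLSID with no file after the dash: the DLL was removed, or hides its path.
            if not m["path"]:
                findings.append({"category": "orphan-clsid",
                                 "detail": f"{m['kind']} {m['clsid']} ({m['name'] or 'unnamed'}): "
                                           "registered but no backing file; check HKCR\\CLSID\\...\\InprocServer32"})
        elif m := RUN_RE.match(line):
            if any(d in m["cmd"].lower() for d in USER_WRITABLE):
                findings.append({"category": "user-writable-path",
                                 "detail": f"Run entry [{m['name']}] starts from a user-writable directory: {m['cmd']}"})
        elif m := POL_RE.match(line):
            if policy_enabled(m["value"]):
                findings.append({"category": "policy",
                                 "detail": f"{m['hive']} restriction {m['name']} is set ({m['value']})"})
        elif m := LSP_RE.match(line):
            findings.append({"category": "lsp",
                             "detail": f"Winsock LSP loaded into every Winsock client: {m['path']}; verify publisher and hash"})
        elif m := APPINIT_RE.match(line):
            for dll in m["dlls"].split():  # DDS prints 8.3 names, so whitespace splits safely
                findings.append({"category": "appinit",
                                 "detail": f"AppInit_DLLs injects {dll} into every process that loads user32.dll"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['category']}] {f['detail']}")
```

Run it against a saved DDS.txt by passing the file contents to `triage()`; the findings are deliberately only pointers (what to verify, not what to delete), since a legitimate LSP or policy looks identical to a malicious one in this report.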

Hello John! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on this.
  • Keep me informed about any changes.

I can't see your Attach.txt. Please post it!

I have twice scanned with F-secure which on both occasions has detected and then quarantined the virus "Suspicious:W32/Malware!Gemini".

Please check exactly which file F-Secure detected. Suspicious:W32/Malware!Gemini is a proactive heuristic detection, which may be triggered by a file that behaves in a suspicious manner indicative of malware infection. Given the symptoms, this is hardly a false alarm, but I would still like to know more before I start.


Thanks Borislav,

Apologies about the attachment not containing Attach.txt. The present attach.zip contains it.

F-Secure does not provide in the program interface any information about the file except size 344 KB and Platform: W32.

John


Thanks Maniac for your further assistance.

I have problems now getting on to the internet. As soon as I attempt to update or install any AV, the internet connection gets barred, not only for them but also for Firefox/Google Chrome. Attempts to use Restore to restore a previous state get an error message: terminated.

However, I have found that if I do an F-Secure scan it finds Malware!Gemini and quarantines it [see log below]. This then allows a restore to an earlier date, and this allows access to the internet.

As instructed, I renamed mbam.exe to firefox.exe. On rebooting (I do think this was coincidental and unrelated, but I mention it just in case) there was an installation of 15 Microsoft updates.

Clicking the new file still did not work, so I am unable to provide a Malwarebytes' Anti-Malware log. However, there was an error message "PROGRAM_ERROR_UPDATING(12002,0,WinHttpReceiveResponse)".

Thanks for the warning about


**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
    [screenshots: the Firefox download dialog, and the rename to Combo-Fix]
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Maniac

Two issues: unloading F-Secure gives two options, either to leave the firewall on/off or to allow all traffic. I did the former.

Related to this, Combo-Fix noted the PC did not have the RECOVERY CONSOLE INSTALLED. It was not able to install it.

The log is below

Best

John

ComboFix 10-12-14.05 - Administrator 15/12/2010 11:45:56.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1433 [GMT 0:00]

Running from: l:\d\Combo-Fix.exe

AV: F-Secure Client Security 9.01 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

FW: F-Secure Client Security 9.01 *Enabled* {D4747503-0346-49EB-9262-997542F79BF4}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

f:\windows\system\Color

f:\windows\system\Color\DivioCAM.icm

f:\windows\system32\42KJE738.ocx

f:\windows\system32\ccrpTmr6.dll

f:\windows\system32\win.ini

f:\windows\system32\wservice.exe

f:\windows\twain_16.dll

G:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))

.

2010-12-15 07:19 . 2010-12-15 07:19 -------- d-----w- f:\windows\system32\wbem\Repository

2010-12-15 07:11 . 2010-12-15 07:11 709456 ----a-w- f:\windows\isRS-000.tmp

2010-12-15 01:25 . 2010-12-15 07:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-14 13:09 . 2010-12-15 02:39 -------- dc----w- f:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- f:\documents and settings\All Users\Application Data\Lavasoft

2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- c:\program files\Lavasoft

2010-12-13 05:54 . 2010-12-15 01:25 -------- d-----w- f:\documents and settings\All Users\Application Data\MFAData

2010-12-12 07:42 . 2010-12-12 07:42 -------- d-----w- f:\documents and settings\All Users\Application Data\DivX

2010-12-05 13:57 . 2010-12-05 16:11 -------- d-----w- c:\program files\Network Stumbler

2010-11-30 13:15 . 2010-11-30 13:31 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Application Data\vlc

2010-11-30 12:22 . 2010-12-15 11:25 -------- d-----w- c:\program files\Everything

2010-11-28 13:59 . 2010-11-28 14:33 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\imap-mail101128

2010-11-28 11:45 . 2010-11-28 11:45 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\%LOCALAPPDATA%

2010-11-28 10:39 . 2010-11-28 10:39 -------- d-----w- c:\program files\Microsoft Office Labs

2010-11-16 16:43 . 2010-11-16 16:43 -------- d-----w- c:\program files\Microsoft Synchronization Services

2010-11-16 16:43 . 2010-11-16 16:43 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2010-11-16 13:47 . 2010-11-16 16:44 -------- d-----w- c:\program files\Classic Menu for Office 2010

2010-11-16 13:19 . 2010-11-16 13:19 -------- d-----r- F:\MSOCache

2010-11-16 12:31 . 2010-11-16 12:31 -------- d-----w- f:\documents and settings\All Users\Microsoft

2010-11-16 12:31 . 2010-11-16 12:31 -------- d-----w- c:\program files\Microsoft Sync Framework

2010-11-16 12:30 . 2010-11-16 16:43 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2010-11-16 12:29 . 2010-11-16 12:29 -------- d-----w- c:\program files\Microsoft Analysis Services

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-29 17:42 . 2009-09-17 02:03 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys

2010-11-29 17:42 . 2009-09-17 02:03 20952 ----a-w- f:\windows\system32\drivers\mbam.sys

2010-11-03 12:25 . 2006-02-28 12:00 385024 ------w- f:\windows\system32\html.iec

2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd(2).dll

2010-10-13 10:55 . 2010-10-13 10:55 236160 ------w- f:\windows\EasyGifAnimator_Toolbar_Uninstaller_7125.exe

2010-10-10 05:19 . 2010-10-10 05:19 121233 ------w- f:\windows\File Renamer - Basic Uninstaller.exe

2010-09-28 13:03 . 2010-09-28 13:40 12256 ------w- f:\windows\system32\drivers\PSVolAcc.sys

2010-09-28 13:03 . 2010-09-28 13:40 15328 ------w- f:\windows\system32\drivers\pssnap.sys

2010-09-28 13:03 . 2010-09-28 13:40 44512 ------w- f:\windows\system32\drivers\psmounter.sys

2010-09-18 11:23 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- f:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- f:\windows\system32\mfc40u.dll

2010-08-13 21:28 . 2010-08-21 06:51 1237504 ------w- c:\program files\TweakMe!.exe

2010-08-08 08:58 . 2010-08-17 13:21 33280 ------w- c:\program files\shmnview.exe

2009-08-15 17:09 . 2009-10-13 07:29 32256 ------w- c:\program files\OfficeIns.exe

2008-03-16 20:32 . 2010-11-10 05:31 2507710 ----a-w- c:\program files\bomb-countdown.exe

2004-11-28 19:33 . 2009-09-08 06:44 1208320 ------w- c:\program files\IfoEdit.exe

2002-11-24 20:53 . 2009-09-08 06:44 507904 ------w- c:\program files\TheRenameProgram.exe

2000-10-16 12:30 . 2009-09-30 13:39 217088 ------w- c:\program files\SpaceMonger.exe

2010-09-17 03:00 . 2010-01-27 17:58 119808 ------w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]

@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]

2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]

@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]

2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-04 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2010-03-26 301744]

"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2010-03-26 1653424]

"logo mouse"="c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE" [2004-01-08 37888]

"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-17 30192]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-05-12 13684736]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Start Menu\Programs\System Tools\Startup\

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWinKeys"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 01000000

"NoRecentDocsNetHood"= 01000000

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 00000000

"NoNetworkConnections"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe"

"WService"=WService.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

"SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe

"InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe

"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe"

"DT ACR"=c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe -ACR

"nwiz"=nwiz.exe /install

"00Hotkeys"="c:\program files\Qliner Hotkeys\HotKeys.exe"

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 fsbts;fsbts;f:\windows\system32\drivers\fsbts.sys [30/08/2009 10:06 41624]

R0 FSFW;F-Secure Firewall Driver;f:\windows\system32\drivers\fsdfw.sys [23/10/2007 12:11 80080]

R0 pssnap;Paramount Software Snapshot Filter;f:\windows\system32\drivers\pssnap.sys [28/09/2010 13:40 15328]

R1 Asapi;Asapi;f:\windows\system32\drivers\asapi.sys [07/02/2004 18:27 10240]

R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [08/09/2009 05:23 68144]

R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [06/08/2010 03:54 2953808]

R2 NTIOWP;NTIOWP;f:\windows\system32\drivers\NTIOWP.SYS [06/02/2004 10:35 10112]

R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [28/09/2010 13:40 220128]

R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [08/09/2009 05:23 130728]

R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [08/09/2009 05:23 64016]

S0 Lbd;Lbd; [x]

S1 GhPciScan;GhostPciScanner;\??\c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys --> c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]

S2 SVKP;SVKP;\??\c:\windows\System32\SVKP.sys --> c:\windows\System32\SVKP.sys [?]

S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [06/08/2010 03:54 72808]

S3 DCamUSBNW802;Mustek Wcam 300;f:\windows\system32\drivers\pcam.sys [08/04/2003 10:48 265904]

S3 epmntdrv;epmntdrv;f:\windows\system32\epmntdrv.sys [03/08/2010 15:37 13192]

S3 EuGdiDrv;EuGdiDrv;f:\windows\system32\EuGdiDrv.sys [03/08/2010 15:37 8456]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [27/01/2010 17:58 30192]

S3 ham50;Intel 56K HaM Data Fax Voice Modem;f:\windows\system32\drivers\ham50.sys [24/07/2008 20:36 366525]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 10:25 30969208]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]

S3 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [08/09/2009 12:58 90112]

S3 PSI;PSI;f:\windows\system32\drivers\psi_mf.sys [28/05/2010 11:04 14896]

S3 PSMounter;Macrium Reflect Image Explorer Service;f:\windows\system32\drivers\psmounter.sys [28/09/2010 13:40 44512]

S3 PSVolAcc;PSVolAcc;f:\windows\system32\drivers\PSVolAcc.sys [28/09/2010 13:40 12256]

S3 Second Backup Service;Second Backup Service;c:\program files\Second Backup\SecondBackup.exe [27/12/2007 05:22 1744896]

S3 SiS630;SiS630;f:\windows\system32\drivers\sis630p.sys [08/01/2002 18:53 162048]

S3 WinRM;Windows Remote Management (WS-Management);f:\windows\system32\svchost.exe -k WINRM [28/02/2006 12:00 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;f:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]

S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [08/09/2009 05:23 39856]

S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [08/09/2009 05:23 25264]

S4 NProtectService;Norton Unerase Protection; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

WINRM REG_MULTI_SZ WINRM

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]

2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]

2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8b15971b-5355-4c82-8c07-7e181ea07608}]

2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

2010-12-15 f:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2009-09-08 10:21]

2010-12-14 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500Core.job

- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48]

2010-12-15 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500UA.job

- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48]

2010-12-15 f:\windows\Tasks\WGASetup.job

- f:\windows\system32\KB905474\wgasetup.exe [2009-08-31 21:18]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000

IE: Read By Natural Voice Reader - c:\program files\NaturalReaders\Natural Voice Reader Pro\read.html

IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105

IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

LSP: c:\program files\F-Secure\FSPS\program\fslsp.dll

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

DPF: DirectAnimation Java Classes

DPF: Microsoft XML Parser for Java

FF - ProfilePath -

.

.

------- File Associations -------

.

txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1"

.

- - - - ORPHANS REMOVED - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)

AddRemove-SiS7018 - c:\progra~1\SiS7018\Uninst\uninst2k.exe PCI\VEN_1039&DEV_7018

AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-15 11:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-789336058-1957994488-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"Licence0"="04F0D21-79D8-7A25-D702-433F"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_413c&Pid_3016\6&280bb194&0&0000\LogConf]

@DACL=(02 0000)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)

f:\windows\system32\Ati2evxx.dll

c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'lsass.exe'(812)

c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'explorer.exe'(3992)

f:\windows\system32\WININET.dll

c:\program files\f-secure\hips\fshook32.dll

c:\program files\Logitech\MouseWare\System\LgWndHk.dll

c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll

c:\program files\MozyHome\mozyshell.dll

c:\program files\MozyHome\LIBEAY32.dll

c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

f:\windows\system32\msi.dll

f:\windows\system32\ieframe.dll

f:\windows\system32\webcheck.dll

f:\windows\system32\WPDShServiceObj.dll

f:\windows\system32\PortableDeviceTypes.dll

f:\windows\system32\PortableDeviceApi.dll

f:\windows\System32\netshell.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\svchost.exe

c:\program files\F-Secure\Anti-Virus\fsgk32st.exe

c:\program files\F-Secure\Common\FSMA32.EXE

c:\program files\F-Secure\Anti-Virus\FSGK32.EXE

c:\program files\F-Secure\Common\FSHDLL32.EXE

c:\program files\Java\jre6\bin\jqs.exe

f:\windows\system32\msiexec.exe

f:\windows\system32\nvsvc32.exe

f:\windows\system32\locator.exe

c:\program files\F-Secure\Common\FNRB32.EXE

c:\program files\F-Secure\Common\FIH32.EXE

c:\program files\F-Secure\Anti-Virus\fssm32.exe

c:\program files\F-Secure\FWES\Program\fsdfwd.exe

c:\program files\F-Secure\Anti-Virus\fsav32.exe

c:\windows\system32\wbem\wmiprvse.exe

.

**************************************************************************

.

Completion time: 2010-12-15 11:58:41 - machine was rebooted

ComboFix-quarantined-files.txt 2010-12-15 11:58

Pre-Run: 55,366,643,712 bytes free

Post-Run: 55,221,829,632 bytes free

- - End Of File - - 63E3B06BB7CEEC8BABBBE6C0EE5CEE46

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
    [image: CF_download_FF.gif]
    [image: CF_download_rename.gif]
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouse-click combo-fix's window while it's running. That may cause it to stall**


Maniac

After posting the above I went for lunch and found that Scotty the Windows watchdog had popped up a message (jpeg in the attachment). I clicked no.

Run a DLL as an App

F:windows\system32\rundll32.exe f:\windows\system\ieframe.dll,OpenURL %|

A change was made to use the following program for this file type

Run a DLL as an App

rundll32.exe ieframe.OpenURL ?%|

While writing this the message has again appeared and again I clicked no.

Also, Scotty created another message after combo-fix rebooted (unfortunately I lacked the presence of mind to grab a screen print, and this comes from quick notes; ??? marks where I cannot read my handwriting). I clicked yes as this was immediately after the reboot.

Change to the file type

ObjectDelayLoad

system32/stobject.dll 5.1.2600 5512

??? ???? accept host

Best

John

Maniac

Two issues: unloading F-Secure gives two options, either to leave the firewall on off or to allow all traffic. I did the former.

Related to this, combo-fix noted the PC did not have the RECOVERY CONSOLE INSTALLED. It was not able to install it.

The log is below

Best

John

ComboFix 10-12-14.05 - Administrator 15/12/2010 11:45:56.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1433 [GMT 0:00]

Running from: l:\d\Combo-Fix.exe

AV: F-Secure Client Security 9.01 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

FW: F-Secure Client Security 9.01 *Enabled* {D4747503-0346-49EB-9262-997542F79BF4}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

f:\windows\system\Color

f:\windows\system\Color\DivioCAM.icm

f:\windows\system32\42KJE738.ocx

f:\windows\system32\ccrpTmr6.dll

f:\windows\system32\win.ini

f:\windows\system32\wservice.exe

f:\windows\twain_16.dll

G:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))

.

2010-12-15 07:19 . 2010-12-15 07:19 -------- d-----w- f:\windows\system32\wbem\Repository

2010-12-15 07:11 . 2010-12-15 07:11 709456 ----a-w- f:\windows\isRS-000.tmp

2010-12-15 01:25 . 2010-12-15 07:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-14 13:09 . 2010-12-15 02:39 -------- dc----w- f:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- f:\documents and settings\All Users\Application Data\Lavasoft

2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- c:\program files\Lavasoft

2010-12-13 05:54 . 2010-12-15 01:25 -------- d-----w- f:\documents and settings\All Users\Application Data\MFAData

2010-12-12 07:42 . 2010-12-12 07:42 -------- d-----w- f:\documents and settings\All Users\Application Data\DivX

2010-12-05 13:57 . 2010-12-05 16:11 -------- d-----w- c:\program files\Network Stumbler

2010-11-30 13:15 . 2010-11-30 13:31 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Application Data\vlc

2010-11-30 12:22 . 2010-12-15 11:25 -------- d-----w- c:\program files\Everything

2010-11-28 13:59 . 2010-11-28 14:33 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\imap-mail101128

2010-11-28 11:45 . 2010-11-28 11:45 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\%LOCALAPPDATA%

2010-11-28 10:39 . 2010-11-28 10:39 -------- d-----w- c:\program files\Microsoft Office Labs

2010-11-16 16:43 . 2010-11-16 16:43 -------- d-----w- c:\program files\Microsoft Synchronization Services

2010-11-16 16:43 . 2010-11-16 16:43 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2010-11-16 13:47 . 2010-11-16 16:44 -------- d-----w- c:\program files\Classic Menu for Office 2010

2010-11-16 13:19 . 2010-11-16 13:19 -------- d-----r- F:\MSOCache

2010-11-16 12:31 . 2010-11-16 12:31 -------- d-----w- f:\documents and settings\All Users\Microsoft

2010-11-16 12:31 . 2010-11-16 12:31 -------- d-----w- c:\program files\Microsoft Sync Framework

2010-11-16 12:30 . 2010-11-16 16:43 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2010-11-16 12:29 . 2010-11-16 12:29 -------- d-----w- c:\program files\Microsoft Analysis Services

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-29 17:42 . 2009-09-17 02:03 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys

2010-11-29 17:42 . 2009-09-17 02:03 20952 ----a-w- f:\windows\system32\drivers\mbam.sys

2010-11-03 12:25 . 2006-02-28 12:00 385024 ------w- f:\windows\system32\html.iec

2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd(2).dll

2010-10-13 10:55 . 2010-10-13 10:55 236160 ------w- f:\windows\EasyGifAnimator_Toolbar_Uninstaller_7125.exe

2010-10-10 05:19 . 2010-10-10 05:19 121233 ------w- f:\windows\File Renamer - Basic Uninstaller.exe

2010-09-28 13:03 . 2010-09-28 13:40 12256 ------w- f:\windows\system32\drivers\PSVolAcc.sys

2010-09-28 13:03 . 2010-09-28 13:40 15328 ------w- f:\windows\system32\drivers\pssnap.sys

2010-09-28 13:03 . 2010-09-28 13:40 44512 ------w- f:\windows\system32\drivers\psmounter.sys

2010-09-18 11:23 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- f:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- f:\windows\system32\mfc40u.dll

2010-08-13 21:28 . 2010-08-21 06:51 1237504 ------w- c:\program files\TweakMe!.exe

2010-08-08 08:58 . 2010-08-17 13:21 33280 ------w- c:\program files\shmnview.exe

2009-08-15 17:09 . 2009-10-13 07:29 32256 ------w- c:\program files\OfficeIns.exe

2008-03-16 20:32 . 2010-11-10 05:31 2507710 ----a-w- c:\program files\bomb-countdown.exe

2004-11-28 19:33 . 2009-09-08 06:44 1208320 ------w- c:\program files\IfoEdit.exe

2002-11-24 20:53 . 2009-09-08 06:44 507904 ------w- c:\program files\TheRenameProgram.exe

2000-10-16 12:30 . 2009-09-30 13:39 217088 ------w- c:\program files\SpaceMonger.exe

2010-09-17 03:00 . 2010-01-27 17:58 119808 ------w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]

@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]

2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]

@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]

2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-04 136176]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"Licence0"="04F0D21-79D8-7A25-D702-433F"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_413c&Pid_3016\6&280bb194&0&0000\LogConf]

@DACL=(02 0000)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)

f:\windows\system32\Ati2evxx.dll

c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'lsass.exe'(812)

c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'explorer.exe'(3992)

f:\windows\system32\WININET.dll

c:\program files\f-secure\hips\fshook32.dll

c:\program files\Logitech\MouseWare\System\LgWndHk.dll

c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll

c:\program files\MozyHome\mozyshell.dll

c:\program files\MozyHome\LIBEAY32.dll

c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

f:\windows\system32\msi.dll

f:\windows\system32\ieframe.dll

f:\windows\system32\webcheck.dll

f:\windows\system32\WPDShServiceObj.dll

f:\windows\system32\PortableDeviceTypes.dll

f:\windows\system32\PortableDeviceApi.dll

f:\windows\System32\netshell.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\svchost.exe

c:\program files\F-Secure\Anti-Virus\fsgk32st.exe

c:\program files\F-Secure\Common\FSMA32.EXE

c:\program files\F-Secure\Anti-Virus\FSGK32.EXE

c:\program files\F-Secure\Common\FSHDLL32.EXE

c:\program files\Java\jre6\bin\jqs.exe

f:\windows\system32\msiexec.exe

f:\windows\system32\nvsvc32.exe

f:\windows\system32\locator.exe

c:\program files\F-Secure\Common\FNRB32.EXE

c:\program files\F-Secure\Common\FIH32.EXE

c:\program files\F-Secure\Anti-Virus\fssm32.exe

c:\program files\F-Secure\FWES\Program\fsdfwd.exe

c:\program files\F-Secure\Anti-Virus\fsav32.exe

c:\windows\system32\wbem\wmiprvse.exe

.

**************************************************************************

.

Completion time: 2010-12-15 11:58:41 - machine was rebooted

ComboFix-quarantined-files.txt 2010-12-15 11:58

Pre-Run: 55,366,643,712 bytes free

Post-Run: 55,221,829,632 bytes free

- - End Of File - - 63E3B06BB7CEEC8BABBBE6C0EE5CEE46


Thanks Maniac,

This is a bit of a learning curve for me so apologies for not realizing that WinPatrol should have been disabled.

I installed Recovery Console. Here is the new combofix.txt

Best

John

ComboFix 10-12-14.05 - Administrator 16/12/2010 18:53:44.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1447 [GMT 0:00]

Running from: l:\d\Combo-Fix.exe

Command switches used :: l:\d\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

AV: F-Secure Client Security 9.01 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

FW: F-Secure Client Security 9.01 *Enabled* {D4747503-0346-49EB-9262-997542F79BF4}

.

((((((((((((((((((((((((( Files Created from 2010-11-16 to 2010-12-16 )))))))))))))))))))))))))))))))

.

2010-12-15 07:19 . 2010-12-15 07:19 -------- d-----w- f:\windows\system32\wbem\Repository

2010-12-15 07:11 . 2010-12-15 07:11 709456 ----a-w- f:\windows\isRS-000.tmp

2010-12-15 02:44 . 2010-11-02 15:17 40960 -c----w- f:\windows\system32\dllcache\ndproxy.sys

2010-12-15 02:43 . 2010-10-11 14:59 45568 -c----w- f:\windows\system32\dllcache\wab.exe

2010-12-15 01:25 . 2010-12-15 07:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-14 13:09 . 2010-12-15 02:39 -------- dc----w- f:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- f:\documents and settings\All Users\Application Data\Lavasoft

2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- c:\program files\Lavasoft

2010-12-13 05:54 . 2010-12-15 01:25 -------- d-----w- f:\documents and settings\All Users\Application Data\MFAData

2010-12-12 07:42 . 2010-12-12 07:42 -------- d-----w- f:\documents and settings\All Users\Application Data\DivX

2010-12-05 13:57 . 2010-12-05 16:11 -------- d-----w- c:\program files\Network Stumbler

2010-11-30 13:15 . 2010-11-30 13:31 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Application Data\vlc

2010-11-30 12:22 . 2010-12-16 17:47 -------- d-----w- c:\program files\Everything

2010-11-28 13:59 . 2010-11-28 14:33 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\imap-mail101128

2010-11-28 11:45 . 2010-11-28 11:45 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\%LOCALAPPDATA%

2010-11-28 10:39 . 2010-11-28 10:39 -------- d-----w- c:\program files\Microsoft Office Labs

2010-11-18 18:12 . 2010-11-18 18:12 81920 -c----w- f:\windows\system32\dllcache\isign32.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-15 13:06 . 2009-08-30 10:06 42664 ----a-w- f:\windows\system32\drivers\fsbts.sys

2010-11-29 17:42 . 2009-09-17 02:03 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys

2010-11-29 17:42 . 2009-09-17 02:03 20952 ----a-w- f:\windows\system32\drivers\mbam.sys

2010-11-18 18:12 . 2003-02-07 18:15 81920 ----a-w- f:\windows\system32\isign32.dll

2010-11-06 00:26 . 2006-02-28 12:00 916480 ----a-w- f:\windows\system32\wininet.dll

2010-11-06 00:26 . 2006-02-28 12:00 43520 ----a-w- f:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2006-02-28 12:00 1469440 ------w- f:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2006-02-28 12:00 385024 ------w- f:\windows\system32\html.iec

2010-11-02 15:17 . 2006-02-28 12:00 40960 ----a-w- f:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd.dll

2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd(2).dll

2010-10-26 13:25 . 2006-02-28 12:00 1853312 ----a-w- f:\windows\system32\win32k.sys

2010-10-13 10:55 . 2010-10-13 10:55 236160 ------w- f:\windows\EasyGifAnimator_Toolbar_Uninstaller_7125.exe

2010-10-10 05:19 . 2010-10-10 05:19 121233 ------w- f:\windows\File Renamer - Basic Uninstaller.exe

2010-09-28 13:03 . 2010-09-28 13:40 12256 ------w- f:\windows\system32\drivers\PSVolAcc.sys

2010-09-28 13:03 . 2010-09-28 13:40 15328 ------w- f:\windows\system32\drivers\pssnap.sys

2010-09-28 13:03 . 2010-09-28 13:40 44512 ------w- f:\windows\system32\drivers\psmounter.sys

2010-09-18 11:23 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- f:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- f:\windows\system32\mfc40u.dll

2010-08-13 21:28 . 2010-08-21 06:51 1237504 ------w- c:\program files\TweakMe!.exe

2010-08-08 08:58 . 2010-08-17 13:21 33280 ------w- c:\program files\shmnview.exe

2009-08-15 17:09 . 2009-10-13 07:29 32256 ------w- c:\program files\OfficeIns.exe

2008-03-16 20:32 . 2010-11-10 05:31 2507710 ----a-w- c:\program files\bomb-countdown.exe

2004-11-28 19:33 . 2009-09-08 06:44 1208320 ------w- c:\program files\IfoEdit.exe

2002-11-24 20:53 . 2009-09-08 06:44 507904 ------w- c:\program files\TheRenameProgram.exe

2000-10-16 12:30 . 2009-09-30 13:39 217088 ------w- c:\program files\SpaceMonger.exe

2010-09-17 03:00 . 2010-01-27 17:58 119808 ------w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-12-15_11.54.38 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-07-11 16:04 . 2010-11-03 13:12 46080 f:\windows\system32\tzchange.exe

- 2008-07-11 16:04 . 2010-06-21 14:46 46080 f:\windows\system32\tzchange.exe

+ 2009-09-21 14:25 . 2009-05-26 11:40 17272 f:\windows\system32\spmsg.dll

- 2009-09-21 14:25 . 2007-11-30 05:39 17272 f:\windows\system32\spmsg.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 66560 f:\windows\system32\mshtmled.dll

- 2006-02-28 12:00 . 2010-09-10 05:58 66560 f:\windows\system32\mshtmled.dll

- 2009-03-08 03:31 . 2010-09-10 05:58 55296 f:\windows\system32\msfeedsbs.dll

+ 2009-03-08 03:31 . 2010-11-06 00:26 55296 f:\windows\system32\msfeedsbs.dll

- 2006-02-28 12:00 . 2010-09-10 05:58 25600 f:\windows\system32\jsproxy.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 25600 f:\windows\system32\jsproxy.dll

+ 2009-09-14 17:31 . 2010-11-06 00:26 12800 f:\windows\system32\dllcache\xpshims.dll

- 2009-09-14 17:31 . 2010-09-10 05:58 12800 f:\windows\system32\dllcache\xpshims.dll

+ 2009-03-08 03:31 . 2010-11-06 00:26 66560 f:\windows\system32\dllcache\mshtmled.dll

- 2009-03-08 03:31 . 2010-09-10 05:58 66560 f:\windows\system32\dllcache\mshtmled.dll

+ 2009-09-14 17:31 . 2010-11-06 00:26 55296 f:\windows\system32\dllcache\msfeedsbs.dll

- 2009-09-14 17:31 . 2010-09-10 05:58 55296 f:\windows\system32\dllcache\msfeedsbs.dll

+ 2009-03-08 03:34 . 2010-11-06 00:26 43520 f:\windows\system32\dllcache\licmgr10.dll

- 2009-03-08 03:34 . 2010-09-10 05:58 43520 f:\windows\system32\dllcache\licmgr10.dll

- 2009-03-08 03:33 . 2010-09-10 05:58 25600 f:\windows\system32\dllcache\jsproxy.dll

+ 2009-03-08 03:33 . 2010-11-06 00:26 25600 f:\windows\system32\dllcache\jsproxy.dll

+ 2010-11-16 12:36 . 2010-12-16 18:27 34144 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\oisicon.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 34144 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\oisicon.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 42848 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\msouc.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 42848 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\msouc.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 19296 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\cagicon.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 19296 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\cagicon.exe

+ 2010-02-28 02:22 . 2010-02-28 02:22 48504 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\PUBTRAP.DLL

+ 2010-12-16 18:27 . 2010-09-10 05:58 12800 f:\windows\ie8updates\KB2416400-IE8\xpshims.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 66560 f:\windows\ie8updates\KB2416400-IE8\mshtmled.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 55296 f:\windows\ie8updates\KB2416400-IE8\msfeedsbs.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 43520 f:\windows\ie8updates\KB2416400-IE8\licmgr10.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 25600 f:\windows\ie8updates\KB2416400-IE8\jsproxy.dll

- 2006-02-28 12:00 . 2010-09-10 05:58 206848 f:\windows\system32\occache.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 206848 f:\windows\system32\occache.dll

- 2006-02-28 12:00 . 2010-09-10 05:58 611840 f:\windows\system32\mstime.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 611840 f:\windows\system32\mstime.dll

+ 2009-03-08 03:32 . 2010-11-06 00:26 602112 f:\windows\system32\msfeeds.dll

- 2009-03-08 03:32 . 2010-09-10 05:58 602112 f:\windows\system32\msfeeds.dll

- 2006-02-28 12:00 . 2010-09-10 05:58 184320 f:\windows\system32\iepeers.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 184320 f:\windows\system32\iepeers.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 387584 f:\windows\system32\iedkcs32.dll

- 2006-02-28 12:00 . 2010-09-10 05:58 387584 f:\windows\system32\iedkcs32.dll

+ 2006-02-28 12:00 . 2010-11-03 12:26 173568 f:\windows\system32\ie4uinit.exe

+ 2003-02-07 17:59 . 2010-12-16 18:38 396752 f:\windows\system32\FNTCACHE.DAT

- 2003-02-07 17:59 . 2010-12-15 07:20 396752 f:\windows\system32\FNTCACHE.DAT

- 2009-06-26 16:50 . 2010-09-10 05:58 916480 f:\windows\system32\dllcache\wininet.dll

+ 2009-06-26 16:50 . 2010-11-06 00:26 916480 f:\windows\system32\dllcache\wininet.dll

- 2009-03-08 03:34 . 2010-09-10 05:58 206848 f:\windows\system32\dllcache\occache.dll

+ 2009-03-08 03:34 . 2010-11-06 00:26 206848 f:\windows\system32\dllcache\occache.dll

+ 2009-03-08 03:32 . 2010-11-06 00:26 611840 f:\windows\system32\dllcache\mstime.dll

- 2009-03-08 03:32 . 2010-09-10 05:58 611840 f:\windows\system32\dllcache\mstime.dll

- 2009-09-14 17:31 . 2010-09-10 05:58 602112 f:\windows\system32\dllcache\msfeeds.dll

+ 2009-09-14 17:31 . 2010-11-06 00:26 602112 f:\windows\system32\dllcache\msfeeds.dll

+ 2009-09-14 17:31 . 2010-11-06 00:26 247808 f:\windows\system32\dllcache\ieproxy.dll

- 2009-09-14 17:31 . 2010-09-10 05:58 247808 f:\windows\system32\dllcache\ieproxy.dll

- 2009-03-08 03:31 . 2010-09-10 05:58 184320 f:\windows\system32\dllcache\iepeers.dll

+ 2009-03-08 03:31 . 2010-11-06 00:26 184320 f:\windows\system32\dllcache\iepeers.dll

- 2010-06-11 12:45 . 2010-09-10 05:58 743424 f:\windows\system32\dllcache\iedvtool.dll

+ 2010-06-11 12:45 . 2010-11-06 00:26 743424 f:\windows\system32\dllcache\iedvtool.dll

- 2009-03-08 13:09 . 2010-09-10 05:58 387584 f:\windows\system32\dllcache\iedkcs32.dll

+ 2009-03-08 13:09 . 2010-11-06 00:26 387584 f:\windows\system32\dllcache\iedkcs32.dll

+ 2009-03-08 03:32 . 2010-11-03 12:26 173568 f:\windows\system32\dllcache\ie4uinit.exe

+ 2010-04-20 05:30 . 2010-10-28 13:13 290048 f:\windows\system32\dllcache\atmfd.dll

+ 2010-07-22 02:43 . 2010-07-22 02:43 257024 f:\windows\Installer\68d44b4.msp

+ 2010-12-09 11:39 . 2010-12-09 11:39 720896 f:\windows\Installer\68d4493.msp

- 2010-11-16 12:36 . 2010-11-16 13:22 415584 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pubs.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 415584 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pubs.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 303456 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\outicon.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 303456 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\outicon.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 571232 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\misc.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 571232 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\misc.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 326496 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\joticon.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 326496 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\joticon.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 469856 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\inficon.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 469856 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\inficon.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 178528 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\grvicons.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 178528 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\grvicons.exe

+ 2010-03-01 04:56 . 2010-03-01 04:56 604024 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\PUBCONV.DLL

+ 2010-01-09 21:50 . 2010-01-09 21:50 119160 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\MSCONV97.DLL

+ 2010-03-01 04:56 . 2010-03-01 04:56 457104 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\MORPH9.DLL

+ 2010-12-16 18:27 . 2010-09-10 05:58 916480 f:\windows\ie8updates\KB2416400-IE8\wininet.dll

+ 2010-12-16 18:27 . 2010-07-05 13:16 382840 f:\windows\ie8updates\KB2416400-IE8\spuninst\updspapi.dll

+ 2010-12-16 18:27 . 2010-02-22 14:23 231288 f:\windows\ie8updates\KB2416400-IE8\spuninst\spuninst.exe

+ 2010-12-16 18:27 . 2010-09-10 05:58 206848 f:\windows\ie8updates\KB2416400-IE8\occache.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 611840 f:\windows\ie8updates\KB2416400-IE8\mstime.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 602112 f:\windows\ie8updates\KB2416400-IE8\msfeeds.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 247808 f:\windows\ie8updates\KB2416400-IE8\ieproxy.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 184320 f:\windows\ie8updates\KB2416400-IE8\iepeers.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 743424 f:\windows\ie8updates\KB2416400-IE8\iedvtool.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 387584 f:\windows\ie8updates\KB2416400-IE8\iedkcs32.dll

+ 2010-12-16 18:27 . 2010-08-26 12:22 173056 f:\windows\ie8updates\KB2416400-IE8\ie4uinit.exe

+ 2006-02-28 12:00 . 2010-11-06 00:26 1210880 f:\windows\system32\urlmon.dll

- 2006-02-28 12:00 . 2010-09-10 05:58 1210880 f:\windows\system32\urlmon.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 5959168 f:\windows\system32\mshtml.dll

+ 2009-03-08 03:32 . 2010-11-06 00:26 1991680 f:\windows\system32\iertutil.dll

+ 2009-04-17 12:26 . 2010-10-26 13:25 1853312 f:\windows\system32\dllcache\win32k.sys

+ 2009-06-26 16:50 . 2010-11-06 00:26 1210880 f:\windows\system32\dllcache\urlmon.dll

- 2009-06-26 16:50 . 2010-09-10 05:58 1210880 f:\windows\system32\dllcache\urlmon.dll

+ 2009-07-18 16:05 . 2010-11-06 00:26 5959168 f:\windows\system32\dllcache\mshtml.dll

+ 2009-09-14 17:31 . 2010-11-06 00:26 1991680 f:\windows\system32\dllcache\iertutil.dll

+ 2010-10-08 22:12 . 2010-10-08 22:12 8354304 f:\windows\Installer\68d445e.msp

+ 2010-11-19 13:34 . 2010-11-19 13:34 3459584 f:\windows\Installer\68d443c.msp

+ 2010-11-11 12:54 . 2010-11-11 12:54 1002496 f:\windows\Installer\68d441b.msp

+ 2010-11-11 12:54 . 2010-11-11 12:54 1121792 f:\windows\Installer\68d441a.msp

+ 2010-11-11 12:54 . 2010-11-11 12:54 1310720 f:\windows\Installer\68d4419.msp

- 2010-11-16 12:36 . 2010-11-16 13:22 1479520 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\xlicons.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 1479520 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\xlicons.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 1858400 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\wordicon.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 1858400 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\wordicon.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 3792736 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pptico.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 3792736 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pptico.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 1449312 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\accicons.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 1449312 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\accicons.exe

+ 2010-03-01 05:20 . 2010-03-01 05:20 2323840 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\GKWORD.DLL

+ 2010-03-01 05:20 . 2010-03-01 05:20 2102656 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\GKPOWERPOINT.DLL

+ 2010-03-01 05:20 . 2010-03-01 05:20 3355008 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\GKEXCEL.DLL

+ 2010-12-16 18:27 . 2010-09-10 05:58 1210880 f:\windows\ie8updates\KB2416400-IE8\urlmon.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 5957120 f:\windows\ie8updates\KB2416400-IE8\mshtml.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 1986560 f:\windows\ie8updates\KB2416400-IE8\iertutil.dll

+ 2005-05-31 22:17 . 2010-12-16 18:23 37366216 f:\windows\system32\MRT.exe

+ 2009-03-08 03:39 . 2010-11-06 00:26 11080704 f:\windows\system32\ieframe.dll

+ 2009-07-19 17:48 . 2010-11-06 00:26 11080704 f:\windows\system32\dllcache\ieframe.dll

+ 2010-11-11 12:52 . 2010-11-11 12:52 13486592 f:\windows\Installer\68d4481.msp

+ 2010-03-01 04:56 . 2010-03-01 04:56 10272104 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\MSPUB.EXE

+ 2010-12-16 18:27 . 2010-09-10 05:58 11080192 f:\windows\ie8updates\KB2416400-IE8\ieframe.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]

@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]

2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]

@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]

2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-04 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2010-03-26 301744]

"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2010-03-26 1653424]

"logo mouse"="c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE" [2004-01-08 37888]

"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-17 30192]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-05-12 13684736]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Start Menu\Programs\System Tools\Startup\

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWinKeys"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 01000000

"NoRecentDocsNetHood"= 01000000

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 00000000

"NoNetworkConnections"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe"

"WService"=WService.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

"SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe

"InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe

"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe"

"DT ACR"=c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe -ACR

"nwiz"=nwiz.exe /install

"00Hotkeys"="c:\program files\Qliner Hotkeys\HotKeys.exe"

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 fsbts;fsbts;f:\windows\system32\drivers\fsbts.sys [30/08/2009 10:06 42664]

R0 FSFW;F-Secure Firewall Driver;f:\windows\system32\drivers\fsdfw.sys [23/10/2007 12:11 80080]

R0 pssnap;Paramount Software Snapshot Filter;f:\windows\system32\drivers\pssnap.sys [28/09/2010 13:40 15328]

R1 Asapi;Asapi;f:\windows\system32\drivers\asapi.sys [07/02/2004 18:27 10240]

R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [08/09/2009 05:23 68144]

R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [06/08/2010 03:54 2953808]

R2 NTIOWP;NTIOWP;f:\windows\system32\drivers\NTIOWP.SYS [06/02/2004 10:35 10112]

R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [28/09/2010 13:40 220128]

R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [08/09/2009 05:23 130728]

S0 Lbd;Lbd; [x]

S1 GhPciScan;GhostPciScanner;\??\c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys --> c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]

S2 SVKP;SVKP;\??\c:\windows\System32\SVKP.sys --> c:\windows\System32\SVKP.sys [?]

S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [06/08/2010 03:54 72808]

S3 DCamUSBNW802;Mustek Wcam 300;f:\windows\system32\drivers\pcam.sys [08/04/2003 10:48 265904]

S3 epmntdrv;epmntdrv;f:\windows\system32\epmntdrv.sys [03/08/2010 15:37 13192]

S3 EuGdiDrv;EuGdiDrv;f:\windows\system32\EuGdiDrv.sys [03/08/2010 15:37 8456]

S3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [08/09/2009 05:23 64016]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [27/01/2010 17:58 30192]

S3 ham50;Intel 56K HaM Data Fax Voice Modem;f:\windows\system32\drivers\ham50.sys [24/07/2008 20:36 366525]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 10:25 30969208]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]

S3 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [08/09/2009 12:58 90112]

S3 PSI;PSI;f:\windows\system32\drivers\psi_mf.sys [28/05/2010 11:04 14896]

S3 PSMounter;Macrium Reflect Image Explorer Service;f:\windows\system32\drivers\psmounter.sys [28/09/2010 13:40 44512]

S3 PSVolAcc;PSVolAcc;f:\windows\system32\drivers\PSVolAcc.sys [28/09/2010 13:40 12256]

S3 Second Backup Service;Second Backup Service;c:\program files\Second Backup\SecondBackup.exe [27/12/2007 05:22 1744896]

S3 SiS630;SiS630;f:\windows\system32\drivers\sis630p.sys [08/01/2002 18:53 162048]

S3 WinRM;Windows Remote Management (WS-Management);f:\windows\system32\svchost.exe -k WINRM [28/02/2006 12:00 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;f:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]

S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [08/09/2009 05:23 39856]

S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [08/09/2009 05:23 25264]

S4 NProtectService;Norton Unerase Protection; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

WINRM REG_MULTI_SZ WINRM

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]

2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]

2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8b15971b-5355-4c82-8c07-7e181ea07608}]

2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

2010-12-16 f:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2009-09-08 10:21]

2010-12-15 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500Core.job

- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48]

2010-12-16 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500UA.job

- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48]

2010-12-16 f:\windows\Tasks\WGASetup.job

- f:\windows\system32\KB905474\wgasetup.exe [2009-08-31 21:18]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000

IE: Read By Natural Voice Reader - c:\program files\NaturalReaders\Natural Voice Reader Pro\read.html

IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105

IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

LSP: c:\program files\F-Secure\FSPS\program\fslsp.dll

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

DPF: DirectAnimation Java Classes

DPF: Microsoft XML Parser for Java

FF - ProfilePath -

.

.

------- File Associations -------

.

txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1"

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-16 18:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-789336058-1957994488-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"Licence0"="04F0D21-79D8-7A25-D702-433F"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_413c&Pid_3016\6&280bb194&0&0000\LogConf]

@DACL=(02 0000)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)

f:\windows\system32\Ati2evxx.dll

c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'lsass.exe'(808)

c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'explorer.exe'(2076)

f:\windows\system32\WININET.dll

c:\program files\Logitech\MouseWare\System\LgWndHk.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll

c:\program files\MozyHome\mozyshell.dll

c:\program files\MozyHome\LIBEAY32.dll

c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

f:\windows\system32\msi.dll

f:\windows\system32\ieframe.dll

f:\windows\system32\webcheck.dll

f:\windows\system32\WPDShServiceObj.dll

f:\windows\system32\PortableDeviceTypes.dll

f:\windows\system32\PortableDeviceApi.dll

f:\windows\System32\netshell.dll

.

Completion time: 2010-12-16 19:00:22

ComboFix-quarantined-files.txt 2010-12-16 19:00

ComboFix2.txt 2010-12-15 11:58

Pre-Run: 55,118,704,640 bytes free

Post-Run: 55,101,149,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer /SOS

- - End Of File - - B80A44C72052C7E20FCEC3FBD1A36E21

Before ComboFix, you should disable everything - F-Secure, WinPatrol and every active security program. Disable them and then install Recovery Console:

http://www.bleepingcomputer.com/combofix/h...manual_recovery


Maniac,

I notice ComboFix also created ComboFix-quarantined-files.txt. Here it is in case it is of any use.

Best

John

2010-12-15 11:57:52 . 2010-12-15 11:57:52 1,154 ----a-w- F:\Qoobox\Quarantine\Registry_backups\AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7}.reg.dat

2010-12-15 11:57:51 . 2010-12-15 11:57:51 494 ----a-w- F:\Qoobox\Quarantine\Registry_backups\AddRemove-SiS7018.reg.dat

2010-12-15 11:56:39 . 2010-12-15 11:56:39 853 ----a-w- F:\Qoobox\Quarantine\Registry_backups\WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98}.reg.dat

2010-12-15 11:56:37 . 2010-12-15 11:56:38 798 ----a-w- F:\Qoobox\Quarantine\Registry_backups\Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98}.reg.dat

2010-12-15 11:56:35 . 2010-12-15 11:56:35 571 ----a-w- F:\Qoobox\Quarantine\Registry_backups\BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed}.reg.dat

2010-12-15 11:53:52 . 2010-12-15 11:53:52 336 ----a-w- F:\Qoobox\Quarantine\G\av1.zip

2010-12-15 11:53:52 . 2004-05-01 02:01:00 53 ----a-w- F:\Qoobox\Quarantine\G\Autorun.inf.vir

2010-12-15 11:32:39 . 2010-12-16 18:56:28 9,080 ----a-w- F:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2010-12-15 11:27:31 . 2010-12-16 18:50:12 153 ----a-w- F:\Qoobox\Quarantine\catchme.log

2010-08-16 11:45:28 . 2007-12-15 08:07:52 90,112 ----a-w- F:\Qoobox\Quarantine\F\WINDOWS\system32\ccrpTmr6.dll.vir

2004-02-16 10:56:05 . 2007-06-27 07:13:31 0 -c--a-w- F:\Qoobox\Quarantine\F\WINDOWS\system32\WIN.INI.vir

2003-04-08 10:48:22 . 1999-08-16 18:20:56 715 -c--a-w- F:\Qoobox\Quarantine\F\WINDOWS\system\color\DivioCAM.icm.vir

2002-09-07 17:23:46 . 2002-09-07 17:23:46 28,672 ----a-w- F:\Qoobox\Quarantine\F\WINDOWS\system32\WService.exe.vir

1999-12-06 23:00:00 . 1999-12-06 23:00:00 24,956 -c--a-w- F:\Qoobox\Quarantine\F\WINDOWS\twain_16.dll.vir

1617-10-04 18:22:49 . 1617-10-04 18:22:49 3,120 ----a-w- F:\Qoobox\Quarantine\F\WINDOWS\system32\42KJE738.ocx.vir

Thanks Maniac,

This is a bit of a learning curve for me so apologies for not realizing that WinPatrol should have been disabled.

I installed Recovery Console. Here is the new ComboFix.txt.

Best

John

ComboFix 10-12-14.05 - Administrator 16/12/2010 18:53:44.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1447 [GMT 0:00]

Running from: l:\d\Combo-Fix.exe

Command switches used :: l:\d\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

AV: F-Secure Client Security 9.01 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

FW: F-Secure Client Security 9.01 *Enabled* {D4747503-0346-49EB-9262-997542F79BF4}

.

((((((((((((((((((((((((( Files Created from 2010-11-16 to 2010-12-16 )))))))))))))))))))))))))))))))

.

2010-12-15 07:19 . 2010-12-15 07:19 -------- d-----w- f:\windows\system32\wbem\Repository

2010-12-15 07:11 . 2010-12-15 07:11 709456 ----a-w- f:\windows\isRS-000.tmp

2010-12-15 02:44 . 2010-11-02 15:17 40960 -c----w- f:\windows\system32\dllcache\ndproxy.sys

2010-12-15 02:43 . 2010-10-11 14:59 45568 -c----w- f:\windows\system32\dllcache\wab.exe

2010-12-15 01:25 . 2010-12-15 07:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-14 13:09 . 2010-12-15 02:39 -------- dc----w- f:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- f:\documents and settings\All Users\Application Data\Lavasoft

2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- c:\program files\Lavasoft

2010-12-13 05:54 . 2010-12-15 01:25 -------- d-----w- f:\documents and settings\All Users\Application Data\MFAData

2010-12-12 07:42 . 2010-12-12 07:42 -------- d-----w- f:\documents and settings\All Users\Application Data\DivX

2010-12-05 13:57 . 2010-12-05 16:11 -------- d-----w- c:\program files\Network Stumbler

2010-11-30 13:15 . 2010-11-30 13:31 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Application Data\vlc

2010-11-30 12:22 . 2010-12-16 17:47 -------- d-----w- c:\program files\Everything

2010-11-28 13:59 . 2010-11-28 14:33 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\imap-mail101128

2010-11-28 11:45 . 2010-11-28 11:45 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\%LOCALAPPDATA%

2010-11-28 10:39 . 2010-11-28 10:39 -------- d-----w- c:\program files\Microsoft Office Labs

2010-11-18 18:12 . 2010-11-18 18:12 81920 -c----w- f:\windows\system32\dllcache\isign32.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-15 13:06 . 2009-08-30 10:06 42664 ----a-w- f:\windows\system32\drivers\fsbts.sys

2010-11-29 17:42 . 2009-09-17 02:03 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys

2010-11-29 17:42 . 2009-09-17 02:03 20952 ----a-w- f:\windows\system32\drivers\mbam.sys

2010-11-18 18:12 . 2003-02-07 18:15 81920 ----a-w- f:\windows\system32\isign32.dll

2010-11-06 00:26 . 2006-02-28 12:00 916480 ----a-w- f:\windows\system32\wininet.dll

2010-11-06 00:26 . 2006-02-28 12:00 43520 ----a-w- f:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2006-02-28 12:00 1469440 ------w- f:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2006-02-28 12:00 385024 ------w- f:\windows\system32\html.iec

2010-11-02 15:17 . 2006-02-28 12:00 40960 ----a-w- f:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd.dll

2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd(2).dll

2010-10-26 13:25 . 2006-02-28 12:00 1853312 ----a-w- f:\windows\system32\win32k.sys

2010-10-13 10:55 . 2010-10-13 10:55 236160 ------w- f:\windows\EasyGifAnimator_Toolbar_Uninstaller_7125.exe

2010-10-10 05:19 . 2010-10-10 05:19 121233 ------w- f:\windows\File Renamer - Basic Uninstaller.exe

2010-09-28 13:03 . 2010-09-28 13:40 12256 ------w- f:\windows\system32\drivers\PSVolAcc.sys

2010-09-28 13:03 . 2010-09-28 13:40 15328 ------w- f:\windows\system32\drivers\pssnap.sys

2010-09-28 13:03 . 2010-09-28 13:40 44512 ------w- f:\windows\system32\drivers\psmounter.sys

2010-09-18 11:23 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- f:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- f:\windows\system32\mfc40u.dll

2010-08-13 21:28 . 2010-08-21 06:51 1237504 ------w- c:\program files\TweakMe!.exe

2010-08-08 08:58 . 2010-08-17 13:21 33280 ------w- c:\program files\shmnview.exe

2009-08-15 17:09 . 2009-10-13 07:29 32256 ------w- c:\program files\OfficeIns.exe

2008-03-16 20:32 . 2010-11-10 05:31 2507710 ----a-w- c:\program files\bomb-countdown.exe

2004-11-28 19:33 . 2009-09-08 06:44 1208320 ------w- c:\program files\IfoEdit.exe

2002-11-24 20:53 . 2009-09-08 06:44 507904 ------w- c:\program files\TheRenameProgram.exe

2000-10-16 12:30 . 2009-09-30 13:39 217088 ------w- c:\program files\SpaceMonger.exe

2010-09-17 03:00 . 2010-01-27 17:58 119808 ------w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-12-15_11.54.38 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-07-11 16:04 . 2010-11-03 13:12 46080 f:\windows\system32\tzchange.exe

- 2008-07-11 16:04 . 2010-06-21 14:46 46080 f:\windows\system32\tzchange.exe

+ 2009-09-21 14:25 . 2009-05-26 11:40 17272 f:\windows\system32\spmsg.dll

- 2009-09-21 14:25 . 2007-11-30 05:39 17272 f:\windows\system32\spmsg.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 66560 f:\windows\system32\mshtmled.dll

- 2006-02-28 12:00 . 2010-09-10 05:58 66560 f:\windows\system32\mshtmled.dll

- 2009-03-08 03:31 . 2010-09-10 05:58 55296 f:\windows\system32\msfeedsbs.dll

+ 2009-03-08 03:31 . 2010-11-06 00:26 55296 f:\windows\system32\msfeedsbs.dll

- 2006-02-28 12:00 . 2010-09-10 05:58 25600 f:\windows\system32\jsproxy.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 25600 f:\windows\system32\jsproxy.dll

+ 2009-09-14 17:31 . 2010-11-06 00:26 12800 f:\windows\system32\dllcache\xpshims.dll

- 2009-09-14 17:31 . 2010-09-10 05:58 12800 f:\windows\system32\dllcache\xpshims.dll

+ 2009-03-08 03:31 . 2010-11-06 00:26 66560 f:\windows\system32\dllcache\mshtmled.dll

- 2009-03-08 03:31 . 2010-09-10 05:58 66560 f:\windows\system32\dllcache\mshtmled.dll

+ 2009-09-14 17:31 . 2010-11-06 00:26 55296 f:\windows\system32\dllcache\msfeedsbs.dll

- 2009-09-14 17:31 . 2010-09-10 05:58 55296 f:\windows\system32\dllcache\msfeedsbs.dll

+ 2009-03-08 03:34 . 2010-11-06 00:26 43520 f:\windows\system32\dllcache\licmgr10.dll

- 2009-03-08 03:34 . 2010-09-10 05:58 43520 f:\windows\system32\dllcache\licmgr10.dll

- 2009-03-08 03:33 . 2010-09-10 05:58 25600 f:\windows\system32\dllcache\jsproxy.dll

+ 2009-03-08 03:33 . 2010-11-06 00:26 25600 f:\windows\system32\dllcache\jsproxy.dll

+ 2010-11-16 12:36 . 2010-12-16 18:27 34144 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\oisicon.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 34144 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\oisicon.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 42848 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\msouc.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 42848 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\msouc.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 19296 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\cagicon.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 19296 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\cagicon.exe

+ 2010-02-28 02:22 . 2010-02-28 02:22 48504 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\PUBTRAP.DLL

+ 2010-12-16 18:27 . 2010-09-10 05:58 12800 f:\windows\ie8updates\KB2416400-IE8\xpshims.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 66560 f:\windows\ie8updates\KB2416400-IE8\mshtmled.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 55296 f:\windows\ie8updates\KB2416400-IE8\msfeedsbs.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 43520 f:\windows\ie8updates\KB2416400-IE8\licmgr10.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 25600 f:\windows\ie8updates\KB2416400-IE8\jsproxy.dll

- 2006-02-28 12:00 . 2010-09-10 05:58 206848 f:\windows\system32\occache.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 206848 f:\windows\system32\occache.dll

- 2006-02-28 12:00 . 2010-09-10 05:58 611840 f:\windows\system32\mstime.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 611840 f:\windows\system32\mstime.dll

+ 2009-03-08 03:32 . 2010-11-06 00:26 602112 f:\windows\system32\msfeeds.dll

- 2009-03-08 03:32 . 2010-09-10 05:58 602112 f:\windows\system32\msfeeds.dll

- 2006-02-28 12:00 . 2010-09-10 05:58 184320 f:\windows\system32\iepeers.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 184320 f:\windows\system32\iepeers.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 387584 f:\windows\system32\iedkcs32.dll

- 2006-02-28 12:00 . 2010-09-10 05:58 387584 f:\windows\system32\iedkcs32.dll

+ 2006-02-28 12:00 . 2010-11-03 12:26 173568 f:\windows\system32\ie4uinit.exe

+ 2003-02-07 17:59 . 2010-12-16 18:38 396752 f:\windows\system32\FNTCACHE.DAT

- 2003-02-07 17:59 . 2010-12-15 07:20 396752 f:\windows\system32\FNTCACHE.DAT

- 2009-06-26 16:50 . 2010-09-10 05:58 916480 f:\windows\system32\dllcache\wininet.dll

+ 2009-06-26 16:50 . 2010-11-06 00:26 916480 f:\windows\system32\dllcache\wininet.dll

- 2009-03-08 03:34 . 2010-09-10 05:58 206848 f:\windows\system32\dllcache\occache.dll

+ 2009-03-08 03:34 . 2010-11-06 00:26 206848 f:\windows\system32\dllcache\occache.dll

+ 2009-03-08 03:32 . 2010-11-06 00:26 611840 f:\windows\system32\dllcache\mstime.dll

- 2009-03-08 03:32 . 2010-09-10 05:58 611840 f:\windows\system32\dllcache\mstime.dll

- 2009-09-14 17:31 . 2010-09-10 05:58 602112 f:\windows\system32\dllcache\msfeeds.dll

+ 2009-09-14 17:31 . 2010-11-06 00:26 602112 f:\windows\system32\dllcache\msfeeds.dll

+ 2009-09-14 17:31 . 2010-11-06 00:26 247808 f:\windows\system32\dllcache\ieproxy.dll

- 2009-09-14 17:31 . 2010-09-10 05:58 247808 f:\windows\system32\dllcache\ieproxy.dll

- 2009-03-08 03:31 . 2010-09-10 05:58 184320 f:\windows\system32\dllcache\iepeers.dll

+ 2009-03-08 03:31 . 2010-11-06 00:26 184320 f:\windows\system32\dllcache\iepeers.dll

- 2010-06-11 12:45 . 2010-09-10 05:58 743424 f:\windows\system32\dllcache\iedvtool.dll

+ 2010-06-11 12:45 . 2010-11-06 00:26 743424 f:\windows\system32\dllcache\iedvtool.dll

- 2009-03-08 13:09 . 2010-09-10 05:58 387584 f:\windows\system32\dllcache\iedkcs32.dll

+ 2009-03-08 13:09 . 2010-11-06 00:26 387584 f:\windows\system32\dllcache\iedkcs32.dll

+ 2009-03-08 03:32 . 2010-11-03 12:26 173568 f:\windows\system32\dllcache\ie4uinit.exe

+ 2010-04-20 05:30 . 2010-10-28 13:13 290048 f:\windows\system32\dllcache\atmfd.dll

+ 2010-07-22 02:43 . 2010-07-22 02:43 257024 f:\windows\Installer\68d44b4.msp

+ 2010-12-09 11:39 . 2010-12-09 11:39 720896 f:\windows\Installer\68d4493.msp

- 2010-11-16 12:36 . 2010-11-16 13:22 415584 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pubs.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 415584 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pubs.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 303456 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\outicon.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 303456 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\outicon.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 571232 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\misc.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 571232 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\misc.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 326496 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\joticon.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 326496 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\joticon.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 469856 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\inficon.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 469856 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\inficon.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 178528 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\grvicons.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 178528 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\grvicons.exe

+ 2010-03-01 04:56 . 2010-03-01 04:56 604024 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\PUBCONV.DLL

+ 2010-01-09 21:50 . 2010-01-09 21:50 119160 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\MSCONV97.DLL

+ 2010-03-01 04:56 . 2010-03-01 04:56 457104 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\MORPH9.DLL

+ 2010-12-16 18:27 . 2010-09-10 05:58 916480 f:\windows\ie8updates\KB2416400-IE8\wininet.dll

+ 2010-12-16 18:27 . 2010-07-05 13:16 382840 f:\windows\ie8updates\KB2416400-IE8\spuninst\updspapi.dll

+ 2010-12-16 18:27 . 2010-02-22 14:23 231288 f:\windows\ie8updates\KB2416400-IE8\spuninst\spuninst.exe

+ 2010-12-16 18:27 . 2010-09-10 05:58 206848 f:\windows\ie8updates\KB2416400-IE8\occache.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 611840 f:\windows\ie8updates\KB2416400-IE8\mstime.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 602112 f:\windows\ie8updates\KB2416400-IE8\msfeeds.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 247808 f:\windows\ie8updates\KB2416400-IE8\ieproxy.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 184320 f:\windows\ie8updates\KB2416400-IE8\iepeers.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 743424 f:\windows\ie8updates\KB2416400-IE8\iedvtool.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 387584 f:\windows\ie8updates\KB2416400-IE8\iedkcs32.dll

+ 2010-12-16 18:27 . 2010-08-26 12:22 173056 f:\windows\ie8updates\KB2416400-IE8\ie4uinit.exe

+ 2006-02-28 12:00 . 2010-11-06 00:26 1210880 f:\windows\system32\urlmon.dll

- 2006-02-28 12:00 . 2010-09-10 05:58 1210880 f:\windows\system32\urlmon.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 5959168 f:\windows\system32\mshtml.dll

+ 2009-03-08 03:32 . 2010-11-06 00:26 1991680 f:\windows\system32\iertutil.dll

+ 2009-04-17 12:26 . 2010-10-26 13:25 1853312 f:\windows\system32\dllcache\win32k.sys

+ 2009-06-26 16:50 . 2010-11-06 00:26 1210880 f:\windows\system32\dllcache\urlmon.dll

- 2009-06-26 16:50 . 2010-09-10 05:58 1210880 f:\windows\system32\dllcache\urlmon.dll

+ 2009-07-18 16:05 . 2010-11-06 00:26 5959168 f:\windows\system32\dllcache\mshtml.dll

+ 2009-09-14 17:31 . 2010-11-06 00:26 1991680 f:\windows\system32\dllcache\iertutil.dll

+ 2010-10-08 22:12 . 2010-10-08 22:12 8354304 f:\windows\Installer\68d445e.msp

+ 2010-11-19 13:34 . 2010-11-19 13:34 3459584 f:\windows\Installer\68d443c.msp

+ 2010-11-11 12:54 . 2010-11-11 12:54 1002496 f:\windows\Installer\68d441b.msp

+ 2010-11-11 12:54 . 2010-11-11 12:54 1121792 f:\windows\Installer\68d441a.msp

+ 2010-11-11 12:54 . 2010-11-11 12:54 1310720 f:\windows\Installer\68d4419.msp

- 2010-11-16 12:36 . 2010-11-16 13:22 1479520 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\xlicons.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 1479520 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\xlicons.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 1858400 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\wordicon.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 1858400 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\wordicon.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 3792736 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pptico.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 3792736 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pptico.exe

- 2010-11-16 12:36 . 2010-11-16 13:22 1449312 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\accicons.exe

+ 2010-11-16 12:36 . 2010-12-16 18:27 1449312 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\accicons.exe

+ 2010-03-01 05:20 . 2010-03-01 05:20 2323840 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\GKWORD.DLL

+ 2010-03-01 05:20 . 2010-03-01 05:20 2102656 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\GKPOWERPOINT.DLL

+ 2010-03-01 05:20 . 2010-03-01 05:20 3355008 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\GKEXCEL.DLL

+ 2010-12-16 18:27 . 2010-09-10 05:58 1210880 f:\windows\ie8updates\KB2416400-IE8\urlmon.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 5957120 f:\windows\ie8updates\KB2416400-IE8\mshtml.dll

+ 2010-12-16 18:27 . 2010-09-10 05:58 1986560 f:\windows\ie8updates\KB2416400-IE8\iertutil.dll

+ 2005-05-31 22:17 . 2010-12-16 18:23 37366216 f:\windows\system32\MRT.exe

+ 2009-03-08 03:39 . 2010-11-06 00:26 11080704 f:\windows\system32\ieframe.dll

+ 2009-07-19 17:48 . 2010-11-06 00:26 11080704 f:\windows\system32\dllcache\ieframe.dll

+ 2010-11-11 12:52 . 2010-11-11 12:52 13486592 f:\windows\Installer\68d4481.msp

+ 2010-03-01 04:56 . 2010-03-01 04:56 10272104 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\MSPUB.EXE

+ 2010-12-16 18:27 . 2010-09-10 05:58 11080192 f:\windows\ie8updates\KB2416400-IE8\ieframe.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]

@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]

2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]

@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]

2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-04 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2010-03-26 301744]

"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2010-03-26 1653424]

"logo mouse"="c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE" [2004-01-08 37888]

"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-17 30192]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-05-12 13684736]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Start Menu\Programs\System Tools\Startup\

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWinKeys"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 01000000

"NoRecentDocsNetHood"= 01000000

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 00000000

"NoNetworkConnections"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe"

"WService"=WService.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

"SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe

"InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe

"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe"

"DT ACR"=c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe -ACR

"nwiz"=nwiz.exe /install

"00Hotkeys"="c:\program files\Qliner Hotkeys\HotKeys.exe"

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 fsbts;fsbts;f:\windows\system32\drivers\fsbts.sys [30/08/2009 10:06 42664]

R0 FSFW;F-Secure Firewall Driver;f:\windows\system32\drivers\fsdfw.sys [23/10/2007 12:11 80080]

R0 pssnap;Paramount Software Snapshot Filter;f:\windows\system32\drivers\pssnap.sys [28/09/2010 13:40 15328]

R1 Asapi;Asapi;f:\windows\system32\drivers\asapi.sys [07/02/2004 18:27 10240]

R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [08/09/2009 05:23 68144]

R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [06/08/2010 03:54 2953808]

R2 NTIOWP;NTIOWP;f:\windows\system32\drivers\NTIOWP.SYS [06/02/2004 10:35 10112]

R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [28/09/2010 13:40 220128]

R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [08/09/2009 05:23 130728]

S0 Lbd;Lbd; [x]

S1 GhPciScan;GhostPciScanner;\??\c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys --> c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]

S2 SVKP;SVKP;\??\c:\windows\System32\SVKP.sys --> c:\windows\System32\SVKP.sys [?]

S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [06/08/2010 03:54 72808]

S3 DCamUSBNW802;Mustek Wcam 300;f:\windows\system32\drivers\pcam.sys [08/04/2003 10:48 265904]

S3 epmntdrv;epmntdrv;f:\windows\system32\epmntdrv.sys [03/08/2010 15:37 13192]

S3 EuGdiDrv;EuGdiDrv;f:\windows\system32\EuGdiDrv.sys [03/08/2010 15:37 8456]

S3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [08/09/2009 05:23 64016]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [27/01/2010 17:58 30192]

S3 ham50;Intel 56K HaM Data Fax Voice Modem;f:\windows\system32\drivers\ham50.sys [24/07/2008 20:36 366525]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 10:25 30969208]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]

S3 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [08/09/2009 12:58 90112]

S3 PSI;PSI;f:\windows\system32\drivers\psi_mf.sys [28/05/2010 11:04 14896]

S3 PSMounter;Macrium Reflect Image Explorer Service;f:\windows\system32\drivers\psmounter.sys [28/09/2010 13:40 44512]

S3 PSVolAcc;PSVolAcc;f:\windows\system32\drivers\PSVolAcc.sys [28/09/2010 13:40 12256]

S3 Second Backup Service;Second Backup Service;c:\program files\Second Backup\SecondBackup.exe [27/12/2007 05:22 1744896]

S3 SiS630;SiS630;f:\windows\system32\drivers\sis630p.sys [08/01/2002 18:53 162048]

S3 WinRM;Windows Remote Management (WS-Management);f:\windows\system32\svchost.exe -k WINRM [28/02/2006 12:00 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;f:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]

S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [08/09/2009 05:23 39856]

S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [08/09/2009 05:23 25264]

S4 NProtectService;Norton Unerase Protection; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

WINRM REG_MULTI_SZ WINRM

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]

2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]

2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8b15971b-5355-4c82-8c07-7e181ea07608}]

2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

2010-12-16 f:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2009-09-08 10:21]

2010-12-15 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500Core.job

- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48]

2010-12-16 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500UA.job

- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48]

2010-12-16 f:\windows\Tasks\WGASetup.job

- f:\windows\system32\KB905474\wgasetup.exe [2009-08-31 21:18]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000

IE: Read By Natural Voice Reader - c:\program files\NaturalReaders\Natural Voice Reader Pro\read.html

IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105

IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

LSP: c:\program files\F-Secure\FSPS\program\fslsp.dll

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

DPF: DirectAnimation Java Classes

DPF: Microsoft XML Parser for Java

FF - ProfilePath -

.

.

------- File Associations -------

.

txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1"

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-16 18:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-789336058-1957994488-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"Licence0"="04F0D21-79D8-7A25-D702-433F"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_413c&Pid_3016\6&280bb194&0&0000\LogConf]

@DACL=(02 0000)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)

f:\windows\system32\Ati2evxx.dll

c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'lsass.exe'(808)

c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'explorer.exe'(2076)

f:\windows\system32\WININET.dll

c:\program files\Logitech\MouseWare\System\LgWndHk.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll

c:\program files\MozyHome\mozyshell.dll

c:\program files\MozyHome\LIBEAY32.dll

c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

f:\windows\system32\msi.dll

f:\windows\system32\ieframe.dll

f:\windows\system32\webcheck.dll

f:\windows\system32\WPDShServiceObj.dll

f:\windows\system32\PortableDeviceTypes.dll

f:\windows\system32\PortableDeviceApi.dll

f:\windows\System32\netshell.dll

.

Completion time: 2010-12-16 19:00:22

ComboFix-quarantined-files.txt 2010-12-16 19:00

ComboFix2.txt 2010-12-15 11:58

Pre-Run: 55,118,704,640 bytes free

Post-Run: 55,101,149,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer /SOS

- - End Of File - - B80A44C72052C7E20FCEC3FBD1A36E21


Dear Maniac,

Thanks, I followed your instructions and did an F-Secure scan, but this found nothing. I then retried Malwarebytes. Unfortunately it still refused to connect, as did other AV programs when tested, even though Firefox and Chrome have no problems accessing the internet.

I then did ComboFix several times (the 1st time it needed the Windows console); next I added that and fully turned off F-Secure [unplugging the PC from the router] and killed all background programs. This seemed to be positive. Ran F-Secure again, which found Malware!Gemini.

Unfortunately, even though this was quarantined, the situation of not being able to update Malwarebytes and other AV programs remains, in spite of Firefox, Chrome and F-Secure being able to access the internet.

Malwarebytes gives the error PROGRAM_ERROR_UPDATING (12002, 0, WinHttpReceiveResponse)

I have cut and pasted below the logs from F-Secure and ComboFix.

Best

John

This is the F-Secure log; note that the file XXOLDTRASH.MBX dates back to 2003.

17.12.2010 04:42:42 Suspicious:W32/Malware!Gemini BEGIN

;

;Log created by USS version 4.10.16410

;

17.12.2010 04:42:42 Suspicious:W32/Malware!Gemini file "C:\PROGRAM FILES\REGSEEKER\REGSEEKER.EXE" quarantined success

17.12.2010 04:42:42 Suspicious:W32/Malware!Gemini file "C:\PROGRAM FILES\REGSEEKER\REGSEEKER.EXE" deleted success

17.12.2010 04:42:42 Suspicious:W32/Malware!Gemini END

17.12.2010 05:19:28 Suspicious:W32/Malware!Gemini BEGIN

;

;Log created by USS version 4.10.16410

;

17.12.2010 05:19:28 Suspicious:W32/Malware!Gemini file "F:\SYSTEM VOLUME INFORMATION\_RESTORE{C4365319-5737-4505-B996-8F6CA36D2EBD}\RP90\A0018870.EXE" quarantined success

17.12.2010 05:19:28 Suspicious:W32/Malware!Gemini file "F:\SYSTEM VOLUME INFORMATION\_RESTORE{C4365319-5737-4505-B996-8F6CA36D2EBD}\RP90\A0018870.EXE" deleted success

17.12.2010 05:19:28 Suspicious:W32/Malware!Gemini END

17.12.2010 05:36:08 Exploit.Iframe.Vulnerability BEGIN

;

;Log created by USS version 4.10.16410

;

17.12.2010 05:36:08 Exploit.Iframe.Vulnerability file "J:\EMAIL BACKUP\__HOME_EMAIL\EUDORA6\XXOLDTRASH.MBX" quarantined failed

17.12.2010 05:36:08 Exploit.Iframe.Vulnerability file "J:\EMAIL BACKUP\__HOME_EMAIL\EUDORA6\XXOLDTRASH.MBX" deleted failed

17.12.2010 05:36:08 Exploit.Iframe.Vulnerability END

17.12.2010 05:40:01 Exploit.Iframe.Vulnerability BEGIN

;

;Log created by USS version 4.10.16410

;

17.12.2010 05:40:01 Exploit.Iframe.Vulnerability file "J:\ARCHIVE\MY OTHER DOCUMENTS\EUDORA5\XXOLDTRASH.MBX" quarantined failed

17.12.2010 05:40:01 Exploit.Iframe.Vulnerability file "J:\ARCHIVE\MY OTHER DOCUMENTS\EUDORA5\XXOLDTRASH.MBX" deleted failed

17.12.2010 05:40:01 Exploit.Iframe.Vulnerability END

----------------------------------------------------------------------

ComboFix log

ComboFix 10-12-14.05 - Administrator 17/12/2010 3:44.6.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1503 [GMT 0:00]

Running from: l:\d\Combo-Fix.exe

Command switches used :: l:\d\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

AV: F-Secure Client Security 9.01 *Enabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

FW: F-Secure Client Security 9.01 *Disabled* {D4747503-0346-49EB-9262-997542F79BF4}

.

((((((((((((((((((((((((( Files Created from 2010-11-17 to 2010-12-17 )))))))))))))))))))))))))))))))

.

2010-12-15 07:19 . 2010-12-15 07:19 -------- d-----w- f:\windows\system32\wbem\Repository

2010-12-15 02:44 . 2010-11-02 15:17 40960 -c----w- f:\windows\system32\dllcache\ndproxy.sys

2010-12-15 02:43 . 2010-10-11 14:59 45568 -c----w- f:\windows\system32\dllcache\wab.exe

2010-12-15 01:25 . 2010-12-17 03:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-14 13:09 . 2010-12-17 02:44 -------- dc----w- f:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- f:\documents and settings\All Users\Application Data\Lavasoft

2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- c:\program files\Lavasoft

2010-12-13 05:54 . 2010-12-17 02:46 -------- d-----w- f:\documents and settings\All Users\Application Data\MFAData

2010-12-12 07:42 . 2010-12-12 07:42 -------- d-----w- f:\documents and settings\All Users\Application Data\DivX

2010-12-05 13:57 . 2010-12-05 16:11 -------- d-----w- c:\program files\Network Stumbler

2010-11-30 13:15 . 2010-11-30 13:31 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Application Data\vlc

2010-11-30 12:22 . 2010-12-17 03:38 -------- d-----w- c:\program files\Everything

2010-11-28 13:59 . 2010-11-28 14:33 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\imap-mail101128

2010-11-28 11:45 . 2010-11-28 11:45 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\%LOCALAPPDATA%

2010-11-28 10:39 . 2010-11-28 10:39 -------- d-----w- c:\program files\Microsoft Office Labs

2010-11-18 18:12 . 2010-11-18 18:12 81920 -c----w- f:\windows\system32\dllcache\isign32.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-15 13:06 . 2009-08-30 10:06 42664 ----a-w- f:\windows\system32\drivers\fsbts.sys

2010-11-29 17:42 . 2009-09-17 02:03 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys

2010-11-29 17:42 . 2009-09-17 02:03 20952 ----a-w- f:\windows\system32\drivers\mbam.sys

2010-11-18 18:12 . 2003-02-07 18:15 81920 ----a-w- f:\windows\system32\isign32.dll

2010-11-06 00:26 . 2006-02-28 12:00 916480 ----a-w- f:\windows\system32\wininet.dll

2010-11-06 00:26 . 2006-02-28 12:00 43520 ----a-w- f:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2006-02-28 12:00 1469440 ------w- f:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2006-02-28 12:00 385024 ------w- f:\windows\system32\html.iec

2010-11-02 15:17 . 2006-02-28 12:00 40960 ----a-w- f:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd.dll

2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd(2).dll

2010-10-26 13:25 . 2006-02-28 12:00 1853312 ----a-w- f:\windows\system32\win32k.sys

2010-10-13 10:55 . 2010-10-13 10:55 236160 ------w- f:\windows\EasyGifAnimator_Toolbar_Uninstaller_7125.exe

2010-10-10 05:19 . 2010-10-10 05:19 121233 ------w- f:\windows\File Renamer - Basic Uninstaller.exe

2010-09-28 13:03 . 2010-09-28 13:40 12256 ------w- f:\windows\system32\drivers\PSVolAcc.sys

2010-09-28 13:03 . 2010-09-28 13:40 15328 ------w- f:\windows\system32\drivers\pssnap.sys

2010-09-28 13:03 . 2010-09-28 13:40 44512 ------w- f:\windows\system32\drivers\psmounter.sys

2010-09-18 11:23 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- f:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- f:\windows\system32\mfc40u.dll

2010-08-13 21:28 . 2010-08-21 06:51 1237504 ------w- c:\program files\TweakMe!.exe

2010-08-08 08:58 . 2010-08-17 13:21 33280 ------w- c:\program files\shmnview.exe

2009-08-15 17:09 . 2009-10-13 07:29 32256 ------w- c:\program files\OfficeIns.exe

2008-03-16 20:32 . 2010-11-10 05:31 2507710 ----a-w- c:\program files\bomb-countdown.exe

2004-11-28 19:33 . 2009-09-08 06:44 1208320 ------w- c:\program files\IfoEdit.exe

2002-11-24 20:53 . 2009-09-08 06:44 507904 ------w- c:\program files\TheRenameProgram.exe

2000-10-16 12:30 . 2009-09-30 13:39 217088 ------w- c:\program files\SpaceMonger.exe

2010-09-17 03:00 . 2010-01-27 17:58 119808 ------w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

((((((((((((((((((((((((((((( SnapShot_2010-12-16_18.58.23 )))))))))))))))))))))))))))))))))))))))))

.

+ 2003-02-07 18:24 . 2010-12-17 02:38 32768 f:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2003-02-07 18:24 . 2010-12-14 02:55 32768 f:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2003-02-07 18:24 . 2010-12-17 02:38 32768 f:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2003-02-07 18:24 . 2010-12-14 02:55 32768 f:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-12-11 15:38 . 2010-12-17 02:38 16384 f:\windows\system32\config\systemprofile\IETldCache\index.dat

- 2009-12-11 15:38 . 2010-12-14 02:55 16384 f:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2010-12-17 02:44 . 2010-12-17 02:44 1867776 f:\windows\Installer\7a5e0.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]

@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]

2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]

@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]

2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-04 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2010-03-26 301744]

"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2010-03-26 1653424]

"logo mouse"="c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE" [2004-01-08 37888]

"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-17 30192]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-05-12 13684736]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Start Menu\Programs\System Tools\Startup\

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWinKeys"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 01000000

"NoRecentDocsNetHood"= 01000000

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 00000000

"NoNetworkConnections"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe"

"WService"=WService.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

"SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe

"InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe

"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe"

"DT ACR"=c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe -ACR

"nwiz"=nwiz.exe /install

"00Hotkeys"="c:\program files\Qliner Hotkeys\HotKeys.exe"

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 fsbts;fsbts;f:\windows\system32\drivers\fsbts.sys [30/08/2009 10:06 42664]

R0 FSFW;F-Secure Firewall Driver;f:\windows\system32\drivers\fsdfw.sys [23/10/2007 12:11 80080]

R0 pssnap;Paramount Software Snapshot Filter;f:\windows\system32\drivers\pssnap.sys [28/09/2010 13:40 15328]

R1 Asapi;Asapi;f:\windows\system32\drivers\asapi.sys [07/02/2004 18:27 10240]

R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [08/09/2009 05:23 68144]

R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [06/08/2010 03:54 2953808]

R2 NTIOWP;NTIOWP;f:\windows\system32\drivers\NTIOWP.SYS [06/02/2004 10:35 10112]

R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [28/09/2010 13:40 220128]

R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [08/09/2009 05:23 130728]

S0 Lbd;Lbd; [x]

S1 GhPciScan;GhostPciScanner;\??\c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys --> c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]

S2 SVKP;SVKP;\??\c:\windows\System32\SVKP.sys --> c:\windows\System32\SVKP.sys [?]

S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [06/08/2010 03:54 72808]

S3 DCamUSBNW802;Mustek Wcam 300;f:\windows\system32\drivers\pcam.sys [08/04/2003 10:48 265904]

S3 epmntdrv;epmntdrv;f:\windows\system32\epmntdrv.sys [03/08/2010 15:37 13192]

S3 EuGdiDrv;EuGdiDrv;f:\windows\system32\EuGdiDrv.sys [03/08/2010 15:37 8456]

S3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [08/09/2009 05:23 64016]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [27/01/2010 17:58 30192]

S3 ham50;Intel 56K HaM Data Fax Voice Modem;f:\windows\system32\drivers\ham50.sys [24/07/2008 20:36 366525]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 10:25 30969208]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]

S3 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [08/09/2009 12:58 90112]

S3 PSI;PSI;f:\windows\system32\drivers\psi_mf.sys [28/05/2010 11:04 14896]

S3 PSMounter;Macrium Reflect Image Explorer Service;f:\windows\system32\drivers\psmounter.sys [28/09/2010 13:40 44512]

S3 PSVolAcc;PSVolAcc;f:\windows\system32\drivers\PSVolAcc.sys [28/09/2010 13:40 12256]

S3 Second Backup Service;Second Backup Service;c:\program files\Second Backup\SecondBackup.exe [27/12/2007 05:22 1744896]

S3 SiS630;SiS630;f:\windows\system32\drivers\sis630p.sys [08/01/2002 18:53 162048]

S3 WinRM;Windows Remote Management (WS-Management);f:\windows\system32\svchost.exe -k WINRM [28/02/2006 12:00 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;f:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]

S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [08/09/2009 05:23 39856]

S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [08/09/2009 05:23 25264]

S4 NProtectService;Norton Unerase Protection; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

WINRM REG_MULTI_SZ WINRM

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]

2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]

2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8b15971b-5355-4c82-8c07-7e181ea07608}]

2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

2010-12-17 f:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2009-09-08 10:21]

2010-12-16 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500Core.job

- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48]

2010-12-17 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500UA.job

- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48]

2010-12-17 f:\windows\Tasks\WGASetup.job

- f:\windows\system32\KB905474\wgasetup.exe [2009-08-31 21:18]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000

IE: Read By Natural Voice Reader - c:\program files\NaturalReaders\Natural Voice Reader Pro\read.html

IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105

IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

LSP: c:\program files\F-Secure\FSPS\program\fslsp.dll

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

DPF: DirectAnimation Java Classes

DPF: Microsoft XML Parser for Java

FF - ProfilePath -

.

.

------- File Associations -------

.

txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1"

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-17 03:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-789336058-1957994488-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"Licence0"="04F0D21-79D8-7A25-D702-433F"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_413c&Pid_3016\6&280bb194&0&0000\LogConf]

@DACL=(02 0000)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)

f:\windows\system32\Ati2evxx.dll

c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'lsass.exe'(812)

c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'explorer.exe'(1728)

f:\windows\system32\WININET.dll

c:\program files\Logitech\MouseWare\System\LgWndHk.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll

c:\program files\MozyHome\mozyshell.dll

c:\program files\MozyHome\LIBEAY32.dll

c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

f:\windows\system32\msi.dll

f:\windows\system32\ieframe.dll

f:\windows\system32\webcheck.dll

f:\windows\system32\WPDShServiceObj.dll

f:\windows\system32\PortableDeviceTypes.dll

f:\windows\system32\PortableDeviceApi.dll

f:\windows\System32\netshell.dll

.

Completion time: 2010-12-17 03:51:00

ComboFix-quarantined-files.txt 2010-12-17 03:50

ComboFix2.txt 2010-12-17 03:34

ComboFix3.txt 2010-12-17 03:24

ComboFix4.txt 2010-12-16 19:00

ComboFix5.txt 2010-12-17 03:41

Pre-Run: 55,017,357,312 bytes free

Post-Run: 54,987,948,032 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer /SOS

- - End Of File - - 12F0778DACDA0CDA4AC1CD18015FE842


Step 1

Clear your system restore points:

http://www.microsoft.com/windowsxp/using/h...ps/mcgill1.mspx

Step 2

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed anti-virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted, allow the Add-On/ActiveX to install.
  • Now click on Advanced Settings and select the following:

    • Remove found threats
    • Scan archives
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Maniac,

Thanks for suggesting ESET Online Scanner. It took some time scanning but to nil result. Checked Malwarebytes but it still will not update, and indeed it stopped Firefox, requiring a reboot.

Best

John

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6415

# api_version=3.0.2

# EOSSerial=9fde2087d1acce4f8ea1e5b4112ca3e0

# end=stopped

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-12-17 09:58:37

# local_time=2010-12-17 09:58:37 (+0000, GMT Standard Time)

# country="United Kingdom"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=2304 16777191 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 3774 3774 0 0

# scanned=73832

# found=0

# cleaned=0

# scan_time=2964

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6415

# api_version=3.0.2

# EOSSerial=9fde2087d1acce4f8ea1e5b4112ca3e0

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-12-18 06:19:40

# local_time=2010-12-18 06:19:40 (+0000, GMT Standard Time)

# country="United Kingdom"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=2304 16777175 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 41668 41668 0 0

# scanned=338992

# found=0

# cleaned=0

# scan_time=38424


  1. Please download Junction.zip and save it.
  2. Unzip it and put junction.exe in the Windows directory (C:\Windows).
  3. Go to Start => Run... and copy/paste the following command in the run box and click OK:
    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt


  4. A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.

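For readers who want to see what the `junction -s c:\` step in the instructions above actually enumerates, here is an added Python example; it is not code from this thread, from Sysinternals or from the forum helper. It walks a directory tree without following links and reports every symbolic link (on any OS) or, on Windows, every entry carrying the reparse-point attribute, which covers junctions and mount points. Entries it cannot stat are reported with a "Failed to open" line and skipped, the same behaviour the Junction output in this thread shows for pagefile.sys. The sample tree it builds is constructed for the demo, and the `build_demo_tree` / `scan_demo_tree` helper names are this example's own. Malware sometimes plants junctions or links that redirect a path or send a naive scanner into a loop, which is why listing reparse points is a useful cleanup step; this walker refuses to follow the loop it creates.

```python
import os
import shutil
import stat
import tempfile


def is_windows_reparse_point(st):
    """True when an lstat result carries FILE_ATTRIBUTE_REPARSE_POINT
    (junctions, mount points, symlinks). The attribute only exists on
    Windows; elsewhere getattr() falls back to 0."""
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def find_reparse_points(root):
    """Walk root WITHOUT following links and return the sorted paths of every
    symlink (any OS) or reparse-point entry (Windows) beneath it.
    Entries that cannot be stat'ed are reported, as Junction does, and skipped."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: inspect the link itself
            except OSError as exc:
                print(f"Failed to open {path}: {exc.strerror}")
                continue
            if stat.S_ISLNK(st.st_mode) or is_windows_reparse_point(st):
                found.append(path)
    return sorted(found)


def build_demo_tree():
    """Constructed sample tree (not real data): one normal directory, one plain
    file, and one symlink that points back at its own parent, the kind of loop a
    scanner that followed links would never climb out of. Returns the root."""
    root = tempfile.mkdtemp(prefix="junction-demo-")
    progdir = os.path.join(root, "Program Files")
    os.mkdir(progdir)
    with open(os.path.join(progdir, "readme.txt"), "w") as fh:
        fh.write("plain file\n")
    # On Windows creating a symlink needs SeCreateSymbolicLink or Developer Mode.
    os.symlink(progdir, os.path.join(progdir, "loop-link"), target_is_directory=True)
    return root


def scan_demo_tree():
    """Build the sample tree, scan it, remove it, and return the paths of the
    reparse points found relative to the tree root."""
    root = build_demo_tree()
    try:
        return [os.path.relpath(p, root) for p in find_reparse_points(root)]
    finally:
        shutil.rmtree(root)   # rmtree unlinks symlinks rather than following them


if __name__ == "__main__":
    for rel in scan_demo_tree():
        print("reparse point:", rel)
```

Run it as-is to see the single planted link reported; point `find_reparse_points` at a real root (for example `C:\`) to get the equivalent of the thread's `junction -s c:\` listing. Because the walk never follows links, the self-referencing `loop-link` is listed exactly once instead of recursing forever.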

Thanks Maniac,

Here is the cut and paste from junction.

best

John

-- 19:14:30 3/10/10 - LocalSocketProtocol::readNextMessage

(C:\Users\bitten\mendeley\manual\source\src\localSocket\LocalSocketProtocol.cpp:172)

readNextMessage: unexpected end of the ioDevice

-- 19:14:30 3/10/10 - LocalSocketProtocol::decodeMessage

(C:\Users\bitten\mendeley\manual\source\src\localSocket\LocalSocketProtocol.cpp:122)

LocalSocketProtocol: message malformed: empty


What is the problem with MBAM? Run this tool and try again:

  1. Download FixPolicies.exe (by Bill Castner) and save it to your desktop.
  2. Double click on FixPolicies.exe to run it.
  3. Click on Install. It will create a folder named FixPolicies on your desktop.
  4. Open the FixPolicies folder.
  5. Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.


Maniac, thanks for your help.

Malwarebytes can now update. But Emsisoft Anti-Malware cannot. Or rather Emsisoft can update and connect to the internet provided f-secure is unloaded to only its firewall. Emsisoft has not had this problem before with f-secure. I ran both Malwarebytes and f-secure and they found nothing. Is it clean? Can I transfer files off the pc without transferring an infection?

John


Maniac

Apologies for not reading and understanding your last instruction.

I ran junction again it produced the following output:

Junction v1.06 - Windows junction creator and reparse point viewer

Copyright © 2000-2010 Mark Russinovich

Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file

because it is being used by another process.

Failed to open \\?\c:\\System Volume Information: Access is denied.

The existence of Pagefile.sys is a mystery since xp is set not to use it and it should have been deleted but a 2GB pagefile.sys file remains.

John


Maniac

Apologies I did not see your more recent post.

In F-Secure connections Emsisoft is given "allow" for both outbound and inbound. I do not see a way to give it an exception in the firewall other than this. The puzzle is that Emsisoft (I have rechecked) will download updates through the F-Secure firewall, but only if the rest of F-Secure is unloaded.

John

Very interesting.... did you add them to the exceptions of the F-Secure Firewall? Maybe this is the problem. Yes, you can transfer your files.

Thanks John, nothing special in the Junction log.

The existence of Pagefile.sys is a mystery since xp is set not to use it and it should have been deleted but a 2GB pagefile.sys file remains.

The page file is very important. I suggest you read this article from Microsoft for more information:

http://support.microsoft.com/kb/2267427

You can restrict these things, but I personally advise not to be confused in the operating system and the Microsoft.

In F-Secure connections Emsisoft is given "allow" for both outbound and inbound. I do not see a way to give it an exception in the firewall other than this. The puzzle is that Emsisoft (I have rechecked) will download updates through the F-Secure firewall, but only if the rest of F-Secure is unloaded.

You're right, this should be enough for Emsisoft. It seems to be a problem between them, so I suggest you contact their tech support (Emsisoft or F-Secure); they will help you.

http://www.f-secure.com/en_EMEA/support/

http://www.emsisoft.com/en/support/


Dear Maniac,

Yes, the page file is important--but I had turned it off so scanners would not waste time on it. Obviously once the system is back to normal it will be turned back on. The puzzle is why it never went.

I contacted F-Secure and was told to uninstall all non-F-Secure AV, then reinstall F-Secure and rely entirely upon F-Secure and not reinstall alternatives. Conflicts between AVs make sense for DeepGuard-type active monitoring, but the update concerned traces for scanning and this should not cause program conflicts--files would be just passively examined. I am awaiting a fuller response.

My concern is that F-Secure might actively be stopping other AV and their updates. F-Secure should not, as it would be illegal in the US, for example, in regard to antitrust laws (customers must be able to evaluate competitor software unless there is good reason, and then with notification). But then programmers at Google foolishly, in Street View, softwared the picking up of Wi-Fi network data--something Google lawyers should have warned them was illegal.

Best

John


This topic is now closed to further replies.