
Please find the appropriate files attached. Despite a Full scan, the virus is continuing to attack as I write.

I was also unable to download the MBAM update. "Access is denied"

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6303

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 6.0.2900.5512

4/10/2011 4:45:41 PM

mbam-log-2011-04-10 (16-45-41).txt

Scan type: Full scan (C:\|)

Objects scanned: 284018

Time elapsed: 1 hour(s), 20 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 6

Registry Data Items Infected: 1

Folders Infected: 3

Files Infected: 27

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyClearSearch Helper Service (PUP.Zwangi) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Malware.Gen) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FaxCenterServer (Malware.Gen) -> Value: FaxCenterServer -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper (Malware.Gen) -> Value: iTunesHelper -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SynTPLpr (Malware.Gen) -> Value: SynTPLpr -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SynTPEnh (Malware.Gen) -> Value: SynTPEnh -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\shicoxp (Malware.Gen) -> Value: shicoxp -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caxchg (Malware.Gen) -> Value: caxchg -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.StartPage) -> Bad: (http://myclearsearch.com/) Good: (http://www.google.com) -> Quarantined and deleted successfully.

Folders Infected:

c:\documents and settings\all users\application data\browserseek (PUP.Zwangi) -> Quarantined and deleted successfully.

c:\program files\browserseek (PUP.Zwangi) -> Quarantined and deleted successfully.

c:\program files\myclearsearch (PUP.Zwangi) -> Quarantined and deleted successfully.

Files Infected:

c:\program files\lexmark fax solutions\fm3032.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\program files\iTunes\ituneshelper.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\program files\synaptics\SynTP\SynTPLpr.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\program files\synaptics\SynTP\SynTPEnh.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\WINDOWS\shicoxp.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\WINDOWS\caxchg.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\browserseek\browserseek174.exe (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\program files\myclearsearch\myclearsearchsvc.exe (PUP.Zwangi) -> Quarantined and deleted successfully.

c:\documents and settings\amason\application data\microsoft\windows media\12.0\wmpacm.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\amason\local settings\Temp\egocarh.exe (Adware.BHO) -> Quarantined and deleted successfully.

c:\documents and settings\amason\local settings\Temp\inet.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\amason\local settings\Temp\myclearsearch-setup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\documents and settings\amason\local settings\Temp\nsb22.tmp\browserseek.dll (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\amason\local settings\Temp\nsb22.tmp\browserseek.exe (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\amason\local settings\temporary internet files\Content.IE5\1RMFL3B5\tgtkk[1].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\documents and settings\amason\local settings\temporary internet files\Content.IE5\ERITSO47\zzjwaaosf[1].htm (Adware.BHO) -> Quarantined and deleted successfully.

c:\program files\browserseek\browserseek.dll (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\program files\myclearsearch\ShowMsg.exe (PUP.Zwangi) -> Quarantined and deleted successfully.

c:\system volume information\_restore{a1d234c7-2567-4929-93b8-17007c4ddf79}\RP317\A0046903.exe (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\Temp\ee896009-2241-4d1a-94b7-8f476921cf1c\offerapp-2533.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\Temp\ee896009-2241-4d1a-94b7-8f476921cf1c\setup_dc665clbofferdp.exe (Adware.BHO) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\Ygr.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\qlgq\setup.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\winset.ini (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.

c:\program files\myclearsearch\uninstall.exe (PUP.Zwangi) -> Quarantined and deleted successfully.

========================================================================

.

DDS (Ver_11-03-05.01) - NTFSx86 NETWORK

Run by amason at 14:57:22.65 on Sun 04/10/2011

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.593 [GMT -7:00]

.

AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe

C:\Documents and Settings\amason\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.xfinity.com/?cid=xfactiv_eg_self_main

mStart Page = hxxp://www.xfinity.com/?cid=xfactiv_eg_self_main

mWindow Title = Windows Internet Explorer provided by Comcast

mWinlogon: Userinit=userinit.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.5.0.125\ips\IPSBHO.DLL

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"

mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s

mRun: [LXCRCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCRtime.dll,_RunDLLEntry@16

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [shicoxp] c:\windows\shicoxp.exe

mRun: [caxchg] c:\windows\caxchg.exe

mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

dPolicies-system: DisableTaskMgr = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247844269106

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256091345322

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxsrvc.dll

Notify: itlnfw32 - itlnfw32.dll

Notify: itlntfy - itlnfw32.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\amason\applic~1\mozilla\firefox\profiles\77g6mh3o.default\

FF - prefs.js: network.proxy.ftp - 218.248.240.190

FF - prefs.js: network.proxy.ftp_port - 8080

FF - prefs.js: network.proxy.gopher - 218.248.240.190

FF - prefs.js: network.proxy.gopher_port - 8080

FF - prefs.js: network.proxy.http - 218.248.240.190

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.socks - 218.248.240.190

FF - prefs.js: network.proxy.socks_port - 8080

FF - prefs.js: network.proxy.ssl - 218.248.240.190

FF - prefs.js: network.proxy.ssl_port - 8080

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\ipsffplgn\components\IPSFFPl.dll

FF - plugin: c:\documents and settings\amason\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\amason\application data\move networks\plugins\npqmp071502000008.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\IPSFFPlgn

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\amason\application data\Move Networks

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Ad blocker: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C} - %profile%\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast, Creative ZENcast v2.01.01);user_pref(general.useragent.extra.zencast,

============= SERVICES / DRIVERS ===============

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1205000.07d\symds.sys [2011-1-6 340016]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1205000.07d\symefa.sys [2011-1-6 652336]

R3 FLASHREADER;USB Reader;c:\windows\system32\drivers\camusb.sys [2009-7-23 25600]

S1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\bashdefs\20110309.001\BHDrvx86.sys [2011-3-10 800376]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1205000.07d\ironx86.sys [2011-1-6 136312]

S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2003-3-31 14336]

S2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\18.5.0.125\ccsvchst.exe [2011-1-6 130000]

S2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-12-10 92008]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-9 102448]

S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\ipsdefs\20110407.001\IDSXpx86.sys [2011-4-7 341944]

S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20110407.018\NAVENG.SYS [2011-4-7 86136]

S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20110407.018\NAVEX15.SYS [2011-4-7 1393144]

S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2010.sp1d\RpcAgentSrv.exe [2010-5-9 93336]

S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

.

=============== Created Last 30 ================

.

2011-04-08 05:55:33 4224 ----a-w- c:\windows\system32\beep.sys

2011-04-07 01:21:03 34816 ----a-w- c:\windows\system32\itlnfw32.dll

2011-04-07 01:21:03 215552 ----a-w- c:\windows\system32\itlpfw32.dll

2011-04-07 01:11:09 -------- d--h--w- c:\docume~1\amason\applic~1\Malwarebytes

2011-04-07 01:11:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-07 01:11:04 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-04-07 01:11:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-07 01:11:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-06 22:18:57 -------- d--h--w- c:\docume~1\amason\applic~1\2017491D082AE9A7D22EFD10225E4D5D

.

==================== Find3M ====================

.

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

.

============= FINISH: 14:58:00.10 ===============


Hi, and welcome!

There are still some infections left after the MBAM scan, so let's start with these.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

  • Bleepingcomputer
  • ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Hi Elise, Thanks for the direction. Please find the results pasted below. I downloaded the program successfully but was unable to install the Autorecovery. The first time it didn't work it said it was because the page file might not be large enough, so it couldn't download. Then, it said something the next time I tried, but I can't recall what.

It also said I had Norton Antivirus running. I do have it installed, but I am in safe mode and it wasn't running and no processes indicated that it was active. So, I proceeded and got these results. As I'm typing, the hard drive light is going non-stop and a browser just opened to a bogus site, so I'm still infected for sure.

Thanks for your help!!

ComboFix 11-04-20.04 - amason 04/21/2011 15:26:28.1.1 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.817 [GMT -7:00]

Running from: c:\documents and settings\amason\Desktop\ComboFix.exe

AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\amason\Application Data\2017491D082AE9A7D22EFD10225E4D5D

c:\documents and settings\amason\Application Data\2017491D082AE9A7D22EFD10225E4D5D\enemies-names.txt

c:\documents and settings\amason\Application Data\2017491D082AE9A7D22EFD10225E4D5D\local.ini

c:\documents and settings\amason\Application Data\Adobe\plugs

c:\documents and settings\amason\Application Data\Adobe\shed

c:\documents and settings\amason\Application Data\Microsoft\Windows Media\12.0

c:\documents and settings\amason\Application Data\Microsoft\Windows Media\12.0\locale.cls

c:\documents and settings\amason\Application Data\Microsoft\Windows Media\12.0\wmpacm .exe

c:\windows\favicon.ico

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_6TO4

-------\Legacy_BROWSERSEEK_SERVICE

-------\Legacy_ITLPERF

-------\Service_6to4

-------\Service_BrowserSeek Service

-------\Service_itlperf

.

.

((((((((((((((((((((((((( Files Created from 2011-03-21 to 2011-04-21 )))))))))))))))))))))))))))))))

.

.

2011-04-11 01:08 . 2011-04-11 01:08 -------- d--h--w- c:\windows\PIF

2011-04-10 22:02 . 2011-04-10 22:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FaxCtr

2011-04-10 22:02 . 2011-04-11 01:10 -------- d-----w- C:\Temp

2011-04-10 22:01 . 2011-04-10 22:01 356352 ----a-w- c:\windows\system32\lmqj.exe

2011-04-08 05:55 . 2003-03-31 12:00 4224 ----a-w- c:\windows\system32\beep.sys

2011-04-08 05:55 . 2011-04-08 05:55 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-04-08 05:21 . 2011-04-08 05:21 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2011-04-07 01:21 . 2011-04-07 01:21 215552 ----a-w- c:\windows\system32\itlpfw32.dll.vir

2011-04-07 01:11 . 2011-04-07 01:11 -------- d--h--w- c:\documents and settings\amason\Application Data\Malwarebytes

2011-04-07 01:11 . 2011-04-07 01:11 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-04-07 01:11 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-07 01:11 . 2011-04-07 01:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-07 01:11 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 13:53 . 2003-03-31 12:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2003-03-31 12:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2009-10-20 06:54 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2009-10-20 06:54 677888 ----a-w- c:\windows\system32\mstsc.exe

.

c:\program files\iTunes\iTunesHelper .exe
c:\program files\Lexmark Fax Solutions\fm3032 .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\program files\Synaptics\SynTP\SynTPLpr .exe
c:\windows\caxchg .exe
c:\windows\shicoxp .exe

.

------- Sigcheck -------

.

[7] 2003-03-31 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\beep.sys

[7] 2003-03-31 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys

.

c:\windows\System32\drivers\beep.sys ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-12-10 247144]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 65536]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]

"Windows Media Player ACM"="c:\documents and settings\amason\Application Data\Microsoft\Windows Media\12.0\wmpacm .exe" [N/A]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-7-17 113664]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]

2002-10-04 01:50 684032 ------w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-02-28 00:10 35696 ------w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]

2006-02-07 05:10 98304 ------w- c:\program files\Lexmark 2400 Series\ezprint.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]

2003-02-10 22:34 90112 ------r- c:\windows\GWMDMMSG.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2003-10-02 21:19 118784 ------w- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2003-10-02 21:37 155648 ------w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-27 00:18 413696 ------w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-07-31 23:51 148888 ------w- c:\program files\Java\jre6\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=

"c:\\Documents and Settings\\amason\\My Documents\\Downloads\\winscp419.exe"=

"c:\\Program Files\\Allaire\\HomeSite 4.5\\homesite45.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010.SP1d\\RpcAgentSrv.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010.SP1d\\WNt500x86\\RpcSandraSrv.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"<NO NAME>"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1205000.07D\symds.sys [1/6/2011 8:29 PM 340016]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1205000.07D\symefa.sys [1/6/2011 8:29 PM 652336]

R3 FLASHREADER;USB Reader;c:\windows\system32\drivers\camusb.sys [7/23/2009 5:54 PM 25600]

S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110309.001\BHDrvx86.sys [3/10/2011 8:20 PM 800376]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1205000.07D\ironx86.sys [1/6/2011 8:29 PM 136312]

S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccsvchst.exe [1/6/2011 8:28 PM 130000]

S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [12/10/2010 5:29 AM 92008]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/10/2011 6:38 PM 102448]

S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110408.001\IDSXpx86.sys [4/10/2011 6:38 PM 341944]

S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2010.SP1d\RpcAgentSrv.exe [5/9/2010 9:32 PM 93336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

itlsvc REG_MULTI_SZ itlperf

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.xfinity.com/?cid=xfactiv_eg_self_main

mWindow Title = Windows Internet Explorer provided by Comcast

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll

FF - ProfilePath - c:\documents and settings\amason\Application Data\Mozilla\Firefox\Profiles\77g6mh3o.default\

FF - prefs.js: network.proxy.ftp - 218.248.240.190

FF - prefs.js: network.proxy.ftp_port - 8080

FF - prefs.js: network.proxy.gopher - 218.248.240.190

FF - prefs.js: network.proxy.gopher_port - 8080

FF - prefs.js: network.proxy.http - 218.248.240.190

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.socks - 218.248.240.190

FF - prefs.js: network.proxy.socks_port - 8080

FF - prefs.js: network.proxy.ssl - 218.248.240.190

FF - prefs.js: network.proxy.ssl_port - 8080

FF - prefs.js: network.proxy.type - 4

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\IPSFFPlgn

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\amason\Application Data\Move Networks

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Ad blocker: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C} - %profile%\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}

FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast, Creative ZENcast v2.01.01);user_pref(general.useragent.extra.zencast,

.

- - - - ORPHANS REMOVED - - - -

.

Notify-itlntfy - itlnfw32.dll

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-21 15:36

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

Windows Media Player ACM = c:\documents and settings\amason\Application Data\Microsoft\Windows Media\12.0\wmpacm .exe??????????06&?@-&??????(&?h?&??????????(&? ??|?2?|????$???????????????????????????J!@??????????"@??????????????"@??????:@?k#??????YK@???????@?H-&???&???l?0????K@?????"??

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(628)

c:\windows\system32\l3codecx.acm

.

- - - - - - - > 'explorer.exe'(1924)

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

.

Completion time: 2011-04-21 15:40:57 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-21 22:40

.

Pre-Run: 8,147,181,568 bytes free

Post-Run: 8,473,133,056 bytes free

.

- - End Of File - - EDE64EF03DA8C6BE415F0D1AD3723679


Well, I was able to get the Recovery Console installed by adding the pagefile. (I normally don't have one because I have a Solid State drive.)

Also please note that I have dual boot with Ubuntu set up. I installed it a couple of years ago.

Here is the new ComboFix log file:

ComboFix 11-04-20.04 - amason 04/22/2011 0:21.2.1 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.801 [GMT -7:00]

Running from: c:\documents and settings\amason\Desktop\ComboFix.exe

AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\docume~1\amason\LOCALS~1\Temp\drweb.exe

c:\docume~1\amason\LOCALS~1\Temp\gdi32.exe

c:\docume~1\amason\LOCALS~1\Temp\install.exe

c:\docume~1\amason\LOCALS~1\Temp\lsass.exe

c:\docume~1\amason\LOCALS~1\Temp\mdm.exe

c:\docume~1\amason\LOCALS~1\Temp\nvsvc32.exe

c:\docume~1\amason\LOCALS~1\Temp\r3m67p.exe

c:\docume~1\amason\LOCALS~1\Temp\services.exe

c:\docume~1\amason\LOCALS~1\Temp\setup.exe

c:\docume~1\amason\LOCALS~1\Temp\svchost.exe

c:\docume~1\amason\LOCALS~1\Temp\sysmgm.exe

c:\docume~1\amason\LOCALS~1\Temp\winamp.exe

c:\docume~1\amason\LOCALS~1\Temp\winlogon.exe

c:\documents and settings\amason\Application Data\Microsoft\conhost.exe

c:\documents and settings\NetworkService\Local Settings\Application Data\lonerty.dll

C:\Recycle.Bin

c:\recycle.bin\config.bin

c:\recycle.bin\Recycle.Bin.exe

c:\windows\avp32.exe

c:\windows\cmd.exe

c:\windows\drweb.exe

c:\windows\iexplarer.exe

c:\windows\linkinfo.dll

c:\windows\login.exe

c:\windows\lsass.exe

c:\windows\mdm.exe

c:\windows\morerv.dll

c:\windows\setup.exe

c:\windows\spoolsv.exe

c:\windows\sysmgm.exe

c:\windows\system32\6to4v32.dll

c:\windows\system32\itlnfw32.dll

c:\windows\system32\itlpfw32.dll

c:\windows\system32\winset.ini

c:\windows\taskmgr.exe

c:\windows\user.exe

c:\windows\win.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_6TO4

-------\Legacy_ITLPERF

-------\Service_6to4

-------\Service_itlperf

.

.

((((((((((((((((((((((((( Files Created from 2011-03-22 to 2011-04-22 )))))))))))))))))))))))))))))))

.

.

2011-04-21 22:49 . 2011-04-21 22:49 50000 ----a-w- c:\windows\system32\jj8a8ixl.dll

2011-04-11 01:08 . 2011-04-11 01:08 -------- d--h--w- c:\windows\PIF

2011-04-10 22:02 . 2011-04-10 22:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FaxCtr

2011-04-10 22:02 . 2011-04-11 01:10 -------- d-----w- C:\Temp

2011-04-10 22:01 . 2011-04-10 22:01 356352 ----a-w- c:\windows\system32\lmqj.exe

2011-04-08 05:55 . 2003-03-31 12:00 4224 ----a-w- c:\windows\system32\beep.sys

2011-04-08 05:55 . 2011-04-08 05:55 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-04-08 05:21 . 2011-04-08 05:21 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2011-04-07 01:21 . 2011-04-07 01:21 215552 ----a-w- c:\windows\system32\itlpfw32.dll.vir

2011-04-07 01:11 . 2011-04-07 01:11 -------- d--h--w- c:\documents and settings\amason\Application Data\Malwarebytes

2011-04-07 01:11 . 2011-04-07 01:11 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-04-07 01:11 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-07 01:11 . 2011-04-07 01:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-07 01:11 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 13:53 . 2003-03-31 12:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2003-03-31 12:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2009-10-20 06:54 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2009-10-20 06:54 677888 ----a-w- c:\windows\system32\mstsc.exe

.

c:\program files\iTunes\iTunesHelper .exe

c:\program files\Lexmark Fax Solutions\fm3032 .exe

c:\program files\Synaptics\SynTP\SynTPEnh .exe

c:\program files\Synaptics\SynTP\SynTPLpr .exe

c:\windows\caxchg .exe

c:\windows\shicoxp .exe

.

------- Sigcheck -------

.

[7] 2003-03-31 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\beep.sys

[7] 2003-03-31 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys

.

c:\windows\System32\drivers\beep.sys ... is missing !!

.

((((((((((((((((((((((((((((( SnapShot@2011-04-21_22.36.07 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-04-22 07:30 . 2011-04-22 07:30 16384 c:\windows\temp\Perflib_Perfdata_654.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-12-10 247144]

"4E3E0230AEBB4E96"="c:\recycle.bin\Recycle.Bin.exe" [N/A]

"MKbuqc"="c:\windows\iexplarer.exe" [N/A]

"MKeuf"="c:\windows\spoolsv.exe" [N/A]

"MKfa"="c:\windows\win.exe" [N/A]

"MKZSc"="c:\windows\avp32.exe" [N/A]

"MKcZ"="c:\windows\mdm.exe" [N/A]

"MKevc"="c:\windows\setup.exe" [N/A]

"MKcrc"="c:\windows\login.exe" [N/A]

"MKerb"="c:\windows\taskmgr.exe" [N/A]

"MKcuc"="c:\windows\lsass.exe" [N/A]

"MKee"="c:\windows\user.exe" [N/A]

"MKasc"="c:\windows\drweb.exe" [N/A]

"MKaZ"="c:\windows\cmd.exe" [N/A]

"MKewe"="c:\windows\sysmgm.exe" [N/A]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 65536]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]

"Windows Media Player ACM"="c:\documents and settings\amason\Application Data\Microsoft\Windows Media\12.0\wmpacm .exe" [N/A]

"MKbuqc"="c:\windows\iexplarer.exe" [N/A]

"MKeuf"="c:\windows\spoolsv.exe" [N/A]

"MKfa"="c:\windows\win.exe" [N/A]

"MKZSc"="c:\windows\avp32.exe" [N/A]

"MKcZ"="c:\windows\mdm.exe" [N/A]

"MKevc"="c:\windows\setup.exe" [N/A]

"MKcrc"="c:\windows\login.exe" [N/A]

"MKerb"="c:\windows\taskmgr.exe" [N/A]

"MKcuc"="c:\windows\lsass.exe" [N/A]

"MKee"="c:\windows\user.exe" [N/A]

"MKasc"="c:\windows\drweb.exe" [N/A]

"MKaZ"="c:\windows\cmd.exe" [N/A]

"MKewe"="c:\windows\sysmgm.exe" [N/A]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-7-17 113664]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\itlntfy]

itlnfw32.dll [bU]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]

2002-10-04 01:50 684032 ------w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-02-28 00:10 35696 ------w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]

2006-02-07 05:10 98304 ------w- c:\program files\Lexmark 2400 Series\ezprint.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]

2003-02-10 22:34 90112 ------r- c:\windows\GWMDMMSG.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2003-10-02 21:19 118784 ------w- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2003-10-02 21:37 155648 ------w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-27 00:18 413696 ------w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-07-31 23:51 148888 ------w- c:\program files\Java\jre6\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=

"c:\\Documents and Settings\\amason\\My Documents\\Downloads\\winscp419.exe"=

"c:\\Program Files\\Allaire\\HomeSite 4.5\\homesite45.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010.SP1d\\RpcAgentSrv.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010.SP1d\\WNt500x86\\RpcSandraSrv.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"<NO NAME>"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1205000.07D\symds.sys [1/6/2011 8:29 PM 340016]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1205000.07D\symefa.sys [1/6/2011 8:29 PM 652336]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110309.001\BHDrvx86.sys [3/10/2011 8:20 PM 800376]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1205000.07D\ironx86.sys [1/6/2011 8:29 PM 136312]

R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccsvchst.exe [1/6/2011 8:28 PM 130000]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [12/10/2010 5:29 AM 92008]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/10/2011 6:38 PM 102448]

R3 FLASHREADER;USB Reader;c:\windows\system32\drivers\camusb.sys [7/23/2009 5:54 PM 25600]

S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110408.001\IDSXpx86.sys [4/10/2011 6:38 PM 341944]

S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2010.SP1d\RpcAgentSrv.exe [5/9/2010 9:32 PM 93336]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - SymEvent

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

itlsvc REG_MULTI_SZ itlperf

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.xfinity.com/?cid=xfactiv_eg_self_main

mWindow Title = Windows Internet Explorer provided by Comcast

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll

FF - ProfilePath - c:\documents and settings\amason\Application Data\Mozilla\Firefox\Profiles\77g6mh3o.default\

FF - prefs.js: network.proxy.ftp - 218.248.240.190

FF - prefs.js: network.proxy.ftp_port - 8080

FF - prefs.js: network.proxy.gopher - 218.248.240.190

FF - prefs.js: network.proxy.gopher_port - 8080

FF - prefs.js: network.proxy.socks - 218.248.240.190

FF - prefs.js: network.proxy.socks_port - 8080

FF - prefs.js: network.proxy.ssl - 218.248.240.190

FF - prefs.js: network.proxy.ssl_port - 8080

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 50000

FF - prefs.js: network.proxy.type - 1

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\IPSFFPlgn

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\amason\Application Data\Move Networks

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Ad blocker: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C} - %profile%\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}

FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast, Creative ZENcast v2.01.01);user_pref(general.useragent.extra.zencast,

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-22 00:31

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16

Windows Media Player ACM = c:\documents and settings\amason\Application Data\Microsoft\Windows Media\12.0\wmpacm .exe

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(696)

c:\windows\system32\l3codecx.acm

.

- - - - - - - > 'explorer.exe'(3764)

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\l3codecx.acm

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\windows\System32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\lxcrcoms.exe

.

**************************************************************************

.

Completion time: 2011-04-22 00:38:13 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-22 07:38

ComboFix2.txt 2011-04-21 22:40

.

Pre-Run: 9,707,352,064 bytes free

Post-Run: 8,614,215,680 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NoExecute=OptIn

.

- - End Of File - - D151833F425172E99B8D67DEC52F3AD6


Hi again, there is still quite some malware left, so let's see if we can take it out with a script.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


KillAll::

File::
c:\windows\system32\lmqj.exe

MIA::
c:\windows\system32\drivers\beep.sys

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"4E3E0230AEBB4E96"=-
"MKbuqc"=-
"MKeuf"=-
"MKfa"=-
"MKZSc"=-
"MKcZ"=-
"MKevc"=-
"MKcrc"=-
"MKerb"=-
"MKcuc"=-
"MKee"=-
"MKasc"=-
"MKaZ"=-
"MKewe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MKbuqc"=-
"MKeuf"=-
"MKfa"=-
"MKZSc"=-
"MKcZ"=-
"MKevc"=-
"MKcrc"=-
"MKerb"=-
"MKcuc"=-
"MKee"=-
"MKasc"=-
"MKaZ"=-
"MKewe"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\itlntfy]

Firefox::
FF - ProfilePath - c:\documents and settings\amason\Application Data\Mozilla\Firefox\Profiles\77g6mh3o.default\
FF - prefs.js: network.proxy.ftp - 218.248.240.190
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 218.248.240.190
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.socks - 218.248.240.190
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 218.248.240.190
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50000
FF - prefs.js: network.proxy.type - 1

RenV::
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Lexmark Fax Solutions\fm3032 .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\program files\Synaptics\SynTP\SynTPLpr .exe
c:\windows\caxchg .exe
c:\windows\shicoxp .exe

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

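As an added defender-side example (not ComboFix's code or the helper's), the following Python triages ComboFix-style log lines for the three patterns the CFScript above removes: Run-key values whose image impersonates a Windows binary outside system32 or has no date/size recorded ([N/A]), Firefox network.proxy.* prefs set to a manual proxy, and legitimate programs renamed with a space before .exe (the RenV:: list). The sample lines are copied from the log posted in this thread; the SYSTEM32_ONLY name list is an assumption.

```python
"""Triage of ComboFix-style log lines (added example; not ComboFix's or the
forum helper's code).  Flags the three patterns the CFScript above removes."""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: binaries that on Windows XP live only under system32.  A copy of
# one of these names anywhere else (c:\windows\lsass.exe) is an impostor.
SYSTEM32_ONLY = {
    "lsass.exe", "spoolsv.exe", "taskmgr.exe", "cmd.exe", "mdm.exe",
    "svchost.exe", "services.exe", "winlogon.exe", "userinit.exe",
}

# "Name"="c:\path\image.exe" [2010-12-10 247144]   or   [N/A]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<sig>[^\]]*)\]$')
# FF - prefs.js: network.proxy.http - 127.0.0.1
FF_PREF = re.compile(r'^FF - prefs\.js: (?P<key>network\.proxy\.\S+) - (?P<val>\S+)$')
# c:\windows\caxchg .exe  (legitimate file renamed with a space before .exe)
RENAMED = re.compile(r'^(?P<path>[a-z]:\\.+\S) \.exe$', re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    detail: str


def check_run_value(name, path, sig):
    """One Run-key value: impostor of a system32 binary, or an image with no
    date/size recorded ([N/A], as ComboFix printed for the dropped files)."""
    folder, _, image = path.lower().rpartition("\\")
    if image in SYSTEM32_ONLY and not folder.endswith("\\system32"):
        return Finding("impostor-binary", f"{name}: {image} runs from {folder}, not system32")
    if sig.upper() == "N/A":
        return Finding("unstattable-autostart", f"{name}: no date/size for {path}")
    return None


def check_proxy(prefs):
    """Report every proxy host when Firefox is set to a manual proxy (type 1).
    A public address, or a loopback port nothing legitimate listens on, both
    point at traffic interception."""
    if prefs.get("network.proxy.type") != "1":
        return []
    findings = []
    for key, host in sorted(prefs.items()):
        if key == "network.proxy.type" or key.endswith("_port"):
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            where = "hostname"
        else:
            where = "loopback" if addr.is_loopback else "public" if addr.is_global else "private"
        port = prefs.get(key + "_port", "?")
        findings.append(Finding("proxy-hijack", f"{key} -> {host}:{port} ({where})"))
    return findings


def triage(lines):
    """Run all checks over a list of log lines and return the findings."""
    findings, proxy = [], {}
    for raw in lines:
        line = raw.strip()
        if m := RUN_VALUE.match(line):
            if found := check_run_value(m["name"], m["path"], m["sig"]):
                findings.append(found)
        elif m := FF_PREF.match(line):
            proxy[m["key"]] = m["val"]
        elif m := RENAMED.match(line):
            findings.append(Finding("renamed-original",
                                    f"{line} displaced; impostor expected at {m['path']}.exe"))
    findings.extend(check_proxy(proxy))
    return findings


# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-12-10 247144]
"4E3E0230AEBB4E96"="c:\recycle.bin\Recycle.Bin.exe" [N/A]
"MKbuqc"="c:\windows\iexplarer.exe" [N/A]
"MKcuc"="c:\windows\lsass.exe" [N/A]
"MKaZ"="c:\windows\cmd.exe" [N/A]
FF - prefs.js: network.proxy.ftp - 218.248.240.190
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50000
FF - prefs.js: network.proxy.type - 1
c:\program files\iTunes\iTunesHelper .exe
c:\windows\caxchg .exe
""".strip("\n").splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```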

Done!

ComboFix 11-04-20.04 - amason 04/22/2011 10:08:56.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.660 [GMT -7:00]

Running from: c:\documents and settings\amason\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\amason\Desktop\CFScript.txt

AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

.

FILE ::

"c:\windows\system32\lmqj.exe"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\lmqj.exe

.

c:\windows\system32\drivers\beep.sys was missing

Restored copy from - c:\windows\system32\dllcache\beep.sys

.

.

((((((((((((((((((((((((( Files Created from 2011-03-22 to 2011-04-22 )))))))))))))))))))))))))))))))

.

.

2011-04-22 17:15 . 2003-03-31 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys

2011-04-22 17:15 . 2003-03-31 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys

2011-04-11 01:08 . 2011-04-11 01:08 -------- d--h--w- c:\windows\PIF

2011-04-10 22:02 . 2011-04-10 22:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FaxCtr

2011-04-10 22:02 . 2011-04-11 01:10 -------- d-----w- C:\Temp

2011-04-08 05:55 . 2003-03-31 12:00 4224 ----a-w- c:\windows\system32\beep.sys

2011-04-08 05:55 . 2011-04-08 05:55 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-04-08 05:21 . 2011-04-08 05:21 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2011-04-07 01:21 . 2011-04-07 01:21 215552 ----a-w- c:\windows\system32\itlpfw32.dll.vir

2011-04-07 01:11 . 2011-04-07 01:11 -------- d--h--w- c:\documents and settings\amason\Application Data\Malwarebytes

2011-04-07 01:11 . 2011-04-07 01:11 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-04-07 01:11 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-07 01:11 . 2011-04-07 01:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-07 01:11 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 13:53 . 2003-03-31 12:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2003-03-31 12:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2009-10-20 06:54 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2009-10-20 06:54 677888 ----a-w- c:\windows\system32\mstsc.exe

.

.

((((((((((((((((((((((((((((( SnapShot@2011-04-21_22.36.07 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-04-22 16:59 . 2011-04-22 16:59 16384 c:\windows\temp\Perflib_Perfdata_594.dat

+ 2009-07-24 00:54 . 2003-03-06 18:42 40960 c:\windows\shicoxp.exe

+ 2009-07-24 00:54 . 2003-04-02 00:16 36864 c:\windows\caxchg.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-12-10 247144]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 65536]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-7-17 113664]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="userinit.exe"

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]

2002-10-04 01:50 684032 ------w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-02-28 00:10 35696 ------w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]

2006-02-07 05:10 98304 ------w- c:\program files\Lexmark 2400 Series\ezprint.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]

2003-02-10 22:34 90112 ------r- c:\windows\GWMDMMSG.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2003-10-02 21:19 118784 ------w- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2003-10-02 21:37 155648 ------w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-27 00:18 413696 ------w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-07-31 23:51 148888 ------w- c:\program files\Java\jre6\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=

"c:\\Documents and Settings\\amason\\My Documents\\Downloads\\winscp419.exe"=

"c:\\Program Files\\Allaire\\HomeSite 4.5\\homesite45.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010.SP1d\\RpcAgentSrv.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010.SP1d\\WNt500x86\\RpcSandraSrv.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"<NO NAME>"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1205000.07D\symds.sys [1/6/2011 8:29 PM 340016]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1205000.07D\symefa.sys [1/6/2011 8:29 PM 652336]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110419.001\BHDrvx86.sys [4/15/2011 1:29 PM 802936]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1205000.07D\ironx86.sys [1/6/2011 8:29 PM 136312]

R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccsvchst.exe [1/6/2011 8:28 PM 130000]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [12/10/2010 5:29 AM 92008]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/10/2011 6:38 PM 102448]

R3 FLASHREADER;USB Reader;c:\windows\system32\drivers\camusb.sys [7/23/2009 5:54 PM 25600]

S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110421.001\IDSXpx86.sys [4/21/2011 10:43 PM 341944]

S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2010.SP1d\RpcAgentSrv.exe [5/9/2010 9:32 PM 93336]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - SymEvent

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

itlsvc REG_MULTI_SZ itlperf

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.xfinity.com/?cid=xfactiv_eg_self_main

mWindow Title = Windows Internet Explorer provided by Comcast

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll

FF - ProfilePath - c:\documents and settings\amason\Application Data\Mozilla\Firefox\Profiles\77g6mh3o.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\IPSFFPlgn

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\amason\Application Data\Move Networks

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Ad blocker: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C} - %profile%\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}

FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast, Creative ZENcast v2.01.01);user_pref(general.useragent.extra.zencast,

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-Windows Media Player ACM - c:\documents and settings\amason\Application Data\Microsoft\Windows Media\12.0\wmpacm .exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-22 10:42

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16

Windows Media Player ACM = c:\documents and settings\amason\Application Data\Microsoft\Windows Media\12.0\wmpacm .exe

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3528)

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\l3codecx.acm

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\windows\System32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\lxcrcoms.exe

c:\program files\Norton AntiVirus\Engine\18.5.0.125\hsplayer.exe

.

**************************************************************************

.

Completion time: 2011-04-22 10:48:31 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-22 17:48

ComboFix2.txt 2011-04-22 07:38

ComboFix3.txt 2011-04-21 22:40

.

Pre-Run: 8,622,981,120 bytes free

Post-Run: 8,606,953,472 bytes free

.

- - End Of File - - E60B685672F717A6B865CC7D7D8C439E

Well, we're not in good shape. I had to uninstall and reinstall MBAM for it to update, which it did. Then, I uninstalled and reinstalled Java successfully.

However, Norton was not working/couldn't turn itself on. So, I uninstalled it completely.

Windows Update will not work from any angle. I'm still getting pop-ups and a process called Skype Contacts or something.

I installed IE8 (only had IE6 before), hoping to solve the problem. I have a svchost.exe running a lot of mem and CPU.

That's all for now.

Thanks!!!

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6435

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

4/24/2011 5:57:40 PM

mbam-log-2011-04-24 (17-57-40).txt

Scan type: Full scan (C:\|)

Objects scanned: 273688

Time elapsed: 25 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 18

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Q7NZMT7RLB (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\TBXQRHV4KR (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Qoobox\quarantine\C\documents and settings\amason\application data\microsoft\conhost.exe.vir (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\Recycle.Bin\recycle.bin.exe.vir (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\WINDOWS\avp32.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\WINDOWS\cmd.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\WINDOWS\drweb.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\WINDOWS\iexplarer.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\WINDOWS\login.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\WINDOWS\lsass.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\WINDOWS\mdm.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\WINDOWS\morerv.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\WINDOWS\setup.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\WINDOWS\spoolsv.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\WINDOWS\sysmgm.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\WINDOWS\taskmgr.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\WINDOWS\user.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\WINDOWS\win.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\WINDOWS\temp\jmps\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\itlpfw32.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

Sure, deleted, and rerun. Results below. Btw, I am unable to connect to any networking through Windows. I have been booting in Ubuntu, downloading things, like ComboFix, and then saving them in the Windows partition. Then, booting in Windows and running from there.

I am thinking that there was some proxy that the virus set up that everything was running through. Is there a way to reinstall all the networking components?

And on that note, if we get rid of all traces of the virus, there are still things that are messed up... sound card, various services on/off that weren't before, and program icons that have disappeared. Is there any way to tell what damage was done, or do I just have to figure that all out as I notice it?

Thanks again!

Alan

ComboFix 11-04-25.02 - amason 04/25/2011 22:23:13.4.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.677 [GMT -7:00]

Running from: c:\documents and settings\amason\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

.

((((((((((((((((((((((((( Files Created from 2011-03-26 to 2011-04-26 )))))))))))))))))))))))))))))))

.

.

2011-04-25 06:07 . 2011-04-25 06:07 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-04-25 05:50 . 2011-04-25 05:50 -------- d-----w- c:\documents and settings\amason\Application Data\Avira

2011-04-25 05:44 . 2011-04-25 05:44 -------- d-----w- c:\program files\Avira

2011-04-25 05:44 . 2011-04-25 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-04-25 05:44 . 2011-03-04 23:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-04-25 05:44 . 2011-03-04 21:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-04-25 05:44 . 2010-06-17 21:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-04-25 05:44 . 2010-06-17 21:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-04-25 01:33 . 2011-04-25 01:33 -------- d-sh--w- c:\documents and settings\amason\PrivacIE

2011-04-25 01:32 . 2011-04-25 01:32 -------- d-sh--w- c:\documents and settings\amason\IETldCache

2011-04-25 01:32 . 2011-04-25 01:32 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-04-25 01:21 . 2011-04-25 01:21 -------- d--h--w- c:\windows\msdownld.tmp

2011-04-25 01:16 . 2011-04-25 01:19 -------- dc-h--w- c:\windows\ie8

2011-04-25 01:04 . 2011-04-25 01:04 -------- d-----w- c:\program files\Common Files\Java

2011-04-25 01:04 . 2011-04-25 01:01 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

2011-04-25 01:04 . 2011-04-25 01:01 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-04-25 01:04 . 2011-04-25 01:01 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-24 22:40 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-24 22:40 . 2011-04-24 22:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-24 22:40 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-22 17:15 . 2003-03-31 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys

2011-04-22 17:15 . 2003-03-31 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys

2011-04-11 01:08 . 2011-04-11 01:08 -------- d--h--w- c:\windows\PIF

2011-04-10 22:02 . 2011-04-10 22:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FaxCtr

2011-04-10 22:02 . 2011-04-11 01:10 -------- d-----w- C:\Temp

2011-04-08 05:55 . 2003-03-31 12:00 4224 ----a-w- c:\windows\system32\beep.sys

2011-04-08 05:55 . 2011-04-08 05:55 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-04-08 05:21 . 2011-04-08 05:21 -------- d-sh--w- c:\documents and settings\NetworkService\UserData

2011-04-07 01:11 . 2011-04-07 01:11 -------- d--h--w- c:\documents and settings\amason\Application Data\Malwarebytes

2011-04-07 01:11 . 2011-04-07 01:11 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 13:53 . 2003-03-31 12:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2003-03-31 12:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2009-10-20 06:54 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2009-10-20 06:54 677888 ----a-w- c:\windows\system32\mstsc.exe

.

.

((((((((((((((((((((((((((((( SnapShot@2011-04-21_22.36.07 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-12 07:02 . 2009-07-12 07:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll

+ 2009-07-12 07:02 . 2009-07-12 07:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll

+ 2009-07-12 07:02 . 2009-07-12 07:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll

+ 2009-07-12 07:02 . 2009-07-12 07:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll

+ 2009-07-12 07:02 . 2009-07-12 07:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll

+ 2009-07-12 07:02 . 2009-07-12 07:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll

+ 2009-07-12 07:02 . 2009-07-12 07:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll

+ 2009-07-12 07:02 . 2009-07-12 07:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll

+ 2009-07-12 07:02 . 2009-07-12 07:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll

+ 2009-07-12 07:02 . 2009-07-12 07:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll

+ 2009-07-12 07:02 . 2009-07-12 07:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll

+ 2009-07-12 07:02 . 2009-07-12 07:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll

+ 2009-07-12 07:05 . 2009-07-12 07:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll

+ 2009-07-12 07:05 . 2009-07-12 07:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll

+ 2011-04-26 05:15 . 2011-04-26 05:15 16384 c:\windows\temp\Perflib_Perfdata_66c.dat

- 2009-07-17 15:25 . 2009-08-07 03:24 44768 c:\windows\system32\wups2.dll

+ 2009-07-17 15:25 . 2009-08-07 02:24 44768 c:\windows\system32\wups2.dll

+ 2009-07-17 15:25 . 2009-08-07 02:24 35552 c:\windows\system32\wups.dll

- 2009-07-17 15:25 . 2009-08-07 03:24 35552 c:\windows\system32\wups.dll

+ 2009-10-20 06:54 . 2009-08-07 02:24 53472 c:\windows\system32\wuauclt.exe

- 2009-10-20 06:54 . 2009-08-07 03:24 53472 c:\windows\system32\wuauclt.exe

+ 2009-07-17 15:28 . 2009-01-08 01:21 26144 c:\windows\system32\spupdsvc.exe

+ 2009-07-17 15:27 . 2009-01-08 01:20 16928 c:\windows\system32\spmsg.dll

- 2009-11-06 19:14 . 2009-08-07 03:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll

+ 2009-11-06 19:14 . 2009-08-07 02:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll

- 2009-11-06 19:14 . 2009-08-07 03:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll

+ 2009-11-06 19:14 . 2009-08-07 02:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll

+ 2003-03-31 12:00 . 2009-03-08 11:31 46592 c:\windows\system32\pngfilt.dll

+ 2003-03-31 12:00 . 2011-04-24 22:37 67714 c:\windows\system32\perfc009.dat

- 2003-03-31 12:00 . 2011-03-15 04:54 67714 c:\windows\system32\perfc009.dat

- 2006-06-29 15:05 . 2006-06-29 15:05 23552 c:\windows\system32\normaliz.dll

+ 2006-06-29 15:05 . 2009-01-08 01:20 23552 c:\windows\system32\normaliz.dll

- 2006-06-29 00:59 . 2006-06-29 00:59 24576 c:\windows\system32\nlsdl.dll

+ 2006-06-29 00:59 . 2009-01-08 01:20 24576 c:\windows\system32\nlsdl.dll

+ 2003-03-31 12:00 . 2009-03-08 11:31 48128 c:\windows\system32\mshtmler.dll

+ 2003-03-31 12:00 . 2009-03-08 11:31 66560 c:\windows\system32\mshtmled.dll

+ 2003-03-31 12:00 . 2009-03-08 11:31 45568 c:\windows\system32\mshta.exe

+ 2007-08-14 01:36 . 2009-03-08 11:31 13312 c:\windows\system32\msfeedssync.exe

+ 2007-08-14 01:54 . 2009-03-08 11:31 55296 c:\windows\system32\msfeedsbs.dll

+ 2003-03-31 12:00 . 2009-03-08 11:34 43008 c:\windows\system32\licmgr10.dll

+ 2003-03-31 12:00 . 2009-03-08 11:33 25600 c:\windows\system32\jsproxy.dll

+ 2003-03-31 12:00 . 2009-03-08 11:32 94720 c:\windows\system32\inseng.dll

+ 2003-03-31 12:00 . 2009-03-08 11:31 34816 c:\windows\system32\imgutil.dll

+ 2007-08-14 01:39 . 2009-03-08 11:32 36864 c:\windows\system32\ieudinit.exe

+ 2003-03-31 12:00 . 2009-03-08 11:32 71680 c:\windows\system32\iesetup.dll

+ 2003-03-31 12:00 . 2009-03-08 11:32 55808 c:\windows\system32\iernonce.dll

+ 2006-06-29 15:05 . 2009-01-08 01:20 26112 c:\windows\system32\idndl.dll

- 2006-06-29 15:05 . 2006-06-29 15:05 26112 c:\windows\system32\idndl.dll

+ 2007-08-14 01:36 . 2009-03-08 11:31 59904 c:\windows\system32\icardie.dll

+ 2011-04-25 05:44 . 2010-06-17 21:27 28520 c:\windows\system32\drivers\ssmdrv.sys

- 2009-07-17 15:25 . 2009-08-07 03:24 35552 c:\windows\system32\dllcache\wups.dll

+ 2009-07-17 15:25 . 2009-08-07 02:24 35552 c:\windows\system32\dllcache\wups.dll

+ 2009-10-20 06:54 . 2009-08-07 02:24 53472 c:\windows\system32\dllcache\wuauclt.exe

- 2009-10-20 06:54 . 2009-08-07 03:24 53472 c:\windows\system32\dllcache\wuauclt.exe

+ 2009-03-08 11:31 . 2009-03-08 11:31 46592 c:\windows\system32\dllcache\pngfilt.dll

+ 2009-03-08 11:31 . 2009-03-08 11:31 48128 c:\windows\system32\dllcache\mshtmler.dll

+ 2010-09-09 14:16 . 2009-03-08 11:31 66560 c:\windows\system32\dllcache\mshtmled.dll

+ 2009-03-08 11:31 . 2009-03-08 11:31 45568 c:\windows\system32\dllcache\mshta.exe

+ 2009-03-08 11:34 . 2009-03-08 11:34 43008 c:\windows\system32\dllcache\licmgr10.dll

+ 2009-03-08 11:33 . 2009-03-08 11:33 25600 c:\windows\system32\dllcache\jsproxy.dll

+ 2009-03-08 11:32 . 2009-03-08 11:32 94720 c:\windows\system32\dllcache\inseng.dll

+ 2009-03-08 11:31 . 2009-03-08 11:31 34816 c:\windows\system32\dllcache\imgutil.dll

+ 2009-03-08 11:32 . 2009-03-08 11:32 71680 c:\windows\system32\dllcache\iesetup.dll

+ 2009-03-08 11:32 . 2009-03-08 11:32 55808 c:\windows\system32\dllcache\iernonce.dll

+ 2009-03-08 11:24 . 2009-03-08 11:24 68608 c:\windows\system32\dllcache\hmmapi.dll

+ 2009-03-08 11:33 . 2009-03-08 11:33 18944 c:\windows\system32\dllcache\corpol.dll

+ 2003-03-31 12:00 . 2009-08-07 02:24 96480 c:\windows\system32\dllcache\cdm.dll

- 2003-03-31 12:00 . 2009-08-07 03:24 96480 c:\windows\system32\dllcache\cdm.dll

+ 2009-03-08 11:32 . 2009-03-08 11:32 72704 c:\windows\system32\dllcache\admparse.dll

+ 2003-03-31 12:00 . 2009-03-08 11:33 18944 c:\windows\system32\corpol.dll

+ 2009-07-17 15:04 . 2011-04-26 05:15 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-07-17 15:04 . 2010-02-25 20:26 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-07-17 15:04 . 2011-04-26 05:15 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-07-17 15:04 . 2010-02-25 20:26 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-07-17 15:04 . 2010-02-25 20:26 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2011-04-22 20:21 . 2011-04-26 05:15 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2003-03-31 12:00 . 2009-08-07 02:24 96480 c:\windows\system32\cdm.dll

- 2003-03-31 12:00 . 2009-08-07 03:24 96480 c:\windows\system32\cdm.dll

+ 2003-03-31 12:00 . 2009-03-08 11:32 72704 c:\windows\system32\admparse.dll

+ 2009-07-24 00:54 . 2003-03-06 18:42 40960 c:\windows\shicoxp.exe

+ 2011-04-25 01:16 . 2008-04-14 00:12 37888 c:\windows\ie8\url.dll

+ 2011-04-25 01:19 . 2009-03-08 21:23 58464 c:\windows\ie8\spuninst\iecustom.dll

+ 2011-04-25 01:16 . 2008-04-14 00:12 39424 c:\windows\ie8\pngfilt.dll

+ 2011-04-25 01:16 . 2008-04-14 00:12 96256 c:\windows\ie8\occache.dll

+ 2011-04-25 01:16 . 2008-04-13 16:26 56832 c:\windows\ie8\mshtmler.dll

+ 2011-04-25 01:16 . 2008-04-14 00:12 29184 c:\windows\ie8\mshta.exe

+ 2011-04-25 01:16 . 2007-08-14 01:36 12288 c:\windows\ie8\msfeedssync.exe

+ 2011-04-25 01:16 . 2009-04-29 04:55 52224 c:\windows\ie8\msfeedsbs.dll

+ 2011-04-25 01:16 . 2008-04-14 00:11 22016 c:\windows\ie8\licmgr10.dll

+ 2011-04-25 01:16 . 2008-04-14 00:11 15872 c:\windows\ie8\jsproxy.dll

+ 2011-04-25 01:16 . 2008-04-14 00:11 96256 c:\windows\ie8\inseng.dll

+ 2011-04-25 01:16 . 2008-04-14 00:11 35840 c:\windows\ie8\imgutil.dll

+ 2011-04-25 01:16 . 2008-04-14 00:12 93184 c:\windows\ie8\iexplore.exe

+ 2011-04-25 01:16 . 2008-04-14 00:11 62976 c:\windows\ie8\iesetup.dll

+ 2011-04-25 01:16 . 2008-04-14 00:11 48640 c:\windows\ie8\iernonce.dll

+ 2011-04-25 01:16 . 2010-12-20 22:15 81920 c:\windows\ie8\ieencode.dll

+ 2011-04-25 01:16 . 2008-04-14 00:12 34304 c:\windows\ie8\ie4uinit.exe

+ 2011-04-25 01:16 . 2009-04-29 04:55 63488 c:\windows\ie8\icardie.dll

+ 2011-04-25 01:16 . 2008-04-14 00:11 38912 c:\windows\ie8\hmmapi.dll

+ 2011-04-25 01:16 . 2008-04-14 00:11 35328 c:\windows\ie8\corpol.dll

+ 2011-04-25 01:16 . 2008-04-14 00:11 99840 c:\windows\ie8\advpack.dll

+ 2011-04-25 01:16 . 2008-04-14 00:11 61440 c:\windows\ie8\admparse.dll

+ 2009-07-24 00:54 . 2003-04-02 00:16 36864 c:\windows\caxchg.exe

+ 2009-07-12 07:02 . 2009-07-12 07:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll

+ 2009-07-12 07:02 . 2009-07-12 07:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll

+ 2009-07-12 07:05 . 2009-07-12 07:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll

+ 2009-07-19 17:49 . 2009-01-08 01:21 121856 c:\windows\system32\xmllite.dll

- 2009-07-19 17:49 . 2008-04-14 00:12 121856 c:\windows\system32\xmllite.dll

- 2008-10-16 21:12 . 2009-08-07 03:24 209632 c:\windows\system32\wuweb.dll

+ 2008-10-16 21:12 . 2009-08-07 02:24 209632 c:\windows\system32\wuweb.dll

- 2009-07-17 15:25 . 2009-08-07 03:24 327896 c:\windows\system32\wucltui.dll

+ 2009-07-17 15:25 . 2009-08-07 02:24 327896 c:\windows\system32\wucltui.dll

+ 2009-07-17 15:24 . 2009-08-07 02:23 575704 c:\windows\system32\wuapi.dll

- 2009-07-17 15:24 . 2009-08-07 03:23 575704 c:\windows\system32\wuapi.dll

+ 2003-03-31 12:00 . 2009-03-08 11:34 914944 c:\windows\system32\wininet.dll

+ 2007-08-14 01:45 . 2009-03-08 11:34 208384 c:\windows\system32\WinFXDocObj.exe

+ 2003-03-31 12:00 . 2009-03-08 11:34 236544 c:\windows\system32\webcheck.dll

+ 2003-03-31 12:00 . 2009-03-08 11:33 420352 c:\windows\system32\vbscript.dll

+ 2003-03-31 12:00 . 2009-03-08 11:34 105984 c:\windows\system32\url.dll

- 2003-03-31 12:00 . 2011-03-15 04:54 432924 c:\windows\system32\perfh009.dat

+ 2003-03-31 12:00 . 2011-04-24 22:37 432924 c:\windows\system32\perfh009.dat

+ 2003-03-31 12:00 . 2009-03-08 11:34 109568 c:\windows\system32\occache.dll

+ 2003-03-31 12:00 . 2009-03-08 11:32 611840 c:\windows\system32\mstime.dll

+ 2003-03-31 12:00 . 2009-03-08 11:34 193536 c:\windows\system32\msrating.dll

+ 2003-03-31 12:00 . 2009-03-08 11:22 156160 c:\windows\system32\msls31.dll

+ 2007-08-14 01:54 . 2009-03-08 11:32 594432 c:\windows\system32\msfeeds.dll

+ 2009-01-08 01:20 . 2009-01-08 01:20 265720 c:\windows\system32\msdbg2.dll

+ 2003-03-31 12:00 . 2009-03-08 11:33 726528 c:\windows\system32\jscript.dll

+ 2011-04-25 01:04 . 2011-04-25 01:01 157472 c:\windows\system32\javaws.exe

+ 2011-04-25 01:04 . 2011-04-25 01:01 145184 c:\windows\system32\javaw.exe

+ 2011-04-25 01:04 . 2011-04-25 01:01 145184 c:\windows\system32\java.exe

+ 2007-08-14 01:54 . 2009-03-08 11:22 164352 c:\windows\system32\ieui.dll

+ 2003-03-31 12:00 . 2009-03-08 11:31 183808 c:\windows\system32\iepeers.dll

+ 2003-03-31 12:00 . 2009-03-08 21:09 391536 c:\windows\system32\iedkcs32.dll

+ 2007-07-11 19:27 . 2009-03-08 11:11 445952 c:\windows\system32\ieapfltr.dll

+ 2003-03-31 12:00 . 2009-03-08 11:32 163840 c:\windows\system32\ieakui.dll

+ 2003-03-31 12:00 . 2009-03-08 11:33 229376 c:\windows\system32\ieaksie.dll

+ 2003-03-31 12:00 . 2009-03-08 11:33 125952 c:\windows\system32\ieakeng.dll

+ 2003-03-31 12:00 . 2009-03-08 11:32 173056 c:\windows\system32\ie4uinit.exe

+ 2003-03-31 12:00 . 2009-03-08 11:31 216064 c:\windows\system32\dxtrans.dll

+ 2003-03-31 12:00 . 2009-03-08 11:31 348160 c:\windows\system32\dxtmsft.dll

- 2008-10-16 21:12 . 2009-08-07 03:24 209632 c:\windows\system32\dllcache\wuweb.dll

+ 2008-10-16 21:12 . 2009-08-07 02:24 209632 c:\windows\system32\dllcache\wuweb.dll

- 2009-07-17 15:25 . 2009-08-07 03:24 327896 c:\windows\system32\dllcache\wucltui.dll

+ 2009-07-17 15:25 . 2009-08-07 02:24 327896 c:\windows\system32\dllcache\wucltui.dll

- 2009-07-17 15:24 . 2009-08-07 03:23 575704 c:\windows\system32\dllcache\wuapi.dll

+ 2009-07-17 15:24 . 2009-08-07 02:23 575704 c:\windows\system32\dllcache\wuapi.dll

+ 2009-09-25 05:37 . 2009-03-08 11:34 914944 c:\windows\system32\dllcache\wininet.dll

+ 2009-03-08 11:34 . 2009-03-08 11:34 236544 c:\windows\system32\dllcache\webcheck.dll

+ 2009-03-08 11:33 . 2009-03-08 11:33 759296 c:\windows\system32\dllcache\VGX.dll

+ 2008-05-09 10:53 . 2009-03-08 11:33 420352 c:\windows\system32\dllcache\vbscript.dll

+ 2009-03-08 11:34 . 2009-03-08 11:34 105984 c:\windows\system32\dllcache\url.dll

+ 2009-01-08 01:20 . 2009-01-08 01:20 134144 c:\windows\system32\dllcache\sqmapi.dll

+ 2009-03-08 11:34 . 2009-03-08 11:34 109568 c:\windows\system32\dllcache\occache.dll

+ 2010-12-20 22:15 . 2009-03-08 11:32 611840 c:\windows\system32\dllcache\mstime.dll

+ 2009-03-08 11:34 . 2009-03-08 11:34 193536 c:\windows\system32\dllcache\msrating.dll

+ 2003-03-31 12:00 . 2009-03-08 11:22 156160 c:\windows\system32\dllcache\msls31.dll

+ 2009-10-21 21:46 . 2009-03-08 11:33 726528 c:\windows\system32\dllcache\jscript.dll

+ 2009-03-08 21:09 . 2009-03-08 21:09 638816 c:\windows\system32\dllcache\iexplore.exe

+ 2010-04-16 16:09 . 2009-03-08 11:31 183808 c:\windows\system32\dllcache\iepeers.dll

+ 2009-03-08 21:09 . 2009-03-08 21:09 391536 c:\windows\system32\dllcache\iedkcs32.dll

+ 2003-03-31 12:00 . 2009-03-08 11:32 163840 c:\windows\system32\dllcache\ieakui.dll

+ 2009-03-08 11:33 . 2009-03-08 11:33 229376 c:\windows\system32\dllcache\ieaksie.dll

+ 2009-03-08 11:33 . 2009-03-08 11:33 125952 c:\windows\system32\dllcache\ieakeng.dll

+ 2009-03-08 11:32 . 2009-03-08 11:32 173056 c:\windows\system32\dllcache\ie4uinit.exe

+ 2009-03-08 11:31 . 2009-03-08 11:31 216064 c:\windows\system32\dllcache\dxtrans.dll

+ 2009-03-08 11:31 . 2009-03-08 11:31 348160 c:\windows\system32\dllcache\dxtmsft.dll

+ 2009-03-08 11:32 . 2009-03-08 11:32 128512 c:\windows\system32\dllcache\advpack.dll

+ 2003-03-31 12:00 . 2009-03-08 11:32 128512 c:\windows\system32\advpack.dll

+ 2011-04-25 05:42 . 2011-04-25 05:42 219648 c:\windows\Installer\1d3dd2.msi

+ 2011-04-25 01:04 . 2011-04-25 01:04 180224 c:\windows\Installer\142a0.msi

+ 2011-04-25 01:00 . 2011-04-25 01:00 677376 c:\windows\Installer\1429b.msi

+ 2011-04-25 01:16 . 2010-12-20 22:15 667136 c:\windows\ie8\wininet.dll

+ 2011-04-25 01:16 . 2007-08-14 01:45 206336 c:\windows\ie8\winfxdocobj.exe

+ 2011-04-25 01:16 . 2008-04-14 00:12 276480 c:\windows\ie8\webcheck.dll

+ 2011-04-25 01:16 . 2008-04-14 00:12 851968 c:\windows\ie8\vgx.dll

+ 2011-04-25 01:16 . 2010-03-09 11:09 430080 c:\windows\ie8\vbscript.dll

+ 2011-04-25 01:16 . 2010-12-20 22:15 629760 c:\windows\ie8\urlmon.dll

+ 2011-04-25 01:19 . 2009-01-08 01:21 382496 c:\windows\ie8\spuninst\updspapi.dll

+ 2011-04-25 01:19 . 2009-01-08 01:20 231456 c:\windows\ie8\spuninst\spuninst.exe

+ 2011-04-25 01:16 . 2006-09-07 00:43 213216 c:\windows\ie8\spuninst.exe

+ 2011-04-25 01:16 . 2010-12-20 22:15 532480 c:\windows\ie8\mstime.dll

+ 2011-04-25 01:16 . 2008-04-14 00:12 146432 c:\windows\ie8\msrating.dll

+ 2011-04-25 01:16 . 2003-03-31 12:00 146432 c:\windows\ie8\msls31.dll

+ 2011-04-25 01:16 . 2010-12-20 22:15 449024 c:\windows\ie8\mshtmled.dll

+ 2011-04-25 01:16 . 2009-04-29 04:55 459264 c:\windows\ie8\msfeeds.dll

+ 2011-04-25 01:16 . 2009-08-13 15:16 512000 c:\windows\ie8\jscript.dll

+ 2011-04-25 01:16 . 2007-08-14 01:54 180736 c:\windows\ie8\ieui.dll

+ 2011-04-25 01:16 . 2009-04-29 04:55 268288 c:\windows\ie8\iertutil.dll

+ 2011-04-25 01:16 . 2007-08-14 01:54 287744 c:\windows\ie8\ieproxy.dll

+ 2011-04-25 01:16 . 2010-12-20 22:15 251904 c:\windows\ie8\iepeers.dll

+ 2011-04-25 01:16 . 2008-04-14 00:11 323584 c:\windows\ie8\iedkcs32.dll

+ 2011-04-25 01:16 . 2009-04-29 04:55 383488 c:\windows\ie8\ieapfltr.dll

+ 2011-04-25 01:16 . 2003-03-31 12:00 221184 c:\windows\ie8\ieakui.dll

+ 2011-04-25 01:16 . 2008-04-14 00:11 216576 c:\windows\ie8\ieaksie.dll

+ 2011-04-25 01:16 . 2008-04-14 00:11 143360 c:\windows\ie8\ieakeng.dll

+ 2011-04-25 01:16 . 2008-04-14 00:11 205312 c:\windows\ie8\dxtrans.dll

+ 2011-04-25 01:16 . 2008-04-14 00:11 357888 c:\windows\ie8\dxtmsft.dll

+ 2009-07-12 07:02 . 2009-07-12 07:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll

+ 2009-07-12 07:02 . 2009-07-12 07:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll

+ 2009-10-20 06:54 . 2009-08-07 02:23 1929952 c:\windows\system32\wuaueng.dll

- 2009-10-20 06:54 . 2009-08-07 03:23 1929952 c:\windows\system32\wuaueng.dll

+ 2003-03-31 12:00 . 2009-03-08 11:34 1206784 c:\windows\system32\urlmon.dll

+ 2003-03-31 12:00 . 2009-03-08 11:41 5937152 c:\windows\system32\mshtml.dll

+ 2007-08-14 01:34 . 2009-03-08 11:32 1985024 c:\windows\system32\iertutil.dll

+ 2007-02-12 23:10 . 2009-02-07 04:07 3698584 c:\windows\system32\ieapfltr.dat

- 2009-10-20 06:54 . 2009-08-07 03:23 1929952 c:\windows\system32\dllcache\wuaueng.dll

+ 2009-10-20 06:54 . 2009-08-07 02:23 1929952 c:\windows\system32\dllcache\wuaueng.dll

+ 2009-09-25 05:37 . 2009-03-08 11:34 1206784 c:\windows\system32\dllcache\urlmon.dll

+ 2009-09-25 05:37 . 2009-03-08 11:41 5937152 c:\windows\system32\dllcache\mshtml.dll

+ 2011-04-25 01:16 . 2010-12-20 22:15 3078144 c:\windows\ie8\mshtml.dll

+ 2011-04-25 01:16 . 2009-04-29 04:55 6066176 c:\windows\ie8\ieframe.dll

+ 2011-04-25 01:16 . 2008-07-09 14:25 2455488 c:\windows\ie8\ieapfltr.dat

+ 2009-07-17 16:07 . 2011-04-07 20:52 39828936 c:\windows\system32\MRT.exe

+ 2007-08-14 01:54 . 2009-03-08 11:39 11063808 c:\windows\system32\ieframe.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-7-17 113664]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]

2002-10-04 01:50 684032 ------w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-02-28 00:10 35696 ------w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]

2006-02-07 05:10 98304 ------w- c:\program files\Lexmark 2400 Series\ezprint.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]

2003-02-10 22:34 90112 ------r- c:\windows\GWMDMMSG.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2003-10-02 21:19 118784 ------w- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2003-10-02 21:37 155648 ------w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]

2010-10-19 10:58 1439496 ------w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCRCATS]

2006-02-24 11:54 65536 ------w- c:\windows\system32\spool\drivers\w32x86\3\lxcrtime.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-27 00:18 413696 ------w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-07-31 23:51 148888 ------w- c:\program files\Java\jre6\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

2010-12-10 12:28 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=

"c:\\Documents and Settings\\amason\\My Documents\\Downloads\\winscp419.exe"=

"c:\\Program Files\\Allaire\\HomeSite 4.5\\homesite45.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010.SP1d\\RpcAgentSrv.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010.SP1d\\WNt500x86\\RpcSandraSrv.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"<NO NAME>"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/24/2011 10:44 PM 135336]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [12/10/2010 5:29 AM 92008]

R3 FLASHREADER;USB Reader;c:\windows\system32\drivers\camusb.sys [7/23/2009 5:54 PM 25600]

S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2010.SP1d\RpcAgentSrv.exe [5/9/2010 9:32 PM 93336]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - SSMDRV

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

itlsvc REG_MULTI_SZ itlperf

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mWindow Title = Windows Internet Explorer provided by Comcast

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll

FF - ProfilePath - c:\documents and settings\amason\Application Data\Mozilla\Firefox\Profiles\77g6mh3o.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: network.proxy.ftp - 192.168.1.254

FF - prefs.js: network.proxy.gopher - 192.168.1.254

FF - prefs.js: network.proxy.http - 192.168.1.254

FF - prefs.js: network.proxy.socks - 192.168.1.254

FF - prefs.js: network.proxy.ssl - 192.168.1.254

FF - prefs.js: network.proxy.type - 1

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\amason\Application Data\Move Networks

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Ad blocker: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C} - %profile%\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}

FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast, Creative ZENcast v2.01.01);user_pref(general.useragent.extra.zencast,

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-25 22:33

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(684)

c:\windows\system32\l3codecx.acm

.

- - - - - - - > 'explorer.exe'(3848)

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

.

Completion time: 2011-04-25 22:40:05

ComboFix-quarantined-files.txt 2011-04-26 05:39

ComboFix2.txt 2011-04-22 17:48

ComboFix3.txt 2011-04-22 07:38

ComboFix4.txt 2011-04-21 22:40

.

Pre-Run: 8,234,782,720 bytes free

Post-Run: 8,348,815,360 bytes free

.

- - End Of File - - F4E2CBDEF5E1D575A1A5E10326EA6B91


No, I do not have a proxy set up, or I'm not supposed to, anyway. To answer your question, I cannot download using IE. Now, I can't get online through Windows at all. Other items to note: The Waudt process is running, but I can't even open Windows Automatic Update. When I try to run it, it pops open a small IE browser for a split second, then nothing else happens.

Also, there were three instances of iexplore.exe running when I had the browser open. Not sure if this is new/typical in IE8 (I only use Firefox).

I took a screen shot of the processes running and found an "rsvp.exe" that I don't recognize.

Thanks/Alan


Please try the steps here to reset internet explorer: http://support.microsoft.com/kb/923737

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


Firefox::
FF - ProfilePath - c:\documents and settings\amason\Application Data\Mozilla\Firefox\Profiles\77g6mh3o.default\
FF - prefs.js: network.proxy.ftp - 192.168.1.254
FF - prefs.js: network.proxy.gopher - 192.168.1.254
FF - prefs.js: network.proxy.http - 192.168.1.254
FF - prefs.js: network.proxy.socks - 192.168.1.254
FF - prefs.js: network.proxy.ssl - 192.168.1.254
FF - prefs.js: network.proxy.type - 1

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
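The CFScript above tells ComboFix to drop the proxy preferences from the Firefox profile. As an added example (not code from this thread and not ComboFix's own), the Python below does the equivalent check directly on a prefs.js file: it parses the user_pref lines, reports whether a manual proxy (network.proxy.type = 1) is configured and which host it points at, and returns a copy with every network.proxy.* line removed so Firefox falls back to its default of no proxy. The prefs.js content embedded in it is constructed for the example from the values in the posted log; the function names are mine, not Firefox's.

```python
"""Audit and strip Firefox manual-proxy preferences from a prefs.js file.

Added example, not part of the forum thread or of ComboFix. The ComboFix
log in the thread showed network.proxy.* pointing at 192.168.1.254 with
network.proxy.type = 1 (manual proxy) that the user says they never set.
prefs.js consists of lines of the form
    user_pref("name", value);
where value is a quoted string, a number or true/false.
"""
import re

# One user_pref("name", value); line. Group 1 = name, group 2 = raw value.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Every manual proxy setting lives under this prefix.
PROXY_PREFIX = "network.proxy."

# Constructed sample in prefs.js format, using the values from the log.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.com");
user_pref("network.proxy.ftp", "192.168.1.254");
user_pref("network.proxy.ftp_port", 80);
user_pref("network.proxy.http", "192.168.1.254");
user_pref("network.proxy.http_port", 80);
user_pref("network.proxy.socks", "192.168.1.254");
user_pref("network.proxy.ssl", "192.168.1.254");
user_pref("network.proxy.type", 1);
user_pref("extensions.lastAppVersion", "3.6.16");
"""


def parse_prefs(text):
    """Return {name: raw_value_string} for every user_pref line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def find_proxy_prefs(text):
    """Return only the network.proxy.* entries, quotes stripped from strings."""
    return {name: raw.strip('"')
            for name, raw in parse_prefs(text).items()
            if name.startswith(PROXY_PREFIX)}


def manual_proxy_hosts(text):
    """Hosts a manual proxy points at; empty set unless proxy type is 1.

    Type 1 is Firefox's "manual proxy configuration"; any other type means
    the per-protocol host entries are ignored even if present.
    """
    proxy = find_proxy_prefs(text)
    if proxy.get("network.proxy.type") != "1":
        return set()
    protocols = ("ftp", "gopher", "http", "socks", "ssl")
    return {host for name, host in proxy.items()
            if name.split(".")[-1] in protocols and host}


def strip_proxy_prefs(text):
    """Return prefs.js text with every network.proxy.* line removed."""
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1).startswith(PROXY_PREFIX):
            continue  # drop the proxy setting, keep everything else verbatim
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    hosts = manual_proxy_hosts(SAMPLE_PREFS_JS)
    if hosts:
        print("manual proxy configured, pointing at:", ", ".join(sorted(hosts)))
    print(strip_proxy_prefs(SAMPLE_PREFS_JS))
```

Run it against a real profile only with Firefox closed: Firefox rewrites prefs.js on exit and would overwrite the edit. A proxy at a private address such as 192.168.1.254 could just as well be a router on the LAN, so the script reports what it finds rather than deciding for you; the decisive fact in the thread is that the user never configured one.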


Sure,

ComboFix 11-04-25.02 - amason 04/28/2011 18:01:05.5.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.659 [GMT -7:00]

Running from: c:\documents and settings\amason\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\amason\Desktop\CFScript.txt

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-29 )))))))))))))))))))))))))))))))

.

.

2011-04-25 06:07 . 2011-04-25 06:07 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-04-25 05:50 . 2011-04-25 05:50 -------- d-----w- c:\documents and settings\amason\Application Data\Avira

2011-04-25 05:44 . 2011-04-25 05:44 -------- d-----w- c:\program files\Avira

2011-04-25 05:44 . 2011-04-25 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-04-25 05:44 . 2011-03-04 23:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-04-25 05:44 . 2011-03-04 21:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-04-25 05:44 . 2010-06-17 21:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-04-25 05:44 . 2010-06-17 21:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-04-25 01:33 . 2011-04-25 01:33 -------- d-sh--w- c:\documents and settings\amason\PrivacIE

2011-04-25 01:32 . 2011-04-25 01:32 -------- d-sh--w- c:\documents and settings\amason\IETldCache

2011-04-25 01:32 . 2011-04-25 01:32 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-04-25 01:21 . 2011-04-25 01:21 -------- d--h--w- c:\windows\msdownld.tmp

2011-04-25 01:16 . 2011-04-25 01:19 -------- dc-h--w- c:\windows\ie8

2011-04-25 01:04 . 2011-04-25 01:04 -------- d-----w- c:\program files\Common Files\Java

2011-04-25 01:04 . 2011-04-25 01:01 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

2011-04-25 01:04 . 2011-04-25 01:01 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-04-25 01:04 . 2011-04-25 01:01 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-24 22:40 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-24 22:40 . 2011-04-24 22:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-24 22:40 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-22 17:15 . 2003-03-31 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys

2011-04-22 17:15 . 2003-03-31 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys

2011-04-11 01:08 . 2011-04-11 01:08 -------- d--h--w- c:\windows\PIF

2011-04-10 22:02 . 2011-04-10 22:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FaxCtr

2011-04-10 22:02 . 2011-04-11 01:10 -------- d-----w- C:\Temp

2011-04-08 05:55 . 2003-03-31 12:00 4224 ----a-w- c:\windows\system32\beep.sys

2011-04-08 05:55 . 2011-04-08 05:55 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-04-08 05:21 . 2011-04-08 05:21 -------- d-sh--w- c:\documents and settings\NetworkService\UserData

2011-04-07 01:11 . 2011-04-07 01:11 -------- d--h--w- c:\documents and settings\amason\Application Data\Malwarebytes

2011-04-07 01:11 . 2011-04-07 01:11 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 13:53 . 2003-03-31 12:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2003-03-31 12:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2009-10-20 06:54 2067456 ----a-w- c:\windows\system32\mstscax.dll

.

.

((((((((((((((((((((((((((((( SnapShot_2011-04-26_05.33.48 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-04-29 00:49 . 2011-04-29 00:49 16384 c:\windows\temp\Perflib_Perfdata_758.dat

+ 2009-07-17 15:04 . 2011-04-29 00:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-07-17 15:04 . 2011-04-26 05:15 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-07-17 15:04 . 2011-04-29 00:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-07-17 15:04 . 2011-04-26 05:15 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2011-04-22 20:21 . 2011-04-29 00:49 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2011-04-22 20:21 . 2011-04-26 05:15 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-7-17 113664]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]

2002-10-04 01:50 684032 ------w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-02-28 00:10 35696 ------w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]

2006-02-07 05:10 98304 ------w- c:\program files\Lexmark 2400 Series\ezprint.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]

2003-02-10 22:34 90112 ------r- c:\windows\GWMDMMSG.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2003-10-02 21:19 118784 ------w- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2003-10-02 21:37 155648 ------w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]

2010-10-19 10:58 1439496 ------w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCRCATS]

2006-02-24 11:54 65536 ------w- c:\windows\system32\spool\drivers\w32x86\3\lxcrtime.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-27 00:18 413696 ------w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-07-31 23:51 148888 ------w- c:\program files\Java\jre6\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

2010-12-10 12:28 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\amason\\My Documents\\Downloads\\winscp419.exe"=

"c:\\Program Files\\Allaire\\HomeSite 4.5\\homesite45.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010.SP1d\\RpcAgentSrv.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010.SP1d\\WNt500x86\\RpcSandraSrv.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"<NO NAME>"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/24/2011 10:44 PM 136360]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [12/10/2010 5:29 AM 92008]

R3 FLASHREADER;USB Reader;c:\windows\system32\drivers\camusb.sys [7/23/2009 5:54 PM 25600]

S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2010.SP1d\RpcAgentSrv.exe [5/9/2010 9:32 PM 93336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

itlsvc REG_MULTI_SZ itlperf

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mWindow Title = Windows Internet Explorer provided by Comcast

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll

FF - ProfilePath - c:\documents and settings\amason\Application Data\Mozilla\Firefox\Profiles\77g6mh3o.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\amason\Application Data\Move Networks

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Ad blocker: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C} - %profile%\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}

FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast, Creative ZENcast v2.01.01);user_pref(general.useragent.extra.zencast,

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-28 18:10

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3384)

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

.

Completion time: 2011-04-28 18:16:38

ComboFix-quarantined-files.txt 2011-04-29 01:16

ComboFix2.txt 2011-04-26 05:40

ComboFix3.txt 2011-04-22 17:48

ComboFix4.txt 2011-04-22 07:38

ComboFix5.txt 2011-04-29 00:57

.

Pre-Run: 8,305,332,224 bytes free

Post-Run: 8,289,492,992 bytes free

.

- - End Of File - - 9CBDF908362AA777D04034E8BC29F536


Hi Elise, I can connect to the internet now, no problem. But, I cannot visit any site with the words "w-i-n-d-o-w-s-u-p-d-a-t-e" or anything like it in either Firefox or IE8. (I couldn't even post this without changing the letters above.) However, if I do a tracert to update.microsoft.com, it comes up with the correct IP. (Verified on another computer.)

Question. Should I have run any of those things (ComboFix, etc.) in safe mode? I did *not* do that.

Also, there are popups on both browsers. I will open the program or visit a new site and a tab pops open to some bogus site.

Also, there is a lot of hard drive churning. I will notice it, then try to open task manager (which takes a while), then I notice that one of the svchost.exe's is starting to run up to 200K memory. (Happened just now as I am writing in safe mode.) When I kill it, the hard drive stops churning. Also, a process called SkypeNames2 pops open sometimes, then closes. Also, a time or two I have opened task manager and I notice several iexplore.exe processes which disappear quickly by themselves. Very strange.

Is there a program to view what is accessing your hard drive in real time? Seems like that would help a little.

Other than those things, I seem to be okay. However, I am still missing my Quick launch icons and a few other things.

What has happened to my computer!??? :(

Thanks/Alan


Hi Alan, how are things running at this point? Does the connection work now?

To resolve the update problem, please try the steps here: http://support.microsoft.com/kb/971058

When I tried this, I downloaded it, but when I tried to run it, it said: "The Administrator has set policies to prevent this installation."

I do not believe I did this myself.

Eeek! [Image: post-76230-0-72167900-1304104864.jpg]


Can you try the manual steps under "Let Me Fix It Myself" in the link I gave you?

Hi Elise,

Sorry, I didn't see the page 2 until today, so I didn't notice your response.

I rebooted and was able to run it automatically to the end. However, it still cannot connect to the Wndws Updt site. There is something blocking access. What is it?

Is this a complicated virus? I don't understand why nothing has been able to remove it.

I will say this, I ran an Avira full scan and it said there was at least one "hidden objects (rootkits)". But, it did not provide any info on how to get rid of it.

Thanks for your help,

Alan


Hi Alan,

This is more a virus leftover (malware often messes with security settings). Have you also tried the manual steps, or only the Fix-it automated solution?

Besides this, do you have any other problem left?
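The "leftover" settings Elise refers to are visible in the ComboFix logs posted above: Security Center keys with "DisableMonitoring"=dword:00000001 (Windows stops warning that antivirus or firewall monitoring is off), a Windows Firewall exception for an installer sitting in the user's Downloads folder, and an unnamed GloballyOpenPorts entry. As an added example (not code from the thread and not ComboFix's own), the Python below reads the REGEDIT4-style "Reg Loading Points" block ComboFix prints and reports those three things. The log excerpt it contains is constructed for the example in the same format as the logs in the thread; the function names and the list of trusted directories are my assumptions.

```python
"""Audit a ComboFix "Reg Loading Points" dump for security-setting leftovers.

Added example, not part of the thread and not ComboFix code. It parses the
REGEDIT4-style block ComboFix prints ([key] headers, "name"=data lines,
"." separators) and flags:
  * Security Center keys with DisableMonitoring set to 1;
  * firewall AuthorizedApplications entries whose executable lives outside
    Program Files / Windows;
  * every GloballyOpenPorts entry, listed for manual review.
"""
import re

# Constructed excerpt in the format of the logs posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\amason\\My Documents\\Downloads\\winscp419.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=
.
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")      # [HKEY...\key\path]
VALUE_RE = re.compile(r'^"(.*)"=(.*)$')     # "name"=data  (data may be empty)

# Directories a firewall exception would normally point into (assumption).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")


def parse_sections(text):
    """Return {key_path: [(name, data), ...]} from a REGEDIT4-style dump."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2)))
    return sections


def unescape_reg_path(value):
    """REGEDIT4 doubles backslashes in string data; turn them back into one."""
    return value.replace("\\\\", "\\")


def disabled_monitoring(sections):
    """Security Center keys where DisableMonitoring is set to 1."""
    hits = []
    for key, values in sections.items():
        if "security center\\monitoring" not in key.lower():
            continue
        for name, data in values:
            if name.lower() == "disablemonitoring" and data.lower() == "dword:00000001":
                hits.append(key)
    return hits


def untrusted_firewall_exceptions(sections):
    """Authorized-application paths outside the trusted program directories."""
    hits = []
    for key, values in sections.items():
        if not key.lower().endswith("authorizedapplications\\list"):
            continue
        for name, _ in values:
            path = unescape_reg_path(name)
            if not path.lower().startswith(TRUSTED_PREFIXES):
                hits.append(path)
    return hits


def globally_open_ports(sections):
    """Every GloballyOpenPorts (name, data) pair, for manual review."""
    hits = []
    for key, values in sections.items():
        if key.lower().endswith("globallyopenports\\list"):
            hits.extend(values)
    return hits


def audit(text):
    """Run all three checks over one ComboFix log and return the findings."""
    s = parse_sections(text)
    return {
        "disabled_monitoring": disabled_monitoring(s),
        "untrusted_firewall_exceptions": untrusted_firewall_exceptions(s),
        "globally_open_ports": globally_open_ports(s),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_LOG).items():
        print(finding)
        for item in items:
            print("   ", item)
```

Treat the output as a review list, not a delete list. The SymantecAntiVirus and SymantecFirewall subkeys in the log are the shape a third-party security product leaves when it registers with Security Center, so a DisableMonitoring value under them can be a leftover of a previously installed product rather than of malware; the top-level Monitoring key and the firewall exception for an installer in Downloads are the ones to question first.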
