JJH Posted May 3, 2011 ID:424232

I have the cryptic.FJ on my computer. Need help getting rid of it.

Thanks,
John
screen317 (Staff) Posted May 5, 2011 ID:425168

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop. Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.
JJH (Author) Posted May 5, 2011 ID:425223

Thanks for your help!!!

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6515
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
5/5/2011 6:06:31 PM
mbam-log-2011-05-05 (18-06-31).txt

Scan type: Quick scan
Objects scanned: 189983
Time elapsed: 13 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)

DDS (Ver_11-03-05.01) - NTFSx86 Run by John at 18:08:07.56 on Thu 05/05/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.126 [GMT -5:00]
AV: AVG Internet Security *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Enabled*

Best regards,
John
screen317 (Staff) Posted May 8, 2011 ID:426302

Hi John,

Please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you. Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317
JJH (Author) Posted May 9, 2011 ID:426916

I had a bit of trouble running ComboFix. I had to uninstall AVG, run ComboFix, then reinstall AVG. Somewhere in this process I lost my network or driver or cable modem capabilities; result: no internet. Give me a day or so to resolve this problem. I will then send the ComboFix.txt document and the new DDS log. A possible bright note: AVG does not see the cryptic.FJ trojan horse file anymore. Thanks for your patience.

Best regards,
John
JJH (Author) Posted May 10, 2011 ID:427049

Hi! Sorry for the delay.

The ComboFix info...

ComboFix 11-05-08.04 - John 05/09/2011 0:31.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.509 [GMT -5:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
AV: AVG Internet Security 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}

The "new" DDS:

DDS (Ver_11-03-05.01) - NTFSx86 Run by John at 21:05:54.35 on Mon 05/09/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.171 [GMT -5:00]
AV: AVG Internet Security 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Enabled*
files\avg\avg10\avgtray.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\timesu~1.lnk - c:\windows\installer\{837da79c-b12b-4709-9b9b-16d1468e418a}\_2127628D8B2D8C6389D854.exeIE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLLDPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cabDPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cabDPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cabDPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cabDPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cabDPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cabDPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - 
hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabDPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabHandler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dllHandler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dllHandler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dllSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll.============= SERVICES / DRIVERS ===============.R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32464]R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 296400]R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2011-2-8 2707512]R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-2-15 7421280]R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-7 50424]R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134480]R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]R3 xcpip;TCP/IP Protocol 
Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-9 947528]S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-8-22 30192]S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664].=============== Created Last 30 ================.2011-05-10 01:55:08 -------- d-----w- c:\docume~1\john\applic~1\AVG102011-05-10 01:50:47 -------- d-----w- c:\windows\system32\drivers\AVG2011-05-10 01:50:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG102011-05-09 05:30:16 -------- d-sha-r- C:\cmdcons2011-05-09 05:26:28 -------- d-----w- C:\ComboFix2011-05-09 05:24:59 98816 ----a-w- c:\windows\sed.exe2011-05-09 05:24:59 89088 ----a-w- c:\windows\MBR.exe2011-05-09 05:24:59 256512 ----a-w- c:\windows\PEV.exe2011-05-09 05:24:59 161792 ----a-w- c:\windows\SWREG.exe2011-05-01 19:01:30 -------- d-----w- C:\AVGTemp2011-05-01 14:30:05 -------- d-----w- c:\docume~1\john\applic~1\Malwarebytes2011-05-01 14:29:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2011-05-01 14:29:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes2011-05-01 14:29:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2011-05-01 14:29:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2011-04-30 05:42:56 0 ---ha-w- c:\docume~1\john\locals~1\applic~1\BIT1A5.tmp2011-04-29 04:50:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE2011-04-29 04:49:07 -------- d-----w- 
c:\docume~1\john\locals~1\applic~1\Temp2011-04-15 13:23:46 -------- d-----w- c:\windows\ServicePackFiles.==================== Find3M ====================.2011-04-09 21:34:47 185 ----a-w- c:\windows\DelUS.bat2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys2011-02-17 19:00:29 832512 ----a-w- c:\windows\system32\wininet.dll2011-02-17 19:00:28 78336 ----a-w- c:\windows\system32\ieencode.dll2011-02-17 19:00:28 1830912 ----a-w- c:\windows\system32\inetcpl.cpl2011-02-17 19:00:27 17408 ----a-w- c:\windows\system32\corpol.dll2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll2011-02-17 11:44:16 389120 ----a-w- c:\windows\system32\html.iec2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll.============= FINISH: 21:09:48.32 ===============As usual THANK YOU!!!Best regards,John Link to post Share on other sites More sharing options...
Staff screen317 Posted May 12, 2011 ID:428299

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

File::
c:\windows\system32\drivers\xcpip.sys
c:\windows\system32\drivers\xpsec.sys

Driver::
xcpip
xpsec

Save this as CFScript. Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new DDS log.

-screen317
JJH Posted May 13, 2011 Author ID:428491 Share Posted May 13, 2011 Hi Here is the ComboFix file:omboFix 11-05-11.04 - John 05/12/2011 20:43:56.3.1 - x86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.537 [GMT -5:00]Running from: c:\documents and settings\John\Desktop\ComboFix.exeCommand switches used :: c:\documents and settings\John\Desktop\CFScript.txtAV: AVG Internet Security 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}.FILE ::"c:\windows\system32\drivers\xcpip.sys""c:\windows\system32\drivers\xpsec.sys"..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))...((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))..-------\Service_xcpip-------\Service_xpsec..((((((((((((((((((((((((( Files Created from 2011-04-13 to 2011-05-13 )))))))))))))))))))))))))))))))..2011-05-10 04:02 . 2011-05-10 04:02 -------- d-----w- c:\documents and settings\Andrea\Application Data\AVG102011-05-01 19:01 . 2011-05-01 19:01 -------- d-----w- C:\AVGTemp2011-05-01 14:30 . 2011-05-01 14:30 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes2011-05-01 14:29 . 2011-05-01 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes2011-05-01 14:29 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2011-05-01 14:29 . 2011-05-01 14:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2011-05-01 14:29 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2011-04-30 05:42 . 2011-04-30 05:42 0 ---ha-w- c:\documents and settings\John\Local Settings\Application Data\BIT1A5.tmp2011-04-29 04:50 . 2011-04-29 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE2011-04-29 04:49 . 
2011-04-29 04:49 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Temp2011-04-29 04:02 . 2008-04-14 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll2011-04-18 16:39 . 2011-04-30 02:30 -------- d-----w- c:\documents and settings\Garrison2011-04-15 13:23 . 2011-04-15 13:23 -------- d-----w- c:\windows\ServicePackFiles...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2011-04-09 21:34 . 2011-04-09 21:34 185 ----a-w- c:\windows\DelUS.bat2011-03-25 16:18 . 2008-04-14 12:00 11376 ----a-w- c:\windows\system32\drivers\secdrv.sys2011-03-07 05:33 . 2008-04-14 12:00 692736 ----a-w- c:\windows\system32\inetcomm.dll2011-03-04 06:45 . 2008-04-14 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll2011-03-03 13:21 . 2008-04-14 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys2011-02-17 19:00 . 2007-08-14 01:54 832512 ----a-w- c:\windows\system32\wininet.dll2011-02-17 19:00 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll2011-02-17 19:00 . 2007-08-14 01:45 1830912 ----a-w- c:\windows\system32\inetcpl.cpl2011-02-17 19:00 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll2011-02-17 13:18 . 2008-04-14 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys2011-02-17 13:18 . 2008-04-14 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys2011-02-17 12:32 . 2009-12-03 13:28 5120 ----a-w- c:\windows\system32\xpsp4res.dll2011-02-17 11:44 . 2008-04-14 12:00 389120 ----a-w- c:\windows\system32\html.iec2011-02-15 12:56 . 2008-04-14 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll..((((((((((((((((((((((((((((( SnapShot@2011-05-09_05.40.28 ))))))))))))))))))))))))))))))))))))))))).+ 2011-05-13 01:39 . 2011-05-13 01:39 16384 c:\windows\Temp\Perflib_Perfdata_7c4.dat+ 2008-08-22 22:13 . 2011-05-10 00:39 71732 c:\windows\system32\perfc009.dat- 2008-08-22 22:13 . 
2011-05-03 00:47 71732 c:\windows\system32\perfc009.dat+ 2011-05-11 04:01 . 2011-05-11 04:01 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe- 2011-04-15 13:14 . 2011-04-15 13:14 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe+ 2008-08-21 22:43 . 2011-05-11 04:01 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe- 2008-08-21 22:43 . 2011-04-15 13:23 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe+ 2008-08-21 22:43 . 2011-05-11 04:01 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe- 2008-08-21 22:43 . 2011-04-15 13:23 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe- 2008-08-21 22:43 . 2011-04-15 13:23 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe+ 2008-08-21 22:43 . 2011-05-11 04:01 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe- 2011-04-15 13:14 . 2011-04-15 13:14 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe+ 2011-05-11 04:01 . 2011-05-11 04:01 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe+ 2008-08-22 22:13 . 2011-05-10 00:39 442466 c:\windows\system32\perfh009.dat- 2008-08-22 22:13 . 2011-05-03 00:47 442466 c:\windows\system32\perfh009.dat+ 2008-08-21 22:43 . 2011-05-11 04:01 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe- 2008-08-21 22:43 . 2011-04-15 13:23 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe- 2008-08-21 22:43 . 2011-04-15 13:23 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe+ 2008-08-21 22:43 . 2011-05-11 04:01 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe+ 2008-08-21 22:43 . 2011-05-11 04:01 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe- 2008-08-21 22:43 . 
2011-04-15 13:23 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe- 2008-08-21 22:43 . 2011-04-15 13:23 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe+ 2008-08-21 22:43 . 2011-05-11 04:01 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe+ 2011-04-29 17:27 . 2011-04-29 17:27 4158464 c:\windows\Installer\3607892.msp+ 2011-04-29 17:30 . 2011-04-29 17:30 1197056 c:\windows\Installer\3607879.msp+ 2008-08-21 22:43 . 2011-05-11 04:01 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe- 2008-08-21 22:43 . 2011-04-15 13:23 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe+ 2008-11-19 04:24 . 2011-05-11 04:01 42829768 c:\windows\system32\MRT.exe.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-22 68856].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-25 8491008]"nwiz"="nwiz.exe" [2008-02-25 1626112]"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-13 
30192]"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-25 81920]"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160].c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-29 53248].[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]"DisableMonitoring"=dword:00000001.[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]"DisableMonitoring"=dword:00000001.[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]"DisableMonitoring"=dword:00000001.[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0).[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"=.R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/7/2008 12:42 AM 50424]R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 11:15 AM 135664]S3 
GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/22/2008 5:12 PM 30192]S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 11:15 AM 135664].Contents of the 'Scheduled Tasks' folder.2011-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50].2011-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 16:11].2011-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 16:11]..------- Supplementary Scan -------.uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8uStart Page = hxxp://www.google.com/mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0808&m=EL1200-01e&c=bbHandler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - ..**************************************************************************.catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2011-05-12 20:50Windows 5.1.2600 Service Pack 3 NTFS.scanning hidden processes ... .scanning hidden autostart entries ... .scanning hidden files ... 
.scan completed successfullyhidden files: 0.**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_USERS\S-1-5-21-3275455987-2673572317-3754695004-1006\Software\SecuROM\License information*]"datasecu"=hex:4f,57,d2,11,a6,e8,7b,36,20,26,48,ce,6c,8e,6e,32,fa,9b,ed,5b,58, 1a,42,41,76,55,4e,48,61,44,a4,b0,a0,74,6b,26,a5,44,75,2e,a1,32,02,ff,fb,01,\"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44.[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]@Denied: (A 2) (Everyone)@="FlashBroker""LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101".[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]"Enabled"=dword:00000001.[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe".[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}".[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]@Denied: (A 2) (Everyone)@="IFlashBroker4".[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}".[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".--------------------- DLLs Loaded Under Running Processes ---------------------.- - - - - - - > 'explorer.exe'(3304)c:\windows\system32\WININET.dllc:\windows\system32\ieframe.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll.Completion time: 2011-05-12 20:52:40ComboFix-quarantined-files.txt 2011-05-13 01:52ComboFix2.txt 2011-05-09 05:44.Pre-Run: 22,515,499,008 bytes 
freePost-Run: 22,508,081,152 bytes free.- - End Of File - - 6D546E788838D84711AA74EE38C7AAA9And here is the DDS file:.DDS (Ver_11-03-05.01) - NTFSx86 Run by John at 20:54:23.85 on Thu 05/12/2011Internet Explorer: 7.0.5730.13Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.489 [GMT -5:00].AV: AVG Internet Security 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}FW: AVG Firewall *Disabled* .============== Running Processes ===============.C:\WINDOWS\system32\svchost.exe -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcssvchost.exesvchost.exeC:\WINDOWS\system32\spoolsv.exesvchost.exeC:\WINDOWS\system32\agrsmsvc.exeC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exeC:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\CyberLink\PowerDVD\PDVDServ.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\WINDOWS\RTHDCPL.EXEC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\HP\Digital Imaging\bin\hpqgalry.exeC:\Program Files\CyberLink\Shared Files\RichVideo.exeC:\WINDOWS\system32\svchost.exe -k imgsvcC:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exeC:\WINDOWS\system32\wscntfy.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\explorer.exeC:\Documents and Settings\John\Desktop\dds.scr.============== Pseudo HJT Report ===============.uSearchMigratedDefaultURL = 
hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8uStart Page = hxxp://www.google.com/mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0808&m=EL1200-01e&c=bbmURLSearchHooks: H - No FileBHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dllBHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dllBHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No FileBHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dllBHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dllBHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllBHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dllTB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dllTB: Yahoo! 
Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [bkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-7 50424]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-8-22 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
.
=============== Created Last 30 ================
.
2011-05-09 05:30:16  --------  d-sha-r-  C:\cmdcons
2011-05-09 05:24:59  98816     ----a-w-  c:\windows\sed.exe
2011-05-09 05:24:59  89088     ----a-w-  c:\windows\MBR.exe
2011-05-09 05:24:59  256512    ----a-w-  c:\windows\PEV.exe
2011-05-09 05:24:59  161792    ----a-w-  c:\windows\SWREG.exe
2011-05-01 19:01:30  --------  d-----w-  C:\AVGTemp
2011-05-01 14:30:05  --------  d-----w-  c:\docume~1\john\applic~1\Malwarebytes
2011-05-01 14:29:57  38224     ----a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-01 14:29:57  --------  d-----w-  c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-05-01 14:29:53  20952     ----a-w-  c:\windows\system32\drivers\mbam.sys
2011-05-01 14:29:53  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2011-04-30 05:42:56  0         ---ha-w-  c:\docume~1\john\locals~1\applic~1\BIT1A5.tmp
2011-04-29 04:50:00  --------  d-----w-  c:\docume~1\alluse~1\applic~1\XoftSpySE
2011-04-29 04:49:07  --------  d-----w-  c:\docume~1\john\locals~1\applic~1\Temp
2011-04-15 13:23:46  --------  d-----w-  c:\windows\ServicePackFiles
.
==================== Find3M ====================
.
2011-04-09 21:34:47  185       ----a-w-  c:\windows\DelUS.bat
2011-03-07 05:33:50  692736    ----a-w-  c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07  434176    ----a-w-  c:\windows\system32\vbscript.dll
2011-03-03 13:21:11  1857920   ----a-w-  c:\windows\system32\win32k.sys
2011-02-17 19:00:29  832512    ----a-w-  c:\windows\system32\wininet.dll
2011-02-17 19:00:28  78336     ----a-w-  c:\windows\system32\ieencode.dll
2011-02-17 19:00:28  1830912   ----a-w-  c:\windows\system32\inetcpl.cpl
2011-02-17 19:00:27  17408     ----a-w-  c:\windows\system32\corpol.dll
2011-02-17 12:32:12  5120      ----a-w-  c:\windows\system32\xpsp4res.dll
2011-02-17 11:44:16  389120    ----a-w-  c:\windows\system32\html.iec
2011-02-15 12:56:39  290432    ----a-w-  c:\windows\system32\atmfd.dll
.
============= FINISH: 20:54:35.23 ===============
Thank you.
John
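The "Created Last 30" and "Find3M" sections of the DDS log above are one line per file or directory: date and time, size (or dashes for a directory), an eight-character attribute string, and the path. The following helper is an added example, not part of this thread and not DDS's own code: it parses those lines and applies a small triage heuristic (hidden files, files created under the user profile, .tmp names, kernel drivers) to decide which entries a helper would normally ask about first. The sample lines are copied from the log in this thread; the flagging rules are my assumption about what is worth a second look, not a verdict on any file, and the thread itself states nothing about them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: five "Created Last 30" entries copied from the DDS log in
# this thread, in its column layout (date time, size or -------- for a
# directory, attribute string, path).
SAMPLE_DDS = """
2011-05-09 05:30:16 -------- d-sha-r- C:\\cmdcons
2011-05-09 05:24:59 98816 ----a-w- c:\\windows\\sed.exe
2011-05-01 14:29:57 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2011-04-30 05:42:56 0 ---ha-w- c:\\docume~1\\john\\locals~1\\applic~1\\BIT1A5.tmp
2011-04-29 04:50:00 -------- d-----w- c:\\docume~1\\alluse~1\\applic~1\\XoftSpySE
"""

# One DDS file entry. The attribute string uses d (directory), s (system),
# h (hidden), a (archive), r (read-only) and w (writable) in fixed positions.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-dshawr]{8})\s+(?P<path>.+?)\s*$"
)

# Assumed convention: user profiles on this XP machine live under c:\docume~1.
USER_PROFILE_RE = re.compile(r"^c:\\docume~1\\", re.I)


@dataclass
class DdsEntry:
    timestamp: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_dds_entries(text: str) -> List[DdsEntry]:
    """Parse file entries; separator dots and section banners are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(DdsEntry(f"{m['date']} {m['time']}", size, m["attrs"], m["path"]))
    return entries


def triage(entries: List[DdsEntry]) -> List[Tuple[str, List[str]]]:
    """Heuristic (assumed, not from the thread): return (path, reasons) for
    entries a helper would usually look at first. Directories are not flagged
    for being hidden or under the profile; only files are."""
    flagged = []
    for e in entries:
        reasons = []
        if e.hidden and not e.is_dir:
            reasons.append("hidden file")
        if USER_PROFILE_RE.match(e.path) and not e.is_dir:
            reasons.append("file under user profile")
        if e.path.lower().endswith(".tmp"):
            reasons.append(".tmp extension")
        if e.path.lower().endswith(".sys"):
            reasons.append("kernel driver")
        if reasons:
            flagged.append((e.path, reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(parse_dds_entries(SAMPLE_DDS)):
        print(f"{path}: {', '.join(reasons)}")
```

Run against the sample, the zero-byte hidden BIT1A5.tmp in the user's Local Settings is the entry that collects the most reasons, while the Malwarebytes driver is flagged only because it is a driver; the helper narrows the list, and the thread's own follow-up scans are what decide whether anything is actually malicious.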
Staff screen317 Posted May 16, 2011 Staff ID:429581
Hi,
Next, please run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the ActiveX control to install.
Click Start.
Make sure that the options Remove found threats and Scan unwanted applications are checked.
Click Scan.
Wait for the scan to finish.
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.
Next, download my Security Check from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Let me know how things are running now and what issues remain.
-screen317
JJH Posted May 16, 2011 Author ID:429636
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17096 (vista_gdr.110211-1830)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=5a7e259af220f94f9d04358aca807e0e
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-16 03:32:12
# local_time=2011-05-15 10:32:12 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1032 16777173 100 97 0 48571292 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=89690
# found=0
# cleaned=0
# scan_time=5187

Results of screen317's Security Check version 0.99.11
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
AVG 2011
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java 6 Update 16
Java 6 Update 5
Out of date Java installed!
Adobe Flash Player
Adobe Reader 8.1.3
Out of date Adobe Reader installed!
````````````````````````````````
Process Check: objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````
Please find the logs.
Thanks,
John
Staff screen317 Posted May 18, 2011 Staff ID:430733
Hi,
Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.
This uninstalls all of ComboFix's components.
Delete SecurityCheck.
After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):
Java