Jump to content

Recommended Posts

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.

Link to post
Share on other sites

Thanks for your help!!!

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6515

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

5/5/2011 6:06:31 PM

mbam-log-2011-05-05 (18-06-31).txt

Scan type: Quick scan

Objects scanned: 189983

Time elapsed: 13 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by John at 18:08:07.56 on Thu 05/05/2011

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.126 [GMT -5:00]

.

AV: AVG Internet Security *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: AVG Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe

svchost.exe

C:\WINDOWS\system32\agrsmsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\AVG\AVG9\avgfws9.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe

C:\Program Files\AVG\AVG9\avgam.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\FRT5PR0R\dds[1].scr

.

============== Pseudo HJT Report ===============

.

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.google.com/

uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0808&m=EL1200-01e&c=bb

mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0808&m=EL1200-01e&c=bb

mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0808&m=EL1200-01e&c=bb

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll

TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Power2GoExpress] NA

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10o_ActiveX.exe -update activex

mRun: [LaunchApp]

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [bkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\timesu~1.lnk - c:\windows\installer\{837da79c-b12b-4709-9b9b-16d1468e418a}\_2127628D8B2D8C6389D854.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2011-2-27 25168]

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-1-22 52872]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-22 216400]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-22 29584]

R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-22 243152]

R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2011-2-27 921952]

R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2011-2-27 308136]

R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2011-2-27 2331544]

R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2011-2-27 5897808]

R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup\norton pc checkup\engine\2.0.2.506\SymcPCCULaunchSvc.exe [2011-3-6 120248]

R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-7 50424]

R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\norton pc checkup\engine\2.0.2.506\ccSvcHst.exe [2011-3-6 126392]

R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-1-22 30104]

R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2011-2-27 122448]

R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2011-2-27 30288]

R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2011-2-27 26192]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]

R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg8\toolbar\toolbarbroker.exe --> c:\program files\avg\avg8\toolbar\ToolbarBroker.exe [?]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-1-22 30104]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-8-22 30192]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]

.

=============== Created Last 30 ================

.

2011-05-01 19:01:30 -------- d-----w- C:\AVGTemp

2011-05-01 14:30:05 -------- d-----w- c:\docume~1\john\applic~1\Malwarebytes

2011-05-01 14:29:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-01 14:29:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-05-01 14:29:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-01 14:29:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-30 05:42:56 0 ---ha-w- c:\docume~1\john\locals~1\applic~1\BIT1A5.tmp

2011-04-29 04:50:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE

2011-04-29 04:49:07 -------- d-----w- c:\docume~1\john\locals~1\applic~1\Temp

2011-04-15 13:23:46 -------- d-----w- c:\windows\ServicePackFiles

2011-04-09 21:34:47 185 ----a-w- c:\windows\DelUS.bat

.

==================== Find3M ====================

.

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-27 17:37:30 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2011-02-27 17:36:50 50968 ----a-w- c:\windows\system32\avgfwdx.dll

2011-02-17 19:00:29 832512 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 19:00:28 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 19:00:28 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-17 19:00:27 17408 ----a-w- c:\windows\system32\corpol.dll

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-17 11:44:16 389120 ----a-w- c:\windows\system32\html.iec

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll

2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll

.

============= FINISH: 18:09:16.29 ===============

Best regards,

John

Link to post
Share on other sites

I had a bit of trouble running combofix. I had to uninstall AVG, run combo fix, then reinstall AVG. Somewhere in this process I lost my network or driver or cable modem capabilities-- result- not internet. Give me a day or so to resolve this problem. I will then send the combofix.txt document and the new DDS log. A possible bright note, AVG does not see the cryptic.FJ trojan horse file anymore. Thanks for your patience.

Best regards,

John

Link to post
Share on other sites

Hi! Sorry for the delay.

The Combofix info...

ComboFix 11-05-08.04 - John 05/09/2011 0:31.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.509 [GMT -5:00]

Running from: c:\documents and settings\John\Desktop\ComboFix.exe

AV: AVG Internet Security 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\John\WINDOWS

.

.

((((((((((((((((((((((((( Files Created from 2011-04-09 to 2011-05-09 )))))))))))))))))))))))))))))))

.

.

2011-05-09 04:35 . 2011-05-09 04:35 -------- d-----w- c:\documents and settings\John\Application Data\AVG10

2011-05-01 19:01 . 2011-05-01 19:01 -------- d-----w- C:\AVGTemp

2011-05-01 14:30 . 2011-05-01 14:30 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes

2011-05-01 14:29 . 2011-05-01 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-05-01 14:29 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-01 14:29 . 2011-05-01 14:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-01 14:29 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-30 05:42 . 2011-04-30 05:42 0 ---ha-w- c:\documents and settings\John\Local Settings\Application Data\BIT1A5.tmp

2011-04-29 04:50 . 2011-04-29 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE

2011-04-29 04:49 . 2011-04-29 04:49 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Temp

2011-04-29 04:02 . 2008-04-14 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2011-04-18 16:39 . 2011-04-30 02:30 -------- d-----w- c:\documents and settings\Garrison

2011-04-15 13:23 . 2011-04-15 13:23 -------- d-----w- c:\windows\ServicePackFiles

2011-04-09 21:34 . 2011-04-09 21:34 185 ----a-w- c:\windows\DelUS.bat

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-25 16:18 . 2008-04-14 12:00 11376 ----a-w- c:\windows\system32\drivers\secdrv.sys

2011-03-07 05:33 . 2008-04-14 12:00 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45 . 2008-04-14 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2008-04-14 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-17 19:00 . 2007-08-14 01:54 832512 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 19:00 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 19:00 . 2007-08-14 01:45 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-17 19:00 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2011-02-17 13:18 . 2008-04-14 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-17 13:18 . 2008-04-14 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:32 . 2009-12-03 13:28 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-17 11:44 . 2008-04-14 12:00 389120 ----a-w- c:\windows\system32\html.iec

2011-02-15 12:56 . 2008-04-14 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-11 13:25 . 2008-04-14 12:00 229888 ----a-w- c:\windows\system32\fxscover.exe

2011-02-09 13:53 . 2008-04-14 12:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-08 13:33 . 2008-04-14 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll

2011-02-08 13:33 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="NA" [X]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-22 68856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-25 8491008]

"nwiz"="nwiz.exe" [2008-02-25 1626112]

"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-13 30192]

"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-25 81920]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-29 53248]

TimesUpKidz Reminders.lnk - c:\windows\Installer\{837DA79C-B12B-4709-9B9B-16D1468E418A}\_2127628D8B2D8C6389D854.exe [2009-4-27 17542]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\BackupSvc.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:Remote Desktop

"65533:TCP"= 65533:TCP:Services

"52344:TCP"= 52344:TCP:Services

"5703:TCP"= 5703:TCP:Services

"9906:TCP"= 9906:TCP:Services

"8710:TCP"= 8710:TCP:Services

.

R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/7/2008 12:42 AM 50424]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]

R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]

R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 11:15 AM 135664]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/22/2008 5:12 PM 30192]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 11:15 AM 135664]

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

.

2011-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 16:11]

.

2011-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 16:11]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0808&m=EL1200-01e&c=bb

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

HKLM-Run-LaunchApp - (no file)

Notify-avgrsstarter - avgrsstx.dll

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-09 00:42

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3275455987-2673572317-3754695004-1006\Software\SecuROM\License information*]

"datasecu"=hex:4f,57,d2,11,a6,e8,7b,36,20,26,48,ce,6c,8e,6e,32,fa,9b,ed,5b,58,

1a,42,41,76,55,4e,48,61,44,a4,b0,a0,74,6b,26,a5,44,75,2e,a1,32,02,ff,fb,01,\

"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2548)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\RTHDCPL.EXE

c:\windows\system32\RUNDLL32.EXE

c:\program files\HP\Digital Imaging\bin\hpqgalry.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\nvsvc32.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\msiexec.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\HPZipm12.exe

.

**************************************************************************

.

Completion time: 2011-05-09 00:44:31 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-09 05:44

.

Pre-Run: 21,107,273,728 bytes free

Post-Run: 23,100,350,464 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 22100CC8DC1B87A337025D1A2A6422AA

the "new" DDS

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by John at 21:05:54.35 on Mon 05/09/2011

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.171 [GMT -5:00]

.

AV: AVG Internet Security 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: AVG Firewall *Enabled*

.

============== Running Processes ===============

.

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\PROGRA~1\AVG\AVG10\avgrsx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\WINDOWS\explorer.exe

svchost.exe

C:\WINDOWS\system32\agrsmsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\AVG\AVG10\avgfws.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Program Files\AVG\AVG10\avgam.exe

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\imapi.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\AVG\AVG10\avgemcx.exe

C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\Program Files\AVG\AVG10\avgmfapx.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\John\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0808&m=EL1200-01e&c=bb

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll

TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [Power2GoExpress] NA

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [bkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\timesu~1.lnk - c:\windows\installer\{837da79c-b12b-4709-9b9b-16d1468e418a}\_2127628D8B2D8C6389D854.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32464]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 296400]

R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2011-2-8 2707512]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-2-15 7421280]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]

R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-7 50424]

R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]

R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-9 947528]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-8-22 30192]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]

.

=============== Created Last 30 ================

.

2011-05-10 01:55:08 -------- d-----w- c:\docume~1\john\applic~1\AVG10

2011-05-10 01:50:47 -------- d-----w- c:\windows\system32\drivers\AVG

2011-05-10 01:50:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10

2011-05-09 05:30:16 -------- d-sha-r- C:\cmdcons

2011-05-09 05:26:28 -------- d-----w- C:\ComboFix

2011-05-09 05:24:59 98816 ----a-w- c:\windows\sed.exe

2011-05-09 05:24:59 89088 ----a-w- c:\windows\MBR.exe

2011-05-09 05:24:59 256512 ----a-w- c:\windows\PEV.exe

2011-05-09 05:24:59 161792 ----a-w- c:\windows\SWREG.exe

2011-05-01 19:01:30 -------- d-----w- C:\AVGTemp

2011-05-01 14:30:05 -------- d-----w- c:\docume~1\john\applic~1\Malwarebytes

2011-05-01 14:29:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-01 14:29:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-05-01 14:29:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-01 14:29:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-30 05:42:56 0 ---ha-w- c:\docume~1\john\locals~1\applic~1\BIT1A5.tmp

2011-04-29 04:50:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE

2011-04-29 04:49:07 -------- d-----w- c:\docume~1\john\locals~1\applic~1\Temp

2011-04-15 13:23:46 -------- d-----w- c:\windows\ServicePackFiles

.

==================== Find3M ====================

.

2011-04-09 21:34:47 185 ----a-w- c:\windows\DelUS.bat

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-17 19:00:29 832512 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 19:00:28 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 19:00:28 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-17 19:00:27 17408 ----a-w- c:\windows\system32\corpol.dll

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-17 11:44:16 389120 ----a-w- c:\windows\system32\html.iec

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

.

============= FINISH: 21:09:48.32 ===============

As usual THANK YOU!!!

Best regards,

John

Link to post
Share on other sites

  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

File::
c:\windows\system32\drivers\xcpip.sys
c:\windows\system32\drivers\xpsec.sys
Driver::
xcpip
xpsec

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

Link to post
Share on other sites

Hi

Here is the ComboFix file:

omboFix 11-05-11.04 - John 05/12/2011 20:43:56.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.537 [GMT -5:00]

Running from: c:\documents and settings\John\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt

AV: AVG Internet Security 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}

.

FILE ::

"c:\windows\system32\drivers\xcpip.sys"

"c:\windows\system32\drivers\xpsec.sys"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_xcpip

-------\Service_xpsec

.

.

((((((((((((((((((((((((( Files Created from 2011-04-13 to 2011-05-13 )))))))))))))))))))))))))))))))

.

.

2011-05-10 04:02 . 2011-05-10 04:02 -------- d-----w- c:\documents and settings\Andrea\Application Data\AVG10

2011-05-01 19:01 . 2011-05-01 19:01 -------- d-----w- C:\AVGTemp

2011-05-01 14:30 . 2011-05-01 14:30 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes

2011-05-01 14:29 . 2011-05-01 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-05-01 14:29 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-01 14:29 . 2011-05-01 14:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-01 14:29 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-30 05:42 . 2011-04-30 05:42 0 ---ha-w- c:\documents and settings\John\Local Settings\Application Data\BIT1A5.tmp

2011-04-29 04:50 . 2011-04-29 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE

2011-04-29 04:49 . 2011-04-29 04:49 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Temp

2011-04-29 04:02 . 2008-04-14 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2011-04-18 16:39 . 2011-04-30 02:30 -------- d-----w- c:\documents and settings\Garrison

2011-04-15 13:23 . 2011-04-15 13:23 -------- d-----w- c:\windows\ServicePackFiles

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-09 21:34 . 2011-04-09 21:34 185 ----a-w- c:\windows\DelUS.bat

2011-03-25 16:18 . 2008-04-14 12:00 11376 ----a-w- c:\windows\system32\drivers\secdrv.sys

2011-03-07 05:33 . 2008-04-14 12:00 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45 . 2008-04-14 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2008-04-14 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-17 19:00 . 2007-08-14 01:54 832512 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 19:00 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 19:00 . 2007-08-14 01:45 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-17 19:00 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2011-02-17 13:18 . 2008-04-14 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-17 13:18 . 2008-04-14 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:32 . 2009-12-03 13:28 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-17 11:44 . 2008-04-14 12:00 389120 ----a-w- c:\windows\system32\html.iec

2011-02-15 12:56 . 2008-04-14 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-05-09_05.40.28 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-05-13 01:39 . 2011-05-13 01:39 16384 c:\windows\Temp\Perflib_Perfdata_7c4.dat

+ 2008-08-22 22:13 . 2011-05-10 00:39 71732 c:\windows\system32\perfc009.dat

- 2008-08-22 22:13 . 2011-05-03 00:47 71732 c:\windows\system32\perfc009.dat

+ 2011-05-11 04:01 . 2011-05-11 04:01 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe

- 2011-04-15 13:14 . 2011-04-15 13:14 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe

+ 2008-08-21 22:43 . 2011-05-11 04:01 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe

- 2008-08-21 22:43 . 2011-04-15 13:23 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe

+ 2008-08-21 22:43 . 2011-05-11 04:01 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe

- 2008-08-21 22:43 . 2011-04-15 13:23 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe

- 2008-08-21 22:43 . 2011-04-15 13:23 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe

+ 2008-08-21 22:43 . 2011-05-11 04:01 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe

- 2011-04-15 13:14 . 2011-04-15 13:14 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe

+ 2011-05-11 04:01 . 2011-05-11 04:01 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe

+ 2008-08-22 22:13 . 2011-05-10 00:39 442466 c:\windows\system32\perfh009.dat

- 2008-08-22 22:13 . 2011-05-03 00:47 442466 c:\windows\system32\perfh009.dat

+ 2008-08-21 22:43 . 2011-05-11 04:01 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe

- 2008-08-21 22:43 . 2011-04-15 13:23 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe

- 2008-08-21 22:43 . 2011-04-15 13:23 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe

+ 2008-08-21 22:43 . 2011-05-11 04:01 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe

+ 2008-08-21 22:43 . 2011-05-11 04:01 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe

- 2008-08-21 22:43 . 2011-04-15 13:23 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe

- 2008-08-21 22:43 . 2011-04-15 13:23 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe

+ 2008-08-21 22:43 . 2011-05-11 04:01 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe

+ 2011-04-29 17:27 . 2011-04-29 17:27 4158464 c:\windows\Installer\3607892.msp

+ 2011-04-29 17:30 . 2011-04-29 17:30 1197056 c:\windows\Installer\3607879.msp

+ 2008-08-21 22:43 . 2011-05-11 04:01 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe

- 2008-08-21 22:43 . 2011-04-15 13:23 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe

+ 2008-11-19 04:24 . 2011-05-11 04:01 42829768 c:\windows\system32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-22 68856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-25 8491008]

"nwiz"="nwiz.exe" [2008-02-25 1626112]

"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-13 30192]

"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-25 81920]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-29 53248]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/7/2008 12:42 AM 50424]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 11:15 AM 135664]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/22/2008 5:12 PM 30192]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 11:15 AM 135664]

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

.

2011-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 16:11]

.

2011-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 16:11]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0808&m=EL1200-01e&c=bb

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-12 20:50

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3275455987-2673572317-3754695004-1006\Software\SecuROM\License information*]

"datasecu"=hex:4f,57,d2,11,a6,e8,7b,36,20,26,48,ce,6c,8e,6e,32,fa,9b,ed,5b,58,

1a,42,41,76,55,4e,48,61,44,a4,b0,a0,74,6b,26,a5,44,75,2e,a1,32,02,ff,fb,01,\

"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3304)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-05-12 20:52:40

ComboFix-quarantined-files.txt 2011-05-13 01:52

ComboFix2.txt 2011-05-09 05:44

.

Pre-Run: 22,515,499,008 bytes free

Post-Run: 22,508,081,152 bytes free

.

- - End Of File - - 6D546E788838D84711AA74EE38C7AAA9

And here is the DDS file:

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by John at 20:54:23.85 on Thu 05/12/2011

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.489 [GMT -5:00]

.

AV: AVG Internet Security 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: AVG Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\agrsmsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\John\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0808&m=EL1200-01e&c=bb

mURLSearchHooks: H - No File

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll

TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [bkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-7 50424]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-8-22 30192]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]

.

=============== Created Last 30 ================

.

2011-05-09 05:30:16 -------- d-sha-r- C:\cmdcons

2011-05-09 05:24:59 98816 ----a-w- c:\windows\sed.exe

2011-05-09 05:24:59 89088 ----a-w- c:\windows\MBR.exe

2011-05-09 05:24:59 256512 ----a-w- c:\windows\PEV.exe

2011-05-09 05:24:59 161792 ----a-w- c:\windows\SWREG.exe

2011-05-01 19:01:30 -------- d-----w- C:\AVGTemp

2011-05-01 14:30:05 -------- d-----w- c:\docume~1\john\applic~1\Malwarebytes

2011-05-01 14:29:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-01 14:29:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-05-01 14:29:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-01 14:29:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-30 05:42:56 0 ---ha-w- c:\docume~1\john\locals~1\applic~1\BIT1A5.tmp

2011-04-29 04:50:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE

2011-04-29 04:49:07 -------- d-----w- c:\docume~1\john\locals~1\applic~1\Temp

2011-04-15 13:23:46 -------- d-----w- c:\windows\ServicePackFiles

.

==================== Find3M ====================

.

2011-04-09 21:34:47 185 ----a-w- c:\windows\DelUS.bat

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-17 19:00:29 832512 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 19:00:28 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 19:00:28 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-17 19:00:27 17408 ----a-w- c:\windows\system32\corpol.dll

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-17 11:44:16 389120 ----a-w- c:\windows\system32\html.iec

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

.

============= FINISH: 20:54:35.23 ===============

Thank you.

John

Link to post
Share on other sites

  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17096 (vista_gdr.110211-1830)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=5a7e259af220f94f9d04358aca807e0e

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-05-16 03:32:12

# local_time=2011-05-15 10:32:12 (-0600, Central Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1032 16777173 100 97 0 48571292 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=89690

# found=0

# cleaned=0

# scan_time=5187

Results of screen317's Security Check version 0.99.11

Windows XP Service Pack 3

Internet Explorer 7 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

AVG 2011

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 16

Java 6 Update 5

Out of date Java installed!

Adobe Flash Player

Adobe Reader 8.1.3

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

AVG avgwdsvc.exe

AVG avgtray.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

``````````End of Log````````````

Please find the logs,

Thanks,

John

Link to post
Share on other sites

  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Java

Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.